Most blockchain projects hide security issues until they become exploits.
We commission independent audits and publish everything — including what's wrong.
Savitri is in Testnet. We are here exactly to find these problems.
Audit transparency is our security model.
Coverage: PoU consensus protocol, Rust client,
smart contract runtime, RPC endpoints, P2P networking.
TOTAL: 68 findings · No hidden findings. All published.
Independent audit completed in February 2026. Full report available on request: [email protected]
Updated with every patch. Last update: March 2026.
Active remediation — ETA Q2 2026
The critical findings concern mainly edge cases in the BFT protocol and input validation in some RPC endpoints under extreme load. None have been exploited — we are in Testnet with a controlled network.
The core consensus is isolated from the critical findings. The PoU + BFT finality mechanism works correctly in normal Testnet usage.
Under review — partial patches published
Most High findings concern P2P networking hardening under DoS attacks and error handling in degraded network conditions.
Prioritized backlog
Medium findings are mainly improvements to logging, error handling, and robustness in non-critical scenarios. They do not impact consensus integrity.
Planned pre-Mainnet
Code quality improvements, internal documentation, and minor optimizations. No impact on Testnet operational security.
Remediation progress: 26/68 findings resolved (38%)
ETA COMPLETE: Q2 2026
Goal: 100% remediation completed before Mainnet launch.
Zero unsafe blocks in the core Rust
Verifiable with grep "unsafe" in the repository
Re-entrancy protection built into the runtime
Standard in smart contracts — not delegated to the developer
Open source — auditable by anyone
Forks welcome
```bash
# Verify zero unsafe blocks in core code
git clone https://github.com/savitri-network/savitri
cd savitri   # enter the checkout before searching it
grep -r "unsafe" src/ --include="*.rs" \
  | grep -v "// " \
  | grep -v "test"
# Expected output: no results
# (zero unsafe blocks in the production src/ path)
```
Some external dependencies (libp2p, RocksDB) contain unsafe Rust internally — this is normal for system libraries. The Savitri core code (src/) contains none.
The audit also verified critical dependencies.
Known vulnerabilities (from report)
Some High findings concern additional hardening under massive DoS attacks. In remediation.
The 16 Critical findings concern BFT edge cases and input validation under extreme stress conditions. Consensus works correctly in normal usage.
No critical findings in the application layer. Some Medium findings related to error handling in smart contracts in edge case scenarios.
The responsible disclosure program is active. If you find a vulnerability, we want to know — before someone else finds it in production.
Submit a report to [email protected] or through the secure form on this page
The team confirms receipt within 48 hours
Evaluation and classification of the finding within 5 days
If the finding is valid:
The vulnerability is fixed and the patch published before any public disclosure
| Severity | Reward | Response |
|---|---|---|
| Critical | 5.000 – 50.000 SAVI | < 24h |
| High | 1.000 – 5.000 SAVI | < 48h |
| Medium | 500 – 1.000 SAVI | < 5 days |
| Low | 100 – 500 SAVI | < 10 days |
Every security patch is documented here.
Fix: input validation in endpoint /savitri/account/{address} with malformed addresses that caused panic in the RPC thread.
Finding #041 from Feb 2026 report. Verified closed.
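The defect class behind finding #041 (a malformed path parameter unwinding the RPC worker) next to its hardened form, as an added Rust example that is not Savitri's code. The address format (`0x` plus 40 hex digits) and the names `parse_address` and `AddressError` are assumptions, since the page does not give the real format.

```rust
// Added example, not Savitri project code: the panic pattern behind finding #041
// and its hardened form. Assumed address format (not given on the page):
// "0x" followed by 40 hex digits, i.e. 20 bytes.

#[derive(Debug, PartialEq, Eq)]
pub struct Address(pub [u8; 20]);

#[derive(Debug, PartialEq, Eq)]
pub enum AddressError {
    MissingPrefix,
    BadLength(usize),
    BadHexAt(usize),
}

/// Before: malformed input unwinds the thread. `&s[2..]` panics on inputs
/// shorter than two bytes or cut inside a multi-byte character, and the
/// `unwrap()` panics on any non-hex pair or on a short string.
pub fn parse_address_panicky(s: &str) -> Address {
    let hex = &s[2..];
    let mut out = [0u8; 20];
    for i in 0..20 {
        out[i] = u8::from_str_radix(&hex[2 * i..2 * i + 2], 16).unwrap();
    }
    Address(out)
}

/// After: every malformed input maps to a typed error the RPC layer can turn
/// into a 400 response; no path can panic. Decoding nibble by nibble also
/// rejects the "+f" forms that `u8::from_str_radix` would silently accept.
pub fn parse_address(s: &str) -> Result<Address, AddressError> {
    let hex = s.strip_prefix("0x").ok_or(AddressError::MissingPrefix)?;
    if hex.len() != 40 {
        return Err(AddressError::BadLength(hex.len()));
    }
    let nibble = |b: u8| (b as char).to_digit(16).map(|d| d as u8);
    let mut out = [0u8; 20];
    // len() == 40 bytes, so every chunk is exactly two bytes; a byte that is
    // part of a multi-byte UTF-8 character is simply not a hex digit.
    for (i, pair) in hex.as_bytes().chunks(2).enumerate() {
        let hi = nibble(pair[0]).ok_or(AddressError::BadHexAt(i))?;
        let lo = nibble(pair[1]).ok_or(AddressError::BadHexAt(i))?;
        out[i] = (hi << 4) | lo;
    }
    Ok(Address(out))
}
```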
Fix: rate limiting per IP on RPC endpoints. A single client could saturate the thread pool with malformed requests.
Finding #018 from Feb 2026 report.
Fix: logging of private keys in verbose debug mode.
Keys were not exposed in production (RUST_LOG=info) but only with RUST_LOG=trace. Hardened anyway.
Finding #056 from Feb 2026 report.