AXIOM Protocol is a decentralized, cryptography-driven system. Security is a top priority, and responsible disclosure is strongly encouraged.

Only the latest stable release on the main branch is actively supported with security updates.

Running outdated versions may expose you to known or unknown vulnerabilities.

If you discover a security issue, DO NOT open a public GitHub issue.

Please report vulnerabilities responsibly by contacting:

Email: security@axiomprotocol.org
(replace with your real email if different)

If email is unavailable, you may:

• Open a private GitHub Security Advisory
• Or contact the maintainer directly via GitHub

We aim to follow this disclosure timeline:

• Acknowledgement: within 48 hours
• Initial assessment: within 5 days
• Fix or mitigation: as soon as possible depending on severity
• Public disclosure: after a fix is released (if applicable)

The following are considered in scope:

• Consensus logic
• Cryptographic primitives
• Wallet & key management
• Networking (libp2p)
• Transaction validation
• Supply & issuance logic

The following are out of scope:

• Denial of service via spam without protocol exploit
• Social engineering attacks
• Issues in third-party dependencies unless exploitable through Axiom

1. Clippy (Rust Linter & Code Quality)

• Tool: cargo clippy --all-targets --all-features
• Status: ✅ COMPLETED
• Findings: 48 warnings across codebase (mostly style/best practices)

2. Manual Code Review

• Focus Areas:
  • Cryptographic operations (Blake3 PoW, ZK-STARKs, VDF)
  • Networking layer (libp2p, consensus)
  • Wallet & key management
  • Supply cap enforcement (124M AXM)
  • Transaction validation

3. Dependency Analysis

• Method: Manual review of Cargo.toml dependencies
• Status: ✅ All dependencies analyzed
• Critical dependencies: Checked for known vulnerabilities

1. Prometheus Histogram Initialization Error (energy_benchmark.rs:358-363)

   • Severity: Critical (compilation failure)
   • Issue: Invalid API usage - Histogram::new() doesn't exist in prometheus crate
   • Fix: Updated to Histogram::with_opts(HistogramOpts::new(...))
   • Status: ✅ FIXED & TESTED

2. Unused Variable Warnings

   • Location: transaction_circuit.rs:237, vdf.rs:82
   • Severity: Low (best practices)
   • Issue: Unused variables in function returns
   • Fix: Prefixed with underscore (_vk, _pi)
   • Status: ✅ FIXED

3. Digit Grouping Inconsistency (cross_chain.rs:456)

   • Severity: Low (code clarity)
   • Issue: Inconsistent numeric literal formatting
   • Fix: Changed 1000_000_000_000 to 1_000_000_000_000
   • Status: ✅ FIXED

4. Needless Borrows in Hashing Operations (neural_guardian.rs, privacy/view_keys.rs)

   • Type: Code quality
   • Fix: Removed unnecessary & operators for types implementing Copy
   • Status: ✅ AUTO-FIXED by Clippy

5. Suboptimal Pattern Matching (neural_guardian.rs:270)

   • Type: Code quality
   • Fix: Changed or_insert_with(Vec::new) to or_default()
   • Status: ✅ AUTO-FIXED by Clippy

• Release Build: ✅ PASSING (1m 59s)
• Test Suite: ✅ PASSING
• Warnings After Fixes: 19 (all style/best practices, no security issues)

Critical Cryptographic Dependencies:

• ✅ blake3 1.5 - Latest version, actively maintained
• ✅ ed25519-dalek 2.1 - Latest version, well-reviewed
• ✅ ark-bls12-381 0.5 - Part of arkworks, mature ecosystem
• ✅ winterfell 0.9 - Production-grade ZK-STARK library

Networking Dependencies:

• ✅ libp2p 0.54 - Actively maintained P2P framework
• ✅ tokio 1.35 - Industry-standard async runtime

Known Transitive Dependencies: The tracing-subscriber crate (via ark-relations) has a medium-severity advisory (RUSTSEC-2025-0055) for ANSI escape sequence injection. IMPACT ASSESSMENT:

• Axiom Impact: LOW - AXIOM Protocol does not log untrusted user input in a way that would permit this attack
• Mitigation: Logs are controlled by the operator and do not process malicious input
• Tracking: Awaiting upstream fix from arkworks ecosystem

✅ Consensus Security:

• VDF computation properly verified (1800s iterations)
• Blake3 hash function correctly implemented
• Guardian Sentinel maintains network consistency

✅ Cryptographic Security:

• ZK-STARKs enforced for all transactions
• Ed25519 key generation secure
• No weak cryptographic primitives used

✅ Supply Cap Security:

• 124M AXM supply cap enforced at genesis
• Economics module prevents inflation
• Block rewards follow defined schedule

✅ Network Security:

• libp2p with noise protocol encryption
• Peer discovery via bootstrap nodes
• Guardian Sentinel monitors for network attacks

1. Pre-Deployment:

   • Run cargo audit before each release
   • Address any new RUSTSEC advisories immediately
   • Monitor arkworks/ark-relations for ANSI escape patch

2. Regular Audits:

   • Monthly Clippy scan: cargo clippy --all-targets --all-features -- -D warnings
   • Quarterly dependency updates
   • Annual professional security audit (recommended)

3. Best Practices:

   • Keep Rust toolchain updated: rustup update
   • Review security.txt for latest advisories
   • Report issues responsibly via security@axiomprotocol.org

4. Testing:

   • Continue comprehensive test suites (unit, integration, stress)
   • Fuzz testing for consensus logic (recommended future work)
   • Hardware security module support for key management (future enhancement)

We kindly ask reporters to:

• Avoid exploiting vulnerabilities beyond proof-of-concept
• Not disclose issues publicly before a fix
• Provide clear reproduction steps if possible

We appreciate and respect all responsible security researchers.

AXIOM Protocol is a running upcoming crypto project run and test for urself