
XCMv2 Audit Completed by Quarkslab

XCMv2 has now been audited for a second time to discover any potential cross-chain security or fairness issues, including logical bugs, denial-of-service, and incorrect lock/unlock or burn/mint on both chains.

By Polkadot, April 8, 2022

XCM (Cross-Consensus Messaging format) provides a fundamental utility for the Polkadot technology stack. It enables seamless communication between blockchains as well as pallets (Substrate runtime modules) and smart contracts (including over bridges and sharded enclaves like Polkadot’s SPREE), fulfilling Polkadot’s foundational objective to be a fully-functioning, interoperable multichain ecosystem. Crucially, XCM is consensus agnostic, meaning it can be used to communicate between blockchains with differing consensus systems, and conceivably even between disparate ecosystems such as Polkadot and Ethereum.

A common messaging format broadens the scope of projects in the Polkadot and Substrate ecosystem. It allows cross-chain communication, a defining functionality for connecting chains and dapps that do not necessarily work under the same technology or consensus rules, and provides a solid foundation for the future of Web3.

For background on XCM, see the recent series of blogs (Part I, Part II, Part III) by Polkadot founder Dr. Gavin Wood examining the importance and functionality of the format.

Auditing XCMv2

XCMv2, deployed first on Kusama, Polkadot’s canary network, has now been audited for a second time and is ready for production release. Because of the scope of cross-consensus messaging for the Polkadot network, it is crucial that every iteration of XCM undergoes independent review from external security organizations.

Quarkslab has completed a comprehensive second audit of XCMv2 (a previous audit was already completed by another security firm), an overview of which can be found here. The goal of this audit was to discover any potential cross-chain security or fairness issues, including logical bugs, denial-of-service, and incorrect lock/unlock or burn/mint on both chains.

The findings

Two security engineers from Quarkslab carried out the audit over a span of 50 man-days. They did not uncover any important security issues within XCMv2. Additionally, the scope of the audit included an examination of the underlying security of multiple XCM components. This makes the audit report useful for anyone interested in exploring the inner workings of XCM.

A full audit report can be found here.

Keep up to date with the latest XCM developments

Following the full audit, XCMv2 is ready for production release, and XCMv3 is currently in the final stages of development. For information on using XCM, watch the workshop from Parity’s Shawn Tabrizi. For updates, follow the xcm-format repository on GitHub, follow Polkadot on Twitter, and sign up for the newsletter.

Interested in building on Polkadot or Kusama? Get in touch!
