XCMv2 Audit Completed by Quarkslab

XCMv2 has now been audited for a second time to discover any potential cross-chain security or fairness issues, including logical bugs, denial-of-service, and incorrect lock/unlock or burn/mint on both chains

By PolkadotApril 8, 2022

XCM (Cross-Consensus Messaging format) provides a fundamental utility for the Polkadot technology stack. It enables seamless communication between blockchains as well as pallets (Substrate runtime modules) and smart contracts (including over bridges and sharded enclaves like Polkadot’s SPREE), fulfilling Polkadot’s foundational objective to be a fully-functioning, interoperable multichain ecosystem. Crucially, XCM is consensus agnostic, meaning it can be used to communicate between blockchains with differing consensus systems, and conceivably even between disparate ecosystems such as Polkadot and Ethereum.

Having a common messaging format broadens the scope of projects in the Polkadot and Substrate ecosystem, allowing cross-chain communication, a defining functionality for connecting chains and dapps not necessarily working under the same technology or consensus rules, providing a solid foundation for the future of Web3.

For background on XCM, see the recent series of blogs (Part I, Part II, Part III) by Polkadot founder Dr. Gavin Wood examining the importance and functionality of the format.

Auditing XCMv2

XCMv2, deployed first on Kusama, Polkadot’s canary network, has now been audited for a second time and is ready for production release. Because of the scope of cross-consensus messaging for the Polkadot network, it is crucial that every iteration of XCM undergoes independent review from external security organizations.

Quarkslab has completed a comprehensive second audit (a previous audit was already completed by another security firm) of XCMv2, an overview of which can be found here. The goal of this audit was to discover any potential cross-chain security or fairness issues, including logical bugs, denial-of-service, and incorrect lock/unlock or burn/mint on both chains.

The findings

Two security engineers from Quarkslab carried out the audit over a span of 50 man-days. They did not uncover any important security issues within XCMv2. Additionally, the scope of the audit included an examination of the underlying security of multiple XCM components. This makes the audit report useful for anyone interested in exploring the inner workings of XCM.

A full audit report can be found here.

Keep up to date with the latest XCM developments

Following the full audit, XCMv2 is ready for production release, and XCMv3 is currently in the final stages of development. For information on using XCM, watch the workshop from Parity’s Shawn Tabrizi. For updates, follow the xcm-format repository on GitHub, and follow Polkadot on Twitter and sign up for the newsletter.

Interested in building on Polkadot or Kusama? Get in touch!

From the blog

Empowering the next wave of founders: Welcome to EasyA x Polkadot University

Unlock a structured path to start building on Polkadot with EasyA x Polkadot University.

Dynamic & Modular: Scaling Ambition with Agile Coretime

Polkadot’s Agile Coretime simplifies launching and scaling blockchain projects with dynamic blockspace allocation and flexible cost options. Learn how Agile Coretime makes it easier to build, launch, and scale ambitious Web3 projects.

How play-to-earn (P2E) is transforming onchain mobile sports gaming

Play-to-earn games are transforming mobile sports gaming. Learn how blockchain, NFTs, and platforms like Polkadot create new opportunities for digital asset ownership and cross-chain gameplay.

Polkadot Token 2049 and Decoded Asia 2024: A multichain ecosystem in action

At Token 2049 and Decoded Asia 2024 in Singapore, Polkadot teams and contributors showcased a multichain future for real-world applications. Key moments included Dr. Gavin Wood’s vision for digital individuality, Chrissy Hill’s regulatory insights, and announcements from emerging projects shaping the Web3 ecosystem.

What is a crypto wallet? Your all-access pass to the future web

In Web3, your wallet is your most valuable digital tool. It’s more than just a place to store, send, and receive cryptocurrencies securely—it’s your passport to the decentralized world.

July 2024: Key network metrics and insights

Welcome to your go-to source for the latest tech updates, key metrics, and discussions within Polkadot, brought to you by the Parity Success Team. This blog series covers a variety of topics, drawing insights from GitHub, project teams, and the Polkadot Forum.

Polkadot 2.0: The rebirth of a network

Polkadot 2.0 reimagines blockchain with a bold rebrand and powerful features: Agile Coretime, Async Backing, and Elastic Scaling. Step into a more flexible, faster, and scalable network. Learn about the improvements and changes that led to this next era of Polkadot.

Meet the Decentralized Futures grant recipients: transforming ideas into impact on Polkadot

The Decentralized Mic is here to spotlight the innovative projects and teams driving Polkadot’s growth. Join us as we explore the achievements of Decentralized Futures grant recipients and their contributions to the Polkadot ecosystem on the new ecosystem community call series.

The ultimate 2024 Polkadot grants and funding guide

Explore Polkadot ecosystem funding: grants, venture capital, bounties, and community initiatives. Discover opportunities for blockchain builders today.

Decoded 2024: Polkadot’s vision for a decentralized future

Polkadot Decoded 2024 in Brussels brought together top blockchain minds to explore the future of Web3. Highlights included Björn Wagner's insights on payments and Dr. Gavin Wood's vision for digital individuality. Showcasing technical breakthroughs and real-world use cases, Polkadot affirmed its leadership in the multi-chain future.

June 2024: Key network metrics and insights

Welcome to your go-to source for the latest tech updates, key metrics, and discussions within Polkadot, brought to you by the Parity Success Team. This blog series covers a variety of topics, drawing insights from GitHub, project teams, and the Polkadot Forum.

Introducing the New Polkadot Ledger App

Discover the new Polkadot Ledger app for seamless, secure transactions. Now available on Ledger Live, it supports Polkadot, Kusama, and more.