QAN Virtual Machine (QVM) Audit
QANplatform received QVM audit
QANplatform’s Core Innovation, the QVM Passed Security Audit
We are thrilled to announce a significant milestone in the journey to a robust and secure QAN MainNet: the QAN Virtual Machine (QVM) has successfully completed a comprehensive security audit conducted by leading blockchain security firm, Hacken.
This audit marks the first milestone in our comprehensive QAN MainNet audit pipeline, and arguably the most challenging due to the QVM’s complexity. Beyond quantum-resistant security, the QVM is central to what makes QANplatform unique, empowering developers to code smart contracts in any programming language.
Why is the QVM Audit so Important?
QANplatform is uniting the worlds of traditional software development and blockchain, empowering anyone to build rapidly and securely. The QVM is driving this democratization of Web3, potentially bringing over 28 million new developers into the space by removing the programming language barriers of existing blockchain platforms. But what is the QVM?
Understanding the QVM: Running Linux on the Blockchain
The QVM (QAN Virtual Machine) is the world’s first blockchain Virtual Machine capable of executing statically linked ELF Linux binaries in a deterministic way, allowing them to be used for smart contracts. Here’s a closer look at what that means.
But first, what is a Virtual Machine (VM)? Think of a VM as a software-based emulation of a computer system. It allows you to run software designed for one environment in a different environment. In the blockchain world, VMs are essential for executing smart contracts — the self-executing agreements that power decentralized applications. Ethereum’s EVM (Ethereum Virtual Machine) is the most well-known example. It is also worth knowing that QANplatform is EVM-compatible, allowing any smart contract currently running on Ethereum to be seamlessly migrated to the QAN MainNet without requiring code changes.
However, the QVM isn’t just another VM. It is fundamentally different. Most blockchain VMs require smart contracts to be written in a specific, often complex, or very limited set of programming languages. The QVM, on the other hand, allows developers to bring their existing coding knowledge directly onto the blockchain. This opens up a world of possibilities for developers and significantly reduces the learning curve for adopting blockchain technology.
The Key to Trust: Determinism
A crucial aspect of any blockchain VM is determinism. Determinism in a blockchain environment means that given the same input and starting state, the VM will always produce the same output. This is essential for consensus. If different nodes on the network produce different results when executing a smart contract, it breaks the chain.
But why would they produce different results in the first place? Determinism seems straightforward for simple operations, but it can quickly become complicated, as the following example shows:
Imagine a charity smart contract that deducts 10 USD from the donor and adds it to the charity’s balance. This is a simple rule to follow, and all nodes will obviously end up with the same balances for both the donor’s and the charity’s accounts.
Things get complicated when the charity smart contract is modified with a luck factor and now has to deduct 10 USD plus a random amount determined by rolling a die. How can we guarantee that this virtual die roll ends up with the same result on every node, without the nodes constantly communicating with each other about every execution step?
This is a hard problem to solve, so most blockchains resort to severely limiting the available operations to a very narrow, controllable subset in order to ensure determinism. Sadly, this also severely limits the freedom of developers, who are used to a great deal of freedom throughout their careers.
QVM removes this barrier and lets developers code freely as they are used to, in any programming language. Our modified Linux-based execution environment takes care of determinism without requiring developers to learn new programming languages or other primitives.
QVM achieves this determinism even when running complex Linux binaries, a significant technical feat. Hacken’s audit rigorously tested this determinism, ensuring the QVM consistently delivers predictable results.
Hacken’s Deep Dive: A Thorough Examination
Auditing the QVM was no small task. It’s arguably the most complex component of the entire QANplatform ecosystem, therefore it was performed by Hacken, an ISO-certified end-to-end blockchain security & compliance partner for digital assets.
Unlike traditional providers, Hacken was born on blockchain, combining deep Web3 expertise with enterprise-grade quality, AI-powered offensive security, and globally recognized certifications. Since 2017, Hacken has been trusted by 1,500 adopters, including the European Commission, ADGM, MetaMask, Ethereum Foundation, and Binance to secure the new digital frontier.
Hacken’s team meticulously examined the QVM’s architecture, code, and execution logic, looking for vulnerabilities and potential attack vectors. The team even developed an AI-powered threat modeling tool specifically for the QVM. During the QVM audit, the AI tool helped draft plausible attack scenarios and evaluated over 2,800 test cases, uncovering 22 potential issues. A manual audit of this scale could take years and might still miss critical edge cases.
Note: at this scope, the QVM module was audited as a standalone module rather than operating inside a blockchain environment. This is a stricter testing scenario, since the blockchain logic itself would protect against many kinds of non-determinism. The 22 findings should not cause practical harm in a blockchain environment, where the expected transaction output hash is included in the input of the transaction that initiates the QVM call. While the above findings would indeed cause non-determinism, affected transactions should burn all their gas and finally simply be discarded because their output hash does not match the one defined in the input of the initiating transaction. All of the reported issues were fixed by the QANplatform team.
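To make the dice-roll problem and the output-hash safeguard in the note above concrete, here is an added Python sketch (not QVM or QANplatform code): a roll taken from host entropy can differ from node to node, a roll derived only from agreed-upon transaction and block data cannot, and a transaction whose result does not match its committed output hash is discarded with its gas burned. The toy contract, balances, BLOCK_SEED and the canonical-JSON hashing scheme are constructed assumptions, not QVM’s actual format.

```python
import hashlib
import json
import os

# Constructed sample data: the article's toy charity contract, 10 USD plus a dice roll.
GENESIS = {"donor": 100, "charity": 0}
TX = {"donor": "donor", "charity": "charity", "data": b"donate"}
BLOCK_SEED = b"constructed-block-seed"  # assumption: a per-block value all nodes agree on

def state_hash(state):
    """Canonical JSON (sorted keys) so equal states always hash to the same value."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()

def charity_contract(state, tx, dice_roll):
    """Deduct 10 USD plus the dice roll from the donor and credit the charity."""
    amount = 10 + dice_roll
    if state[tx["donor"]] < amount:
        raise ValueError("insufficient balance")
    new_state = dict(state)
    new_state[tx["donor"]] -= amount
    new_state[tx["charity"]] = new_state.get(tx["charity"], 0) + amount
    return new_state

def host_dice():
    """Non-deterministic: host entropy, so every node may roll a different value."""
    return os.urandom(1)[0] % 6 + 1

def seeded_dice(tx, block_seed):
    """Deterministic: derived only from data every node already holds."""
    return hashlib.sha256(block_seed + tx["data"]).digest()[0] % 6 + 1

def execute(state, tx, expected_output_hash, dice_roll, gas):
    """Safeguard from the audit note: the transaction carries the expected output
    hash; on mismatch all gas is burned and the state change is discarded."""
    new_state = charity_contract(state, tx, dice_roll)
    if state_hash(new_state) != expected_output_hash:
        return state, 0, "discarded"  # gas burned, state untouched
    return new_state, gas, "applied"

def committed_hash(state, tx, block_seed):
    """What the submitter commits to: the output hash of a deterministic run."""
    return state_hash(charity_contract(state, tx, seeded_dice(tx, block_seed)))
```

Running `execute` with a roll that differs from the committed one returns the original state, zero gas and "discarded"; the deterministic roll reproduces the committed hash on every node.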
The AI tool — which was open-sourced by Hacken and QANplatform to help the Web3 developer community — provides automated tests to aid security-conscious development, ultimately helping build more secure and reliable Web3 applications. This AI tool arrives in an era where established cybersecurity players like Cloudflare are leveraging AI to generate security libraries, such as the OAuth 2.1 provider framework for authentication.
Dyma Budorin, Co-Founder and CEO of Hacken said:
“Hacken’s custom-built AI agent was tailored specifically for QAN and delivered outstanding results. Our deep expertise in AI-driven offensive security allowed us to accelerate the audit while increasing its depth. This isn’t a replacement for traditional audits but a powerful upgrade. We welcome QAN’s decision to make it open source, as it gives the Web3 community a real-world example of how new technology can enhance security.”
Bartosz Barwikowski, Lead Auditor at Hacken added:
“It was exciting and refreshing to audit such a revolutionary technology as QANplatform’s QVM, an X86_64-based deterministic runtime and work on an AI tool which could successfully broaden the audit angles of such a complex technology.”
What This Means for QANplatform and Our Community
The successful completion of the QVM audit is a huge vote of confidence in the technology powering QANplatform. It signifies:
• Increased Security: The QVM is a robust and secure environment for running smart contracts.
• Faster Development: Developers can leverage their existing coding knowledge accelerating blockchain adoption.
• Greater Flexibility: The QVM unlocks possibilities for more complex and powerful smart contracts.
• Smooth Path to MainNet: We’re one step closer to the full launch of the QAN MainNet and confident to move towards auditing QAN XLINK — the quantum-resistant security layer of QANplatform.
We’re incredibly proud of QVM, the world’s first audited smart contract runtime where developers can build in any programming language on the blockchain. This is a real enabler of mass adoption the whole blockchain community has been anticipating for many years. We are grateful to Hacken for their thorough audit. You can read the full audit report here.