Audits

Axal has partnered with Sherlock, a web3 auditing and security firm, to help ensure the safety of users funds through rigorous and repeatable reviews. You can see more here: https://x.com/sherlockdefi/status/1952761539980624099

We conducted a white box audit of our Trusted Execution Environment based signer and a black box audit of our production servers. You can read more about the distinction between white box and black box methodologies here.

How a web3 audit works at Axal

Web3 systems span on chain code, off chain services, and the seams between them. Our audits therefore combine multiple lenses into a single narrative assessment:

• Design review and threat modeling to map assets, trust boundaries, and failure modes across smart contracts, TEEs, services, and wallets.
• Deep source review of critical components with static analysis, invariant and property checks, and targeted fuzzing where applicable.
• Environment hardening review, including identity and access management, build pipelines, artifact signing, logging, and secrets handling.
• Behavioral testing of the full system using pre production configurations and on chain simulations to exercise edge cases, pause paths, and kill switches.
• Remediation, retesting, and documentation to verify issues are fixed and controls are durable.

Audit results

Axal’s audit report can be found here. All identified issues have been addressed. We have open sourced our signer and welcome community review and bug reports.

Continuous assurance

Security does not end with a single audit. We pair audits with hardening work, continuous monitoring, and a live bug bounty so researchers can report emergent issues quickly.

Bug Bounties

Help secure Axal by participating in our live bug bounty, hosted by Sherlock, with rewards up to 25,000 USDC for verified issues. Review scope and submit reports on the bounty page here.