Vana contracts and core components are audited by independent firms. Responsible disclosure from the security research community is welcome, and every effort is made to acknowledge and address reports promptly.
Trust and risk. Third-party audits do not guarantee the absence of vulnerabilities. If you integrate with or rely on the protocol, conduct your own due diligence and understand the risks.

Security model

Vana uses a defense-in-depth architecture. Three independent layers protect user data — a compromise in one layer does not expose plaintext data:
  1. Chain-level. Grants are recorded on Vana L1 — permission state is tamper-proof and publicly verifiable. No central party can modify access. Only the data owner can create or revoke a grant.
  2. Server-level. Personal Servers independently verify every request: signature validation, grant checking, scope matching, and access logging. Even if a malicious request reaches the server, it is rejected unless it carries a valid signature from a registered builder with an active grant for the requested scope.
  3. Encryption-level. Data is encrypted at rest with user-derived keys (HKDF-SHA256 from wallet signature). Storage backends never see plaintext. Even a compromised storage backend yields only encrypted blobs that cannot be decrypted without the user’s wallet signature.

Smart contract governance

Core contracts (DataPortabilityPermissions, DataPortabilityServers, DataPortabilityGrantees) are upgradeable through governance with timelocks. Major updates are audited before deployment (see the audit table below). Contract source code is verified on the block explorer.

Continuous auditing

The audit program is ongoing — new components and major changes are audited as they ship. The table below reflects completed audits; the program continues as the protocol evolves.

User-controlled revocation

Users can revoke any grant at any time. Revocation takes effect immediately at the Gateway level and is synced to the chain asynchronously. No builder or protocol operator can prevent or delay revocation. See Grants & Permissions for details.

Audit reports

Smart contracts and core protocol components are audited by independent security firms. Completed audit reports are listed below. Major protocol updates and new components are audited as they are released.
Audited component(s)     Auditor      Report
DLPReward & VRC20        Nethermind   View report
Data Access v0           Nethermind   View report
Vana Contracts           Nethermind   View report
veVANA Tokens            Nethermind   View report
DLPRoot Restructure      Nethermind   View report
DLPRootV2                Nethermind   View report
Vana Protocol            Hashlock     View report

Responsible disclosure

If you believe you have found a security vulnerability in Vana contracts or infrastructure, report it privately. Responsible disclosure is appreciated; reports are acknowledged and addressed as promptly as possible.

Email: dev@vana.org

When reporting, please include:
  • Affected component or contract (and version or commit if known)
  • Steps to reproduce, with as much detail as possible
  • Impact and severity, if you have assessed it
  • Any relevant logs or proof-of-concept
Receipt is acknowledged as soon as possible; a more detailed response follows once the issue has been reproduced or triaged. Please do not disclose findings publicly until the issue has been addressed.