
Understanding NafuSec

Learn how NafuSec scans Soroban smart contracts, how our risk analysis works, and what our findings mean for your security decisions.

Overview

NafuSec is an automated security scanner for Soroban smart contracts on the Stellar blockchain. We combine static code analysis, WASM bytecode inspection, and on-chain heuristics to identify potential vulnerabilities and security risks in deployed contracts.

Every scan produces a risk score from 0 to 100 (with letter grades A–F), detailed findings with severity levels, and actionable remediation guidance. Our analysis is designed to complement—not replace—professional security scans and audits.

Our Mission

NafuSec exists to help secure the Stellar network. We believe that accessible, transparent security tooling is essential for the growth and trust of the Soroban ecosystem. By making automated contract scanning available to developers and token holders, we aim to raise the baseline security awareness and reduce the risk of preventable vulnerabilities.

We charge a nominal fee of 10,000 NAFU per scan (currently valued at a few cents in USD)—not to profit, but to align incentives with the Nafuloo ecosystem. Every scan paid in NAFU increases visibility and trading volume for Nafuloo, creating a sustainable model where security and community growth reinforce each other. We believe this approach is fairer than traditional closed-source security services that gatekeep security analysis behind expensive paywalls.

Our commitment is to continuous improvement: as the Soroban ecosystem evolves, so will our scanner. We regularly update our ruleset based on emerging vulnerabilities, community feedback, and Stellar best practices.

How It Works

When you submit a contract ID for scanning, NafuSec performs the following steps:

1. On-Chain Verification

We query the Stellar RPC to verify the contract exists and fetch its WASM bytecode hash. This ensures we are analyzing the actual deployed code, not GitHub source or outdated versions.

2. WASM Bytecode Retrieval

We fetch the full WASM bytecode from the Stellar ledger and verify its SHA-256 hash against the on-chain hash. We then extract the contract specification, function signatures, and imports/exports.

3. Static Code Analysis

We run 20+ security rules against the WASM bytecode, checking for common vulnerabilities such as missing require_auth, upgradeability risks, mint/burn control issues, and storage safety concerns.

4. On-Chain Activity Analysis

We analyze recent transaction history, deployer account age, invocation patterns, and event data from Stellar Horizon and Soroban RPC to assess real-world usage and risk patterns.

5. Multi-Dimensional Risk Scoring

We compute separate risk scores for code quality, activity patterns, impact potential, and exploitability. These are combined into a composite score (0–100) with a letter grade (A–F).

6. Report Generation

We generate a detailed report with findings, severity levels, code evidence, on-chain metrics, and remediation guidance. An LLM-assisted summary provides plain-language context for non-technical readers.
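As an added illustration of steps 2 and 3, not NafuSec's own code, the Python below checks a fetched WASM blob against an expected on-chain SHA-256 hash, walks the module's export section to list its exported functions, and matches those names against the functions the Methodology section's token-control and upgradeability rules look for. The WASM bytes are a constructed minimal module rather than a Soroban contract, and matching on export names is an assumed simplification of what a rule engine does.

```python
import hashlib
# Constructed minimal WASM v1 module exporting "mint" and "transfer"; not a real Soroban contract.
SAMPLE_WASM = bytes.fromhex(
    "0061736d01000000"                            # magic + version 1
    "010401600000" "0303020000"                   # type section: () -> (); function section: 2 funcs
    "071302046d696e740000087472616e736665720001"  # export section: mint = func 0, transfer = func 1
    "0a070202000b02000b"                          # code section: two empty bodies
)
# Names the Methodology rules look for (token control, upgradeability); name matching is an assumed simplification.
PRIVILEGED_NAMES = {"mint", "burn", "freeze", "clawback", "upgrade"}

def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def exported_functions(buf):
    """Names of function exports (section id 7, export kind 0); walks every section after the header."""
    if buf[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a WASM v1 module")
    names, pos = [], 8
    while pos < len(buf):
        sec_id = buf[pos]
        size, start = read_uleb128(buf, pos + 1)   # section payload size, payload start
        pos = start + size                          # advance to the next section header
        if sec_id != 7:
            continue
        count, p = read_uleb128(buf, start)
        for _ in range(count):
            name_len, p = read_uleb128(buf, p)
            name, kind = buf[p:p + name_len].decode(), buf[p + name_len]
            _func_index, p = read_uleb128(buf, p + name_len + 1)
            if kind == 0:
                names.append(name)
    return names

def sha256_hex(buf):
    return hashlib.sha256(buf).hexdigest()

def verify_wasm_hash(buf, expected_hex):  # step 2: fetched bytes must match the on-chain hash
    return sha256_hex(buf) == expected_hex.lower()

def privileged_exports(buf):  # step 3 input: exported names that match the privileged set
    return sorted(set(exported_functions(buf)) & PRIVILEGED_NAMES)
```

The parser reads only the standard export section; it does not extract the contract specification that step 2 mentions.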

Methodology

Static Code Analysis

Our static analysis engine examines the WASM bytecode for patterns associated with common vulnerabilities:

  • Authorization checks: Detection of missing require_auth on privileged functions
  • Upgradeability risks: Identification of upgrade functions and upgrade history
  • Token control: Detection of mint, burn, freeze, and clawback functions
  • Storage safety: Analysis of storage TTL and state persistence patterns
  • Cross-contract risks: Detection of external contract calls and dependencies
  • Arithmetic safety: Identification of overflow/underflow patterns and precision issues
  • Error handling: Detection of panic patterns and unwrap() calls

On-Chain Heuristics

Beyond code analysis, we examine real-world contract behavior:

  • Deployer trust: Analysis of deployer account age and history
  • Usage maturity: Invocation count, unique callers, and failure rates
  • Admin centralization: Detection of single-key admin control
  • Activity patterns: Recent transaction history and event logs

Data Freshness & Limitations

All on-chain data is sourced from Stellar Horizon (transaction history) and Soroban RPC (recent events). Soroban RPC retains approximately 7 days of event history. We do not have access to historical ingestion or long-term indexers, so our activity claims are qualified as "recent-window" data only. This is noted in every report.

Risk Scoring

Our risk score is a composite of four independent dimensions, each contributing to the final grade:

Code Risk (40% weight)

Measures the severity and count of code-level vulnerabilities detected in the WASM bytecode. Critical findings have higher impact than low-severity issues.

Activity Risk (20% weight)

Evaluates deployer trust, usage maturity, and real-world activity patterns. A contract with no invocations or a very new deployer carries higher activity risk.

Impact (20% weight)

Assesses what the contract can do—does it have mint/burn functions, upgrade capabilities, or clawback logic? Higher capability = higher potential impact.

Exploitability (20% weight)

Measures how easy it would be to exploit detected vulnerabilities. Missing auth on state-changing functions with no admin control = high exploitability.

Data Confidence: Each report includes a confidence level (High, Medium, Low) based on whether the WASM was successfully fetched and verified, whether the contract spec was extracted, and the quality of on-chain activity data available.

Grade Scale

Grade   Score    Risk level
A       90–100   Minimal risk
B       75–89    Low risk
C       60–74    Moderate risk
D       45–59    High risk
F       0–44     Critical risk
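As an added worked example of the composite score and grade bands above, not NafuSec's own scoring code: it applies the stated dimension weights, rounds to the integer bands of the grade table, and reports which dimension costs the most points. It assumes each dimension arrives as a 0–100 score where higher means safer; the page states the weights but not the per-dimension formulas, so those are not reproduced.

```python
# Dimension weights as stated in the Risk Scoring section (percent).
WEIGHTS = {"code": 40, "activity": 20, "impact": 20, "exploitability": 20}
# Grade bands from the Grade Scale table: (inclusive lower bound, letter).
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (45, "D"), (0, "F")]

def composite_score(dims):
    """Weighted composite of the four dimension scores, rounded to an integer 0-100.

    Assumption: each dimension is a 0-100 score on the same scale as the composite,
    higher meaning safer. The page gives the weights, not the per-dimension formulas.
    """
    missing = set(WEIGHTS) - set(dims)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    for name in WEIGHTS:
        if not 0 <= dims[name] <= 100:
            raise ValueError(f"{name} score out of range: {dims[name]}")
    total = sum(WEIGHTS[name] * dims[name] for name in WEIGHTS)  # 0..10000, exact integers
    # The grade table uses integer bands, so round half-up before grading (assumption).
    return (total + 50) // 100

def grade_for(score):
    """Map an integer composite score to the letter of the band it falls in."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for lower, letter in GRADE_BANDS:
        if score >= lower:
            return letter
    raise AssertionError("unreachable: bands cover 0-100")

def weakest_dimension(dims):
    """Dimension whose weighted deduction from a perfect 100 is largest."""
    return max(WEIGHTS, key=lambda name: WEIGHTS[name] * (100 - dims[name]))

def risk_summary(dims):
    """Score, grade and the largest weighted deduction for one set of dimension scores."""
    score = composite_score(dims)
    return {"score": score, "grade": grade_for(score), "weakest": weakest_dimension(dims)}

# Constructed example: code 70, activity 90, impact 60, exploitability 80
# -> 0.4*70 + 0.2*90 + 0.2*60 + 0.2*80 = 74 -> "C". Raising code to 72 gives 74.8 -> 75 -> "B",
# which is why the rounding rule at the band edge has to be stated explicitly.
EXAMPLE_DIMS = {"code": 70, "activity": 90, "impact": 60, "exploitability": 80}
```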

Limitations & Transparency

NafuSec is a powerful tool, but it has important limitations. Understanding these limitations is critical for making informed decisions:

Automated Analysis Only

NafuSec uses pattern matching and heuristics. It cannot understand intent, business logic, or complex control flows the way a human security analyst can. False positives and false negatives are possible.

Limited Historical Data

On-chain activity data comes from Soroban RPC (7-day window) and Horizon (recent operations). We do not have access to historical indexers or long-term activity archives. Activity claims should not be interpreted as all-time statistics.

No Access to Private Code

We analyze only the deployed WASM bytecode. If a contract has been upgraded or if the source code differs from the deployed bytecode, our analysis reflects the deployed version only.

Evolving Ruleset

Our security rules are continuously updated as new vulnerabilities emerge. A contract that scored well in the past may score differently if new rules are added. We do not retroactively rescan all contracts.

No Guarantee of Accuracy

While we strive for accuracy, NafuSec may miss vulnerabilities or produce false positives. Our findings should be treated as one input in a broader security assessment, not as a definitive verdict.

Legal Disclaimers

NOT A PROFESSIONAL AUDIT

The results of scans and risk analysis conducted on this site do not constitute an official security audit, professional security review, or legal opinion. NafuSec is an automated tool designed for informational purposes only. The findings, scores, and recommendations provided are generated by algorithms and should not be relied upon as a substitute for a comprehensive professional security audit conducted by qualified security professionals.

CONSULT QUALIFIED PROFESSIONALS

Before deploying, investing in, or relying on any smart contract, you should consult with qualified security professionals, legal counsel, and financial advisors. NafuSec findings should be used as one input in a broader due diligence process, not as the sole basis for decision-making. The responsibility for security assessment and risk management rests entirely with you.

NO WARRANTIES

NafuSec is provided "as is" without any warranties, express or implied. We do not warrant that the service will be uninterrupted, error-free, or that all vulnerabilities will be detected. We make no representations about the accuracy, completeness, or reliability of the findings. Use of NafuSec is at your own risk.

LIMITATION OF LIABILITY

To the fullest extent permitted by law, NafuSec and its operators shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising from your use of this service, including but not limited to: loss of funds, loss of data, business interruption, reputational harm, or any other damages, even if advised of the possibility of such damages. This limitation applies regardless of whether such damages arise from contract, tort, strict liability, or any other legal theory.

NO INVESTMENT ADVICE

NafuSec does not provide investment advice, financial advice, or recommendations to buy, sell, or hold any token or contract. Scan results should not be interpreted as investment recommendations. All investment decisions are your responsibility. Consult with a qualified financial advisor before making any investment decisions.

THIRD-PARTY DATA

NafuSec relies on data from Stellar Horizon, Soroban RPC, and other third-party sources. We do not control these sources and cannot guarantee their accuracy or availability. Any errors or delays in third-party data may affect our analysis.

INDEMNIFICATION

You agree to indemnify and hold harmless NafuSec, its operators, and contributors from any claims, damages, losses, or expenses (including legal fees) arising from your use of this service or reliance on its findings.

CHANGES TO SERVICE

NafuSec reserves the right to modify, suspend, or discontinue the service at any time without notice. We may update our rules, change our methodology, or alter our findings without retroactively updating previous reports.

Frequently Asked Questions

What does a high score mean?

A high score (A or B grade) indicates that our automated analysis found fewer code-level vulnerabilities and positive on-chain activity patterns. However, a high score does not guarantee the contract is safe. Professional audits may still uncover issues our scanner missed.

What does a low score mean?

A low score (D or F grade) indicates that our analysis detected significant code-level vulnerabilities or concerning on-chain patterns. This does not mean the contract is definitely exploitable—it means you should investigate further and consider professional review before interacting with it.

Can I trust NafuSec's findings?

NafuSec is a useful tool for rapid security assessment, but it should not be your only source of truth. Combine NafuSec findings with professional audits, community feedback, and your own due diligence. We are transparent about our limitations and encourage healthy skepticism.

Why do you charge NAFU?

We charge a nominal 10,000 NAFU per scan (currently valued at a few cents in USD) to align incentives with the Nafuloo ecosystem. This is not about profit—it’s about creating a sustainable model where security tooling and community growth reinforce each other. Every scan paid in NAFU increases Nafuloo's visibility and trading volume, benefiting all NAFU holders.

How often are your rules updated?

We continuously monitor the Soroban ecosystem and update our ruleset as new vulnerabilities emerge and best practices evolve. Updates are deployed automatically. We do not retroactively rescan all contracts, so older reports may not reflect the latest rules.

Can I request a custom audit?

NafuSec is an automated service only. For professional custom audits, please reach out to established security firms in the Stellar ecosystem. We recommend consulting with multiple auditors for critical contracts.

What data do you store?

We store scan results (findings, scores, reports) associated with your wallet address. We do not store personal information beyond what is necessary to process your scan. Scan results are retained for historical reference and record-keeping. See our privacy policy for details.

Ready to Scan Your Contract?

Start with NafuSec and combine our findings with professional audits for comprehensive security assessment.