RedStone

We express our gratitude to the RedStone team for the collaborative engagement that enabled the execution of this Security Assessment.

RedStone is a decentralized oracle protocol that aggregates on-chain and off-chain data (such as asset price feeds) and delivers it on-chain with cryptographic proofs to ensure data integrity and authenticity to provide reliable, low-latency data for smart contracts and decentralized applications.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional Requirements are available in the README and doc comments, detailing how to parse, validate, and aggregate data packages.

• Technical Description is partially embedded in Rust doc comments (//! lines at file heads).

• Code Comments describe core structures and logic.

Code quality

• The development environment is properly configured with Rust’s standard toolchain and optional features.

• The architecture is modular and follows good Rust design (split into coherent modules like core, types, protocol, etc.). Utility crates are separated from core logic.

• The code uses safe Rust patterns, with minimal unsafe usage.

• Each module has fairly robust test coverage.

Test coverage

Code coverage of the project is 100%. The project is a perfect example of how projects should be tested.

• The code base includes extensive unit tests in multiple modules (especially aggregator, config, processor, validator).

• The tests work correctly even for different target architectures (eg. wasm32-unkown-unkown).

RedStone Rust SDK is a library providing:

• Data Package structures and decoders (e.g., DataPackage, DataPoint, Payload), enabling applications to parse cryptographically signed price feed data.

• Configurable Aggregation for feed IDs, allowing customization of threshold-based signer validation and feed filtering.

• Modular Cryptography with multiple backends (e.g., k256 for ECDSA on Solana, or pure Rust-based secp256k1 crates).

• Environment Abstractions for logging and environment-specific implementations (e.g., StdEnv, CasperEnv, SolanaEnv).

• Utilities such as median calculation, slice filtering, and signature recovery.

This SDK is designed for flexible integration across different blockchain environments, ensuring that off-chain aggregated data can be securely transmitted on-chain with authenticity checks.

Privileged roles

This library itself does not define on-chain privileged roles. Instead, the Config structure can be set up by the integrating contract or environment to specify which signers are recognized and how many are required. Any “privileged” concept typically lives in the environment that uses this SDK (e.g., a contract’s admin can mutate the config). The library strictly enforces the signers and thresholds provided in the Config.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope