Audit name: [dApp] Taoshi | SDK+PTN | Aug2025

Date: Aug 21, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer

Introduction

We express our gratitude to the Taoshi team for the collaborative engagement that enabled the execution of this dApp Security Assessment.

Taoshi builds a decentralized, AI-driven trading network on Bittensor. Their “Proprietary Trading Network (PTN)” coordinates miners (strategy providers) and validators, scoring risk-adjusted performance and distributing rewards; they also run docs and tooling (e.g., PTNCLI) for collateral and registration flows. Public materials emphasize decentralized AI for market analysis and on-chain transparency, with PTN live on Bittensor (

Document

Name: dApp Code Review and Security Analysis Report for Taoshi
Audited By: Stephen Ajayi
Approved By: Stephen Ajayi
Website: https://www.taoshi.io/
Changelog: 11/08/2025 - Preliminary Report
Changelog: 21/08/2025 - Final Report
Platform: Bittensor/TAO
Language: Python
Tags: Code Review, Trading, API
Methodology: https://hackenio.cc/dApp_methodology

Review Scope

SDK Repository: https://github.com/taoshidev/collateral_sdk
SDK initial commit: ca2f400159ca5b7a66da0c7ddb167333fa8846e3
SDK final commit: bf4a560687bfc49ef5af9c61543fa7f2969dd6f5
In scope files: ./src/collateral_sdk/collateral.py, ./src/collateral_sdk/utils.py, ./src/collateral_sdk/errors.py, ./src/collateral_sdk/__init__.py

PTN Repository: https://github.com/taoshidev/proprietary-trading-network
PTN initial scope commit: bd985942359806d7e52c5d86456bf617358005b1
PTN final scope commit: a766fd8a334cefebe26a4d144060327d4396a94c
In scope files: neurons/validator.py, ptn_api/rest_server.py, vali_objects/utils/validator_contract_manager.py

Audit Summary

Total findings: 29
Resolved: 23
Accepted: 5
Mitigated: 1

System users should acknowledge all the risks summarized in the risks section of the report.

Documentation quality

  • Public docs site covers installation, system requirements, and PTNCLI usage (including collateral add/withdraw flows and network targeting).

  • PTN repo README gives a clear, high-level overview, feature list, and links to dashboards/guides; repo includes a docs/folder (e.g., validator state regeneration).

  • Publish a formal API spec for REST endpoints (auth model, signature/nonce format, rate limits, error schema). An OpenAPI doc + examples would reduce client bugs.

Code quality

  • Clear module separation (validator loop vs REST vs contract manager).

  • Extensive logging and operational hooks (Slack alerts, metrics, rate limiting).

  • Sensible concurrency primitives where state is shared (locks around position updates and checkpoint generation).

System Overview

The validator exposes REST endpoints and contract hooks for collateral operations while running a Bittensor validator that ingests trading signals, weights miners, and maintains state. The companion collateral_sdk wraps contract/extrinsic interactions used by validators and tooling.

Inscope repositories files

  • proprietary-trading-network (PTN)

    • neurons/validator.py — main validator process: wallet & metagraph init, axon handlers, request processing, state sync, weighting, API bootstrap.

    • ptn_api/rest_server.py — Flask/Waitress REST server: miner position reads and collateral routes (deposit/withdraw/balance), API-key plumbing, nonce checks, metrics/logging.

    • vali_objects/utils/validator_contract_manager.py — validator-side wrapper that uses the collateral SDK to decode extrinsics and call deposit/withdraw/balance with vault credentials.

  • collateral_sdk

    • src/collateral_sdk/collateral.py

    • src/collateral_sdk/utils.py

    • src/collateral_sdk/errors.py

    • src/collateral_sdk/__init__.py (Python SDK for collateral interactions; repo includes README, tests, and examples.)
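The collateral routes in rest_server.py described above combine nonce checks with request signatures. Two details decide whether those checks actually protect a withdraw route: the signature must be verified before the nonce is consumed, and the nonce must be bound to the identity that the signature proves rather than to a hotkey the client merely claims; the destination coldkey should also be checked against the hotkey's registered owner. The following is an added example written for this page, not Taoshi's code and not Hacken's: it contrasts the flawed ordering with the corrected one. Signing is a stand-in (HMAC per hotkey instead of sr25519), and the hotkeys, coldkeys, secrets and ownership registry are constructed sample values.

```python
import hashlib
import hmac
import json
import threading
from typing import Optional

# Constructed sample key material: hotkey id -> HMAC secret standing in for a keypair.
# (Real PTN requests are signed with the hotkey's sr25519 key; HMAC is used only so the
# example runs offline without extra libraries.)
HOTKEY_SECRETS = {
    "hotkey_miner_A": b"constructed-secret-A",
    "hotkey_miner_B": b"constructed-secret-B",
}
# Constructed stand-in for a metagraph lookup of which coldkey owns each hotkey.
HOTKEY_OWNER = {
    "hotkey_miner_A": "coldkey_A",
    "hotkey_miner_B": "coldkey_B",
}


def canonical_message(body: dict) -> bytes:
    """Deterministic bytes over every request field except the signature itself."""
    fields = {k: v for k, v in body.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(hotkey: str, body: dict) -> str:
    """Client-side stand-in for signing the canonical message with the hotkey."""
    return hmac.new(HOTKEY_SECRETS[hotkey], canonical_message(body), hashlib.sha256).hexdigest()


def verify(hotkey: str, body: dict) -> bool:
    """Server-side check: does the signature match the claimed hotkey's key?"""
    secret = HOTKEY_SECRETS.get(hotkey)
    if secret is None:
        return False
    expected = hmac.new(secret, canonical_message(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(body.get("signature", "")))


class NonceStore:
    """Replay protection keyed by (identity, nonce); consume() is atomic under a lock."""

    def __init__(self) -> None:
        self._seen: set = set()
        self._lock = threading.Lock()

    def consume(self, identity: str, nonce: str) -> bool:
        with self._lock:
            key = (identity, nonce)
            if key in self._seen:
                return False
            self._seen.add(key)
            return True


def withdraw_vulnerable(store: NonceStore, body: dict) -> str:
    """Flawed order: the nonce is consumed for the *claimed* hotkey before the signature
    is checked, so an unauthenticated request can burn another identity's nonce."""
    if not store.consume(body["hotkey"], body["nonce"]):
        return "replay"
    if not verify(body["hotkey"], body):
        return "bad signature"
    return "ok"


def withdraw_hardened(store: NonceStore, body: dict) -> str:
    """Corrected order: authenticate first, bind the nonce to the verified signer, then
    confirm the signer's hotkey is owned by the coldkey named as withdrawal destination."""
    hotkey = str(body.get("hotkey", ""))
    if not verify(hotkey, body):
        return "bad signature"  # nothing consumed: unauthenticated traffic cannot touch nonces
    if not store.consume(hotkey, str(body.get("nonce", ""))):
        return "replay"
    if HOTKEY_OWNER.get(hotkey) != body.get("coldkey"):
        return "coldkey does not own hotkey"
    return "ok"


def make_request(hotkey: str, coldkey: str, nonce: str, amount: int,
                 signer: Optional[str] = None, signed: bool = True) -> dict:
    """Build a withdraw body (constructed shape, not PTN's real schema). `signer` lets a
    caller sign with a different key than the claimed hotkey; signed=False omits the
    signature entirely."""
    body = {"hotkey": hotkey, "coldkey": coldkey, "nonce": nonce, "amount": amount}
    if signed:
        body["signature"] = sign(signer or hotkey, body)
    return body
```

With the vulnerable ordering, an unsigned request naming miner A's hotkey is rejected with "bad signature" but still consumes A's nonce, so A's own correctly signed request with that nonce is then refused as a replay. With the hardened ordering the unsigned request touches no state, A's request succeeds once, a second copy is a replay, and a request whose coldkey does not own the signing hotkey is refused.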

Findings

Code | Title | Status | Severity
F-2025-1211 | Lack of Coldkey–Hotkey Ownership Binding on /collateral/withdraw | fixed | Critical
F-2025-1211 | Nonce Verified Before Signature & Bound to Wrong Identity (Pre-Auth Nonce Consumption) | fixed | High
F-2025-1211 | Incorrect Address Derivation / Ambiguous H160 Mapping | fixed | High
F-2025-1211 | Unvalidated SS58 → H160 Mapping with Implicit Truncation | fixed | Medium
F-2025-1211 | Unvalidated Program Address Could Allow Interaction with Wrong/Malicious Contract | fixed | Medium
F-2025-1210 | Insecure Private Key Handling Pattern | fixed | Medium
F-2025-1210 | No Assertion of call_module/call_function in deposit() Validation | fixed | Medium
F-2025-1205 | Insecure Private Key Handling in Memory | fixed | Medium
F-2025-1204 | Unsynchronized Access to last_order_time_cache | fixed | Medium
F-2025-1204 | Unintended Use of Validator Wallet for Collateral Operations | accepted | Medium

1-10 of 29 findings
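Two of the findings above concern address handling: an H160 derived from an SS58 address that was never fully decoded, so that malformed or wrong-network input is silently truncated into a 20-byte value instead of being rejected. The following is an added example written for this page, not code from the collateral SDK or from Hacken: it decodes an SS58 address with every structural property checked explicitly (base58 alphabet, total length, one-byte network prefix, expected prefix value, blake2b checksum) and only then derives an H160. The mapping rule itself, taking the first 20 bytes of the 32-byte account id, is an assumption used as a placeholder; the page does not state which rule PTN uses. The address used in the test is the well-known Substrate development account "Alice" under the generic prefix 42.

```python
import hashlib
import hmac

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
GENERIC_SUBSTRATE_PREFIX = 42  # generic Substrate prefix, also used for Bittensor addresses
ACCOUNT_ID_LEN = 32
CHECKSUM_LEN = 2


class AddressError(ValueError):
    """Raised for any malformed address; nothing is ever truncated or guessed."""


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise AddressError(f"invalid base58 character {ch!r}")
        n = n * 58 + digit
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a zero byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def _ss58_checksum(payload: bytes) -> bytes:
    """SS58 checksum: first two bytes of blake2b-512 over 'SS58PRE' || prefix || account id."""
    return hashlib.blake2b(b"SS58PRE" + payload, digest_size=64).digest()[:CHECKSUM_LEN]


def ss58_encode(account_id: bytes, prefix: int = GENERIC_SUBSTRATE_PREFIX) -> str:
    if len(account_id) != ACCOUNT_ID_LEN or not 0 <= prefix < 64:
        raise AddressError("encode expects a 32-byte account id and a one-byte prefix")
    payload = bytes([prefix]) + account_id
    return b58encode(payload + _ss58_checksum(payload))


def ss58_decode(address: str, expected_prefix: int = GENERIC_SUBSTRATE_PREFIX) -> bytes:
    """Return the 32-byte account id or raise AddressError. Length, prefix form, network
    prefix and checksum are each checked explicitly before any byte is trusted."""
    raw = b58decode(address)
    if len(raw) != 1 + ACCOUNT_ID_LEN + CHECKSUM_LEN:
        raise AddressError(f"unsupported SS58 length {len(raw)}; expected 1-byte prefix + 32-byte key")
    prefix = raw[0]
    if prefix >= 64:
        raise AddressError("two-byte SS58 prefixes are not supported by this decoder")
    if prefix != expected_prefix:
        raise AddressError(f"SS58 prefix {prefix} does not match expected {expected_prefix}")
    payload, checksum = raw[:-CHECKSUM_LEN], raw[-CHECKSUM_LEN:]
    if not hmac.compare_digest(_ss58_checksum(payload), checksum):
        raise AddressError("SS58 checksum mismatch")
    return raw[1:1 + ACCOUNT_ID_LEN]


def is_valid_ss58(address: str, expected_prefix: int = GENERIC_SUBSTRATE_PREFIX) -> bool:
    """Validation gate suitable for use at an API boundary."""
    try:
        ss58_decode(address, expected_prefix)
        return True
    except AddressError:
        return False


def ss58_to_h160_hex(address: str, prefix: int = GENERIC_SUBSTRATE_PREFIX) -> str:
    """Derive a 20-byte H160 from a *validated* SS58 address.
    ASSUMPTION: using the first 20 bytes of the account id is a placeholder mapping chosen
    for this example; the rule PTN actually applies is not stated in the report.
    The slice happens only after ss58_decode has accepted the input in full."""
    account_id = ss58_decode(address, prefix)
    return "0x" + account_id[:20].hex()
```

The important behaviour is in the failure cases: an address with a 20-byte payload, a wrong network prefix, or a single corrupted character is rejected with an explicit error rather than being quietly sliced into a plausible-looking H160.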

Appendix 1. Severity Definitions

Severity

Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of the potential security breach.

Medium
These issues present a moderate risk to the system and do not have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to the code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following endpoints from the provided repository:

Scope Details

SDK Repository: https://github.com/taoshidev/collateral_sdk
SDK initial commit: ca2f400159ca5b7a66da0c7ddb167333fa8846e3
SDK final commit: bf4a560687bfc49ef5af9c61543fa7f2969dd6f5
In scope files: ./src/collateral_sdk/collateral.py, ./src/collateral_sdk/utils.py, ./src/collateral_sdk/errors.py, ./src/collateral_sdk/__init__.py

PTN Repository: https://github.com/taoshidev/proprietary-trading-network
PTN initial scope commit: bd985942359806d7e52c5d86456bf617358005b1
PTN final scope commit: a766fd8a334cefebe26a4d144060327d4396a94c
In scope files: neurons/validator.py, ptn_api/rest_server.py, vali_objects/utils/validator_contract_manager.py

Assets in Scope

collateral_sdk repository:
  • ./src/collateral_sdk/__init__.py
  • ./src/collateral_sdk/collateral.py
  • ./src/collateral_sdk/errors.py
  • ./src/collateral_sdk/utils.py

proprietary-trading-network (PTN) repository:
  • neurons/validator.py
  • ptn_api/rest_server.py
  • vali_objects/utils/validator_contract_manager.py

Disclaimer