
Validating Privacy in Web3: MPC and gcEVM Audits for COTI

By Hacken

COTI and partner, Soda Labs, two prominent builders of privacy-preserving blockchain infrastructure, engaged Hacken to review the foundations of their Web3 stack.

What followed were two blockchain protocol audits—covering both the MPC protocol and the gcEVM execution layer—that identified and remediated over 20 issues in total. The reviews confirmed the security of the cryptographic backend and validated execution-layer modifications, marking an important step forward for on-chain privacy.


Setting the Stage

COTI is advancing a privacy-focused Layer 2 solution for Ethereum that enables computation on encrypted data through an on-chain implementation of garbled circuits, pioneered by Soda Labs. This approach allows multiple parties to jointly compute over private inputs without exposing intermediate values—addressing confidentiality while maintaining usability. Unlike traditional zero-knowledge systems, garbled circuits support multi-party data sources and lower client-side overhead, making them suitable for broader applications in decentralized finance.

Soda Labs specializes in building privacy-preserving infrastructure for Web3, combining MPC, zero-knowledge proofs, and other privacy-enhancing technologies. Their first major product, gcEVM, integrates garbled circuits directly into an EVM-compatible execution layer. By partnering with COTI, Soda Labs aims to deliver confidentiality guarantees while maintaining EVM interoperability.

To prepare this stack for deployment, both teams turned to Hacken’s 8+ years of battle-tested expertise in independent security reviews.

Hacken’s Blockchain Protocol Audits

Hacken, an end-to-end blockchain security and compliance partner for digital assets, applied its Layer 1 Audit and Analysis Framework (L1AAF), developed from years of auditing base-layer protocols. The methodology combines static and dynamic analysis, automated tooling, adversarial testing, and manual line-by-line review. This ensures both cryptographic soundness and systemic resilience are validated before production release.

Audit of the MPC Protocol

The MPC protocol is a garbled circuit–based multiparty computation library by Soda Labs, forming the cryptographic backbone for confidential computation in COTI’s privacy layer.

The audit focused on serialization, key management, cryptographic padding, and replay protection. It uncovered:

  • 1 critical issue in key and input serialization, resolved with a hardened encryption pipeline.
  • 2 medium-severity issues in ciphertext padding and replay protection, remediated with stronger safeguards.
  • 7 low-severity issues, including hardcoded secrets and debug logs, all removed.

Together, these fixes resulted in a secure, auditable foundation for confidential computation based on garbled circuits. View the full audit report here.

Audit of gcEVM

The gcEVM is a modified fork of Go-Ethereum, designed to embed privacy-preserving computation directly into the execution layer. It introduces a custom MPC precompile for encrypted transaction processing and uses a sequencer–executor–validator node structure under CO2 consensus to manage block production.

The audit assessed execution logic, consensus, error handling, and gas pricing. It identified:

  • 1 medium-severity vulnerability in gas pricing for MPC operations (GetUserKey, Shl, Shr), resolved through corrected mappings.
  • 12 low-severity issues, including incomplete gRPC error handling, reliance on deprecated functions, and a centralized token emission mechanism. All were addressed or mitigated, with design trade-offs documented.

The result was a validated execution environment capable of securely and efficiently handling private computation. View the full audit report here.


On-Chain Privacy, Secured

Together, the MPC protocol and gcEVM form the core of Soda Labs’ privacy stack, combining cryptographic guarantees with execution-level enforcement. Hacken’s audits ensured all critical and medium-severity issues were resolved and validated through remediation checks.

The business outcomes for COTI and Soda Labs are as follows:

  • cryptographic assurance of the MPC core
  • verified execution integrity of the gcEVM
  • documented roadmap for decentralization planning

For the broader Web3 ecosystem, this work represents a step toward integrating advanced privacy-enhancing technologies into production blockchains. By combining independent third-party reviews with rigorous remediation, COTI and Soda Labs demonstrated that privacy-preserving execution can be both performant and secure.
