• Hacken
  • Blog
  • Case Studies
  • Case Study: Hacken’s Audit of EBSI Smart Contracts

Case Study: Hacken’s Audit of EBSI Smart Contracts

9 minutes

By Hacken

BREAKING: Hacken performed smart contract audits for the European Blockchain Services Infrastructure (EBSI), contributing to the safety and reliability of digital public services across Europe.

EBSI: Europe’s Blockchain Revolution

Imagine a digital Europe where public services are secure, transparent, and, above all, trusted – all thanks to the power of blockchain. Enter EBSI – the European Blockchain Services Infrastructure, an initiative by the European Commission and the European Blockchain Partnership. This powerhouse of European nations, including all EU member states plus Norway and Liechtenstein, joined forces in 2018. Their aim? Use blockchain to craft sterling public services for all Europeans.

Let’s unpack EBSI:

1. Blockchain Beyond the Hype: EBSI isn’t about jumping on the blockchain bandwagon. It’s about extracting real solutions from this technology, based on today’s use cases requirements. Grouped as “use case families,” EBSI identifies and tackles key business issues across industries. Take “track & trace” – it’s like giving every item its unique digital fingerprint. And then there’s “verifiable credentials,” a gold standard in digital trust, “making information easy to verify, but impossible to fake” by using the ledger as a trusted source of information about the issuers of data

2. Trust Me, I’m Verified: Among the Use Case Families, EBSI’s “verifiable credentials” shine bright. It’s about making digital verification smooth and foolproof. How? By giving power to the people. Trusted issuers of credentials register their details on the blockchain first – for example, a university will register its accreditation as an educational body. This registration is handled by smart contracts, which are transparent, accountable, and automated pieces of software deployed in a blockchain. Then, they issue documents as Verifiable Credentials to individuals, who store them in their digital wallets – this happens entirely off-chain. If you hold a credential, you decide who verifies it and when, and it is never shown to anyone else. And with the EBSI Conformant wallet, this control is just a click away. The verification relies on blockchain and only checks the reliability of the issuers of credentials. Simple, privacy-preserving, and decentralised. 

Powered by smart contracts, the technology is already revolutionizing cross-border educational opportunities in Europe. Graduates validate foreign degrees effortlessly, and PhD candidates access specialized courses abroad with ease. Students benefit locally using a European student card, while Erasmus-validated transcripts simplify higher degree pursuits. Posted workers, equipped with a portable document A1, can now work in other European countries with a proof of their insured status. 

Through EBSI, anything could be made into a Verifiable Credential. As long as a claim is made by a reputable organisation about someone, this claim can be turned into a credential that is stored in a wallet. From a user’s perspective, it works like a charm through conformant wallets that store digital certifications and identity information – the perfect wallet for the digital age.

3. A Future-Forward Vision: Verifiable Credentials is only a glimpse of EBSI’s grand plan. It’s paving the way for a transparent and trustworthy digital Europe, where governments play an active role in providing trust in the decentralised, Web3 ecosystems of tomorrow. Think of EBSI as more than a tech project – it’s Europe’s beacon in a new digital age. By standing firm on global standards, such as W3C’s Verifiable Credentials, prioritizing user control, and banking on blockchain’s strengths, EBSI is shaping a future where technology and trust go hand in hand.

In a nutshell, EBSI is reimagining a digital Europe that’s secure, open, and inclusive. And with its innovative approach, the future looks exciting!

Importance Of Smart Contract Auditing For EBSI

As a trusted digital platform, EBSI heavily depends on smart contracts to operate efficiently. With EBSI’s vast user base and the sensitive data it handles, it’s crucial that these smart contracts are secure and reliable. This is where the need for thorough smart contract auditing comes in.

How EBSI Functions: At the heart of EBSI’s innovation lies its technological backbone, integrating APIs, smart contracts, and the decentralized ledger. These components seamlessly converge to offer trusted information to users, ensuring that every transaction recorded on the EBSI ledger is reliable, transparent, and secure. Whenever a business activity happens within EBSI, it’s carried out through EBSI’s APIs. These APIs, in turn, call upon smart contracts to perform operations and record transactions on the EBSI ledger.

EBSI’s Secure Ledger: At the center lies its decentralized ledger—a repository of all transactions, resistant to any tampering. Like all blockchains, once a transaction is added, it cannot be altered. Specialized registries, like the Trusted Issuers registry (which stores the accreditations of issuers of Verifiable Credentials), add another layer of trust.

Decentralization Across Europe: EBSI’s services are distributed across a European network of nodes, eliminating the risk of a centralized failure point. These nodes are managed by vetted operators, all adhering to strict governance and security protocols.

Role of Smart Contracts: EBSI has a set of APIs available to users to interact with its blockchain ledger. For example, an employer verifying the authenticity of a diploma Verifiable Credential will call an API to read the relevant entry in the Trusted Issuers Registry. But the real action happens through smart contracts. They are the gatekeepers, ensuring that operations only proceed when necessary conditions are met. EBSI has tight controls on these contracts, ensuring only legitimate operations go through. For example, the Smart Contracts ensure that only accredited trusted issuers are able to record transactions on the trusted issuers’ registry.

In conclusion, auditing the smart contracts used by EBSI is not just about checking code. It’s about ensuring trust, integrity, and the seamless operation of a platform aiming to revolutionize digital trust in Europe.

Summary Of Hacken’s Audit Approach And Methodology

Hacken adopted a systematic and rigorous approach to auditing EBSI’s smart contracts. Our audit incorporated the following principles:

  1. Thorough Analysis: A deep dive into each smart contract to understand its functionality and design.
  2. Automated Scanning: Using advanced tools to scan for common vulnerabilities.
  3. Manual Review: To catch complex, logic-based vulnerabilities that automated tools might miss.
  4. Continuous Feedback: Engaging with the EBSI team to discuss potential concerns and ensure alignment.

Testimonial from the EBSI team:
“Hacken’s meticulous approach to the audit process ensured that our smart contracts were reviewed comprehensively. Their professionalism and dedication were evident throughout the audit.”

In essence, Hacken’s smart contract audit process is a harmonious blend of human expertise and technological prowess, ensuring EBSI’s smart contracts stand resilient against any attacks. Let’s break it down.

It began with the pre-audit stage. Here, EBSI was presented with an overview of its functional requirements, technical description, development environment, and unit tests.

Next followed the overall review, during which Hacken’s auditors scrutinized the code. Guided by EBSI’s documentation, this phase was pivotal in establishing a clear understanding of the smart contract’s architecture.

Subsequently, the automated tool scan was initiated. Deploying specialized tools for Solidity like Slither, Mythril, and Echidna, and cross-referencing with the SWC registry—a comprehensive database of known vulnerabilities—the audit ensured a rigorous check for potential lapses.

Informed by this, data flow diagrams were drawn with Solgraph. These visual representations facilitated a structured approach to the contracts’ operations, streamlining the eventual line-to-line review – the most crucial step of the entire audit process.

The testing phase proved invaluable. EBSI’s existing tests were evaluated and complemented with additional tests when necessary. This phase also involved simulating real-world scenarios to unearth any hidden vulnerabilities.

Post analysis, the team convened for a collaborative discussion. Here, findings were studied, debated, and remediation strategies were outlined. Every vulnerability was paired with a solution, ensuring the contracts’ fortification.

The culmination of these rigorous steps was a comprehensive report handed to EBSI. Furthermore, a security score was provided, offering a quantifiable measure of the contracts’ robustness.

EBSI Smart Contract Audit

Our Solidity audit encompassed 63 EBSI’s smart contracts, vital for services like authenticating transactions, guaranteeing the integrity of tamper-proof registries, enabling interactions through the EBSI API, and maintaining decentralization of EBSI Ledger.

While the specifics about vulnerabilities cannot be shared, we can confirm that our findings played a significant role in strengthening the security and functionality of EBSI’s operations, ensuring its commitment to transparency and trust remains unshaken. They achieved a perfect average security score of 10 across all smart contracts involved, an exceptional accomplishment in this field. Moreover, the EBSI team was quick and decisive in addressing identified issues.

The final scores are exceptionally high for all the audited services.

ServiceBrief DescriptionScore
DID-REGISTRY-V4A section for DIDs documents’ storage and management9.8/10
TRUSTED-ISSUERS-REGISTRY A service anchor for Trusted Issuers, enabling verification of issuer DIDs and their authorization10/10
TRUSTED-SCHEMAS-REGISTRYA service anchor for verifying trusted schemas and their statuses10/10
TRUSTED-APPS-REGISTRYAn anchor of trust, listing trusted apps and their details for access management across EBSI services8.1/10
TRUSTED-POLICIES-REGISTRYA service facilitating authorization across the project9.9/10
TIMESTAMPA service for storing versioned hashes9.6/10
BOOTSTRAPA set of libraries used throughout the project9.7/10
PROXYA service offering proxy functionality10/10

Together, all these contracts create a powerful Identity Management & Authentication and Storage platform.

Hacken’s Promise For Ongoing Support To EBSI’s Growth And Security

Reflecting on our collaboration, the EBSI Team shared:
“Hacken’s audit was invaluable for EBSI. Their insights and recommendations have significantly enhanced our platform’s security and reliability. We are grateful for their expertise.”

We are profoundly grateful and honored by the trust placed in us by EBSI and cherish the constructive feedback. But Hacken’s commitment does not end here. We pledge our continuous support to EBSI, ensuring its growth and security align with evolving technologies and threats. As the European Commission continues to be an emblem of trust and innovation, Hacken is ready to stand by its side, safeguarding its integrity and excellence.


EBSI operates as a trusted digital platform, and its functionality relies heavily on smart contracts. These digital contracts execute operations when specific conditions are met. Given the public nature of EBSI and the critical data it handles, ensuring the utmost security, efficiency, and reliability of these smart contracts becomes imperative. Thus, a comprehensive smart contract audit provided by Hacken was essential to mitigate potential vulnerabilities and maintain the trust and reliability that EBSI promises to its users.

From a broader perspective, EBSI is not merely a technological project; it’s a testament to Europe’s commitment to fostering innovation, trust, and efficiency in the digital age. Its purpose-driven approach, backed by the power of blockchain, has the potential to redefine standards of verification, interaction, and trust for businesses, governments, and citizens alike.

EBSI’s commitment to leveraging blockchain for the public good is commendable. With Hacken’s expertise, we are ensuring that this commitment is upheld with unwavering security, trust, and efficiency.

to our newsletter

Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiast.в

Speaker Img

Table of contents

Tell us about your project

Follow Us

Read next:

More related
  • Blog image
    Ensuring the Integrity of VeChain’s Account Abstraction Layer: A Case Study

    2 min read

    Case Studies

  • Blog image
  • Blog image
More related →

Trusted Web3 Security Partner