Layer-1 Blockchain Audit of QANplatform’s QVM with AI-Enhanced Depth
QANplatform engaged Hacken to conduct a comprehensive blockchain security audit of the QAN Virtual Machine (QVM), the core execution environment of its Layer-1 blockchain.
QVM is the world's first VM that allows coding smart contracts in any programming language on the blockchain. Given the complexity of the QVM—designed to run statically linked Linux binaries in a deterministic blockchain setting—the audit required a combination of deep manual review, deterministic testing, and purpose-built automation.
To meet the scale and depth required, Hacken developed and integrated a custom AI agent tailored specifically for QANplatform. This tool accelerated the audit process while enhancing test coverage across areas that are typically difficult to examine manually.
“It is always a pleasure working with the team of Hacken. They will never settle for anything but the best tools and methodology for the scope, and if it doesn't exist they will build one!” — Johann Polecsak, Co-Founder & CTO of QANplatform

Outcome
- 22 high-severity issues discovered and fixed, all verified by follow-up testing
- Increased confidence in the deterministic execution of the QVM
- AI-enhanced threat modeling and test execution
- Accelerated audit timeline without sacrificing depth
- Open-sourced AI tool made available to the community
Audit Scope
The L1 audit covered the full QVM stack, including gokvm (sandboxed VM execution), Hermit (deterministic syscall handling), language-specific compilers, and QAN’s custom build tools. We evaluated the QVM as a standalone module under stricter conditions than those found in a blockchain-integrated environment. Key audit targets included deterministic execution, syscall and memory handling, threading and race conditions, signal and timing consistency, and control over entropy sources such as randomness and system time.
The scope included over 2,800 test cases—many automatically generated and analyzed by Hacken’s AI agent—to uncover nondeterministic edge cases. The module was tested outside of a consensus layer to assess worst-case behavior in isolation.
Key Findings
Hacken identified 22 vulnerabilities, including:
- Race conditions in multithreaded execution
- Improper signal handling under concurrency
- Use of non-deterministic system calls (e.g., time, futex)
- Unhandled error codes and memory access violations
- Variability in hardware-level entropy sources
All reported issues were remediated by the QANplatform team and verified in follow-up testing.
Importantly, many of these findings would not lead to exploitable conditions in a production blockchain setup due to transaction-level protections—such as output hash mismatches resulting in transaction failure. However, testing in a stricter environment allowed Hacken to validate the QVM’s behavior beyond minimal consensus requirements.
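The output-hash comparison mentioned above can be sketched as a small Go harness; this is an added example, not code from Hacken's report or from QANplatform. `Program`, `CheckDeterminism` and the two sample programs are hypothetical names, and each sample is a constructed stand-in for one run of a guest binary.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Program is a hypothetical stand-in for one run of a guest binary; it returns the run's output.
type Program func() ([]byte, error)

type Report struct {
	Digests       map[string]int // SHA-256 of output -> number of runs that produced it
	Errors        int            // runs that failed outright
	Deterministic bool           // true only if every run succeeded with the same digest
}

// CheckDeterminism runs p n times and compares the hash of each run's output.
func CheckDeterminism(p Program, n int) Report {
	r := Report{Digests: make(map[string]int)}
	for i := 0; i < n; i++ {
		out, err := p()
		if err != nil {
			r.Errors++
			continue
		}
		sum := sha256.Sum256(out)
		r.Digests[hex.EncodeToString(sum[:])]++
	}
	r.Deterministic = r.Errors == 0 && len(r.Digests) == 1
	return r
}

// PureProgram (constructed sample) depends on nothing outside its own logic.
func PureProgram() ([]byte, error) { return []byte("balance=42\n"), nil }

// EntropyProgram (constructed sample) leaks OS randomness into its output.
func EntropyProgram() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte("balance=42 nonce="), nonce...), nil
}

func main() {
	fmt.Println("pure:", CheckDeterminism(PureProgram, 5).Deterministic,
		"entropy:", CheckDeterminism(EntropyProgram, 5).Deterministic)
}
```

More than one digest for the same input is the mismatch that would fail a transaction in production; here it is reported directly instead.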
View Full Report
The full 53-page audit report is publicly available and provides detailed analysis for each of the 22 identified issues, including severity classification, technical descriptions, remediation guidance, and reproduction steps.
For example, one issue—Thread Management ESRCH Error—was triggered when the system attempted to operate on a thread that had already exited, causing crashes under high concurrency. The report includes exact test cases, stack traces, and configuration-based mitigations.
This level of transparency makes the report a valuable learning resource for Web3 developers building complex systems in Go, Rust, or working with Layer-1 virtual machines.

AI Agent Integration
Due to the projected 4–6 month timeline for a fully manual audit, Hacken developed a custom AI-powered threat modeling and test generation tool. This tool was trained specifically on the QVM architecture to:
- Generate plausible attack scenarios
- Explore nondeterministic edge cases across system calls, signals, and threads
- Accelerate test generation and result analysis
“Hacken’s custom-built AI agent was tailored specifically for QAN and delivered outstanding results. Our deep expertise in AI-driven offensive security allowed us to accelerate the audit while increasing its depth. This isn’t a replacement for traditional audits but a powerful upgrade.” — Dyma Budorin, Hacken
Together, Hacken and QAN decided to open-source the AI agent to support broader usage across similar blockchain VMs and off-chain runtime environments.
Note: The agent was not a general-purpose LLM integration; it was trained and optimized specifically for the intricacies of QAN’s virtual machine.
Strategic Impact for QANplatform
By combining deep Web3 expertise with cutting-edge AI capabilities, Hacken helped QANplatform:
- Reinforce its positioning as a quantum-resistant, secure L1 protocol
- Accelerate time-to-market without compromising audit depth
- Contribute to the open-source security tooling ecosystem
“We are proud of the successful QVM audit and excited to release Hacken's custom-built AI tool to the public… empowering anyone to build rapidly and securely on the blockchain.” — Johann Polecsak, QANplatform
About QANplatform
QANplatform is a Layer-1 blockchain platform focused on fast development and quantum-resistant security. Its core innovation—the QVM—enables deterministic execution of statically linked Linux binaries. QANplatform is a member of the Linux Foundation and the Post-Quantum Cryptography Alliance. In 2024, its technology was implemented by the first EU government project.
Learn more at qanplatform.com
About Hacken
Hacken is an end-to-end blockchain security and compliance partner for digital assets. Unlike traditional providers, Hacken was founded on blockchain principles and combines deep Web3 expertise with enterprise-grade quality, AI-powered offensive security, and globally recognized certifications.
Since 2017, Hacken has delivered over 2,000 audits—including L1 audits for NEAR, Mina, Radix, and Kaia. Hacken brings a blockchain-native, AI-powered security methodology that accelerates innovation while ensuring regulatory alignment.
Learn more at hacken.io