Comprehensive Security Audit Completed with Quantstamp

A successful security audit and penetration test of Alluvial’s API highlighted robust implementation.

Alluvial has successfully completed a comprehensive security audit, including a whitebox penetration test, conducted by Quantstamp, a leading blockchain security firm. Focused on the Alluvial API, this audit underscores Alluvial’s commitment to maintaining the highest standards of security, reliability, and operational integrity.

Quantstamp’s audit included an architecture review, functional testing, computer-aided verification, manual review, and whitebox penetration testing. Overall, the audit confirmed that Alluvial's application and infrastructure follow security best practices, with no high-severity vulnerabilities identified.

Key areas of focus included input validation, authorization, authentication mechanisms, and business logic vulnerabilities. The robust implementation of authentication tokens provided by Auth0 and the effective validation of user inputs and JSON bodies were particularly noted.

The report included 19 total findings, with 0 high severity findings, 5 medium severity findings (4 fixed, 1 acknowledged), 5 low severity findings (2 fixed, 3 acknowledged), 0 undetermined severity findings, and 9 informational findings (1 unresolved, 2 fixed, 6 acknowledged).

Importance of auditing offchain components

Security audits are crucial not only for protocol code, but also for the offchain components that support blockchain operations. Offchain elements such as APIs and deployment configurations can present significant security risks if not properly audited and secured.

This successful audit highlights Alluvial's dedication to security best practices and our proactive approach to identifying and mitigating potential vulnerabilities as we support the development of the Liquid Collective protocol and foster participation in proof of stake blockchains.

Commitment to security

Founded in 2017, Quantstamp's mission is to securely onboard the next billion users to web3 through its best-in-class security products and services. Their team comprises cybersecurity experts from globally recognized organizations, including Microsoft, AWS, BMW, Meta, and the Ethereum Foundation. With over 500 audits performed and more than $200 billion in digital asset risk secured, Quantstamp's experience and dedication to security are evident.

For further details or inquiries about Alluvial’s security practices and audits, please contact us directly. We thank Quantstamp for their thorough and professional assessment, and we look forward to continuing our focus on security to ensure the highest levels of trust in our products and services.

About Quantstamp

Quantstamp is a global leader in blockchain security, on a mission to secure the future of web3.

Founded in 2017, the team has honed its expertise through hundreds of audits and worked with some of the top projects in the industry including Ethereum 2.0, Solana, Binance Smart Chain, Visa, TON, Sandbox, Alchemy, Pendle, Stacks, and many more. To date, Quantstamp has performed 750+ audits and secured over $200 billion in digital asset risk from hackers. In addition to providing an array of security services, Quantstamp facilitates the growth and longevity of the web3 space through strategic investments and acting as a trusted advisor to help projects scale.

To learn more, head to our website or follow us on Twitter/X @Quantstamp.

About Alluvial

Alluvial is a software development company offering a suite of enterprise-grade staking products and services. Alluvial is focused on enabling mainstream adoption and participation in proof of stake blockchains. Learn more at

Please note

Liquid staking via the Liquid Collective protocol and using LsETH involves significant risks. You should not enter into any transactions or otherwise engage with the protocol or LsETH unless you fully understand such risks and have independently determined that such transactions are appropriate for you.

Any discussion of the risks contained herein should not be considered to be a disclosure of all risks or a complete discussion of the risks that are mentioned. The material contained herein is not and should not be construed as financial, legal, regulatory, tax, or accounting advice.