Security audit of `stealth-announcer` Soroban contract

[truthixify]

Labels: Stellar Wave, stellar, audit, security, drips, help-wanted
Tier: L (1–2 weeks)
Type: audit

Context

contracts/stellar/stealth-announcer/ is the Soroban contract that emits stealth address announcements consumed by every Wraith client and indexer. It is event-only (no storage), so the attack surface is narrow — but because every payment flows through it, even a low-severity issue compounds across the entire protocol.

Today the contract has only its in-tree unit tests (#[cfg(test)] modules). It has never been independently reviewed.

We need a full security audit from a contributor with Soroban experience.

Scope

Review the entire crate (lib.rs, any helpers, Cargo.toml dependencies). For each finding, document:

1. Description — what is the issue?
2. Severity — Critical / High / Medium / Low / Informational, using the Trail of Bits severity matrix.
3. Reproduction — a Rust #[test] that demonstrates the issue, or a soroban-cli invocation that triggers it.
4. Recommendation — a concrete fix.

Specific areas we want covered (non-exhaustive):

• Event payload integrity — can a caller forge caller field, oversize metadata, or smuggle malicious data through ephemeral_pub_key?
• Auth model — require_auth() placement, who can call announce, can it be called from CPI by a malicious contract?
• Resource exhaustion — extremely long metadata, repeated calls, event spam pricing.
• Soroban-specific footguns — Env::events().publish topic ordering, type confusion across SDK versions.
• Dependency review — pin versions, audit transitive soroban-sdk features.
• Comparison against the ERC-5564 reference behavior — semantic parity with the EVM Announcer.

Acceptance criteria

• Markdown audit report committed at contracts/stellar/stealth-announcer/audits/2026-XX-author.md.
• One Rust test per finding (in a new tests/audit.rs module) reproducing the issue. Tests that demonstrate safe behavior should be marked #[test] #[should_panic] or assert the panic message.
• Markdown changelog entry under ## Unreleased summarizing the review.
• Disclosure timeline if anything Critical/High is found — coordinate via security@usewraith.xyz before publishing.

Resources

• Soroban auth model: https://developers.stellar.org/docs/build/guides/auth
• Reference EVM contract: contracts/evm/contracts/ERC5564Announcer.sol
• Whitepaper §3.2 (Stellar) for the cryptographic assumptions the contract must honor.

Deliverable format

Reports follow this template:

# stealth-announcer audit — <author> — <date>

## Summary
3–5 sentences.

## Findings table
| ID | Severity | Title | Status |

## Findings
### WA-ANN-01 — <Title>
**Severity:** ...
**Reproduction:** ...
**Recommendation:** ...

[Hallab7]

@Hallab7 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Hallab7 to this issue.

[AGWAM001]

@AGWAM001 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Would love to work on this issue please

ℹ️ Repo Maintainers: To accept this application, review their application or assign @AGWAM001 to this issue.

[johnephraim949-web]

@johnephraim949-web has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello I'll please love to work on this issue as I have strong experience on solving issues. Thank you sir

ℹ️ Repo Maintainers: To accept this application, review their application or assign @johnephraim949-web to this issue.

[gloskull]

@gloskull has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello,

I’m a developer with 4 years of hands-on experience working on production-grade systems and contributing to collaborative, open-source environments. I’ve carefully read through this issue and fully understand the problem it addresses, the expected outcomes, and the constraints outlined in the acceptance criteria.

I’m comfortable taking ownership from start to finish: reviewing the existing codebase and related context, designing a clean and maintainable solution, implementing it with attention to edge cases and correctness, and validating everything with appropriate tests and documentation where required. I place strong emphasis on clarity, reliability, and aligning closely with the project’s existing patterns and standards, so the final result is easy to review and integrate.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @gloskull to this issue.

[drips-wave]

Congratulations, @gloskull! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @gloskull: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊