9.1 Audit Philosophy
A mature audit culture begins long before an external firm reviews bytecode and continues long after the final report lands in a public repository. NXT therefore pursues an “audit-by-design” strategy. The process starts at the architecture phase, where threat-model workshops map every user story against the STRIDE framework (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). Engineers must document mitigations for each identified vector before a single line of production code is written. These pre-coding threat models are stored in an open directory that anyone can reference, turning design documentation into a live checklist for future refactors.
When code reaches pull-request stage, automated gates run static-analysis tools for re-entrancy, arithmetic overflow, and gas griefing. Only PRs with zero critical findings can be assigned to human reviewers. Every reviewer signs their commit with a hardware key and leaves line-item notes that are captured by a GitHub Action into a tamper-proof log, creating a chain of custody from idea to merge. The merge itself triggers test-suite execution across multiple EVM forks (Hardhat, Ganache, Foundry) to catch compiler-specific behaviour.
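The two controls described above, the critical-findings gate and the tamper-evident review log, can be sketched in a few dozen lines. The following is an added example, not NXT's own CI tooling. It assumes findings arrive as dicts with a "severity" key (the shape you get after flattening a Slither or Mythril JSON report), and it models each reviewer's hardware-key signature as an HMAC-SHA256 tag under a per-reviewer secret; the findings and reviewer keys are constructed for the example. Each log entry commits to the hash of its predecessor, so a retroactive edit to an earlier note breaks that entry's tag and every later prev_hash, which is what "chain of custody" has to mean in practice.

```python
"""Static-analysis gate plus a hash-chained, per-reviewer-signed review log.

Added example, not NXT's own CI tooling. Constructed assumptions: findings
are dicts with a "severity" key, and reviewer signatures are modelled as
HMAC-SHA256 tags under a per-reviewer secret, standing in for hardware-key
signatures. Any edit to an earlier entry is detectable on verification.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry

# Constructed sample findings, as a gate would receive them from the analyser.
SAMPLE_FINDINGS = [
    {"check": "reentrancy-eth", "severity": "High", "function": "withdraw()"},
    {"check": "arbitrary-send-eth", "severity": "Critical", "function": "sweep()"},
    {"check": "naming-convention", "severity": "Informational", "function": "_x"},
]


def gate_allows_review(findings):
    """Only PRs with zero critical findings may be assigned to a human reviewer."""
    return not any(f.get("severity", "").lower() == "critical" for f in findings)


@dataclass
class ReviewEntry:
    pr: int
    reviewer: str
    line: int
    note: str
    prev_hash: str
    signature: str = ""
    entry_hash: str = ""


def _canonical(e):
    """Canonical JSON of the signed fields, so writer and verifier hash identical bytes."""
    body = {"pr": e.pr, "reviewer": e.reviewer, "line": e.line,
            "note": e.note, "prev_hash": e.prev_hash}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, e):
    """Reviewer's tag over the canonical entry (HMAC stands in for a hardware-key signature)."""
    return hmac.new(key, _canonical(e), hashlib.sha256).hexdigest()


def _chain_hash(e):
    """Hash that the next entry will commit to; covers fields and signature."""
    return hashlib.sha256(_canonical(e) + e.signature.encode()).hexdigest()


class ReviewLog:
    """Append-only log; each entry commits to its predecessor's hash."""

    def __init__(self, reviewer_keys):
        self.reviewer_keys = reviewer_keys  # reviewer name -> secret bytes
        self.entries = []

    def append(self, pr, reviewer, line, note):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = ReviewEntry(pr, reviewer, line, note, prev)
        e.signature = _tag(self.reviewer_keys[reviewer], e)
        e.entry_hash = _chain_hash(e)
        self.entries.append(e)
        return e.entry_hash

    def verify(self):
        """Return (True, None) if intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            key = self.reviewer_keys.get(e.reviewer)
            if e.prev_hash != prev or key is None:
                return False, i
            if not hmac.compare_digest(_tag(key, e), e.signature):
                return False, i
            if _chain_hash(e) != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, None


def demo():
    """Build a two-entry log, then edit the first note; return both verdicts."""
    log = ReviewLog({"alice": b"alice-secret", "bob": b"bob-secret"})
    log.append(101, "alice", 42, "unchecked low-level call return value")
    log.append(101, "bob", 77, "checks-effects-interactions order looks right here")
    intact = log.verify()
    log.entries[0].note = "lgtm"  # retroactive edit of a review note
    return intact, log.verify()


if __name__ == "__main__":
    print("gate allows human review:", gate_allows_review(SAMPLE_FINDINGS))
    print("verify before/after tampering:", demo())
```

In a real pipeline the secret keys would not live beside the log: the verifier needs only the reviewers' public keys, and the log itself is what the GitHub Action would persist (for example as a signed artefact), so that anyone can re-run verify() against it.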
External audits are rotated across multiple top-tier firms so that no single vendor develops monocular familiarity—and corresponding blind spots—with the codebase. Each firm produces a scoping document co-signed by NXT’s internal security lead and a token-holder-elected community reviewer. Scoping documents list what is in and out of scope, the assumed threat actors, and the acceptance criteria for remediation. Reports are delivered in two phases: a private draft and a public final. The private draft gives the engineering team a window—never longer than fourteen days—to patch critical issues before public disclosure. All findings, including the “won’t-fix” items along with detailed rationales, appear in the final report to avoid whitewashing.
A key philosophical stance is that audits are not “security stickers” for marketing. Instead, they are living artefacts. Every material code change—defined as any modification altering storage layout, external-facing API, or economic parameters—invalidates prior audits. A governance rule forces re-audit of the affected modules before mainnet deployment. Audit metadata (commit hash, toolchain version, auditor signature) is published on-chain via a Registry contract so that dApps and wallets can query a token or contract address and confirm the newest audit status in real time.
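The "material change" rule above is mechanically checkable from build artefacts, which is what lets a governance gate enforce it rather than leaving it to judgement. The following is an added example, not NXT's governance tooling: it compares a "before" and "after" snapshot on exactly the three axes the text names (storage layout, external-facing ABI, economic parameters) and returns the reasons a re-audit is required. The snapshots are constructed in the shape of solc's storageLayout output and a trimmed contract ABI; the parameter names, values and the scenario() helper are assumptions of this example.

```python
"""Decide whether a change is "material" and so invalidates the prior audit.

Added example, not NXT's governance tooling. Applies the page's rule
literally: a change is material if it alters storage layout, the
external-facing API, or economic parameters. Snapshots are constructed in
the shape of solc's storageLayout output plus a trimmed ABI; the economic
parameter list and values are assumptions of this example.
"""
import copy

# Constructed "before" snapshot of an audited module.
BEFORE = {
    "storage_layout": {"storage": [
        {"label": "owner", "slot": "0", "offset": 0, "type": "t_address"},
        {"label": "paused", "slot": "0", "offset": 20, "type": "t_bool"},
        {"label": "feeBps", "slot": "1", "offset": 0, "type": "t_uint256"},
    ]},
    "abi": [
        {"type": "function", "name": "transfer", "stateMutability": "nonpayable",
         "inputs": [{"type": "address"}, {"type": "uint256"}]},
        {"type": "function", "name": "feeBps", "stateMutability": "view", "inputs": []},
        {"type": "event", "name": "Transfer",
         "inputs": [{"type": "address", "indexed": True}, {"type": "address", "indexed": True},
                    {"type": "uint256", "indexed": False}]},
    ],
    "params": {"feeBps": 30, "maxSupply": 1_000_000_000},
}
ECONOMIC_PARAMS = ("feeBps", "maxSupply")  # assumed list of governed economic parameters


def storage_fingerprint(layout):
    """Slot/offset/type/label of every state variable; any difference breaks upgrade safety."""
    return {(int(v["slot"]), v["offset"], v["type"], v["label"]) for v in layout["storage"]}


def external_surface(abi):
    """Callable surface as name(types) strings; events are not callable, so they are excluded."""
    sigs = set()
    for item in abi:
        if item.get("type") != "function":
            continue
        params = ",".join(p["type"] for p in item.get("inputs", []))
        sigs.add(f"{item['name']}({params})")
    return sigs


def material_changes(before, after, economic_params=ECONOMIC_PARAMS):
    """Return [(category, detail), ...]; an empty list means the prior audit stands."""
    reasons = []
    old_s = storage_fingerprint(before["storage_layout"])
    new_s = storage_fingerprint(after["storage_layout"])
    if old_s != new_s:
        # symmetric difference lists the variables that moved, appeared or disappeared
        reasons.append(("storage", sorted(old_s ^ new_s)))
    old_a, new_a = external_surface(before["abi"]), external_surface(after["abi"])
    if old_a != new_a:
        reasons.append(("abi", {"added": sorted(new_a - old_a), "removed": sorted(old_a - new_a)}))
    for name in economic_params:
        o, n = before["params"].get(name), after["params"].get(name)
        if o != n:
            reasons.append(("economic", f"{name}: {o} -> {n}"))
    return reasons


def requires_reaudit(before, after, economic_params=ECONOMIC_PARAMS):
    """The governance gate: True blocks mainnet deployment until the modules are re-audited."""
    return bool(material_changes(before, after, economic_params))


def scenario(kind):
    """Constructed 'after' snapshots: 'internal' (artefacts unchanged, e.g. a private helper
    rewritten), 'reorder' (two state variables swap slots), 'new_fn', or 'fee'."""
    after = copy.deepcopy(BEFORE)
    storage = after["storage_layout"]["storage"]
    if kind == "reorder":
        storage[0]["slot"], storage[2]["slot"] = "1", "0"  # classic proxy-upgrade corruption
    elif kind == "new_fn":
        after["abi"].append({"type": "function", "name": "setFee", "stateMutability": "nonpayable",
                             "inputs": [{"type": "uint256"}]})
    elif kind == "fee":
        after["params"]["feeBps"] = 50
    return after


if __name__ == "__main__":
    for kind in ("internal", "reorder", "new_fn", "fee"):
        print(kind, requires_reaudit(BEFORE, scenario(kind)), material_changes(BEFORE, scenario(kind)))
```

Note what the check deliberately does not do: it never looks at source text, so a refactor of an internal function, a comment change or a compiler upgrade that leaves layout, ABI and parameters identical does not trigger re-audit on its own. The text's third axis, economic parameters, is the one that cannot be derived from compiler output, which is why the list has to be maintained explicitly by governance.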
Metrics track audit effectiveness: mean time-to-patch for critical findings, percentage of “won’t-fix” items that later become incidents, and post-audit exploit density. These numbers feed back into bounty payouts and vendor rotation schedules. By institutionalising threat modeling, automated gating, multi-vendor audits, transparent disclosure, and quantitative score-keeping, NXT transforms “audit” from a compliance checkbox into a continuous, data-driven discipline.