Security · September 8, 2025

Independent Security Audit Results Published

Independent security assessment returns zero critical and zero high severity findings. Two medium-severity issues have been remediated following responsible disclosure.


Nexus has published the results of an independent security audit conducted over a six-week engagement. The audit was performed by a specialist firm with expertise in Tor-hosted applications and cryptographic system review. The scope covered the platform's web application stack, its escrow and transaction logic, PGP key management infrastructure, and Tor onion service configuration. The auditors found no critical or high-severity vulnerabilities; the two medium and two low-severity findings they reported have since been remediated.

Audit Scope and Methodology

The engagement was structured as a grey-box assessment: the auditors received documentation of the platform's architecture and were given read access to relevant configuration files and application code, but conducted their testing from an external perspective without access to production databases or private cryptographic material. The methodology included static code analysis, dynamic application testing against a production-equivalent staging environment, cryptographic protocol review, and Tor circuit security evaluation.

A key focus was the escrow system, which holds cryptocurrency funds on behalf of transacting parties. The auditors specifically tested for logic errors that could release funds to the wrong party, double-spend conditions, and race conditions in the finalization process (for example, two concurrent finalization requests each triggering a release). No exploitable issues were found in this area. The auditors assessed the escrow logic positively, noting the multi-layered validation that precedes any fund release and the requirement for PGP-signed confirmation on high-value transactions.

Findings and Remediation

The audit identified four findings in total: zero critical, zero high, two medium, and two low severity. The two medium-severity findings concerned insufficient rate limiting on specific API endpoints. Because every request to an onion service reaches the application from the local Tor daemon rather than from a client address, conventional per-IP throttling does not apply, and an attacker could have driven automated enumeration against those endpoints over many circuits. Both findings have been remediated with request throttling and circuit-aware rate limiting, in which limits are keyed on the client circuit rather than on a source address. The two low-severity findings were configuration recommendations that have been implemented.
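The circuit-aware throttling described above, as an added example that is not Nexus's code and is not derived from anything on this page: Tor can expose a per-circuit identifier to an onion service through the `HiddenServiceExportCircuitID haproxy` torrc option, which prefixes every inbound connection with an HAProxy PROXY v1 header whose source address encodes the circuit. Keying a token bucket on that identifier works where a per-IP limiter cannot, because all onion-service connections arrive from the local tor daemon. The address layout (`fc00:dead:beef:4dad::/64` with the circuit id in the low 32 bits), the endpoint name `/api/vendor/lookup`, the policy numbers and the sample headers are assumptions made for this demonstration.

```python
from __future__ import annotations

import ipaddress
import re
import time
from dataclasses import dataclass

# Address range tor uses when HiddenServiceExportCircuitID is set to haproxy:
# fc00:dead:beef:4dad::/64 with the global circuit identifier in the low
# 32 bits (assumption drawn from the tor(1) manual; verify against your tor).
CIRCUIT_PREFIX = ipaddress.IPv6Network("fc00:dead:beef:4dad::/64")

# HAProxy PROXY protocol v1: "PROXY <family> <src> <dst> <sport> <dport>\r\n",
# sent as the very first bytes of the connection, at most 107 bytes plus CRLF.
_PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")


def parse_circuit_id(data: bytes) -> tuple[int, bytes]:
    """Return (circuit_id, bytes_after_header) from a connection's first bytes.

    Anything that is not a well-formed TCP6 header with a source address in
    CIRCUIT_PREFIX raises ValueError: a request with no circuit id must be
    refused rather than handled on an unlimited path (fail closed).
    """
    m = _PROXY_V1.match(data[:108])
    if m is None:
        raise ValueError("missing or malformed PROXY v1 header")
    if m.group(1) != b"TCP6":
        raise ValueError("PROXY header carries no IPv6 circuit address")
    src = ipaddress.ip_address(m.group(2).decode("ascii"))
    if not isinstance(src, ipaddress.IPv6Address) or src not in CIRCUIT_PREFIX:
        raise ValueError(f"source {src} is not a tor circuit address")
    return int(src) & 0xFFFF_FFFF, data[m.end():]


def rejects(data: bytes) -> bool:
    """True if parse_circuit_id refuses `data` (checks the fail-closed paths)."""
    try:
        parse_circuit_id(data)
    except ValueError:
        return True
    return False


@dataclass(frozen=True)
class Policy:
    capacity: int          # burst size per circuit and endpoint
    refill_per_sec: float  # sustained request rate


@dataclass
class _Bucket:
    tokens: float
    last_seen: float


class CircuitRateLimiter:
    """Token bucket per (circuit id, endpoint), with per-endpoint policies."""

    def __init__(self, policies: dict[str, Policy], default: Policy,
                 clock=time.monotonic):
        self._policies, self._default, self._clock = policies, default, clock
        self._buckets: dict[tuple[int, str], _Bucket] = {}

    def allow(self, circuit_id: int, endpoint: str) -> bool:
        p = self._policies.get(endpoint, self._default)
        now = self._clock()
        b = self._buckets.get((circuit_id, endpoint))
        if b is None:
            b = self._buckets[(circuit_id, endpoint)] = _Bucket(float(p.capacity), now)
        else:  # refill proportionally to idle time, capped at the burst size
            b.tokens = min(p.capacity, b.tokens + (now - b.last_seen) * p.refill_per_sec)
            b.last_seen = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def prune(self) -> int:
        """Drop buckets idle long enough to be full again (equivalent to fresh
        ones). An adversary can open circuits faster than they expire, so the
        table must be bounded; returns the number of buckets removed."""
        now = self._clock()
        stale = [k for k, b in self._buckets.items()
                 if (now - b.last_seen) * self._policies.get(k[1], self._default).refill_per_sec
                 >= self._policies.get(k[1], self._default).capacity]
        for k in stale:
            del self._buckets[k]
        return len(stale)


def run_demo() -> dict[str, int]:
    """Replay constructed traffic from two circuits under a fake clock."""
    now = [0.0]  # mutable fake clock so the run is deterministic
    endpoint = "/api/vendor/lookup"  # hypothetical enumeration-prone endpoint
    limiter = CircuitRateLimiter({endpoint: Policy(5, 0.5)}, Policy(60, 10.0),
                                 clock=lambda: now[0])
    # Constructed headers in the layout tor emits; application data follows.
    circuit_a, rest = parse_circuit_id(
        b"PROXY TCP6 fc00:dead:beef:4dad::0:29 ::1 35000 80\r\nGET /api/vendor/lookup HTTP/1.1\r\n")
    circuit_b, _ = parse_circuit_id(b"PROXY TCP6 fc00:dead:beef:4dad::1:4 ::1 35001 80\r\n")
    burst_a = sum(limiter.allow(circuit_a, endpoint) for _ in range(20))  # 5 pass
    burst_b = sum(limiter.allow(circuit_b, endpoint) for _ in range(3))   # own bucket
    now[0] += 4.0  # 4 s at 0.5 tokens/s buys circuit A two more requests
    after_refill_a = sum(limiter.allow(circuit_a, endpoint) for _ in range(20))
    now[0] = 30.0  # both buckets have been idle long enough to refill fully
    return {"circuit_a": circuit_a, "circuit_b": circuit_b, "burst_a": burst_a,
            "burst_b": burst_b, "after_refill_a": after_refill_a,
            "pruned": limiter.prune(), "data_intact": int(rest.startswith(b"GET "))}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats matter in deployment. The PROXY header is only trustworthy if the listening socket is reachable solely by the local tor daemon (a loopback bind or a Unix socket); any other client could forge it. And the header must be consumed before any application bytes are handed to the web stack, which is why the parser returns the remainder of the buffer.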

No findings related to user data exposure, cryptographic weakness, or fund security were identified. The auditors noted positively that the platform's JavaScript-disabled design substantially reduces the attack surface compared to typical web applications, and that mandatory PGP encryption of vendor communications means transaction-related messages pass through the server only as ciphertext, so a server-side compromise would not expose their contents. That protection holds only when users encrypt on their own machines and have verified the vendor's key fingerprint.

Commitment to Ongoing Security Review

The platform intends to conduct annual independent security audits with rotating firms so that no single auditor develops blind spots. In the intervening periods, the internal security team performs monthly penetration testing exercises on staging infrastructure and quarterly reviews of dependency packages for known vulnerabilities. Users can verify the authenticity of this announcement by checking the platform's PGP-signed warrant canary, which is updated monthly and accessible through the Enter Marketplace page. Verify the canary's signature against the platform's long-standing key fingerprint rather than a key fetched from the same page, and confirm that the signed statement's date is current. For guidance on verifying PGP signatures, see the anti-phishing guide.
