Protect Your Project Today
Strengthen your project with the largest web3 security provider.
A CertiK security expert will review your request and follow up shortly.

CertiK’s Audit of the Torus Distributed Key Generation Protocol

News ·Announcements ·
CertiK’s Audit of the Torus Distributed Key Generation Protocol

A series of thorough security assessments was carried out for Torus to audit and verify the Distributed Key Generation protocol.

What is Torus?

Torus is a user-friendly, secure, non-custodial key management system for DApps. The Distributed Key Generation protocol allows more nodes to participate in the process, which prevents a centralized point of failure.

The sole objective of the audit was to verifyTorus’ implementation of the DKG protocol against the provided specifications and scope:

  1. The audit work was scoped to a specific commit of the source code

  2. The code was verified against the specifications and literature provided by the client, which includes:

    Secure Distributed Key Generation for Discrete Log Based Cryptosystems

    Distributed Key Generation in the Wild

    AVS and PSS

  3. Particular files within the scope

  4. Node state transitions in each function were carefully verified against their specification

  5. Go programming best practices were enforced to improve general performance and minimize the chances of run-time panicking.

Digging Into the Audit

The overall goal of this code review was to help Torus protect their users by finding and fixing known vulnerabilities that could cause unauthorized access, loss of funds, cascading failure and/or other vulnerabilities. Alongside each security finding, potential remediations are suggested with best practices kept in mind.

The primary focus was to look at the messages processing functions of the package. Specifically, we analyzed how the keygen nodes are defined and how their state changes are triggered by messages.

We inspected every module within the scope to ensure that:

  1. The message routes the message to the correct processing function
  2. The functions process corresponding messages correctly according to the scope
  3. The messages are sent to the correct nodes

Summary and Revisions

In total we found one minor issue and other smaller shortcomings that Torus has already worked to remediate and update their codebase to maintain the highest commitment to security.

Overall we found that the module follows all the best practices and adheres to all the provided specifications. Moreover, other desirable properties of DKG include:

  1. Liveness: all wait states that a node enters are eventually satisfied
  2. Correctness: all honest nodes decide on the same value of selected sets of AVSS
  3. Efficiency: the overall DKG has uniformly bounded communication complexity
  4. Secrecy: no malicious nodes can compute the private key, otherwise it would break the discrete algorithm.

About CertiK

CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University built to prove the security and correctness of smart contracts and blockchain protocols.

CertiK’s mission of every audit is to apply different approaches and detection methods, ranging from manual, static, and dynamic analysis to ensure that the project is checked against known attacks and potential vulnerabilities. CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications on the project, in turn creating a more secure and robust software system.

CertiK has serviced more than 100 clients with high quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.

Related Blogs

Skynet Wrench Attacks Report
Reports ·Security Reports

Skynet Wrench Attacks Report

In 2025, wrench attacks unfortunately crossed a critical threshold. What was once treated as an edge-case risk has become a structural threat to digital asset ownership. Attackers are no longer acting opportunistically; they are operating as organized, transnational groups that combine OSINT-driven targeting, social engineering, and extreme physical violence to extract private keys.

CertiK’s Path Forward: Advancing Trust, Transparency, and Web3 Infrastructure
News ·Announcements

CertiK’s Path Forward: Advancing Trust, Transparency, and Web3 Infrastructure

As conversations at the 2026 World Economic Forum at Davos-Klosters, Switzerland continue to influence how global leaders engage with emerging technologies, one message is becoming increasingly clear: Web3 is entering a new phase defined by institutional participation, regulatory engagement, and long-term infrastructure.

CertiK and NEXUS Sign Memorandum of Understanding to Enhance Security, Auditing, and Stablecoin Infrastructure
News ·Announcements

CertiK and NEXUS Sign Memorandum of Understanding to Enhance Security, Auditing, and Stablecoin Infrastructure

CertiK recently signed a memorandum of understanding (MOU) with NEXUS, the blockchain infrastructure behind South Korea-listed company CROSS Protocol, to enhance security, auditing, and stablecoin infrastructure of the CROSS ecosystem. This MOU agreement is the beginning of a long-term collaboration between CertiK and NEXUS, in light of accelerated adoption in on-chain gaming and the need for security to keep pace with blockchain-based transactions.