
XCMv2 Audit Completed by Quarkslab

XCMv2 has now been audited for a second time to discover any potential cross-chain security or fairness issues, including logical bugs, denial-of-service, and incorrect lock/unlock or burn/mint on both chains.

By Polkadot, April 8, 2022

XCM (Cross-Consensus Messaging format) provides a fundamental utility for the Polkadot technology stack. It enables seamless communication between blockchains as well as pallets (Substrate runtime modules) and smart contracts (including over bridges and sharded enclaves like Polkadot’s SPREE), fulfilling Polkadot’s foundational objective to be a fully-functioning, interoperable multichain ecosystem. Crucially, XCM is consensus agnostic, meaning it can be used to communicate between blockchains with differing consensus systems, and conceivably even between disparate ecosystems such as Polkadot and Ethereum.

Having a common messaging format broadens the scope of projects in the Polkadot and Substrate ecosystem. It allows cross-chain communication, a defining functionality for connecting chains and dapps that do not necessarily work under the same technology or consensus rules, and provides a solid foundation for the future of Web3.

For background on XCM, see the recent series of blogs (Part I, Part II, Part III) by Polkadot founder Dr. Gavin Wood examining the importance and functionality of the format.

Auditing XCMv2

XCMv2, deployed first on Kusama, Polkadot’s canary network, has now been audited for a second time and is ready for production release. Because of the scope of cross-consensus messaging for the Polkadot network, it is crucial that every iteration of XCM undergoes independent review from external security organizations.

Quarkslab has completed a comprehensive second audit (a previous audit was already completed by another security firm) of XCMv2, an overview of which can be found here. The goal of this audit was to discover any potential cross-chain security or fairness issues, including logical bugs, denial-of-service, and incorrect lock/unlock or burn/mint on both chains.

The findings

Two security engineers from Quarkslab carried out the audit over a span of 50 man-days. They did not uncover any important security issues within XCMv2. Additionally, the scope of the audit included an examination of the underlying security of multiple XCM components. This makes the audit report useful for anyone interested in exploring the inner workings of XCM.

A full audit report can be found here.

Keep up to date with the latest XCM developments

Following the full audit, XCMv2 is ready for production release, and XCMv3 is currently in the final stages of development. For information on using XCM, watch the workshop from Parity’s Shawn Tabrizi. For updates, follow the xcm-format repository on GitHub, follow Polkadot on Twitter, and sign up for the newsletter.

Interested in building on Polkadot or Kusama? Get in touch!
