Infrastructure security auditing is a proactive process to identify and mitigate vulnerabilities in the foundational systems that support blockchain applications. Unlike smart contract audits, which focus on on-chain logic, infrastructure audits assess the off-chain components: RPC endpoints, validator nodes, indexing services, and the underlying cloud or bare-metal environments. The goal is to prevent attacks that target these critical services, such as RPC hijacking, consensus manipulation, or data availability failures, which can lead to fund loss or network instability. A thorough audit follows a risk-based approach, prioritizing components based on their exposure and the value they secure.
LABS
Guides
How to Audit Infrastructure Security Practices
A developer-focused guide to systematically auditing the security of blockchain infrastructure components, including consensus mechanisms, peer-to-peer networking, data storage, and execution layers like EVM and SVM.
Chainscore © 2026
introduction
WEB3 SECURITY
How to Audit Infrastructure Security Practices
A systematic guide for developers and security engineers to evaluate and harden the security of blockchain infrastructure components like RPC nodes, validators, and indexers.
The audit process begins with asset discovery and mapping. Create an inventory of all infrastructure components, including their purpose, software versions, network configurations, and data flows. For a typical Web3 stack, this includes: - Execution Clients (Geth, Erigon, Nethermind) - Consensus Clients (Prysm, Lighthouse, Teku) - RPC Node Providers (public endpoints, load balancers) - Indexers (The Graph, Covalent) - Data Storage (databases, IPFS nodes). Document all access controls, API keys, and administrative interfaces. This map reveals the attack surface and is essential for scoping the security review.
Next, conduct a configuration review against security benchmarks. Misconfigurations are a leading cause of breaches. Check for: - Network Security: Are RPC ports (8545, 8546) exposed to the public internet without authentication or rate limiting? Is peer-to-peer traffic (30303, 9000) properly firewalled? - Access Controls: Are SSH keys used instead of passwords? Is multi-factor authentication enabled for all administrative consoles (AWS, GCP, validator dashboards)? - Software Hygiene: Are all clients patched to the latest stable version? Are automated update mechanisms in place? Use tools like sslyze for TLS configuration checks and nmap for port scanning to validate your findings.
A critical phase is secret and key management assessment. Private keys for validator nodes, fund wallets, and API tokens must be stored securely. Audit how secrets are generated, stored, and accessed. Avoid storing keys in environment variables or code repositories. Instead, use hardware security modules (HSMs), cloud KMS (like AWS KMS or GCP Cloud KMS), or dedicated key management services (e.g., HashiCorp Vault). Verify that validator withdrawal credentials are set to a secure, non-custodial address. For node operators, ensure the keystore directory permissions are restricted and encrypted at rest.
Finally, evaluate monitoring, logging, and incident response capabilities. Effective detection is key to responding to active threats. Audit logs should capture: - Node Health: Peer counts, sync status, and block propagation times. - Security Events: Failed login attempts, unexpected RPC calls, or large withdrawal requests. - System Metrics: CPU, memory, and disk I/O to detect cryptojacking or DDoS attacks. Tools like Prometheus, Grafana, and the ELK stack are commonly used. Establish clear alerting thresholds and a runbook for common incidents, such as a validator going offline or an RPC endpoint being exploited for spam.
The audit concludes with a remediation report and continuous improvement plan. Prioritize findings by severity (Critical, High, Medium, Low) and provide concrete remediation steps, such as "Implement JWT authentication for the Engine API." Security is not a one-time event. Schedule regular re-audits, especially after major client updates or infrastructure changes. Adopting a framework like the SSDF (Secure Software Development Framework) or referencing OWASP Top 10 for APIs can provide structure for ongoing security hygiene, ensuring your infrastructure remains resilient against evolving threats.
prerequisites
PREREQUISITES FOR INFRASTRUCTURE AUDITS
How to Audit Infrastructure Security Practices
A systematic guide to evaluating the foundational security of blockchain nodes, RPC endpoints, and validator setups before engaging in smart contract or protocol reviews.
Infrastructure security forms the bedrock of any blockchain application. An audit that only examines smart contracts while ignoring the underlying node software, RPC configuration, and network architecture is incomplete. This guide outlines the prerequisite checks for assessing the security posture of the infrastructure that hosts decentralized applications. We focus on attack surface analysis, access control validation, and operational resilience for systems like Geth, Erigon, Besu, and consensus clients.
Begin by mapping the entire deployment architecture. Identify all components: execution clients, consensus clients, RPC endpoints (HTTP, WebSocket, IPC), database layers, load balancers, and monitoring tools. For each, document the version, configuration files, and network exposure. Use tools like nmap for port scanning and ss or netstat to verify listening services. A common flaw is exposing the Ethereum JSON-RPC port (8545 by default) to the public internet without authentication, which can lead to remote code execution or fund theft.
Next, audit access controls and authentication. Verify that administrative interfaces (like the Grafana dashboard for prometheus metrics or the lighthouse validator client API) are not publicly accessible. Check for the use of strong, unique passwords and API keys stored in environment variables, not in code. For cloud deployments (AWS, GCP, Azure), review Identity and Access Management (IAM) policies to ensure the principle of least privilege. Ensure TLS/SSL termination is correctly configured for all RPC endpoints to prevent man-in-the-middle attacks.
Examine the node software's configuration for security-hardening. Key checks include: disabling personal account management APIs (e.g., personal_*), enabling RPC rate limiting, and configuring CORS headers restrictively. For consensus clients, validate the slashing protection database is secure and immutable. Check that the JWT secret used for Engine API communication between execution and consensus clients is a cryptographically strong, randomly generated value stored in a secure location.
Finally, assess operational security and monitoring. The infrastructure must have robust logging (sent to a secure, centralized service like Loki or Elasticsearch), intrusion detection systems (like Wazuh or Falco), and a defined incident response plan. Verify that automated security updates are enabled for the OS and node software, and that there is a tested disaster recovery process for validator key loss or node failure. A secure infrastructure audit concludes with a report detailing vulnerabilities, their CVSS scores, and concrete remediation steps, such as implementing a reverse proxy like nginx with authentication in front of RPC endpoints.
audit-framework
A FRAMEWORK FOR WEB3 TEAMS
How to Audit Infrastructure Security Practices
A systematic approach to evaluating the security posture of the critical infrastructure supporting your blockchain application, from node providers to RPC endpoints.
Auditing infrastructure security is distinct from smart contract auditing. It focuses on the operational backbone: the node providers, RPC endpoints, indexers, and oracles that your dApp depends on. A failure here can lead to downtime, data corruption, or censorship, even if your contracts are flawless. The goal is to assess reliability, data integrity, censorship resistance, and operational security of these external services. Start by mapping your entire dependency graph to understand every third-party component in your stack.
Establish clear evaluation criteria for each infrastructure component. For node/RPC providers, assess: geographic decentralization (jurisdictional risk), historical uptime and performance (SLAs vs. real-world data), supported networks and methods, and fee structures. Use tools like Chainlist for discovery and public dashboards or POKT Network's Portal for performance metrics. For oracles and indexers, verify the data sourcing methodology, update frequency, and cryptographic proofs of data authenticity, such as Chainlink's decentralized oracle networks or The Graph's attestation signatures.
Conduct hands-on testing to validate provider claims. For RPC endpoints, script calls to critical methods like eth_getBalance, eth_sendRawTransaction, and eth_getLogs under load to test rate limits and latency. Check for consistency by comparing block heights and transaction receipts across multiple providers. Audit the security of your integration: are API keys properly scoped and stored as environment variables? Is there a failover mechanism in place? Libraries like ethers.js and web3.py allow easy configuration of fallback providers, which is a critical resilience feature.
Finally, document your findings and create a continuous monitoring plan. Your audit report should detail each provider's strengths, risks, and a justification for their selection. Establish ongoing checks: monitor for synchronization delays, unusual error rates, or changes in provider ownership/policies. Consider using decentralized infrastructure networks like Pocket Network or Ankr that inherently provide multi-provier redundancy. The framework is not a one-time task but a living process that must evolve with your application and the broader infrastructure landscape.
audit-tools
INFRASTRUCTURE SECURITY
Essential Audit Tools and Resources
A curated list of tools, frameworks, and methodologies for systematically auditing the security of blockchain infrastructure, from node configuration to network architecture.
04
Node Configuration Hardening
Securing the underlying node software (Geth, Erigon, Besu) is critical. Key audit practices include:
- RPC Security: Disable public HTTP-RPC, use authenticated endpoints, and restrict methods (e.g., disable
personal,eth_sendTransaction). - Peer-to-Peer (P2P) Limits: Configure max peers and whitelist trusted nodes to reduce attack surface.
- System Hardening: Run nodes as non-root users, use firewalls, and ensure filesystem permissions are restrictive.
- Monitoring: Implement logging, metric collection (Prometheus), and alerting for anomalous activity.
05
Consensus & Fork Monitoring
Auditing infrastructure requires monitoring for consensus failures and chain reorganizations. Tools and techniques include:
- Erigon's
rpcdaemon: Provides advanced debug and trace APIs to inspect chain data and node health. - Ethereum Execution API Spec: Use standardized endpoints (
eth/v1/*) to check sync status and node version. - Fork Monitors: Set up alerts using services like Ethereum Nodes or custom scripts tracking finality, block propagation times, and uncle rates.
- Slashing Protection: For validator clients, verify slashing protection history is correctly exported and imported during migrations.
06
Infrastructure as Code (IaC) Security
Audit the deployment and orchestration code for node infrastructure. This includes:
- Terraform/Ansible Scripts: Check for hardcoded secrets, overly permissive security group rules, and unencrypted storage.
- Docker Configurations: Audit Dockerfiles for unnecessary root privileges, outdated base images, and exposed ports.
- Kubernetes Manifests: Verify resource limits, network policies, and pod security contexts are set.
- Secrets Management: Ensure private keys, JWT secrets, and API keys are managed via tools like HashiCorp Vault or cloud KMS, not in plaintext.
COMPONENT AUDIT
Infrastructure Layer Security Checklist
A comparison of security practices across common Web3 infrastructure components.
| Security Component | Minimal Practice | Recommended Practice | Enterprise-Grade Practice |
|---|---|---|---|
Node Client Diversity | Single client (e.g., Geth) | Two major clients (e.g., Geth + Nethermind) | Three+ clients with load balancing |
Validator Key Management | Hot wallet on server | HSM or MPC for validator keys | Geographically distributed MPC with quorum |
RPC Endpoint Security | Public RPC endpoint | API key authentication + rate limiting | Private gateway with DDoS protection (e.g., Cloudflare) |
Database Encryption | Data at rest unencrypted | Full disk encryption (LUKS) | Application-layer encryption + key management service |
Secret Management | Environment variables in plaintext | Vault (HashiCorp, AWS Secrets Manager) | Dynamic secrets with automatic rotation (< 24h) |
Access Control (SSH) | Password authentication | SSH key pairs + bastion host | Certificate-based SSH with short-lived credentials |
Infrastructure as Code (IaC) Security | Manual server configuration | Terraform/Ansible with version control | IaC scanning (Checkov, Snyk) in CI/CD pipeline |
Incident Response Time SLA | Best effort | < 1 hour for critical alerts | < 15 minutes with automated playbooks |
consensus-audit
CONSENSUS LAYER SECURITY
How to Audit Infrastructure Security Practices
A systematic guide for evaluating the operational security of validators, RPC nodes, and other critical blockchain infrastructure components.
Auditing infrastructure security begins with a threat model specific to the consensus layer. For a validator, key assets include the signing keys, the node's network access, and its uptime. The primary threats are key compromise (through malware or physical access), network-based attacks like DDoS, and software vulnerabilities in the client (e.g., Prysm, Lighthouse, Teku). A thorough audit assesses controls across these vectors, moving beyond the theoretical security of the protocol to the practical security of its implementation and operation.
Start by examining key management hygiene. Validator keys should never be stored on internet-connected machines. Audit for the use of hardware security modules (HSMs) or dedicated signing devices like the Web3Signer. Check key generation procedures: were mnemonic phrases created in an air-gapped environment? Review access controls: how many individuals have access to the keys, and what is the approval process for signing operations? For node operators, the use of non-custodial staking services like Obol or SSV Network introduces different trust assumptions that must be evaluated.
Next, assess node and network hardening. The node should run on a minimal, updated OS. Audit firewall rules to ensure only necessary ports (e.g., TCP 9000 for libp2p, 8545 for RPC if needed) are exposed. Verify the use of reverse proxies (like Nginx) and DDoS protection (Cloudflare, AWS Shield) for RPC endpoints. Check for security monitoring: are there intrusion detection systems (IDS), log aggregation (ELK stack), and alerts for abnormal resource usage or slashable events? A systemctl status check is not enough; you need evidence of proactive security logging.
Software and dependency management is critical. Audit the process for client updates: how quickly are security patches applied after a release? Are nodes running a diverse mix of consensus clients (Prysm, Lighthouse, Nimbus) to mitigate client-specific bugs? Check for automated monitoring of fork choice and attestation performance. For cloud deployments, review IAM policies to ensure the principle of least privilege—the instance should not have unnecessary permissions to other cloud resources.
Finally, evaluate physical and organizational security. For large operators, where is the data center located? What are its physical access controls? Review the incident response plan: is there a documented procedure for a key compromise, a node failure, or a network attack? Test backup and recovery processes: how long does it take to rebuild and sync a node from backups? The audit report should provide actionable recommendations, such as "Implement HSM-based signing within 90 days" or "Enforce multi-client diversity across 30% of nodes."
networking-storage-audit
NETWORKING AND STORAGE LAYERS
How to Audit Infrastructure Security Practices
A technical guide for security researchers and developers on evaluating the foundational security of Web3 infrastructure, focusing on node networking and data storage.
Auditing a blockchain node's networking layer begins with analyzing its peer-to-peer (P2P) protocol implementation. Key areas include verifying the correct use of libp2p or a custom stack, checking for proper peer discovery mechanisms (like Kademlia DHT or DNS-based seed lists), and ensuring secure transport encryption (e.g., TLS 1.3, Noise Protocol). You must test for common vulnerabilities such as eclipse attacks, where an attacker isolates a node by monopolizing its connections, and sybil attacks, where an attacker creates many fake identities. Tools like Wireshark for packet analysis and custom scripts to simulate malicious peers are essential for this phase.
The storage layer audit focuses on how the node persists chain data, state, and private keys. Examine the database choice (e.g., LevelDB, RocksDB) for known CVEs and configuration hardening. For consensus nodes, scrutinize the validator key management lifecycle: how keys are generated, encrypted at rest, loaded into memory, and used for signing. A critical check is ensuring private keys are never exposed in logs, environment variables, or error messages. Audit the implementation of the chain's state trie (like Ethereum's Merkle Patricia Trie) for correct caching and pruning logic, as flaws here can lead to state corruption or denial-of-service.
Real-world audits must verify defense-in-depth at the host level. This includes checking that the node software runs with minimal OS privileges (non-root user), filesystem permissions are restrictive, and unnecessary network ports are closed. Review the configuration of any adjacent services, such as the RPC/API endpoint (e.g., Ethereum's JSON-RPC). It should be bound to localhost or protected by a firewall; public exposure often leads to theft via eth_sendTransaction calls. For storage, ensure full disk encryption is used for any persistent volumes holding sensitive data, complementing application-layer encryption.
Automated scanning and manual code review are complementary. Use static analysis tools (Slither, Semgrep) on the node client's codebase to find logic bugs in message handling or state transitions. For dynamic analysis, employ fuzzing frameworks (like AFL++ or libFuzzer) against the P2P message deserialization routines and the database interface. Manually review the fork choice rule and block/transaction gossip protocols, as these are complex and critical for consensus safety. Always reference the official protocol specifications (e.g., Ethereum's execution and consensus specs) as the ground truth for expected behavior.
Finally, produce a report that prioritizes findings by impact and likelihood. A critical finding might be "Validator private key material is stored in a world-readable file." A high-severity finding could be "The node's P2P identity is not authenticated, allowing trivial eclipse attacks." Include concrete proof-of-concept code or command-line instructions to reproduce each issue. The goal is to provide the project team with actionable, specific remediation steps, such as implementing peer authentication using signed peer records or moving to a hardware security module (HSM) for key storage.
execution-audit
EXECUTION LAYER SECURITY
How to Audit Infrastructure Security Practices
A systematic guide to evaluating the foundational security of EVM and SVM node infrastructure, from RPC endpoints to validator configurations.
Auditing execution layer infrastructure requires moving beyond smart contract code to examine the operational security of the nodes themselves. Key areas include RPC endpoint security, validator client configuration, and network-level protections. For EVM chains, this means scrutinizing Geth, Erigon, or Nethermind clients. For Solana, it involves auditing the solana-validator setup. Common risks include exposed RPC ports, unencrypted peer-to-peer traffic, and insecure administrative APIs that could lead to chain reorganization or denial-of-service attacks.
Begin by mapping the attack surface. Document all externally facing services: the JSON-RPC endpoint (ports 8545/8546 for HTTP/WebSocket), the P2P discovery port (30303 for Geth, 8000-8100 for Solana), and any metrics or monitoring ports (e.g., Grafana). Use network scanning tools like nmap to verify only intended ports are open. Check that RPC methods are properly restricted; public nodes should disable dangerous methods like eth_sendTransaction, personal_unlockAccount, or debug_traceTransaction to prevent unauthorized transaction submission and information leakage.
Validator security is critical for chain integrity. Audit the configuration files (e.g., geth.toml, validator.yml). Ensure the JWT secret for Engine API communication is properly generated, stored as a file with 600 permissions, and never logged. Verify that the --authrpc.jwtsecret path is correctly set. For Solana, check the --identity and --vote-account keypair files are encrypted and stored offline when possible. A common finding is weak --max-peers settings, which can make a node susceptible to eclipse attacks by limiting its view of the honest network.
Implement defense-in-depth at the network layer. Nodes should be behind a firewall with strict ingress/egress rules. Consider using a reverse proxy (like Nginx) for the RPC endpoint to add rate limiting, request filtering, and SSL/TLS termination. For cloud deployments, audit security groups and IAM roles to follow the principle of least privilege. Monitor system logs for failed login attempts and unusual syncing behavior. Tools like the Ethereum Node Watchdog or Solana Validator Health Check scripts can automate checks for chain head lag, peer count, and memory usage.
Finally, establish a continuous security posture. Infrastructure audits are not one-time events. Automate configuration checks using infrastructure-as-code tools like Ansible or Terraform to enforce baselines. Monitor for CVEs related to the client software (e.g., Geth, Lighthouse, Solana Labs releases) and have a patching protocol. Document an incident response plan for scenarios like a validator key compromise or a sustained DDoS attack. The goal is to create a resilient, observable node operation that maintains liveness and correctness under adversarial conditions.
SECURITY MATRIX
Common Infrastructure Vulnerabilities and Mitigations
A comparison of critical vulnerabilities in Web3 infrastructure, their potential impact, and recommended mitigation strategies.
| Vulnerability / Attack Vector | Risk Level | Potential Impact | Primary Mitigation |
|---|---|---|---|
RPC Node Centralization | HIGH | Single point of failure, censorship, downtime | Use decentralized RPC providers (e.g., ANKR, Pocket Network) or run redundant nodes |
Validator Key Management | CRITICAL | Total loss of staked funds, slashing, network compromise | Use hardware security modules (HSMs) or MPC wallets (e.g., Fireblocks, Gnosis Safe) |
Load Balancer Misconfiguration | MEDIUM | Service disruption, DDoS susceptibility, uneven traffic | Implement health checks, rate limiting, and Web Application Firewall (WAF) rules |
Cloud Metadata Service Exposure | HIGH | Instance takeover, credential theft, lateral movement | Disable IMDSv1, enforce IMDSv2, and apply strict IAM policies on cloud instances |
Container Image Vulnerabilities | MEDIUM | Privilege escalation, remote code execution | Use minimal base images, scan with tools like Trivy/Grype, and enforce image signing |
Secrets Management in CI/CD | CRITICAL | Private key leakage, unauthorized deployments | Use secret managers (Vault, AWS Secrets Manager) and never hardcode secrets in repositories |
Insufficient Logging & Monitoring | MEDIUM | Undetected breaches, delayed incident response | Implement centralized logging (Loki, ELK Stack) and real-time alerts for anomalous activity |
INFRASTRUCTURE SECURITY
Frequently Asked Questions (FAQ)
Common questions and troubleshooting for developers evaluating the security of blockchain infrastructure, including RPC providers, validators, and node services.
Infrastructure security refers to the measures and practices that protect the underlying services your dApp relies on, such as RPC endpoints, archival nodes, and validator clients. Unlike smart contract audits, which focus on on-chain logic, infrastructure security assesses the off-chain components that can be single points of failure.
A compromised or unreliable RPC provider can lead to:
- Censored transactions being dropped from the mempool.
- Stale or forked data causing incorrect application state.
- Downtime that renders your dApp unusable.
For example, if your dApp's frontend uses a single RPC endpoint that goes offline, all user interactions fail. This makes evaluating provider redundancy, data integrity, and operational security a foundational step for any serious project.
resource-links
SECURITY AUDIT REFERENCES
Further Resources and Documentation
Primary documentation and tooling references for auditing infrastructure security practices. These resources are used by auditors, cloud security teams, and protocol engineers to validate controls, identify misconfigurations, and enforce security baselines in production environments.
conclusion
CONTINUOUS IMPROVEMENT
Conclusion and Next Steps
Infrastructure security is not a one-time audit but an ongoing discipline. This guide has provided a framework for evaluating key areas, from node security to smart contract dependencies.
A successful audit produces a prioritized list of findings. The next step is to create a clear remediation plan. Critical vulnerabilities, such as an exposed validator key or a compromised RPC endpoint, require immediate action. High and medium-severity issues, like outdated client software or insufficient monitoring, should be scheduled for resolution in the next development cycle. Documenting each fix and retesting is crucial for closing the loop.
To institutionalize security, integrate these practices into your development lifecycle. Adopt infrastructure-as-code (IaC) tools like Terraform or Pulumi to ensure consistent, version-controlled deployments. Implement continuous integration/continuous deployment (CI/CD) pipelines that run security scans, such as checking for secrets in code with TruffleHog or analyzing container images with Trivy, before deployment to production environments.
Staying current is a continuous requirement. Subscribe to security advisories for all core components you use: the Ethereum Foundation, Consensys (for Besu/Teku), Chainlink, and The Graph. Participate in ecosystem working groups and consider engaging professional auditing firms for periodic, in-depth reviews. Your security posture is only as strong as your commitment to maintaining it over time.