Intro
Today we’re publishing the Sighash Labs smart contract audit report for ParyonUSD! The audit process spanned three passes, each round strengthening the contracts, and we’re confident the end result is a thoroughly hardened system.
Contract Security
As a decentralized stablecoin, the security of ParyonUSD’s smart contracts is paramount. As we described in the blogpost on our open-source contracts, the ParyonUSD system consists of 26 separate CashScript contracts, making it the most advanced end-user application on Bitcoin Script to date.
Finding the right external reviewer was essential. We needed someone with deep experience in complex UTXO-model smart contracts and close familiarity with the Bitcoin family of blockchains.
Sighash Labs
We worked with Sighash Labs to perform the smart contract audit. This decision came after a careful and intensive search. We found Mihael Šinkec through his work on the sCrypt compiler, work on OP_CAT protocols and his zero-knowledge tutorials, the kind of expertise we were looking for.
Audit Preparation
To prepare for the audit, we spent significant effort making the code audit-ready with comprehensive inline comments and detailed supporting documentation. Throughout the audit process, we continued to improve the code comments, variable naming and contract documentation. You can find the contract_overview and contract_safety docs in the contracts repo.
As part of our preparation, we also contributed back to the broader BCH ecosystem by helping expand and improve the CashScript documentation, including new CashTokens, Transaction Lifecycle and Adversarial Analysis guides.
Audit Process
The audit with Sighash Labs started on October 1st, 2025, and ultimately spanned three passes:
First pass: Initial review of the contract system. Multiple issues were identified spanning all severity levels, including a critical-rated issue related to interest-earning flows.
Second pass: After a remediation period, all findings were verified as resolved and the changes re-audited. However, as we detailed in our postponement blogpost, a bug in the redemption logic was introduced during the remediation.
Third pass: After the redemption bug was discovered and fixed, we conducted a thorough internal review of all contracts and documentation before freezing the revised code. Sighash Labs then performed a full re-audit of the final contract state. The third pass came back clean, no outstanding issues.
The audit process was highly valuable. All findings were fully resolved and verified across the three passes, resulting in the thoroughly hardened system we have today. The depth and rigor of the audit is visible in the report itself.
Audit Report
Now, for the report itself - here is the full ParyonUSD audit report by Sighash Labs. We have also added the audit report to the open-source contracts repo at github.com/ParyonUSD/contracts.
The smart contract audit was a success, with no outstanding issues on the final pass. With the audit completed, ParyonUSD is ready for launch. 🦾
What’s Next
A second audit report by Sayoshi Nakamario (Lifestone Labs), who found the redemption bug, is still being finalized and will be published separately.
Addendum: Verification
The contracts repo has a clean git history, so you won’t find the original commit hashes from the audit report directly. Instead, the audit identifies snapshots by their git tree hashes, which are based on repo content and remain stable across history rewrites.
You can list tree hashes for all commits with git log --format="%T %s". The three audit passes correspond to these tree hashes:
- First pass:
873f00ce... - Second pass:
7446726a... - Third pass:
e8b122a7...
Changes made after the third pass (documentation, comments, the ParyonUSD rename) do not affect the compiled contract bytecode. You can verify this yourself, see bytecode-verification.md in the contracts repo for instructions.
Join the Conversation
Stay informed about our progress and dive deeper into the details of the ParyonUSD project by following our updates. We invite you to be part of the discussion and join the community.
- Follow ParyonUSD on X: x.com/ParyonUSD
- Join the ParyonUSD group on Telegram: t.me/ParyonUSD
In our Telegram group, you’ll have the opportunity to engage directly with the team, ask questions, share your thoughts, and be part of the ongoing conversation as we build ParyonUSD together!