Security Question from a non-techie investor

As a non-dev investor, I found the 2025 audit concerning, because much of my investment was based on NNS security compared to Ethereum smart contracts. ChatGPT gave me this and I was wondering if anyone could speak to this:

A 2025 peer-reviewed analysis published on arXiv revealed that while the ICP protocol itself is robust, developers of dApps sometimes introduce vulnerabilities through poor design practices.

Key Findings from the Report:

  • 66% of audited canisters contained medium-to-high severity flaws, mostly due to:
    • Incorrect handling of state updates before asynchronous calls (violates ICP’s async safety principles).
    • Lack of robust access control in dApps using user-signed messages (especially social or DeFi dApps).
    • Improper use of inter-canister calls that reintroduce logical equivalents of reentrancy in multi-step workflows.
    • Failure to use cycle management best practices, leading to dApps that could be DoSed due to running out of cycles.

:warning: The key nuance: These are application-layer mistakes, not flaws in the ICP protocol or NNS. Just like how Solidity is secure in theory, but DeFi hacks still happen due to user/developer error.

1 Like

The paper was written by the Foundation members (including myself). The main observation is that a certain architectural choice (async messaging) made by ICP, which on the one hand allows ICP apps to run a lot faster than, say, Ethereum, also makes it more likely to introduce a particular kind of bug (reentrancy). This is not ICP-specific; there are many other blockchains (we looked at NEAR and MultiversX in the paper) that make the same architectural choice. We also present tools for preventing such bugs.

The 66% figure cited is correct, but note that all of these were found before the apps/contracts were released to production (during internal reviews). The “lack of robust access control” and “failure to use cycle management best practices” are just ChatGPT bullshitting; the paper doesn’t talk about these things.

10 Likes
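To make the bug class in the reply above concrete, here is an added example (not code from the paper, the poster, or DFINITY) that models the "check before the await, update state after it" mistake that async messaging makes easy, next to the hardened ordering. Canister state is a single-threaded `Rc<RefCell<..>>` standing in for an ic_cdk canister's thread-local state; `send_to_external_ledger` is an assumed stand-in for an inter-canister call that yields exactly once, and `run_interleaved` is a tiny round-robin scheduler that reproduces the interleaving ICP permits at await points. All names and the balance figures are constructed for the illustration.

```rust
use std::cell::RefCell;
use std::future::Future;
use std::pin::Pin;
use std::rc::Rc;
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

/// Constructed canister state; stands in for the thread_local RefCell state
/// an ic_cdk canister keeps. Single-threaded, like a real canister.
#[derive(Debug, Default)]
pub struct Ledger {
    pub balance: u64,  // what the user is still allowed to withdraw
    pub paid_out: u64, // what has actually been sent to the external ledger
}
pub type Shared = Rc<RefCell<Ledger>>;

/// Assumed stand-in for an inter-canister call. It returns Pending exactly once;
/// that is the point where a real canister yields and other messages may run
/// against the same state before this method's continuation executes.
pub struct CrossCanisterCall { yielded: bool, result: bool }
impl Future for CrossCanisterCall {
    type Output = bool;
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<bool> {
        if self.yielded { return Poll::Ready(self.result); }
        self.yielded = true;
        cx.waker().wake_by_ref();
        Poll::Pending
    }
}
fn send_to_external_ledger(succeeds: bool) -> CrossCanisterCall {
    CrossCanisterCall { yielded: false, result: succeeds }
}

/// VULNERABLE: the balance check happens before the await, the debit after it.
/// A second withdraw message scheduled during the await still sees the old balance.
pub async fn withdraw_vulnerable(state: Shared, amount: u64) -> Result<(), String> {
    if state.borrow().balance < amount {
        return Err("insufficient balance".into());
    }
    let ok = send_to_external_ledger(true).await; // other messages can run here
    if !ok { return Err("external ledger rejected transfer".into()); }
    let mut s = state.borrow_mut();
    s.balance = s.balance.saturating_sub(amount); // saturating only so the demo does not trap
    s.paid_out += amount;
    Ok(())
}

/// HARDENED: commit the state change before yielding, compensate if the call fails.
pub async fn withdraw_hardened(state: Shared, amount: u64) -> Result<(), String> {
    {
        let mut s = state.borrow_mut();
        if s.balance < amount { return Err("insufficient balance".into()); }
        s.balance -= amount; // the effect is visible to any interleaved message
    }
    let ok = send_to_external_ledger(true).await;
    let mut s = state.borrow_mut();
    if ok {
        s.paid_out += amount;
        Ok(())
    } else {
        s.balance += amount; // refund: the debit was provisional
        Err("external ledger rejected transfer; refunded".into())
    }
}

/// Minimal round-robin scheduler: polls every unfinished message once per round,
/// which reproduces the interleaving that await points allow.
pub fn run_interleaved(mut tasks: Vec<Pin<Box<dyn Future<Output = Result<(), String>>>>>) -> Vec<Result<(), String>> {
    fn clone(_: *const ()) -> RawWaker { RawWaker::new(std::ptr::null(), &VTABLE) }
    fn noop(_: *const ()) {}
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
    let waker = unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTABLE)) };
    let mut cx = Context::from_waker(&waker);
    let mut results: Vec<Option<Result<(), String>>> = vec![None; tasks.len()];
    while results.iter().any(Option::is_none) {
        for (i, task) in tasks.iter_mut().enumerate() {
            if results[i].is_none() {
                if let Poll::Ready(r) = task.as_mut().poll(&mut cx) { results[i] = Some(r); }
            }
        }
    }
    results.into_iter().map(Option::unwrap).collect()
}

/// Runs two withdrawals of 100 against a balance of 100 and reports
/// (remaining balance, total paid out, number of withdrawals that succeeded).
pub fn double_spend_demo(hardened: bool) -> (u64, u64, usize) {
    let state: Shared = Rc::new(RefCell::new(Ledger { balance: 100, paid_out: 0 }));
    let mut tasks: Vec<Pin<Box<dyn Future<Output = Result<(), String>>>>> = Vec::new();
    for _ in 0..2 {
        let st = Rc::clone(&state);
        if hardened { tasks.push(Box::pin(withdraw_hardened(st, 100))); }
        else { tasks.push(Box::pin(withdraw_vulnerable(st, 100))); }
    }
    let results = run_interleaved(tasks);
    let s = state.borrow();
    (s.balance, s.paid_out, results.iter().filter(|r| r.is_ok()).count())
}

fn main() {
    println!("vulnerable (balance, paid_out, ok): {:?}", double_spend_demo(false));
    println!("hardened   (balance, paid_out, ok): {:?}", double_spend_demo(true));
}
```

With the vulnerable ordering both messages pass the check, both awaits yield, and both continuations debit, so 200 is paid out of a balance of 100. With the hardened ordering the first message debits before it yields, the second sees a zero balance and is rejected, and only 100 leaves the canister. The same discipline applies to any state an inter-canister call depends on (locks, allowances, per-user flags): make the check and the state update in the same synchronous stretch before the await, and treat anything that must be undone on failure as a compensating step in the continuation.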

Thank you very much!