November 01, 2023

Focusing on EVM and Cosmos SDK chains, Beosin provides security services for the Celestia ecosystem

Celestia, a modular blockchain focused on data availability, is about to be launched and modular blockchains have become a hot topic in the market once again. By decoupling public chain functions, Celestia mainly assumes the functions of consensus layer and data availability layer, providing a simpler and more flexible solution for building decentralized applications and blockchains.

In this article, we will analyze Celestia's architecture and technology in detail to help you understand Celestia and its ecological development, as well as explain the best practices to build applications on the Celestia and to strengthen the security of projects.

What is Celestia?

Celestia is a modular Layer1 whose job is to order transactions and verify if the published data is available. The core concept of Celestia is to implement a modular blockchain architecture, so that developers can get rid of the limitations of a single architecture during the development process of building a blockchain.

Celestia's modularity is divided into execution layer, settlement layer, and consensus and data availability layer, as shown in the following figure:

1.  Execution layer

It is composed of Rollups and responsible for executing transactions. Celestia uses Rollups to provide diverse options for the execution layer. In addition to supporting Optimistic Rollup and zkRollup, Rollup solutions such as dYmension, Eclipse, and Fuel built based on Celestia make it possible to connect Cosmos and Solana ecosystem.

2.  Settlement layer

What is currently worthy of attention is the settlement layer Cevmos developed by Celestia in cooperation with Evmos. It will build the recursive Rollup of EVM based on Evmos. Each Rollup built on Cevmos has a two-way bridge with Cevmos, which can redeploy existing Rollup contracts and applications on Ethereum, reducing the workload required for application migration.

3.  Consensus and data availability layer

This layer is responsible for data availability and consensus mechanism. Data in all formats will be delivered to the data availability layer. The system incentivizes nodes to store data through TIA token and nodes use Reed-Solomon encoding and specialized Namespaced Merkle Trees to ensure data availability.

Celestia Security Practices

Due to its modular architecture, Celestia supports multiple programming languages and virtual machines, such as Solidity and Rust (CosmWasm), at both the settlement and execution layers. The modular feature of Celestia means that developers are not limited to these languages. They can use any existing languages and virtual machines, or even define their own languages and virtual machines, such as FuelVM and its programming language Sway.

Solidity best security practices

If you develop an application on Cevmos or other Rollup that supports EVM, the development process and required tools are almost identical to those on Ethereum, and the application can also be migrated to other EVM-compatible public chains. Following the following security guidelines can improve your project’s contract security:

1.  All smart contracts may have vulnerabilities

For Cevmos or new Rollups that support EVM, the problem of contract vulnerabilities cannot be ignored. Therefore, when the project team develops the contract, it should set up an emergency pause function in the contract and formulate a risk response plan to quickly respond and repair vulnerabilities when risks arise.

2.  Solidity does not have floating point numbers

When it comes to arithmetic operations, the accuracy of the results needs to be considered, especially when calculating the number and price of tokens. Developers should pay attention to the order of operations, use higher-precision data types such as uint256 to store variables, and then perform operations.

3.  Contract upgrades

Developers should pay attention to the following points:

● Avoid calling external libraries in the deploy contract, because it is difficult to predict how external libraries will affect the contract's storage access.

● During the upgrade process, be careful not to overwrite the data of stored variables.

● Try to avoid doing anything in the constructor function.

4.  Use multi-signature wallets

Project teams need to consider using multi-signature wallets to manage project treasury and smart contracts. Multi-signature accounts need to be held by multiple entities to avoid potential access control risks.

CosmWasm Security Practices

If developers plan to build applications on the Cosmos, they will use CosmWasm when developing smart contracts. Following the following security guidelines can improve the contract security:

1.  Be prepared for potential attacks

Similar to developing contracts using Solidity, developers need to consider how to face attacks and fix vulnerabilities. Therefore, developers need to build upgradable smart contracts and develop risk response plans.

2.  Be aware of addr type deserialization

The addr type of CosmWasm is not validated during deserialization, which indicates that the addr type has unexpected deserialization characteristics. Therefore, it is recommended to specify the type and validate it after deserializing addr.

3.  Be careful about arithmetic operations

In the CosmWasm contract, developers need to pay attention to the risk of integer overflow or division by zero. It is recommended that developers use CosmWasm Uint256 and Uint512 types and use the math function full_mul() that does not overflow.

4.  Avoid infinite loop

The CosmWasm contract may get stuck in an infinite loop by calling itself back in the ACK handler if developers transfer data packets between two CosmWasm contracts. They should be aware that an infinite loop will consume a large amount of gas fees.

Protocol Security Practices

1.  Smart contract audit

Smart contract audit is to systematically test and review the smart contract code to discover potential security loopholes as much as possible, eliminate security risks, and ensure that the code has no business logic loopholes and conforms to the expected operating process and results. Regular security audits of the project's smart contracts are crucial. It is recommended that the audit be conducted after the contract development is completed and before the mainnet is deployed.

As a world-leading blockchain security team, Beosin focuses on blockchain security and formal verification technologies, provides detailed and comprehensive security audits for EVM and Cosmos ecological applications, and is committed to providing advanced solutions for the entire blockchain ecosystem. Safety and security. Previously, Beosin has completed the security audit of Kryptonite, the largest liquidity staking protocol in the Cosmos public chain Sei ecosystem, to protect Sei's staking services.

2.  Formal verification

Formal verification is different from security auditing. It is based on strict mathematical proofs and provides complete coverage of the program to prove that the code implementation meets security or functional requirements.

Beosin takes full advantage of the wide application range of static analysis and the high accuracy of dynamic analysis, and uses the self-developed high-performance Beosin VaaS, a formal verification tool to automatically perform formal verification of smart contract codes to discover things that are difficult to discover in pure manual audits or traditional testing.


Celestia is a modular Layer1 with great potential, featuring scalability, flexibility and interoperability. Currently, Celestia's ecosystem is still in the early stages. While exploring modular solutions, developers can effectively improve project security by following the above security practices.

Beosin is a leading global blockchain security company co-founded by professors from world-renowned universities and there are 40+ PhDs in the team. It has offices in Singapore, Hong Kong, Japan and other 10+ countries and regions. With the mission of "Securing Blockchain Ecosystem", Beosin provides "All-in-One" blockchain security solution covering Smart Contract Audit, On-chain Risk Monitoring & Alert, KYT AML, and Crypto Tracing. Beosin has already audited more than 3000 smart contracts including famous Web3 projects PancakeSwap, DODO, DeBox and Ankr and all of them are monitored by Beosin EagleEye. The KYT AML are serving 100+ institutions including Hashkey, Cobo, OpenBlock, Aegis and Celer.


If you need any blockchain security services, welcome to contact us:

Official Website Beosin EagleEye Twitter Telegram LinkedIn

Related Project

Related Project Secure Score

Guess you like
Learn More
  • Blockchain Security Recap of October: $51.61M Lost in Attacks

    November 01, 2023

  • Beosin KYT Analysis of Virtual Currency Addresses Associated with Hamas Sanctions

    November 03, 2023

  • Analysis of $2.18 Million Loss in Hacker Attack on OnyxProtocol

    November 03, 2023

  • Beosin Research | Risks in Flashloans in Solidity

    November 07, 2023

Join the community to discuss.