[New Snap] QubicConnect #1060

Open
4 of 7 tasks
khanti42 opened this issue Feb 6, 2025 · 0 comments · May be fixed by #1024

Comments

Collaborator

khanti42 commented Feb 6, 2025

Checklist

All items in the list below need to be satisfied.

  • Is the Snap repository publicly accessible and linked in this ticket: https://github.com/qubic/qubic-mm-snap
  • Is the Snap distributed on npm and linked in this ticket: https://www.npmjs.com/package/@qubic-lib/qubic-mm-snap
  • Has an audit been performed and the audit report attached or linked in this issue: yes
  • Is a complete list of discovered vulnerabilities from the audit documented in this issue?
  • For vulnerabilities that have been deemed necessary to be addressed, are the links to the fixes attached to this issue?
  • For vulnerabilities that have been deemed not necessary to be addressed, is a reason for each of them documented in this issue?
  • The corresponding pull request in this repo has been merged.

Audit details

url: https://sayfer.io/audits/metamask-snap-audit-report-for-qubic/

Security Assessment Summary

Unpinned Dependency Versions (SAY-01)

  • Status: Fixed | Risk: Low
  • Impact: Floating dependencies could expose the Snap to supply-chain attacks.
  • Fix: Pinned exact versions in package.json.

Insufficient Test Coverage (SAY-02)

  • Status: Fixed | Risk: Informational
  • Impact: Lack of unit tests increased the risk of undetected bugs.
  • Fix: Added unit tests for major functionalities.
@khanti42 khanti42 linked a pull request Feb 6, 2025 that will close this issue
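
A check for the condition behind SAY-01, added here as an example and not taken from the Snap's repository or the audit report: it classifies each dependency spec in a `package.json` and reports those that are not exact versions. The manifest, package names and function names are constructed for illustration.

```javascript
// Added example: report dependency specs that are not pinned to an exact version.
// SAMPLE_PACKAGE_JSON is constructed for illustration; it is not the Snap's manifest.
const EXACT = /^[=v]?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const URL_LIKE = /^(git\+|git:|https?:|file:|github:)|\//;
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Classify one spec as 'exact', 'range', 'tag' or 'url'.
function classifySpec(spec) {
  let s = String(spec).trim();
  // Alias form "npm:<name>@<version>": judge the version part only.
  if (s.startsWith('npm:')) {
    const at = s.lastIndexOf('@');
    if (at <= 4) return 'tag'; // alias without a version floats like "latest"
    s = s.slice(at + 1);
  }
  if (EXACT.test(s)) return 'exact';
  if (URL_LIKE.test(s)) return 'url'; // git, tarball or path source
  // Empty string means "*"; operators and partial versions ("1.x", "1.2") are ranges.
  if (s === '' || /^[\^~<>=*]/.test(s) || /^\d/.test(s)) return 'range';
  return 'tag'; // dist-tags such as "latest" or "next"
}

// Return one finding per dependency whose spec is not an exact version.
function findUnpinned(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-snap',
  dependencies: { 'lib-a': '1.4.2', 'lib-b': '^2.0.0', 'lib-c': '~0.3.1', 'lib-d': 'latest' },
  devDependencies: {
    'tool-a': '29.7.0', 'tool-b': '>=1.0.0 <2.0.0',
    'tool-c': 'github:example/tool-c', 'tool-d': 'npm:other@3.1.0',
  },
});

for (const f of findUnpinned(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.section}: ${f.name}@"${f.spec}" is not pinned (${f.kind})`);
}
```

Exact versions in `package.json` fix direct dependencies only; transitive versions are fixed by the committed lockfile.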