Fortuna

Ready to strengthen your defenses?

Let's discuss your next
security milestone
CONTACT
CASE STUDIES
ARWEAVE

ArS3nal gateway: A secure native Rust solution for Arweave

CLIENT

Arweave

SERVICE

Research

INDUSTRY

Crypto

YEAR

2025

We built a native Rust client for ArS3nal, an S3-compatible Arweave gateway, focusing on correctness, efficiency, and safety. Using Rust's type system, we eliminated common bugs, enforced safe operations at compile time, and created a fast, resource-efficient, and secure library fully compatible with the existing ecosystem.

Problem

Existing Arweave tooling is built primarily for the JavaScript/TypeScript ecosystem. These tools often lack strong guardrails, handle sensitive data haphazardly, and use resources inefficiently.

For ArS3nal, we needed a solution written in Rust that avoided these shortcomings while remaining fully compatible with the existing ecosystem. This was difficult for several reasons:

  • No Formal Specs: We had to build without formal specifications or interoperability tests.
  • Non-Standard Crypto: Aspects of Arweave's use of cryptography deviate from standards and required precise handling.
  • L2 Complexity: To guarantee maximum compatibility, we needed comprehensive support for L2 (Bundles).

Solution

We chose a "greenfield" approach. Instead of porting existing libraries—and inheriting their shortcomings—we built everything from first principles.

This allowed us to use Rust's type system to build an API that is idiomatic and hard to misuse. We moved most correctness checks to compile time to prevent runtime errors or—even worse—data corruption. Our architecture relies on:

  • Unrepresentable Invalid States: We used the type system to ensure invalid states cannot exist in the code.
  • Strict Access Control: We allow only specific, "blessed" methods for instantiating or converting certain types.
  • The Typestate Pattern: We used the typestate pattern to enforce the correct order of operations and safe state transitions.
  • Integrated Authentication: We treated data authentication as a core requirement enforced by the type system, not an afterthought.
  • Guarded Secrets: We placed key material behind specific "guard types." This prevents accidental disclosure and makes interaction with sensitive data intentional and easier to audit.

Key results

01

The resulting library is significantly faster and more resource-efficient than existing tools. Crucially, it is easy to use correctly and hard to use incorrectly.

02

By strictly enforcing these constraints, we created a library that is immune to multiple categories of common bugs. In fact, the strict environment helped us catch several subtle bugs during development that would have likely slipped through in a looser environment.

03

Because the library is 100% Rust with no external system dependencies, it allows developers to build highly portable apps, including those compiled to WASM.

Explore related
case studies

Client: RustCrypto: RSA-PSS Interoperability

SERVICE

Research

YEAR

2025

We updated the RustCrypto RSA library to improve interoperability for RSA signature verification

Fortuna updated RustCrypto RSA to securely verify legacy RSA-PSS signatures with unknown salt lengths while preserving constant-time execution.

EXPLOREEXPLORE
Floating Point Group

SERVICE

Security Architecture

YEAR

2022

Enhancing crypto trading reliability and security at Floating Point Group

We helped Floating Point Group secure and scale their trading API, modernize infrastructure, and strengthen engineering practices.

EXPLOREEXPLORE

Let's discuss your next security or compliance milestone

Scale with securityScale with security