Security First
Security Center
Secure SDLC, threat modeling, contract testing, bug bounty, and incident response. Production deploys only after audit and approval.
No Automatic Production Deployment
Solana Devnet
Status: NOT YET DEPLOYED
The Solana presale program and token will be deployed to devnet for testing before mainnet.
Ethereum Sepolia
Status: NOT YET DEPLOYED
The Ethereum contribution contract will be deployed to Sepolia testnet for testing before mainnet.
Secure SDLC
Testing & Validation
Threat Model
Documented and maintained threat model covering contract, frontend, backend, and infrastructure attack surfaces.
Architecture Diagram
Published system architecture showing all components, data flows, and trust boundaries.
Contract Tests
Unit, integration, and property-based tests for all smart contract functions.
Access-Control Tests
Verification that only authorized roles can perform privileged operations.
Reentrancy Tests
EVM components tested for reentrancy vulnerabilities using standard attack patterns.
Integer/Overflow
Integer and overflow validation for all arithmetic operations.
Duplicate-Claim Tests
Claim registry tested to prevent double-claiming of allocations.
Oracle Analysis
Oracle manipulation analysis where external data sources are used.
Frontend Security
- Content Security Policy (CSP) headers
- Frontend injection protections (input sanitization)
- Rate limiting on API endpoints
- Anti-bot controls (transaction ordering, CAPTCHA)
- No authoritative calculations in frontend JavaScript
- Wallet transaction signing verified server-side where applicable
CI/CD Security Gates
- Dependency scanning in CI/CD pipeline
- Secret scanning to prevent credential leaks
- CI/CD security gates blocking vulnerable builds
- Infrastructure-as-code with version control
- Monitoring and alerting (Sentry or equivalent)
- Automated test suite on every pull request
Deployment Gates
Each gate must be passed before production deployment:
Legal review by qualified counsel
RequiredSecurity audit by independent third-party firm
RequiredTestnet acceptance testing (Solana devnet, Ethereum Sepolia)
RequiredTreasury multisig configuration verified
RequiredFinal tokenomics approval by project owner
RequiredContract Pause Process
The presale contract includes a pause function for emergencies (e.g., discovered vulnerability). Pause requires multisig approval. If paused:
- New contributions are blocked immediately
- Existing contributions remain recorded on-chain
- Incident is disclosed in the transparency center
- Resume requires multisig approval after remediation
Incident Response Runbook
Detect: Monitoring alerts or community reports identify a potential incident.
Assess: Security engineer evaluates severity and impact.
Contain: If needed, pause presale contract via multisig. Isolate affected systems.
Eradicate: Remove the root cause — patch, redeploy, or revoke compromised access.
Recover: Restore service from known-good state. Verify integrity.
Notify: Publish incident report in transparency center. Notify affected users.
Post-mortem: Document lessons learned and preventive measures.
Bug Bounty Program
A bug bounty program will be launched to incentivize responsible disclosure of vulnerabilities. Details (scope, rewards, rules) will be published after contract deployment.
Scope
Contracts + Frontend
Rewards
Tiered by severity
Status
PENDING LAUNCH
Audit Reports
Audit providers will be selected via RFP. No audit reports exist yet. Reports will be published in the Transparency Center after completion.