
Security

beta

Audit status, security measures, and responsible disclosure

Audit Status

Last audit: March 2026
Type: Full-stack automated review
Scope: SDK, CLI, Server, Indexer, Contracts, CI/CD
Findings: 22 total, 20 remediated, 2 deferred

No vulnerabilities enabling direct fund theft were found. All critical and high-severity findings have been remediated.

Deferred (infrastructure changes)

M-3: Stronger scrypt KDF parameters for key encryption
L-5: Migrate CI/CD to short-lived AWS credentials (OIDC federation instead of long-lived static access keys)

CI / CD Pipeline


Every push and PR runs lint, typecheck, 317 tests, CodeQL analysis, dependency audit, and license compliance.

Security Measures

Non-Custodial

Private keys are generated and stored locally, encrypted with AES-256-GCM under a key derived from your passphrase with scrypt (the audit's deferred finding M-3 concerns strengthening those scrypt parameters). We never have access to your keys.

Transaction Simulation

Every transaction is simulated (dry-run) before it is signed, so a transaction that would abort is caught before a signature exists. Move abort codes returned by the simulation are mapped to user-friendly error messages.
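Below is an added example of the simulate-then-sign gate and the abort-code mapping, written for this page rather than taken from t2000.ai's SDK. The `effects.status` shape and the `MoveAbort(MoveLocation { ... }, code) in command N` string follow the Sui JSON-RPC dry-run response as I know it, which is an assumption about the exact format; the abort-code table, the module names and the sample responses are constructed for illustration.

```javascript
// Added example (not t2000.ai's code): refuse to sign unless a dry-run succeeded,
// and turn Move abort codes into messages a user can act on. The effects shape
// and the error string are assumed to follow Sui's dryRunTransactionBlock
// response; the abort-code table and sample responses are invented.
const ABORT_MESSAGES = {
  pool: {
    1: "Slippage exceeded: the pool moved before your transaction would execute.",
    2: "Pool is paused by its admin.",
  },
  fees: { 3: "Fee would exceed the contract's hard cap." },
};

// Parses the Rust Debug-style MoveAbort string, e.g.
//   MoveAbort(MoveLocation { module: ModuleId { address: 0x..., name: Identifier("pool") },
//   function: 2, instruction: 12, function_name: Some("swap") }, 1) in command 0
// function_name may be None on older nodes, so that capture is optional.
const MOVE_ABORT_RE =
  /MoveAbort\(MoveLocation \{.*?name: Identifier\("([^"]+)"\)(?:.*?function_name: Some\("([^"]+)"\))?.*?\},\s*(\d+)\)(?: in command (\d+))?/;

function explainDryRun(effects) {
  if (effects.status.status === "success") return { ok: true, message: "Simulation succeeded." };
  const raw = effects.status.error || "unknown failure";
  const m = MOVE_ABORT_RE.exec(raw);
  // Non-abort failures (InsufficientGas, ...) are surfaced verbatim rather than hidden.
  if (!m) return { ok: false, message: `Simulation failed: ${raw}`, raw };
  const [, module, fn, codeStr, cmdStr] = m;
  const code = Number(codeStr);
  const known = ABORT_MESSAGES[module] && ABORT_MESSAGES[module][code];
  return {
    ok: false,
    module,
    function: fn,
    code,
    command: cmdStr === undefined ? undefined : Number(cmdStr),
    // Unknown codes still identify module::function so the user can report them.
    message: known || `${module}::${fn || "?"} aborted with code ${code}.`,
    raw,
  };
}

// Only ever sign after a successful simulation. dryRun and sign are injected;
// in a real SDK they would wrap the RPC client and the local keystore.
async function simulateThenSign(dryRun, sign, txBytes) {
  const verdict = explainDryRun(await dryRun(txBytes));
  if (!verdict.ok) throw new Error(verdict.message);
  return sign(txBytes);
}

// Constructed sample responses (not captured from a real node).
const SAMPLE_ABORT = { status: { status: "failure", error:
  'MoveAbort(MoveLocation { module: ModuleId { address: 0x1234, name: Identifier("pool") }, function: 2, instruction: 12, function_name: Some("swap") }, 1) in command 0' } };
const SAMPLE_UNKNOWN = { status: { status: "failure", error:
  'MoveAbort(MoveLocation { module: ModuleId { address: 0x1234, name: Identifier("vault") }, function: 0, instruction: 3, function_name: Some("withdraw") }, 42) in command 1' } };
const SAMPLE_GAS = { status: { status: "failure", error: "InsufficientGas" } };
const SAMPLE_OK = { status: { status: "success" } };
```

The important property is that `simulateThenSign` never reaches `sign` on any failure, including failures the mapper does not recognise; a mapper that only knows a few codes must still fail closed on the rest.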

On-Chain Governance

Fee changes require a 7-day on-chain timelock, so a change is visible before it takes effect. Fees are hard-capped at 5% in the smart contract, regardless of what the admin proposes. Admin transfer is two-step (propose, then accept from the new address), so a mistyped address cannot orphan the contract.

Price Circuit Breaker

Gas sponsorship is automatically paused when the SUI price moves more than 20% within one hour, limiting what an oracle manipulation or a sudden price swing can do while it is in effect.
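An added example of such a breaker follows; it is written for this page and is not t2000.ai's implementation. The thresholds (20%, one hour) are the page's; everything else, in particular comparing the latest reading against every reading still inside the window, failing closed on invalid oracle output, and staying paused until an explicit reset, is an assumption about how a practitioner would build it.

```javascript
// Added example (not t2000.ai's code): a sliding-window price circuit breaker.
// It pauses when the latest oracle reading differs by more than 20% from any
// reading taken in the previous hour, and fails closed on garbage readings.
// Thresholds are the page's; the recovery rule (manual reset) is an assumption.
class PriceCircuitBreaker {
  constructor({ windowMs = 60 * 60 * 1000, maxMoveBps = 2000 } = {}) {
    this.windowMs = windowMs;
    this.maxMoveBps = maxMoveBps;
    this.samples = []; // { ts, price } still inside the window, oldest first
    this.paused = false;
    this.reason = null;
  }

  // Feed one oracle reading; returns true while sponsorship must stay paused.
  observe(price, ts = Date.now()) {
    if (this.paused) return true;
    // Fail closed: an oracle returning NaN, 0 or a negative price is itself a signal.
    if (!Number.isFinite(price) || price <= 0) return this.trip(`invalid oracle price: ${price}`);
    const cutoff = ts - this.windowMs;
    while (this.samples.length && this.samples[0].ts < cutoff) this.samples.shift();
    // Compare against every reading in the window, not just the oldest one:
    // a spike-and-revert inside the hour must trip too.
    for (const s of this.samples) {
      const moveBps = Math.round((Math.abs(price - s.price) / s.price) * 10000);
      if (moveBps > this.maxMoveBps) {
        return this.trip(`price moved ${moveBps} bps against reading at t=${s.ts}`);
      }
    }
    this.samples.push({ ts, price });
    return false;
  }

  trip(reason) { this.paused = true; this.reason = reason; return true; }
  reset() { this.paused = false; this.reason = null; this.samples = []; }
}

// Constructed price feed (not real market data): steady, then a 22% drop within the hour.
function runScenario() {
  const MIN = 60 * 1000;
  const t0 = 1700000000000;
  const cb = new PriceCircuitBreaker();
  return [
    cb.observe(1.00, t0),            // false: first reading, nothing to compare
    cb.observe(1.05, t0 + 10 * MIN), // false: +5%
    cb.observe(0.90, t0 + 20 * MIN), // false: -10% vs 1.00, -14% vs 1.05
    cb.observe(0.78, t0 + 30 * MIN), // true: -22% vs the 1.00 reading inside the hour
    cb.observe(1.00, t0 + 40 * MIN), // true: stays paused until reset()
  ];
}

// Slow drift: readings older than an hour leave the window, so the same total
// move spread over more than an hour does not trip; a NaN reading still does.
function runDriftScenario() {
  const MIN = 60 * 1000;
  const t0 = 1700000000000;
  const cb = new PriceCircuitBreaker();
  return [
    cb.observe(1.00, t0),            // false
    cb.observe(0.85, t0 + 50 * MIN), // false: -15%, under the threshold
    cb.observe(0.75, t0 + 70 * MIN), // false: the 1.00 reading is older than 1h; -12% vs 0.85
    cb.observe(NaN, t0 + 71 * MIN),  // true: garbage reading, fail closed
  ];
}
```

Note the drift scenario: a breaker that compares only the current reading with the one from exactly an hour ago would behave the same here, but it would miss a spike that reverts within the hour, which is the shape an oracle manipulation usually has; comparing against the whole window catches both.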

Automated Scanning

GitHub Actions pipeline runs CodeQL static analysis, dependency audits, and license compliance checks on every push and weekly.

Test Suite

317 tests across 20 files covering unit, integration, and adapter compliance — including multi-protocol orchestration edge cases.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. Do not open a public GitHub issue.

Response: acknowledgment within 48 hours