Effective Date: March 15, 2026
Contact: security@parad0xlabs.com

| Track | Status |
|---|---|
| Third-party audit | Not completed |
| AI-assisted internal review | Completed for the public repo |
| Public consistency checks | Available via `npm run check:public` |
| Root canonical verifier path | Published and compile-tested |
| Root canonical proof flow | Published and locally reproducible via `tests/canonical-proof-flow.test.mjs` |
| Public withdraw payout path | Disabled/fail-closed until amount+recipient binding is promoted into the canonical proof bundle |
| Root update authority | Restricted by `RootAuthorityConfig` in the current root source |
| Mainnet release assurance | Not established |

Send reports to security@parad0xlabs.com with:
- a clear description of the issue
- reproduction steps
- impact assessment
- proof-of-concept material if safe to share

This repository currently publishes:
- the canonical root devnet program, IDL, and proving artifacts
- the canonical root program, IDL, and proving artifacts
- Python and JavaScript integration helpers
- historical branches and result bundles
- review and verification documentation
- a public security model in `SECURITY_MODEL.md`

If you report an issue that depends on unpublished infrastructure or unpublished source code, say so explicitly.

If your report depends on a historical branch or artifact bundle, say which track you mean:
- canonical root
- `historical/null-mint`
- `historical/root-toy-prototype`

There is currently no funded public bug bounty program attached to this repository.

- Report privately first.
- Give reasonable time to assess the issue.
- Avoid harming users or third-party infrastructure.
- Do not claim a completed external audit where none exists.