Security & audits.
The threat model, the trust boundaries, and how to reach us when something breaks. Adunai runs on Base Sepolia testnet and is pre-audit: a single external audit of the complete v1 system gates mainnet, and nothing ships there before it clears.
Treat every contract as pre-audit code. Thirty-five contracts are live on Base Sepolia testnet: no real users, no real volume, no mainnet. Mainnet addresses publish after audit close, never before it.
Where things stand today
The complete v1 surface, 35 contracts, has been live on Base Sepolia since 2026·07·01, deployed in one broadcast, with 34 of 35 source-verified on Basescan. The payment routing rail ships dormant: ProtocolConfig's five-token whitelist (USDC, USDT, EURC, cbBTC, WETH) is live, while PaymentsRouter's routing whitelist arms only through the 14-day timelock. The SDK is in-repo (@adunai/sdk, Apache-2.0); the npm release lands with the Phase 1 public release. Current state, kept current: /status.
The audit posture
One external firm engagement, one consolidated deliverable, covering the complete v1 system: 35 contracts plus 3 patches to previously shipped contracts. Per-contract scope notes inside the bundle keep auditor attention on each contract's actual change surface; remediation tracks against the bundle, not per-contract. Firm selection has not begun; it is a Phase 0→1 activity (Cowork shortlists candidate firms; the founder selects).
Three artifacts publish in full when the engagement runs: the engagement letter, the report, and the remediation log. Until then this protocol is pre-audit, and every page on this site says so. The audit gates mainnet: it is the door, not a decoration.
Threat model, three layers
Most of what can hurt a protocol like this is not a code bug. The whitepaper (§8) and the internal security-domains map separate three layers, each defended differently:
| Layer | Covers | Defended by |
|---|---|---|
| L1, Code | Reentrancy, oracle abuse, governance bypass, storage collisions, arithmetic, signature replay, DoS | Self-audit, fuzzing, invariant testing, then the external firm audit. Provably closable, pre-deploy. |
| L2, Crypto-economic | Agent-network fraud, fake liquidity, Sybil-at-scale, double settlement, stablecoin depeg | Mechanism design on-chain where expressible, adversarial red-teaming, live monitoring. |
| L3, Social & operational | SIM-swap, credential compromise, community capture, telecom collusion, coercion | Recovery primitives, wallet design, operational policy, live monitoring. Code mitigates; it does not fix. |
The honest scope line: an audit, the firm's or our own, can prove L1 closed and surface L2 and L3 as design and monitoring requirements. It cannot fix a SIM-swap or a liquidity run in code, and we do not claim it can.
Trust boundaries, who is trusted for what
Every party the protocol extends trust to is an attack surface. The working map:
| Party | Trusted for | Bounded by |
|---|---|---|
| Attesters | Issuing typed, signed claims about a DID | Per-schema accreditation, revocable; attestations carry per-schema expiry; benign identity-scoped issuance requires the subject's consent, while regulatory and adverse records are issued without it by design |
| Verifiers | Reading what a user has granted (a lender, a landlord, an app running Sign in with Adunai) | SelectiveDisclosure: the grant is the gate, not the caller. Reputation bundles verify item-by-item |
| Guardians | Acting in the user's interest on recovery | User-chosen quorum with auto-derived majority; may veto an abandonment claim; cannot move funds or act alone |
| Rate signers | Signing honest settlement rates | SignerRegistry threshold, EIP-712 signatures; signer registration is a Phase 2 governance action |
| Cash-in / cash-out agents (Phase 2) | Matching off-chain fiat to on-chain claims | Staked collateral, settlement-anchored dispute intake, reputation down-ranking. Rails dormant in Phase 0 |
| Base, the L2 | Ordering and inclusion | Inherited: sequencer trust is Base's today, monitored rather than enforced by us |
| The Foundation | Stewarding upgrades, pauses, and configuration | The thirteen Charter Articles (I–XIII), the 14-day timelock, the bounded emergency pause, and no role at all over the sovereignty surfaces below |
Two contracts are deliberately outside everyone's reach: GuardianRegistry and AbandonmentRegistry are non-upgradeable, non-pausable, and role-free. An abandonment claim runs a 60–90-day timelock, vetoable by the current key or registered guardians, and by no one else, the Foundation included. No new surface may block a user's portability or identity merge. The Foundation holds no equity in any builder and picks no winners; aID is a reference implementation and a reference-wallet design preview is public, but neither is a favorite.
Governance guardrails
- Every upgrade walks the full path. RFC with a 14-day public comment window → Technical Advisory Council review → 5-of-9 approval by the nine-signer multi-sig (directors, technical advisors, ecosystem representatives) → the 14-day OpenZeppelin timelock. There is no upgrade path around the timelock.
- The emergency pause is bounded. Charter §4.3: 7 of 9 signers, 14 days at most unless community ratification extends it. Emergency patches may bypass the RFC; they never bypass the timelock.
- On-chain voting is the Year 3 roadmap direction, not a live mechanism today.
Note the Phase 0 caveat, stated plainly: the Foundation is in pre-formation (Mauritius intended, subject to counsel), and testnet governance keys sit in placeholder shape until entity activation. The production role model (timelock as admin, multisig as operator) is already wired on Sepolia.
Coordinated disclosure
Found something? Write to [email protected]. We aim to acknowledge reports promptly; a formal disclosure policy and SLA publish with entity activation. A PGP key publishes then too; until then, email is the channel.
- Report privately first; give us reasonable time to remediate before publishing.
- A proof-of-concept against testnet state is welcome; destructive exploitation beyond the proof is not.
- Findings against pre-audit testnet code are exactly what this phase is for. We would rather read your report now than a post-mortem later.
Bug bounty
A scaled bug bounty is a Phase 1 deliverable, arriving with the public testnet and the SDK's first public release. There is no reward program yet, and we say so rather than imply one. Today, coordinated disclosure through [email protected] is the path, and credit is given where credit is due. Background on why security precedes speed here: the protocol overview and Adunai, explained.