
Security & Audit Status

Every claim on this page is verifiable. Every limitation is disclosed. We would rather lose a partnership over honest disclosure than win one on marketing.

Read this first.

Vaultfire has had zero third-party security audits. All review to date is local + AI-assisted. The contracts are open-source and deployed on-chain — anyone is welcome to read, fork, or break them. A paid audit from a Tier-1 firm currently costs more than this project earns. We'd rather tell you that than fake it.

Snapshot

Item | Status | Note
AI-assisted internal review | Done | 9.8/10 self-rating, not a third-party audit
Third-party firm audit | None | Aspirational, contingent on funding
Governance | 1-of-1 multisig | Moving to multi-signer
ZK verification | Bootstrap | Contract deployed, Router not yet wired
Critical vulnerabilities | Zero | None known at time of deployment
Bug bounty | Open | Report to ghostkey316@proton.me

Internal audit

Performed January 27, 2026 by Claude Sonnet 4.5 as an AI-assisted infrastructure-grade review. This is not a substitute for a third-party firm audit. It is a rigorous self-disclosure.

What was reviewed

  • All core contracts (Identity, Bonds, Oracles, Governance, Privacy)
  • Inheritance hierarchy and access-control patterns
  • Value transfer logic, reentrancy guards, timelocks
  • Economic model (bond math, yield pool, flourishing-weighted distribution)
  • Privacy architecture (anti-surveillance, ZK framework)
  • Test coverage (225+ Python tests, 2,656 lines of JavaScript tests)

Key findings

  • ✓ Strong: ReentrancyGuard on all value transfers, 7-day distribution timelocks, explicit balance checks, safe ETH transfer patterns.
  • ✓ Strong: AI profit caps (30% / 50%) enforced at the contract level. Domination penalty (100% to human) enforced at the contract level.
  • ✓ Strong: Privacy guarantees module is immutable. Nine categories of surveillance data are explicitly banned on-chain.
  • ⚠ Noted: The Production Belief Attestation Verifier contract is deployed on Base and Avalanche with a real 48-hour timelock. It is currently in bootstrap mode — the verifier Router address and imageId are sentinel values, not yet pointed at the official RISC Zero Router or a compiled guest program. Verified on-chain.
  • ⚠ Noted: Multisig governance is currently 1-of-1. See owner powers below.

Owner powers (full disclosure)

The protocol's MultisigGovernance contract is currently a 1-of-1 multisig held by the deployer wallet. This means the deployer has the following powers. We disclose them publicly because partners deserve to know.

  • Yield pool management. The owner can withdraw ETH from the shared yield pool and adjust the minimum balance. Setting the minimum to zero would allow the pool to be drained.
  • Oracle management. The owner can add or remove oracles in the Flourishing Metrics Oracle, which can influence reported metrics.
  • Protocol pause. Bond contracts can be paused by the owner, halting new bond creation and distributions.
  • ZK image changes. The Production Belief Attestation Verifier image ID can be changed by the owner, subject to a 48-hour timelock.
  • Bridge relayers. The owner can add or remove authorized relayers on the cross-chain Teleporter Bridge and can pause the bridge.

Source: SECURITY.md. This document is maintained alongside the contracts and is the canonical source of ownership and upgrade authority.

Decentralization roadmap

Stage | Target | Status
1-of-1 multisig | Initial deployment | Current
3-of-5 multisig with independent signers | Post-first-partner | Planned
Timelock on all owner actions | With multisig expansion | Planned
Tier-1 third-party audit | OpenZeppelin / Trail of Bits / Consensys Diligence, contingent on funding | Unfunded
Wire production RISC Zero Router | 0x0b144e07a0826182b6b59788c34b32bfa86fb711 on Base + compile guest program | Bootstrap
Token-weighted governance | After stable ecosystem | Future

What to trust today

Safe to build on
  • ERC-8004 identity registration
  • Partnership Bond creation + distribution
  • Accountability Bond creation + flourishing-weighted distribution
  • Flourishing Metrics submission + verification
  • x402 paid endpoints (contracts, stats, agent status)
  • VNS name resolution
  • Cross-chain reads (all 4 chains)
Use with caution
  • Zero-knowledge belief attestations (verifier in bootstrap mode, not yet verifying real proofs)
  • Teleporter Bridge for large-value cross-chain moves
  • Staking large amounts given the 1-of-1 multisig
  • Any assumption that a Tier-1 firm has reviewed the code

Bug bounty

Finding a security issue? Send an encrypted email to ghostkey316@proton.me. Please do not open a public GitHub issue for security matters.

Rewards are paid in ETH on Base, sized to severity and impact. We will publish a hall-of-fame list once the first payouts are made.
