
Security.

Non-custodial. No omnibus account. No user private keys.

Contracts

Testnet only. Mainnet gated on audit.

Contract | Path | Chain | Status | Audit
WrappedEquity | packages/contracts/contracts/tokenized/WrappedEquity.sol | Base | Testnet deployed | Pending
EquityFactory | packages/contracts/contracts/tokenized/EquityFactory.sol | Base | Testnet deployed | Pending
OTCEscrow | packages/contracts/contracts/escrow/OTCEscrow.sol | Base | Testnet deployed | Pending
PredictionMarket | packages/contracts/contracts/prediction/PredictionMarket.sol | Base | Testnet deployed | Pending
PredictionFactory | packages/contracts/contracts/prediction/PredictionFactory.sol | Base | Testnet deployed | Pending
Auditor shortlist
Trail of Bits, OpenZeppelin, Consensys Diligence (engagement pending)

Selection disclosed with the engagement letter. No report claimed until published.

Bug bounty

Private preview. Reports to hello@truffle.tech.

Critical: $5,000 – $25,000. Remote exploit, theft of user funds, unauthorized upgrade, signature-scheme break.
High: $1,000 – $5,000. Privilege escalation, order-book manipulation, off-chain signer compromise.
Medium: $250 – $1,000. Auth bypass without fund exposure, rate-limit evasion, session fixation.
Low: $50 – $250. Information disclosure without impact, self-XSS, missing headers on public pages.
In scope
  • truffle.tech and all *.truffle.tech subdomains
  • Smart contracts listed above once deployed to mainnet
  • API endpoints under api.truffle.tech/v1/*
  • Truffle mobile clients once released
Out of scope
  • Third-party services (Vercel, Supabase, Clerk; report to the vendor)
  • Testnet deployments prior to mainnet go-live
  • Social-engineering attacks on Truffle staff
  • Reports requiring physical access or rooted devices
  • Rate-limit issues reproducible only via single-IP flooding

Application security

Session timeout: 30 min idle / 24 hr max
MFA: Optional via Clerk (TOTP + WebAuthn)
Password reset: Magic link via verified email
CSRF: Next.js same-site cookies + Origin header check on state-changing requests
Transport: HSTS, TLS 1.3, HTTP/2
CSP / headers: Published at /.well-known/security.txt
Rate limiting: Per-IP and per-account; 429 returned when a limit is exceeded
Audit logging: Write-path events persisted in audit_log

Full header inventory, CSP rules, and disclosure contact are published at /.well-known/security.txt.
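The session-timeout and CSRF rows above describe two checks a route handler has to make before touching a write path. The block below is an added example written for this page, not Truffle's code: it implements the idle/absolute session timeout and the Origin check as plain functions over a request-shaped object, so it runs offline. The allowed origin, the session field names, and the sample requests are assumptions made for illustration.

```javascript
// Added example, not Truffle's code. Constants mirror the page's stated
// policy; the allowed origin is an assumption.
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;          // 30 min idle
const ABSOLUTE_TIMEOUT_MS = 24 * 60 * 60 * 1000; // 24 hr max
const ALLOWED_ORIGIN = 'https://app.truffle.tech'; // assumed for illustration
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Returns 'active', 'expired_idle' or 'expired_absolute'. The absolute cap is
// checked first so that ongoing activity can never extend a session past it.
function evaluateSession(session, nowMs) {
  if (nowMs - session.issuedAtMs > ABSOLUTE_TIMEOUT_MS) return 'expired_absolute';
  if (nowMs - session.lastSeenMs > IDLE_TIMEOUT_MS) return 'expired_idle';
  return 'active';
}

// Origin check for state-changing requests. Safe methods pass untouched.
// An unsafe request must carry an Origin header equal to the allowed origin;
// a missing Origin is rejected rather than trusted, and a Sec-Fetch-Site
// header, when the browser sends one, must not report a cross-site request.
function checkOrigin(req) {
  const method = req.method.toUpperCase();
  if (!UNSAFE_METHODS.has(method)) return { ok: true };
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const fetchSite = h['sec-fetch-site'];
  if (fetchSite && fetchSite !== 'same-origin' && fetchSite !== 'none') {
    return { ok: false, status: 403, reason: `sec-fetch-site=${fetchSite}` };
  }
  const origin = h['origin'];
  if (!origin) return { ok: false, status: 403, reason: 'missing Origin on unsafe method' };
  if (origin !== ALLOWED_ORIGIN) return { ok: false, status: 403, reason: `origin ${origin} not allowed` };
  return { ok: true };
}

// Session cookie attributes: HttpOnly keeps it away from scripts, Secure pins
// it to TLS, SameSite=Lax stops it riding on cross-site POSTs, and Max-Age
// mirrors the absolute timeout so the browser drops it when the server would.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; ` +
    `SameSite=Lax; Max-Age=${ABSOLUTE_TIMEOUT_MS / 1000}`;
}

// Combined gate: origin first (cheap, needs no session lookup), then session state.
function gateRequest(req, session, nowMs) {
  const originResult = checkOrigin(req);
  if (!originResult.ok) return originResult;
  const state = evaluateSession(session, nowMs);
  if (state !== 'active') return { ok: false, status: 401, reason: state };
  return { ok: true };
}

// Constructed samples: a cross-site POST, and a same-origin POST against a
// fresh session and against one idle for 45 minutes.
const now = Date.UTC(2026, 0, 1, 12, 0, 0);
const freshSession = { issuedAtMs: now - 5 * 60 * 1000, lastSeenMs: now - 60 * 1000 };
const idleSession = { issuedAtMs: now - 2 * 60 * 60 * 1000, lastSeenMs: now - 45 * 60 * 1000 };
const crossSitePost = { method: 'POST', headers: { Origin: 'https://evil.example', 'Sec-Fetch-Site': 'cross-site' } };
const sameOriginPost = { method: 'POST', headers: { Origin: ALLOWED_ORIGIN, 'Sec-Fetch-Site': 'same-origin' } };

console.log(gateRequest(crossSitePost, freshSession, now));   // 403, sec-fetch-site=cross-site
console.log(gateRequest(sameOriginPost, idleSession, now));   // 401, expired_idle
console.log(gateRequest(sameOriginPost, freshSession, now));  // ok
console.log(sessionCookie('sid', 'example-session-id'));
```

Rejecting unsafe requests that lack an Origin header is the conservative choice; a few non-browser clients omit it, but those are exactly the clients that should authenticate with a bearer token rather than a cookie.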

Wallet permissions

  • We request signatures for specific transactions only (wrap, unwrap, order placement, settlement).
  • We never request unlimited ERC-20 approvals; each approval is scoped to the exact trade size.
  • On Base, users can revoke approvals anytime with the Base explorer's token-approval checker at basescan.org/tokenapprovals.
  • On Solana, users can inspect and revoke delegations at solscan.io.
  • Truffle cannot move user funds without a transaction or message signed by the user's wallet.
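The scoped-approval claim above is something a user can verify in the wallet prompt before signing, since an ERC-20 approve call has a fixed ABI layout. The block below is an added example written for this page, not Truffle's code: it encodes and decodes approve(address,uint256) calldata and classifies an approval against the trade the user actually intends (scoped, excess, unlimited, revoke, or wrong spender). The spender address, trade size, and the treatment of the exact uint256 maximum as "unlimited" are assumptions made for illustration; it runs offline with no RPC.

```javascript
// Added example, not Truffle's code. Only the standard ABI layout of
// approve(address,uint256) is relied on: 4-byte selector, 32-byte address
// word, 32-byte amount word.
const APPROVE_SELECTOR = '095ea7b3'; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

function strip0x(hex) { return hex.startsWith('0x') ? hex.slice(2) : hex; }
function pad32(hex) { return strip0x(hex).toLowerCase().padStart(64, '0'); }

// Encode approve(spender, amount) as the wallet will receive it.
function encodeApprove(spender, amount) {
  return '0x' + APPROVE_SELECTOR + pad32(spender) + pad32(amount.toString(16));
}

// Decode approve calldata into { spender, amount }; null if it is not a
// well-formed approve call.
function decodeApprove(calldata) {
  const data = strip0x(calldata).toLowerCase();
  if (data.length !== 8 + 64 + 64 || data.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = data.slice(8, 72);
  if (!/^0{24}/.test(spenderWord)) return null; // address word must be left-padded with 12 zero bytes
  return {
    spender: '0x' + spenderWord.slice(24),
    amount: BigInt('0x' + data.slice(72, 136)),
  };
}

// Classify the approval the wallet is about to sign against the intended trade.
// Amounts are raw token units (USDC has 6 decimals). Treating only the exact
// uint256 maximum as 'unlimited' is an assumption; anything else above the
// trade size is reported as 'excess'.
function classifyApproval(calldata, expectedSpender, tradeAmount) {
  const approve = decodeApprove(calldata);
  if (!approve) return { verdict: 'not_approve' };
  if (approve.spender !== expectedSpender.toLowerCase()) return { verdict: 'wrong_spender', ...approve };
  if (approve.amount === 0n) return { verdict: 'revoke', ...approve };
  if (approve.amount === MAX_UINT256) return { verdict: 'unlimited', ...approve };
  if (approve.amount > tradeAmount) return { verdict: 'excess', ...approve };
  return { verdict: 'scoped', ...approve };
}

// Revoking is an approve of zero to the same spender.
function revokeCalldata(spender) { return encodeApprove(spender, 0n); }

// Constructed samples: a hypothetical escrow spender and a 1,250.00 USDC trade.
const ESCROW = '0x1111111111111111111111111111111111111111';
const TRADE = 1250000000n; // 1,250.00 USDC in 6-decimal units

const scoped = encodeApprove(ESCROW, TRADE);
const unlimited = encodeApprove(ESCROW, MAX_UINT256);
const revoke = revokeCalldata(ESCROW);

console.log(classifyApproval(scoped, ESCROW, TRADE).verdict);    // scoped
console.log(classifyApproval(unlimited, ESCROW, TRADE).verdict); // unlimited
console.log(classifyApproval(revoke, ESCROW, TRADE).verdict);    // revoke
```

Paste the hex data from a wallet's "view details" pane into classifyApproval with the spender you expect (the escrow or market contract) and the trade size; anything other than scoped or revoke is a reason to reject the prompt.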

Incident response

1. Detect: 24/7 on-call with automated monitors. PagerDuty, 5-minute ack SLA.
2. Contain: Pause guardian on PredictionMarket and OTCEscrow, disable affected routes, revoke keys.
3. Notify: Email + /status banner within 2 hours of containment. Material incidents on /changelog.
4. Post-mortem: Published within 7 days, covering root cause, timeline, blast radius, remediation.

Responsible disclosure

  • 90-day coordinated disclosure window from first report acknowledgement.
  • We will not pursue legal action against researchers acting in good faith and within the rules below.
  • Do not access accounts or data belonging to other users. Create your own test accounts.
  • Do not degrade production service (no denial-of-service testing, no mass scraping).
  • Submit to hello@truffle.tech. PGP key available on request.
  • Hall-of-fame credit available on request; bounty payment in USDC on Base by default.
Private accredited group · Rule 506(b)

Not financial advice. Truffle is a non-custodial interface. Not a broker-dealer, not an exchange, not a registered investment adviser. Private-company and tokenized-equity positions are illiquid, long-dated, and carry the risk of total loss. Not SIPC protected. You control all transaction parameters. Regulatory posture is detailed on the compliance map and subject to outside counsel's opinion.

© 2026 Truffle