Security First. Always.

We treat security as a core protocol primitive, not an afterthought. Multiple independent audits, an active bug bounty, and zero incidents since mainnet launch.

AUDIT REPORTS

Independently verified by leading security firms.

Every line of protocol code has been reviewed by at least two independent auditors.

Trail of Bits

December 2025
0 Critical · 2 Medium · 5 Low

Comprehensive review of the Rust/Anchor programs, the SP1 Solana verifier, and the SEV-SNP attestation flow. 4,100 lines of Rust, zero critical findings.

OtterSec

October 2025
0 Critical · 2 Medium · 5 Low

Solana-focused audit covering the registry PDA, SPL Token-2022 transfer-fee hooks, and Wormhole VAA verification for inbound bridged collateral.

Neodyme

August 2025
0 Critical · 2 Medium · 5 Low

Anchor-program review covering the operator bond vault, slashing instruction authority, and Realms governance CPI permissions.

BUG BOUNTY

Rewarding responsible disclosure.

Our bug bounty program covers every Anchor program deployed on Solana mainnet-beta, the agent runtime, and the SP1 verifier pipeline.

Critical
$50,000

Remote code execution, fund theft, consensus manipulation, or permanent freezing of funds.

High
$25,000

Temporary freezing of funds, unauthorized state changes, or proof verification bypass.

Medium
$10,000

Griefing attacks, denial of service on non-critical paths, or information disclosure.

Low
$500

Best practice violations, informational findings, or minor UI/UX issues with security implications.

Rules & Scope

  • All NexusForge Anchor programs deployed on Solana mainnet-beta are in scope
  • Agent runtime, SP1 proof pipeline, and SEV-SNP attestation logic are in scope
  • Upstream dependencies (Anchor, solana-program, Light Protocol SDK) and frontend-only issues are out of scope
  • Reports must include a proof-of-concept transaction on devnet or detailed reproduction steps
  • First reporter of a valid vulnerability receives the bounty
  • All payouts made in USDC (SPL) to a wallet of your choice within 14 days of confirmation

TRACK RECORD

No security incidents since mainnet launch.

A transparent timeline of our security milestones since going live in June 2024.

June 2024
Mainnet Launch

NexusForge protocol goes live with initial security measures and monitoring infrastructure.

August 2025
Neodyme Audit Complete

First major third-party audit of the Anchor programs completed with zero critical findings.

September 2025
Bug Bounty Program Launch

Public bug bounty launched with up to $50,000 in rewards for critical vulnerabilities.

October 2025
OtterSec Audit Complete

Solana-specific audit of the Wormhole VAA verifier and SPL Token-2022 fee hooks completed with all findings remediated.

December 2025
Trail of Bits Audit Complete

Most comprehensive audit to date covering the full proof generation and verification stack.

April 2026
22 months · 0 incidents

Continuous monitoring, regular penetration testing, and active bug bounty program.

RESPONSIBLE DISCLOSURE

Found a vulnerability?

We take every report seriously. Please disclose responsibly and we'll work with you to resolve issues quickly.

Email: security@nexusforge.io
PGP Key: 0x7A3B 9F2E 1D4C 8B5A
Response Time: Within 24 hours

Please do not disclose vulnerabilities publicly before we've had a chance to investigate and remediate. We commit to responding within 24 hours and keeping you updated throughout the process.