Protocol Security

Security without gatekeeping.

Traditional brokers use regulation as a proxy for security. We use cryptography, blockchain verification, and transparency. Here's exactly how your funds are protected.

Cryptography · Not regulation · v1.0
Audit · Contracts · Bounty

What we publish.

Security claims that don't link to a verifiable artifact don't count. Below is everything we expose for independent review — contract addresses, audit firms, and the bug bounty.

Contracts

Every address. Every chain.

Canonical contract addresses for every deployed Forexiz protocol module. Click any address to view the bytecode on Arbiscan or Basescan.

View address registry
Audits
Audit pending

External review by named firms.

Phase 2 vault audit is in firm-selection. Phase 3 commitments audit runs alongside. Reports published in full as they complete — including findings we did NOT fix and our reasoning.

Bounty
Launches Phase 2

Up to $250k for critical bugs.

Bug bounty launches at Phase 2 mainnet deploy via Immunefi. Tiered rewards from $1k informational to $250k critical, scoped to the deployed protocol contracts.

Disclosure policy

Security architecture

Multiple layers of protection, from your browser to the blockchain.

Transport Encryption

Every connection between your device and Forexiz is encrypted with TLS (the successor to SSL) using 256-bit cipher suites. Data in transit cannot be read or modified by third parties.

We enforce HTTPS with HSTS headers. Certificates are managed via Cloudflare in Full SSL mode. All API traffic, WebSocket connections, and page loads are encrypted.

Credential Security

SIWE (Sign-In with Ethereum, EIP-4361) is the primary auth path — your wallet signs a message, no password to store. Email/Google passwords (recovery path only) are hashed with bcrypt + per-user salt.

OAuth sign-ins (Google, Telegram) use industry-standard token exchange flows. No password reaches our database for OAuth or wallet users. The auth-service verifies SIWE signatures via viem and issues short-lived HS256 JWTs scoped to the Forexiz audience.

Session Management

JWTs are short-lived and refreshed automatically, so a compromised token is only usable until it expires. Refresh tokens are rotated on each use and bound to your device.

Axios interceptors automatically handle token refresh — you never see an expired session. Logging out invalidates all active sessions.

Segregated Fund Handling

User deposits are handled separately from operational funds. Your trading balance is your trading balance — not mixed with platform operations.

Withdrawal requests are processed against your available balance. Funds in open positions are reserved and cannot be withdrawn until the position is closed.

On-Chain Deposit Verification

Every USDC deposit is a transfer to the verified ForexizCollateral vault on Arbitrum One (0xad7A0E…1e77). You can verify it on Arbiscan — independently, without trusting us.

The vault contract is verified — its source code is public on Arbiscan. Three load-bearing invariants hold:

  • vault balance ≥ totalCollateral + accruedFees
  • only withdraw / liquidate / emergencyExit can decrease the balance
  • the operator role cannot transfer to itself
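Invariants like these are only useful if someone checks them continuously, and that can be done from outside the contract by reading the vault's state after each transaction. The block below is an added example, not the ForexizCollateral contract's code or a Forexiz tool: a checker for the three invariants listed above, run over a constructed trace of (operation, post-state) snapshots of the kind a monitor would read back from Arbiscan. The field and function names mirror the ones the page names; the accounting rules of the small ledger model used to generate traces are assumptions, and "the operator role cannot transfer to itself" is read here as "a role transfer naming the current operator must revert".

```javascript
// Added example (not the ForexizCollateral contract's code): an external invariant checker
// over a trace of state snapshots. Amounts are BigInt, as uint256 values read from chain
// would be. The ledger model and the sample operator address are constructed.
const DECREASING_OPS = new Set(['withdraw', 'liquidate', 'emergencyExit']);
const GENESIS = { balance: 0n, totalCollateral: 0n, accruedFees: 0n, operator: '0xOPERATOR' };

// Check one trace. Each entry is { op, state, reverted }. Returns an array of violations;
// an empty array means every invariant held at every step.
function checkInvariants(trace, initial = GENESIS) {
  const violations = [];
  let prev = initial;
  trace.forEach(({ op, state, reverted }, i) => {
    if (reverted) return; // a reverted tx leaves state untouched; nothing to check
    // Invariant 1: the vault must always hold at least what it owes.
    if (state.balance < state.totalCollateral + state.accruedFees) {
      violations.push({ index: i, op: op.type, invariant: 'balance >= totalCollateral + accruedFees' });
    }
    // Invariant 2: only the three named functions may move tokens out.
    if (state.balance < prev.balance && !DECREASING_OPS.has(op.type)) {
      violations.push({ index: i, op: op.type, invariant: 'balance decreased by a non-withdrawal op' });
    }
    // Invariant 3 (assumed reading): a successful role transfer to the current operator is a bug.
    if (op.type === 'setOperator' && op.newOperator === prev.operator) {
      violations.push({ index: i, op: op.type, invariant: 'operator role transferred to itself' });
    }
    prev = state;
  });
  return violations;
}

// Ledger model used only to generate traces (assumed accounting, not the contract's logic).
function applyOp(state, op) {
  const s = { ...state };
  switch (op.type) {
    case 'deposit':       s.balance += op.amount; s.totalCollateral += op.amount; break;
    case 'accrueFee':     s.totalCollateral -= op.amount; s.accruedFees += op.amount; break;
    case 'withdraw':
    case 'liquidate':
    case 'emergencyExit': s.balance -= op.amount; s.totalCollateral -= op.amount; break;
    case 'setOperator':
      if (op.newOperator === s.operator) throw new Error('operator cannot transfer role to itself');
      s.operator = op.newOperator;
      break;
    default: throw new Error(`unknown op ${op.type}`);
  }
  return s;
}

function runTrace(initial, ops) {
  const trace = [];
  let state = initial;
  for (const op of ops) {
    try { state = applyOp(state, op); trace.push({ op, state, reverted: false }); }
    catch { trace.push({ op, state, reverted: true }); }
  }
  return trace;
}

// Constructed happy path: every invariant holds and the self-transfer is refused.
function happyTrace() {
  return runTrace(GENESIS, [
    { type: 'deposit', amount: 1000000n },
    { type: 'accrueFee', amount: 5000n },
    { type: 'withdraw', amount: 400000n },
    { type: 'setOperator', newOperator: '0xOPERATOR' }, // reverts in the model
    { type: 'liquidate', amount: 100000n },
  ]);
}

// Constructed bad trace: the happy path plus a hand-edited snapshot in which 50000 left the
// vault with no matching collateral reduction, under an op name the vault does not expose.
// Invariants 1 and 2 should both fire on that entry.
function tamperedTrace() {
  const t = happyTrace();
  const last = t[t.length - 1].state;
  t.push({ op: { type: 'adminSweep', amount: 50000n }, reverted: false,
           state: { ...last, balance: last.balance - 50000n } });
  return t;
}
```

Run as a monitor, the trace entries would come from decoding each vault transaction and reading `totalCollateral`, `accruedFees` and the USDC balance afterwards; the checker itself does not change, which is the point of phrasing the invariants in terms of observable state.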

Infrastructure Security

Hosted on Google Cloud Platform with Cloudflare edge protection. DDoS mitigation, WAF rules, and rate limiting protect the platform from attacks.

PM2 process management with automatic restart. Nginx reverse proxy with security headers. Regular security updates and dependency audits.

What we don't store

The most secure data is data that doesn't exist. We minimize what we collect.

  • We don't store your passport or ID documents — we never ask for them
  • We don't store your bank account details — we don't accept bank transfers
  • We don't store your private keys — you control your own wallet
  • We don't track your browsing activity — no third-party analytics pixels
  • We don't sell your data — ever, to anyone

Regulation vs cryptography

Traditional approach

  • Regulated by a financial authority
  • Trust based on license number
  • Deposits in traditional banks
  • Investor compensation schemes
  • Audited by accounting firms
  • Requires identity verification

Forexiz approach

  • Verified by blockchain immutability
  • Trust based on on-chain transparency
  • Non-custodial USDC vault on Arbitrum One
  • Merkle commitments — live on Arbitrum
  • Staged-by-TVL audit path (see AUDIT-PREP.md)
  • Permissionless — wallet signature is your auth

Coming next

Security features in our decentralization roadmap.

External smart-contract audit

Pre-mainnet TVL band: Slither + Mythril CI gates + public repo. Independent solo audit at mainnet TVL; Cantina or Code4rena at $10M+; Trail of Bits / Spearbit / OpenZeppelin at $50M+.

Public bug bounty (Immunefi)

Bounty disclosure policy is Immunefi-ready. Live program funded once vault TVL crosses $1M; until then, responsible disclosures earn writeups + named credit on /trust/audits.

Timelock on governance

Phase 6b: every admin Safe action routed through an OpenZeppelin Timelock. 48h notice on every parameter change; community can exit before any governance action takes effect.

Security you can verify

Don't trust us. Verify on the blockchain.