Forexiz · Audit plan

Audits, on a schedule that scales with risk.

Audit cost should scale with TVL at risk. The contract surface is ~20 KB single-vault with invariant + fork test coverage already in place. Most of what auditors typically catch on greenfield code is already locked down. Below: the staged path.

Current status: Tier 1 / 5 · Pre-mainnet TVL band

Slither + Mythril CI gates. Public repo. Informational bounty pending. 20 Slither findings reviewed (all noise — false-positive reentrancy, accepted-convention timestamp checks). Mythril clean.

§ 02 · The staged path
Cost · scales with TVL at risk
Tier 01 · You are here
Pre-mainnet · no TVL
  • Slither + Mythril (CI gates)
  • Public repo, public issues
  • $2k informational bounty pending
Budget: $0–2k · Lead time: days

Tier 02 · Next tier · Triggered by deploy
Mainnet launch · no TVL
  • Solo independent auditor (pashov, t1mu, ck.spearbit, mooncatcher)
  • 1–2 week focused review of Phase 2/3 surface
  • Findings published with our responses
Budget: $5–15k · Lead time: 2–4 weeks

Tier 03 · Planned · Auto-armed at threshold
$1M – $10M TVL · live capital
  • Live Immunefi bug bounty ($10–50k tiered)
  • Second independent solo for fresh-eyes coverage
Budget: $10–25k · Lead time: 2–4 weeks

Tier 04 · Planned · Single firm engagement
$10M – $50M TVL · institutional
  • Cantina solo engagement OR Code4rena contest pot
Budget: $30–60k · Lead time: 4–6 weeks

Tier 05 · Planned · Tier-1 firm + retainer
$50M+ TVL · systemic
  • Trail of Bits / Spearbit / OpenZeppelin firm engagement
Budget: $80–150k · Lead time: 4–10 weeks
§ 03 · Honest disclosure
Why not $80k upfront
80% of audit value

A good audit pass is 80% your prep + 20% the auditor's pattern recognition. The 80% is already done.

Pay for an audit when you need fresh adversarial eyes on contract logic. Don't pay for one to validate things you can validate yourself: compile-time properties (Slither, Mythril, forge fmt), property invariants (24,576 assertions per run already), coverage gaps (forge coverage shows them for free), gas regressions (forge snapshot --check).
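The "validate it yourself" half of that split only holds if the CI gate actually refuses to pass unreviewed static-analysis output. The script below is an added example (not Forexiz code) of a Slither gate that waives only findings whose id appears in a versioned accept-list with a written reason, and blocks the build on everything else. It assumes Slither was run with `slither . --json slither.json` and that the report carries `results.detectors` entries with `check`, `impact`, `confidence`, `description` and `id` fields; verify those names against your installed version. The sample report and accept-list are constructed, and the ids are placeholders rather than real Slither hashes.

```python
"""Slither CI gate: fail the build on any finding not explicitly reviewed.

Added example, not Forexiz code. Assumes the report was produced with
`slither . --json slither.json`; the shape used here (results.detectors,
each entry carrying check / impact / confidence / description / id) is
Slither's JSON output as I know it, but verify the field names against your
installed version. The sample report and accept-list below are constructed.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Impact ordering used to decide what blocks a merge. Anything not listed is
# treated as High so an unknown label can never slip through silently.
IMPACT_RANK = {"Optimization": 0, "Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    check: str        # detector name, e.g. "reentrancy-eth"
    impact: str       # Slither impact label
    confidence: str   # Slither confidence label
    description: str
    id: str           # Slither's stable per-finding hash


def parse_report(raw: str) -> list[Finding]:
    """Parse the JSON text Slither writes with --json into Finding records."""
    data = json.loads(raw)
    if not data.get("success", False):
        raise ValueError(f"slither did not complete: {data.get('error')}")
    detectors = data.get("results", {}).get("detectors", [])
    return [
        Finding(d["check"], d["impact"], d["confidence"], d["description"].strip(), d["id"])
        for d in detectors
    ]


def gate(findings: list[Finding], accepted: dict[str, str], min_blocking: str = "Low"):
    """Split findings into (blocking, waived).

    A finding is waived only when its id is in `accepted` with a written
    reason, mirroring the "document why we accept the risk" rule. Everything
    else at or above `min_blocking` impact blocks the build.
    """
    threshold = IMPACT_RANK[min_blocking]
    blocking, waived = [], []
    for f in findings:
        if f.id in accepted:
            waived.append((f, accepted[f.id]))
        elif IMPACT_RANK.get(f.impact, 3) >= threshold:
            blocking.append(f)
    return blocking, waived


def run_gate(raw: str, accepted: dict[str, str]) -> int:
    """Return a process exit code: 0 when nothing unreviewed remains, 1 otherwise."""
    blocking, waived = gate(parse_report(raw), accepted)
    for f, reason in waived:
        print(f"waived  [{f.impact}/{f.confidence}] {f.check} ({f.id}): {reason}")
    for f in blocking:
        print(f"BLOCK   [{f.impact}/{f.confidence}] {f.check} ({f.id}): {f.description}")
    return 1 if blocking else 0


# Constructed sample report; ids are placeholders, not real Slither hashes.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium", "id": "id-0001",
         "description": "Reentrancy in Vault.withdraw(uint256): external call before state update"},
        {"check": "timestamp", "impact": "Low", "confidence": "Medium", "id": "id-0002",
         "description": "Vault.claim() uses block.timestamp for comparisons"},
        {"check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium", "id": "id-0003",
         "description": "Vault.sweep(address) sends eth to arbitrary user"},
    ]},
})

# Reviewed findings with the reason for accepting each; constructed to mirror
# the two noise classes the page names. In CI this would live in a versioned
# file next to docs/SECURITY-FINDINGS.md.
ACCEPTED = {
    "id-0001": "false positive: withdraw is guarded by nonReentrant and checks-effects-interactions",
    "id-0002": "accepted convention: block.timestamp is adequate for day-scale deadlines",
}

if __name__ == "__main__":
    # Real use: python slither_gate.py slither.json accepted.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as r, open(sys.argv[2]) as a:
            sys.exit(run_gate(r.read(), json.load(a)))
    sys.exit(run_gate(SAMPLE_REPORT, ACCEPTED))
```

Slither's own `--triage-mode` can persist suppressed findings in `slither.db.json`, but it records only the ids; keeping the accept-list as a reviewed file with a reason per entry is what makes the "all noise" claim auditable in the same repo the auditor later reads.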

The $40k+ firm tier is not a launch requirement — it's how you de-risk once there's actual money on the line.

Read AUDIT-PREP.md
§ 04 · Findings handling
Public · Versioned

Protocol

Critical / High: Fix in private fork; do not deploy until resolved.
Medium: Fix or document why we accept the risk in docs/SECURITY-FINDINGS.md.
Low / Informational: Triage, fix when convenient.
Disagreements: Respond in writing to the firm; we sometimes disagree, that is fine.

We publish the full report after fixes ship — including findings we did NOT fix and our reasoning. Audit hiding is a smell.

§ 05 · Bug bounty
[email protected] · PGP

Responsible disclosure.

Disclose privately first. Email [email protected] (PGP key fingerprint published on the security policy). Do not exploit, do not exfiltrate funds, do not test on mainnet beyond what is needed to demonstrate. We respond within 48h.

Until Immunefi is live (Phase 4 · Post-$1M TVL):
  • A public writeup with named credit on /trust/audits
  • Discretionary bounty in USDC for high-severity findings
  • A spot in the Hall of Fame on the public security policy
Security disclosure policy