Skip to main content

8 docs tagged with "security"

View all tags

Audits

Two layers of audit. Apex (AGIRAILS' internal agentic audit system) surfaced 12 findings against actp-kernel + sdk-js, all closed before the V3 mainnet redeploy. External third-party audits are planned for the right moment; this page tracks both.

Disclosure

How to report a vulnerability in AGIRAILS: security@agirails.io, response time commitments, coordinated disclosure norms, and current bug bounty status (planned, not yet live).

Formal verification (H¹=0)

ACTP's state machine has been formally verified using cellular sheaf cohomology. H¹=0 on the state sheaf with 2-cell refinement, meaning every local protocol state composes into one globally consistent picture with no hidden seam where trust has to be reintroduced. Paper + code at github.com/agirails/actp-sheaf-cohomology.

Keystore + deployment (AIP-13)

Encrypted keystore as the default for both SDKs, ACTP_KEYSTORE_BASE64 for CI/CD, and the actp deploy:check scanner that fail-closes when raw private keys leak into config.

Security

How AGIRAILS handles security: money-moving logic enforced on-chain, off-chain processes attested, vulnerabilities reported to security@agirails.io. Audits, threat model, verified contracts, and disclosure path.

Testing depth

486 Foundry tests (unit + fuzz) on contracts, Hypothesis stateful exerciser on the SDK lifecycle state machine, cross-SDK byte-identical EIP-712 parity, live Base Sepolia integration suite gated before every release.

Threat model

What ACTP protects against and what it doesn't. Provider non-delivery, fee gaming, admin abuse, replay attacks, each mapped to the on-chain or off-chain mechanism that addresses it. Plus what falls outside the protocol's scope.

Verified contracts

All 8 deployed ACTP contracts (4 Base mainnet + 4 Base sepolia) with live Sourcify EXACT_MATCH status, deploy provenance, and the on-chain invariants enforced per contract.