Skip to content

Smart Contract Security

Canonical

Purpose

This document defines security expectations for smart contracts.

Requirements

  • Do not invent production addresses.
  • Do not claim audits unless verified.
  • Document upgradeability and admin permissions.
  • Isolate treasury-sensitive flows.
  • Validate token, reward, and governance behavior against implementation.

Risk

Smart contracts can fail, be exploited, or behave differently than intended.

Draft Controls

Smart contract documentation must distinguish planned, local, testnet, audited, deployed, paused, deprecated, and production-gated states. It must not publish production addresses, deployment status, audit status, upgrade authority, treasury controls, or execution claims without evidence.

Contract-facing documentation should identify:

  • contract purpose and owner;
  • deployment status if verified;
  • audit or review status if verified;
  • upgrade and pause assumptions;
  • privileged roles;
  • treasury or token movement sensitivity;
  • known limitations and unresolved review items.

Publication Boundary

This page does not certify any contract as audited, secure, deployed, or production-ready. Contract claims require implementation evidence, security review, and governance/coordinator approval where applicable.

Released as living documentation for the Axodus ecosystem.