# Security
Audits, bug bounty, emergency response, and the threat model. We treat security as the only feature we never trade off.
## Audits
| Auditor | Scope |
|---|---|
| Trail of Bits | Core contracts (RepoVault, Splits, RoyaltyRouter) |
| Spearbit | Credit, Insurance, Markets |
| Cantina contest | Full surface |
| Internal review | Continuous |
Reports are published in the public gitsea/audits repository, hash-anchored on Arweave, and linked from every contract's source header.
## Bug bounty
A continuous public bounty runs on Cantina with payouts in USDC funded by the protocol treasury.
| Severity | Max payout (USDC) | Examples |
|---|---|---|
| Critical | 250,000 | Direct theft from any vault; mint of $GSEA; bypass of timelock. |
| High | 50,000 | Block governance; manipulate score globally; bypass slashing. |
| Medium | 10,000 | Griefing that costs users meaningful gas; price manipulation in markets. |
| Low | 1,000 | DoS on a single repo; non-critical UI inconsistency. |
Submission flow, scope, and rules are on the bounty program page.
## Sybil bounty
A separate pool for proving sybil clusters in the credit-score system:
| Severity | Payout (USDC) |
|---|---|
| Proven cluster ≥ 50 DIDs | 20,000 + slashed bonds |
| Proven cluster ≥ 10 DIDs | 5,000 + slashed bonds |
| Single sybil with material harm | 500–2,000 |
A successful claim slashes the bonds of any DID that vouched for the cluster and reroutes them to the sybil-hunter and the sleeper pool.
## Threat model (selected)
We model and document defenses for, at minimum:
- Repo takeover. Attacker compromises maintainer GitHub credentials and tries to redirect splits. Defense: splits changes require two signers on multi-maintainer repos, plus a 24h timelock for >25% changes.
- Stream griefing. Attacker spams fake imports to drain a payer's treasury. Defense: usage telemetry requires opt-in beacons + commit-graph cross-checks; unverified streams capped at fallback rate.
- PR market manipulation. Round-tripping, wash trading, author-merger collusion. Defense: counterparty graph analysis, slashing of merger if conflict-of-interest detected, market authority gating.
- Insurance griefing. Spam claims, fake incidents. Defense: optimistic claims with claimant bond; curator multi-sig review; slashing for false claims.
- Score inflation. Vouching rings, self-merging, off-network DID minting. Defense: vouching bonds, repo equity gating, cross-org diversity reward.
- Governance capture. Concentrated stake votes through a bad proposal. Defense: quorum, timelock, off-chain temp-check culture, emergency multi-sig with rotation.
A full STRIDE / DREAD analysis is in gitsea/security/threat-model.md.
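The repo-takeover defense above (two distinct maintainer signatures on multi-maintainer repos, plus a 24h timelock when more than 25% of a split moves) as an added Python model of the rule, not gitsea's contract code. It assumes splits are basis-point weights summing to 10,000, that the proposer's own signature counts as the first of the two, and that a change's size is the fraction of total weight taken away from current recipients; `SplitsGuard`, `attempt` and the maintainer names are illustrative.

```python
from dataclasses import dataclass, field

TIMELOCK_SECONDS = 24 * 60 * 60      # 24h timelock from the threat model
LARGE_CHANGE_THRESHOLD = 0.25        # ">25% changes" trigger the timelock
BPS_TOTAL = 10_000                   # assumption: splits are basis points


def is_valid_splits(splits: dict[str, int]) -> bool:
    """Non-negative weights that sum to exactly 10,000 bps."""
    return all(v >= 0 for v in splits.values()) and sum(splits.values()) == BPS_TOTAL


def change_magnitude(old: dict[str, int], new: dict[str, int]) -> float:
    """Fraction of total weight moved away from current recipients.
    Summing every recipient's loss means that adding a new recipient at 30%
    (paid for by cutting others) counts as a 0.30 change, not 0."""
    recipients = set(old) | set(new)
    moved = sum(max(0, old.get(r, 0) - new.get(r, 0)) for r in recipients)
    return moved / BPS_TOTAL


@dataclass
class SplitsProposal:
    new_splits: dict[str, int]
    proposed_at: int                 # unix seconds
    timelocked: bool
    signers: set[str] = field(default_factory=set)
    executed: bool = False


class SplitsGuard:
    """One repo's maintainer set and current splits, with the change gate."""

    def __init__(self, maintainers: set[str], splits: dict[str, int]):
        if not is_valid_splits(splits):
            raise ValueError("splits must be non-negative and sum to 10_000 bps")
        self.maintainers = set(maintainers)
        self.splits = dict(splits)

    def required_signers(self) -> int:
        # Two signers on multi-maintainer repos; a solo maintainer cannot be
        # asked for a second signature that does not exist.
        return 2 if len(self.maintainers) > 1 else 1

    def propose(self, proposer: str, new_splits: dict[str, int], now: int) -> SplitsProposal:
        if proposer not in self.maintainers:
            raise PermissionError("only maintainers can propose")
        if not is_valid_splits(new_splits):
            raise ValueError("new splits must be non-negative and sum to 10_000 bps")
        large = change_magnitude(self.splits, new_splits) > LARGE_CHANGE_THRESHOLD
        proposal = SplitsProposal(dict(new_splits), now, timelocked=large)
        proposal.signers.add(proposer)   # proposing counts as the first signature
        return proposal

    def approve(self, proposal: SplitsProposal, signer: str) -> None:
        if signer not in self.maintainers:
            raise PermissionError("only maintainers can sign")
        proposal.signers.add(signer)     # a set: re-signing never double-counts

    def execute(self, proposal: SplitsProposal, now: int) -> dict[str, int]:
        if proposal.executed:
            raise RuntimeError("proposal already executed")
        if len(proposal.signers) < self.required_signers():
            raise PermissionError("need %d distinct maintainer signatures" % self.required_signers())
        if proposal.timelocked and now < proposal.proposed_at + TIMELOCK_SECONDS:
            raise RuntimeError("large change is still under the 24h timelock")
        proposal.executed = True
        self.splits = dict(proposal.new_splits)
        return self.splits


def attempt(guard: SplitsGuard, proposal: SplitsProposal, now: int) -> tuple[bool, str]:
    """Try to execute and report (ok, reason) instead of raising."""
    try:
        guard.execute(proposal, now)
        return True, "executed"
    except (PermissionError, RuntimeError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed scenario: a compromised "alice" account tries to redirect
    # bob's half of the split to an attacker address.
    guard = SplitsGuard({"alice", "bob"}, {"alice": 5000, "bob": 5000})
    hostile = guard.propose("alice", {"alice": 5000, "attacker": 5000}, now=0)
    print(attempt(guard, hostile, 0))           # blocked: one signature
    guard.approve(hostile, "bob")
    print(attempt(guard, hostile, 60))          # blocked: 24h timelock
    print(attempt(guard, hostile, TIMELOCK_SECONDS))  # the honest path succeeds
```

The two blocks are independent: a single stolen credential can neither reach two distinct signatures nor skip the timelock, and a large change that does gather both signatures is still visible on chain for a full day before it takes effect.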
## Emergency pause
A small multi-sig (5-of-9, members published) can pause specific subsystems for up to 24 hours when an active exploit is detected. Any pause that hasn't been ratified by full governance within 7 days auto-reverts.
The pause cannot:
- Move user funds.
- Mint or burn $GSEA.
- Change governance parameters.
- Pause RepoVault deposits or withdrawals to splits-holders.
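The pause limits above as an added Python model, not gitsea's multisig or contract code. It assumes the council is exactly nine named members with a five-signature threshold, that a pause is scoped to a named subsystem drawn from an allowlist that simply does not contain RepoVault deposit or withdrawal paths, that a council pause expires on its own after 24 hours, and that governance ratification within 7 days is what lets it persist; the subsystem names and `EmergencyCouncil` are illustrative.

```python
from dataclasses import dataclass

PAUSE_MAX_SECONDS = 24 * 60 * 60           # a council pause lasts at most 24h
RATIFY_WINDOW_SECONDS = 7 * 24 * 60 * 60   # governance must ratify within 7 days
COUNCIL_THRESHOLD = 5                      # 5-of-9
COUNCIL_SIZE = 9

# Assumption: illustrative subsystem names. RepoVault deposit/withdrawal
# paths are deliberately absent, so no signature count can pause them.
PAUSABLE = {"credit", "insurance", "markets", "royalty_router"}


@dataclass
class Pause:
    subsystem: str
    started_at: int        # unix seconds
    ratified: bool = False
    reverted: bool = False


class EmergencyCouncil:
    """Tracks council membership and the pause state of each subsystem."""

    def __init__(self, members: set[str]):
        if len(members) != COUNCIL_SIZE:
            raise ValueError("council must have exactly %d members" % COUNCIL_SIZE)
        self.members = set(members)
        self.pauses: dict[str, Pause] = {}

    def pause(self, subsystem: str, signers: set[str], now: int) -> Pause:
        valid = set(signers) & self.members   # non-member signatures are ignored
        if len(valid) < COUNCIL_THRESHOLD:
            raise PermissionError("need %d distinct council signatures" % COUNCIL_THRESHOLD)
        if subsystem not in PAUSABLE:
            raise PermissionError("%r is outside the council's pause authority" % subsystem)
        record = Pause(subsystem, now)
        self.pauses[subsystem] = record
        return record

    def ratify(self, subsystem: str, now: int) -> None:
        """Full governance ratifies an active pause; only valid inside 7 days."""
        record = self.pauses[subsystem]
        if record.reverted or now > record.started_at + RATIFY_WINDOW_SECONDS:
            raise RuntimeError("ratification window closed; pause has auto-reverted")
        record.ratified = True

    def is_paused(self, subsystem: str, now: int) -> bool:
        record = self.pauses.get(subsystem)
        if record is None or record.reverted:
            return False
        if record.ratified:
            return True                      # governance now owns the pause
        if now >= record.started_at + RATIFY_WINDOW_SECONDS:
            record.reverted = True           # not ratified within 7 days
            return False
        return now < record.started_at + PAUSE_MAX_SECONDS


def can_pause(council: EmergencyCouncil, subsystem: str, signers: set[str]) -> bool:
    """Dry-run of the pause checks, reported as a boolean."""
    try:
        council.pause(subsystem, signers, now=0)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed scenario: five of nine members pause the markets subsystem
    # at t=0 while an exploit is investigated.
    council = EmergencyCouncil({"m%d" % i for i in range(COUNCIL_SIZE)})
    council.pause("markets", {"m0", "m1", "m2", "m3", "m4"}, now=0)
    print(council.is_paused("markets", 3600))                 # True, inside 24h
    print(council.is_paused("markets", PAUSE_MAX_SECONDS))    # False, expired
    print(can_pause(council, "repo_vault_deposits", set(council.members)))  # False
```

Keeping RepoVault deposits and withdrawals out of `PAUSABLE` is the whole point: the restriction is enforced by the absence of a code path, not by a flag the council could flip.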
## Operational security
- No admin EOA anywhere in the production stack.
- Deployer keys rotate post-deployment; addresses become immutable owners of upgrades through the timelock.
- Oracle operators run independent infrastructure; no shared hosting.
- Public operational runbooks for incident response.
## Disclosure
Vulnerabilities → security@gitsea.io (PGP key fingerprint published). 90-day default disclosure window; we publish after the fix ships.
For things you find about us (the website, the bot, the API), the same address — coordinated disclosure, never legal threats.
## Related
- Smart contracts — what's actually deployed.
- Architecture — what's on chain vs. off.
- Governance — how parameters that bound risk get changed.
