Security

The only feature we never trade off.

No admin EOA anywhere in production. Two independent audits + public Cantina contest pre-mainnet. Continuous bug bounty up to $250k. Coordinated disclosure at security@gitsea.io.

Audits

Two firms + a public contest, pre-mainnet.

Reviewer          Status       Scope
Trail of Bits     Engaged      Core (RepoVault, Splits, RoyaltyRouter)
Spearbit          Engaged      Credit, Insurance, Markets
Cantina contest   Scheduled    Full surface
Internal review   Continuous   Continuous

Pre-mainnet

The protocol is on Base testnet ahead of audit completion. Do not deposit anything you can't afford to lose until two completed audit reports + an active bug bounty are published with the mainnet release.

Bug bounty

Up to $250,000 for a critical finding.

Continuous public bounty on Cantina. Payouts in USDC from the protocol treasury.

Tier       Payout       Examples
Critical   $250,000     Direct theft from any vault · $GSEA mint bypass · timelock bypass
High       $50,000      Block governance · global score manipulation · bypass slashing
Medium     $10,000      Material griefing · market price manipulation
Low        $1,000       Single-repo DoS · non-critical UI inconsistency

Separate · Sybil bounty

Cluster ≥ 50 DIDs   $20,000
Cluster ≥ 10 DIDs   $5,000
Single sybil        $500–$2,000

Successful claims also slash the bonds of any DID that vouched for the cluster.

Threat model

How we think about the things that could go wrong.

Repo takeover

A splits change on a multi-maintainer repo requires 2 signers plus a 24h timelock for reweights of more than 25%. Repo-owner transfer is explicit, never silent.
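The two controls above (a 2-signer plus 24h timelock gate on large reweights, and an explicit two-step owner transfer) modelled as a small Python state machine. This is an added illustration, not gitsea's code: the class and method names, measuring "25%" as the largest shift in any single payee's share, and starting the timelock at proposal time are all assumptions made for the example.

```python
# Added example (not gitsea's code): a minimal model of the repo-takeover
# mitigations described above. Names, the ">25%" measure (largest shift in any
# payee's share) and the timelock starting at proposal time are assumptions.
from dataclasses import dataclass, field

MAJOR_REWEIGHT_BPS = 2500     # a shift above 25% in any payee's share is "major"
TIMELOCK_SECONDS = 24 * 3600  # 24h delay before a major reweight can execute
MIN_SIGNERS = 2               # independent maintainers needed for a major reweight
TOTAL_BPS = 10_000            # split weights are expressed in basis points


@dataclass
class SplitsChange:
    new_weights: dict
    proposed_at: int
    approvals: set = field(default_factory=set)


class SplitsVault:
    """Hypothetical vault holding a repo's payout split (payee -> basis points)."""

    def __init__(self, owner, maintainers, weights):
        if sum(weights.values()) != TOTAL_BPS:
            raise ValueError("weights must sum to 10000 bps")
        self.owner = owner
        self.pending_owner = None
        self.maintainers = set(maintainers)
        self.weights = dict(weights)
        self.pending = None

    # -- splits change: large reweights need 2 signers and a 24h delay --
    @staticmethod
    def max_shift_bps(old, new):
        """Largest change in any single payee's share, in basis points."""
        return max(abs(new.get(k, 0) - old.get(k, 0)) for k in set(old) | set(new))

    def is_major(self, new_weights):
        return self.max_shift_bps(self.weights, new_weights) > MAJOR_REWEIGHT_BPS

    def propose(self, signer, new_weights, now):
        if signer not in self.maintainers:
            raise PermissionError("only maintainers can propose")
        if sum(new_weights.values()) != TOTAL_BPS:
            raise ValueError("weights must sum to 10000 bps")
        # the proposer counts as the first signer; the clock starts here
        self.pending = SplitsChange(dict(new_weights), now, {signer})
        return self.pending

    def approve(self, signer):
        if signer not in self.maintainers or self.pending is None:
            raise PermissionError("no pending change or not a maintainer")
        self.pending.approvals.add(signer)
        return len(self.pending.approvals)

    def execute(self, now):
        change = self.pending
        if change is None:
            raise PermissionError("nothing pending")
        if self.is_major(change.new_weights):
            if len(change.approvals) < MIN_SIGNERS:
                raise PermissionError("major reweight needs %d signers" % MIN_SIGNERS)
            if now < change.proposed_at + TIMELOCK_SECONDS:
                raise PermissionError("major reweight still inside the 24h timelock")
        self.weights = dict(change.new_weights)
        self.pending = None
        return self.weights

    # -- owner transfer: nothing changes until the nominated owner accepts --
    def transfer_owner(self, caller, new_owner):
        if caller != self.owner:
            raise PermissionError("only the owner can start a transfer")
        self.pending_owner = new_owner   # current owner stays in control until acceptance
        return self.owner

    def accept_owner(self, caller):
        if caller != self.pending_owner:
            raise PermissionError("only the nominated owner can accept")
        self.owner, self.pending_owner = caller, None
        return self.owner
```

A reweight that moves no payee by more than 25% executes immediately with one maintainer's signature; a larger one is refused until a second maintainer has approved and 24 hours have passed since the proposal, which is what turns a single compromised maintainer key into a delayed, visible event rather than an instant takeover.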

Stream griefing

Usage telemetry comes from opt-in beacons cross-checked against the commit graph. Unverified streams are capped at the fallback rate. RoyaltyRouter authority is gated by RepoVault's authorized set.

PR market manipulation

Counterparty graph analysis. Author-merger conflicts of interest have their profits slashed. Round-tripping is detected by timing and counterparty heuristics.

Insurance griefing

Optimistic claims with claimant bond. Curator multisig review with slashing for false claims.

Credit score sybil

Soulbound credentials require a separate merger to sign. Vouching is bonded — proven sybil clusters burn the voucher's bond. Public sybil bounty.

Governance capture

Quorum + timelock + culture of off-chain temp checks. Emergency multisig with rotation, can only pause specific subsystems for 24h, never move funds.

Full STRIDE/DREAD analysis lives at gitsea/security/threat-model.md once we publish it post-audit.

Operational

What runs in production.

  • No admin EOA anywhere in the production stack.
  • Deployer keys rotate post-deployment; addresses become immutable owners of upgrades through the timelock.
  • Oracle operators run independent infrastructure — no shared hosting.
  • Emergency multisig (5-of-9, public roster) can pause specific subsystems for 24h max, never move funds, never mint $GSEA.
  • Public incident runbooks.

Disclosure

How to reach us.

  • Vulnerabilities → security@gitsea.io (PGP fingerprint at /security/pgp).
  • 90-day default disclosure window. We publish after fix.
  • Website / bot / API issues? Same address. Coordinated disclosure, never legal threats.
  • For bounty submissions, use the Cantina form — the email is reserved for first-contact and time-sensitive issues.

Find something? Get paid for it.

The bug bounty is for the public — independent researchers, users, agents. Anyone who can prove an issue can claim.