Security
Security, disclosure, and audit references
Please report vulnerabilities privately. Do not publish proof-of-concept details in public issues, open chat rooms, or social posts before the issue is triaged and mitigated.
What to include
The fastest reports are the ones we can reproduce quickly and assess clearly.
- Affected URL, route, API, contract, or component
- Clear reproduction steps and expected impact
- Any proof of concept, transaction hash, or wallet addresses involved
- Whether approvals, signatures, funds, or user data are at risk
Good-faith disclosure
Research that avoids privacy violations, destructive actions, and fund movement will be treated as defensive disclosure. We still require private coordination before public release.
Audits and monitoring
Independent review and runtime monitoring are part of the current launch posture.
Current launch controls
These are the main application-level controls currently active in the launch stack.
- Exact-amount swap approvals instead of unlimited approvals
- Route and execution payload validation before wallet execution
- Per-route quote freshness and price acceptance checks
- Rate limiting and bounded caching on swap quote endpoints
- Shared browser security headers and hardened CSP baseline
- Private vulnerability disclosure process and internal triage checklist
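As an added example (not this project's code), a client-side pre-execution check that enforces the first three controls above before a swap payload is handed to the wallet; the payload field names, the freshness window, the slippage bound and the router address are assumptions made for illustration.

```javascript
// Added example, not the project's own code. Field names, thresholds and the
// router allowlist are assumptions; the sample payloads below are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_QUOTE_AGE_MS = 30_000;   // assumed quote freshness window
const MAX_SLIPPAGE_BPS = 100n;     // assumed price acceptance bound (1%)
// Hypothetical router allowlist (placeholder address, lowercased for comparison).
const ALLOWED_SPENDERS = new Set(['0x1111111111111111111111111111111111111111']);

// Returns the list of violations; an empty list means the payload may be sent to the wallet.
function validateSwapPayload(payload, now = Date.now()) {
  const errors = [];
  const { amountIn, approvalAmount, spender, quote, minAmountOut } = payload;

  // Exact-amount approval: the allowance requested must equal the amount the
  // route consumes, never MaxUint256 and never a surplus.
  if (approvalAmount === MAX_UINT256) errors.push('unlimited approval');
  else if (approvalAmount !== amountIn) errors.push('approval does not match amountIn');

  // Payload validation: the approval may only be granted to a known router.
  if (!ALLOWED_SPENDERS.has(String(spender).toLowerCase())) errors.push('unknown spender');

  // Quote freshness: a quote older than the window is rejected before execution.
  if (now - quote.issuedAt > MAX_QUOTE_AGE_MS) errors.push('quote expired');

  // Price acceptance: minAmountOut must lie within the slippage bound of the quoted output.
  const floor = quote.amountOut - (quote.amountOut * MAX_SLIPPAGE_BPS) / 10_000n;
  if (minAmountOut < floor) errors.push('minAmountOut below slippage floor');
  if (minAmountOut > quote.amountOut) errors.push('minAmountOut exceeds quoted output');

  return errors;
}

// Constructed sample payloads (amounts in token base units as BigInt).
const T0 = 1_700_000_000_000; // constructed quote timestamp (ms since epoch)
const goodPayload = {
  amountIn: 1_000_000n,
  approvalAmount: 1_000_000n,
  spender: '0x1111111111111111111111111111111111111111',
  quote: { amountOut: 995_000n, issuedAt: T0 },
  minAmountOut: 990_000n,
};
// Same route, but with an unlimited approval and a quote issued 60 s earlier.
const badPayload = {
  ...goodPayload,
  approvalAmount: MAX_UINT256,
  quote: { amountOut: 995_000n, issuedAt: T0 - 60_000 },
};
```

Run the validator on both payloads with `now = T0 + 1000`: the first yields no violations, the second reports both the unlimited approval and the expired quote.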