Security
Security you can verify
Audited contracts and prover, a live bug-bounty, slashing that protects the network, and an ENISA-aligned posture — evidenced, not asserted.
Audits
Audits.
Contracts and the prover are reviewed by independent auditors. We link reports where they exist and label the rest honestly — a claimed audit with no report is not an audit.
Pre-launch — reports not yet public
The network is pre-mainnet. Audit engagements are in progress; published reports will be linked here as they complete. Until then, treat the items below as scope, not evidence. When a report is public it links here directly. See the systems under review in the architecture.
Proving
The prover and settlement security.
Security does not rest on trust in operators. Every state transition is proven with zero-knowledge and settled to Ethereum, so correctness is checked by maths and by L1, not asserted.
The proof system.
A valid proof is the only way a transition is accepted. An invalid one cannot be made to verify, so a dishonest operator cannot forge state.
Read the prover design →
Settlement to Ethereum.
Proofs settle to Ethereum, so the network inherits L1 finality. The settlement is a transaction you can open — not a claim you have to take on faith.
Read the settlement model →
Slashing
Slashing as a safety mechanism.
Slashing is not punishment for its own sake. It is the economic backstop that makes a provable fault expensive, so the rational operator stays honest and online.
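The fault this section names first is equivocation: one operator signing two conflicting states for the same height. The following is an added example, not the project's protocol code, showing how a detector turns two valid conflicting signatures into slashing evidence and how a burn is applied. The operator ids, keys, stake amounts and the 50% figure are constructed placeholders (the real conditions and amounts are in the docs), and HMAC-SHA256 stands in for the network's actual signature scheme.

```python
"""Equivocation detection as a slashing backstop (added example, not the project's code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Toy signature: HMAC-SHA256 with a per-operator secret stands in for the real scheme.
# Operator ids, keys and bonded stakes are constructed for this example.
OPERATOR_KEYS = {"op-1": b"constructed-key-1", "op-2": b"constructed-key-2"}
BONDED_STAKE = {"op-1": 1000, "op-2": 1000}


@dataclass(frozen=True)
class Vote:
    operator: str
    height: int
    state_root: str   # digest of the state the operator attests to (constructed)
    sig: bytes


def _message(height, state_root):
    return f"{height}:{state_root}".encode()


def sign_vote(operator, height, state_root):
    """Produce a vote signed with the operator's (toy) key."""
    sig = hmac.new(OPERATOR_KEYS[operator], _message(height, state_root), hashlib.sha256).digest()
    return Vote(operator, height, state_root, sig)


def verify_vote(vote):
    """Check the vote really carries the operator's signature; forged votes are not evidence."""
    expected = hmac.new(OPERATOR_KEYS[vote.operator], _message(vote.height, vote.state_root), hashlib.sha256).digest()
    return hmac.compare_digest(vote.sig, expected)


def find_equivocations(votes):
    """Return {operator: (vote_a, vote_b)} for every operator with two valid votes
    on different state roots at the same height. Re-sending the same vote is not a fault."""
    first_seen = {}
    evidence = {}
    for v in votes:
        if not verify_vote(v):
            continue  # an unverifiable vote cannot be pinned on anyone
        key = (v.operator, v.height)
        prior = first_seen.get(key)
        if prior is None:
            first_seen[key] = v
        elif prior.state_root != v.state_root and v.operator not in evidence:
            evidence[v.operator] = (prior, v)   # two valid signatures, conflicting roots
    return evidence


def apply_slashing(evidence, stake, percent):
    """Burn `percent` of bonded stake for each operator with evidence; returns a new table.
    Integer arithmetic keeps the result deterministic across nodes."""
    remaining = dict(stake)
    for operator in evidence:
        remaining[operator] -= remaining[operator] * percent // 100
    return remaining


def demo_votes():
    """Constructed sample: op-1 equivocates at height 10, op-2 is honest,
    and a third party submits a vote forged in op-2's name with a bad signature."""
    forged = Vote("op-2", 10, "cafe", b"\x00" * 32)
    return [
        sign_vote("op-1", 10, "aaaa"),
        sign_vote("op-2", 10, "aaaa"),
        sign_vote("op-1", 10, "bbbb"),   # conflicts with op-1's earlier vote
        sign_vote("op-2", 10, "aaaa"),   # duplicate, not equivocation
        forged,
    ]


if __name__ == "__main__":
    found = find_equivocations(demo_votes())
    print("equivocating operators:", sorted(found))
    print("stake after 50% burn:", apply_slashing(found, BONDED_STAKE, 50))
```

The point of `verify_vote` before anything else is that evidence must be self-authenticating: only conflicting messages the operator actually signed can cost it stake, so a third party cannot get an honest operator slashed by submitting forged votes.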
What slashing protects against
Slashing burns an operator's bonded stake for a provable fault — equivocation, signing conflicting state, or a safety violation the protocol can prove. It raises the cost of attacking the network above any gain, and it backs the finality the network settles to Ethereum. Confirmed conditions and amounts are published in the docs.
Bug bounty
Bug bounty.
Independent researchers are paid to break the network before an attacker does. The scope and reward bands below are indicative pre-launch and will be confirmed when the programme opens.
No figure here is a promise of payment. Reward bands and in-scope assets are fixed by the published programme rules when it opens.
Disclosure
Responsible disclosure.
If you find a vulnerability, report it privately and give us time to fix it before disclosing. We publish a security.txt so the contact is machine-discoverable.
Where to report.
Email the security team directly. Please do not open a public issue for a vulnerability, and do not test against mainnet assets.
security@openstatestack.network
security.txt
The disclosure contact and policy are published at a well-known path, per RFC 9116, so tools and researchers can find them without guessing.
Posture
Posture.
What we align to, stated precisely. Alignment is a posture, never a certification we do not hold — each chip links to the standard or the evidence behind it.
ENISA-aligned describes the posture the network is built to, not a certification held. The claim is upgraded to evidence only when there is evidence to link.
Verify it, then operate it.
Security here is evidenced, not asserted. Read the proofs, then run a node or open the explorer.