Security

Last updated: February 26, 2026

1. Our Commitment

Security is foundational to CrowdProof. We handle reputation data, cryptographic proofs, and financial interactions across multiple blockchains. We take a defense-in-depth approach to protecting our systems and your data.

2. Smart Contract Security

  • All contracts are written in Solidity 0.8.24, whose built-in checked arithmetic reverts on integer overflow and underflow
  • UUPS proxy pattern for upgradeable contracts with strict access controls
  • OpenZeppelin library usage for battle-tested implementations (ERC20, AccessControl, Pausable)
  • Comprehensive Foundry test suite with 95%+ code coverage
  • External security audit planned before mainnet deployment
  • Multi-sig ownership (Gnosis Safe) for all admin functions post-launch

3. Infrastructure Security

  • All traffic encrypted with TLS 1.3
  • HSTS enabled with 1-year max-age and includeSubDomains
  • Azure App Service with managed runtime updates
  • SQL Server with encrypted connections and parameterized queries
  • Secrets managed via Azure Key Vault (API keys, RPC URLs, database credentials)
  • Content Security Policy headers on all pages
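The HSTS and CSP items above are easy to state and easy to get subtly wrong in deployment (a short max-age, a missing includeSubDomains, an 'unsafe-inline' that crept into script-src). The following added example, not CrowdProof's own code, builds the HSTS value described (one year, includeSubDomains) and audits a response's headers against that policy; the header values it checks are constructed for the example.

```python
"""Added example (not CrowdProof's code): build and check the HSTS and CSP
response headers described in the infrastructure list."""

ONE_YEAR = 31_536_000  # seconds; the 1-year max-age the policy names


def build_hsts(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Compose a Strict-Transport-Security value from its directives."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into a lower-cased directive dict."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the header meets the policy."""
    findings = []
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("missing or non-numeric max-age")
    elif int(d["max-age"]) < min_age:
        findings.append(f"max-age {d['max-age']} below {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def check_csp(value):
    """Flag common CSP weaknesses: no default-src fallback, or script sources
    that permit inline scripts, eval, or any origin."""
    findings = []
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, *sources = raw.split()
        directives[name.lower()] = sources
    if "default-src" not in directives:
        findings.append("no default-src fallback")
    # script-src falls back to default-src when absent, as the CSP spec defines.
    script = directives.get("script-src", directives.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if bad in script:
            findings.append(f"script-src allows {bad}")
    return findings


def audit_headers(headers):
    """Run both checks over a response-header dict (header names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS header absent")
    else:
        findings += check_hsts(h["strict-transport-security"])
    if "content-security-policy" not in h:
        findings.append("CSP header absent")
    else:
        findings += check_csp(h["content-security-policy"])
    return findings


if __name__ == "__main__":
    # Constructed sample response headers, one compliant and one not.
    good = {"Strict-Transport-Security": build_hsts(),
            "Content-Security-Policy": "default-src 'self'"}
    weak = {"Strict-Transport-Security": "max-age=86400",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
    print("good:", audit_headers(good))
    print("weak:", audit_headers(weak))
```

Run it against a captured header set from a staging deployment; any non-empty finding list is a regression from the stated policy worth catching in CI rather than after launch.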

4. API Security

  • JWT authentication via Sign-In with Ethereum (SIWE)
  • API key authentication with per-tier rate limiting
  • Input validation on all endpoints (wallet address format, query parameters)
  • CORS restricted to known origins
  • Request metering and anomaly detection
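To make the validation and per-tier rate-limiting items concrete, here is an added example (not CrowdProof's code, and not its API) of the request-side checks an endpoint that looks up a wallet's data would run: syntactic wallet-address validation, bounded pagination parameters, and a token-bucket limiter keyed by API key with a per-tier budget. The tier table, the `handle_request` endpoint shape and the parameter names are constructed for the example.

```python
"""Added example (not CrowdProof's code): address-format validation, bounded
query parameters and a per-tier token-bucket rate limiter."""
import re
import time

# 0x prefix followed by exactly 40 hex digits. EIP-55 checksum verification
# would additionally need keccak-256 and is deliberately out of scope here.
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def is_valid_address(value):
    """True only for a syntactically well-formed Ethereum address string."""
    return isinstance(value, str) and ADDRESS_RE.fullmatch(value) is not None


def normalize_address(value):
    """Lower-case a valid address so lookups are case-insensitive; raise otherwise."""
    if not is_valid_address(value):
        raise ValueError("malformed wallet address")
    return value.lower()


def parse_pagination(params, max_limit=100):
    """Validate ?limit= and ?offset= so a caller cannot request unbounded pages."""
    try:
        limit = int(params.get("limit", "20"))
        offset = int(params.get("offset", "0"))
    except ValueError:
        raise ValueError("limit/offset must be integers")
    if not (1 <= limit <= max_limit) or offset < 0:
        raise ValueError("limit/offset out of range")
    return limit, offset


# Constructed tier table: requests allowed per minute for each API-key tier.
TIER_LIMITS = {"free": 60, "pro": 600, "enterprise": 6000}


class TierRateLimiter:
    """One token bucket per API key, refilled continuously at the tier's per-minute rate.
    The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, tiers=TIER_LIMITS, clock=time.monotonic):
        self.tiers = tiers
        self.clock = clock
        self.buckets = {}  # api_key -> [tokens, last_refill_timestamp]

    def allow(self, api_key, tier):
        capacity = self.tiers[tier]
        rate = capacity / 60.0  # tokens added per second
        now = self.clock()
        tokens, last = self.buckets.get(api_key, (capacity, now))
        tokens = min(capacity, tokens + (now - last) * rate)
        if tokens < 1:
            self.buckets[api_key] = [tokens, now]
            return False
        self.buckets[api_key] = [tokens - 1, now]
        return True


def handle_request(limiter, api_key, tier, params):
    """Return (status, payload) for a hypothetical wallet-lookup endpoint.
    Rate limiting runs first so malformed requests still consume budget."""
    if not limiter.allow(api_key, tier):
        return 429, {"error": "rate limit exceeded"}
    try:
        address = normalize_address(params.get("address", ""))
        limit, offset = parse_pagination(params)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 200, {"address": address, "limit": limit, "offset": offset}


if __name__ == "__main__":
    limiter = TierRateLimiter()
    sample = {"address": "0x" + "ab" * 20, "limit": "5"}  # constructed input
    print(handle_request(limiter, "demo-key", "free", sample))
    print(handle_request(limiter, "demo-key", "free", {"address": "0xdead"}))
```

Two design points: the address check is a strict full-match, so trailing characters (a stray quote, a SQL fragment) fail validation before anything reaches the database, which complements rather than replaces the parameterized queries listed under infrastructure; and the limiter charges a token before validation, so a flood of malformed requests is throttled like any other traffic.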

5. Zero-Knowledge Proof Security

Our ZK circuits use the Groth16 proving system with a trusted setup ceremony. Verification keys are published on-chain and can be independently verified. Proof generation uses private inputs that are never transmitted to our servers when using client-side proof generation (WASM SDK).

6. Responsible Disclosure

If you discover a security vulnerability in CrowdProof, we ask that you disclose it responsibly:

  • Email security@crowdproof.id with a detailed description of the vulnerability
  • Include steps to reproduce the issue
  • Allow us reasonable time (90 days) to address the issue before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

7. Bug Bounty Program

We are establishing a bug bounty program to reward security researchers who help us identify and fix vulnerabilities. Details will be published on our GitHub repository and through our Immunefi program page (coming soon).

Report a Vulnerability

Found something? We appreciate your help keeping CrowdProof secure.

Contact Security Team