Skip to content

Security

Verify before you trust

  1. Bytecode — compare SonicScan code hash to signed release artifacts.
  2. Addresses — match GitHub release manifest; ignore social media screenshots.
  3. Signatures — verify CHECKSUMS.sha256.sig with RELEASE_SIGNING_KEY.pem in the public tree.
  4. App origin — use app.aegisprotocol.org and tge.aegisprotocol.org only.

Threat model (summary)

RiskMitigation
Fake tokens / auctionsOfficial announcements only; AGS not live until we say so
Phishing sitesBookmark official URLs
Malicious relayersUser-signed intents; review relayer reputation
RPC surveillanceRun your own node or trusted provider
Circuit driftGovernance timelock on verifier upgrades

Reporting

Security issues: use the contact path in the public GitHub SECURITY.md — do not disclose exploitable bugs on Telegram first.

Audits

Audit reports publish with releases when available. Formal verification artifacts may be restricted pre-general-availability.

Static documentation — wallets connect to Sonic RPC directly.