Security

Audits & Security

Review our audit history, bug bounty program, and the initiatives we take to strengthen the security of the protocol.

Smart Contract Audits

Our smart contracts undergo regular independent audits by leading security firms. Below is the full history of audits conducted, ordered newest to oldest. All audit reports are publicly available on our GitHub.

| Auditor | Date | Scope |
| --- | --- | --- |
| MixBytes | January 2025 | Product Pricing Changes contract |
| iosiro | September 2024 | Long Term Limit Order contract |
| Chaos Labs | October 2023 | Economic audit of RAMM design and mechanism |
| Spearbit | Nov 2022 – Mar 2023 | Full V2 protocol audit — all module contracts |
| Solidified | April 2011 | Pre-mainnet launch — full smart contract system |

Bug Bounty Program

We maintain an active bug bounty program through Immunefi to incentivize responsible disclosure of vulnerabilities. Whitehat hackers who discover and responsibly report vulnerabilities in our smart contract system are rewarded based on the severity of the finding. Bounties are paid in stablecoins.

| Severity | Reward |
| --- | --- |
| Critical | Up to $1,000,000 |
| High | Up to $50,000 |
| Medium | Up to $25,000 |
| Low | Up to $5,000 |

Security Practices

Regular smart contract audits are a critical component of our security posture, but they are not the only measure we take to protect the protocol and its users. Our security framework includes multiple layers of protection.

Reentrancy protection. All state-changing functions that handle asset transfers are protected with OpenZeppelin's ReentrancyGuard to prevent reentrancy attacks.

Access control. Critical contract functions are restricted to authorized roles. Only the designated relayer can execute gasless token transfers, and only the contract owner can modify system parameters such as the relayer address and treasury wallet.

Policy deduplication. Each insurance policy is identified by a unique bytes32 policy ID. The contract enforces that no policy can be executed more than once, preventing replay attacks.

Safe token transfers. All ERC-20 interactions use OpenZeppelin's SafeERC20 library, which handles non-standard tokens (like USDT) that don't return a boolean on transfer.

Infrastructure security. Our backend relayer infrastructure uses encrypted key storage, rate limiting, and monitoring. Private keys are never exposed to client-side code.

Emergency procedures. The contract owner has the ability to rescue stuck ETH or tokens from the contract and redirect them to the treasury, ensuring no funds are permanently locked.
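As an added illustration (not the protocol's own code), the following hypothetical contract shows how the controls above fit together: ReentrancyGuard on the payout path, a relayer-only entry point with owner-only parameter changes, a bytes32 policy-ID mapping that rejects a second execution, SafeERC20 for transfers, and an owner-only rescue that can only send to the treasury. The contract name, function names and OpenZeppelin v5 import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative contract (not the protocol's own code): ReentrancyGuard,
// role-restricted entry points, bytes32 policy-ID deduplication, SafeERC20.
contract PolicyExecutorExample is Ownable, ReentrancyGuard {
    using SafeERC20 for IERC20;
    address public relayer;   // only caller allowed to execute policies
    address public treasury;  // destination for rescued funds
    mapping(bytes32 => bool) public executed;  // policy ID -> already paid

    error NotRelayer();
    error AlreadyExecuted(bytes32 policyId);

    constructor(address relayer_, address treasury_) Ownable(msg.sender) {
        relayer = relayer_;
        treasury = treasury_;
    }

    modifier onlyRelayer() {
        if (msg.sender != relayer) revert NotRelayer();
        _;
    }

    // Only the owner may change system parameters.
    function setRelayer(address r) external onlyOwner { relayer = r; }
    function setTreasury(address t) external onlyOwner { treasury = t; }

    // Relayer-only payout. The executed[] check and its update happen before
    // the external token call, so a replayed or re-entered call with the
    // same policy ID reverts even without the guard; nonReentrant backs it up.
    function executePolicy(bytes32 policyId, IERC20 token, address to, uint256 amount)
        external onlyRelayer nonReentrant
    {
        if (executed[policyId]) revert AlreadyExecuted(policyId);
        executed[policyId] = true;       // effects before interaction
        token.safeTransfer(to, amount);  // reverts on false or missing return
    }

    // Owner-only rescue of stuck tokens, always routed to the treasury.
    function rescueToken(IERC20 token, uint256 amount) external onlyOwner {
        token.safeTransfer(treasury, amount);
    }
}
```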

Responsible Disclosure

If you discover a vulnerability in our smart contracts or infrastructure, please disclose it responsibly through our bug bounty program on Immunefi. Do not publicly disclose vulnerabilities before they have been addressed. For security-related inquiries, contact us.