Security
Verify before you trust
- Bytecode — compare SonicScan code hash to signed release artifacts.
- Addresses — match GitHub release manifest; ignore social media screenshots.
- Signatures — verify
CHECKSUMS.sha256.sigwithRELEASE_SIGNING_KEY.pemin the public tree. - App origin — use
app.aegisprotocol.organdtge.aegisprotocol.orgonly.
Threat model (summary)
| Risk | Mitigation |
|---|---|
| Fake tokens / auctions | Official announcements only; AGS not live until we say so |
| Phishing sites | Bookmark official URLs |
| Malicious relayers | User-signed intents; review relayer reputation |
| RPC surveillance | Run your own node or trusted provider |
| Circuit drift | Governance timelock on verifier upgrades |
Reporting
Security issues: use the contact path in the public GitHub SECURITY.md — do not disclose exploitable bugs on Telegram first.
Audits
Audit reports publish with releases when available. Formal verification artifacts may be restricted pre-general-availability.