Security

peg.fun has not had a full external audit. The production contracts have been through an extensive internal review (static analysis, symbolic proofs, 50,000-run invariants, mainnet-fork integration tests), but the absence of a paid third-party audit is a real and accepted risk. Use peg.fun at your own discretion. See Risks for the full posture.

Reporting a vulnerability

If you find a security issue in any peg.fun contract or service, contact us privately first. Public disclosure before remediation puts holders and creators at risk, even when the finding is in our favor.

Do not:

  • Open a public GitHub issue.
  • Post in a public Telegram or Discord channel.
  • Tag accounts on Twitter / X.

Do:

We aim to acknowledge within 48 hours. Critical findings (fund loss, unlimited mint, permanent state corruption) get faster turnaround.

What is in scope

These surfaces are in scope for security review:

  • Smart contracts under contracts/src/:
    • PegFactory.sol, atomic deploy of token + hook + curve + creator vault.
    • PegToken.sol, the ERC-20 + object-mint guard.
    • PegHook.sol, bonding curve, migration trigger, fee accumulator, post-graduation routing.
    • DirectSwap.sol, the permissionless router for buy/sell routes that satisfy the object-mint guard.
    • PegRenderer.sol, on-chain SVG renderer.
    • TreasuryVault.sol, CreatorVault.sol, fee custody and rotation.
  • Indexer (packages/indexer/), data correctness, RPC trust assumptions, schema invariants.
  • Frontend (packages/web/), wallet-signing security, EIP-712 implementation, AI session token handling.
  • Verification worker (packages/verification-worker/), AI session fee verification.

What is NOT in scope

These are intentional behaviors, not bugs:

  • Aggregator and v3-router buyers losing object minting. Documented in aggregator-loss. Reports of this behavior will be acknowledged but not treated as findings.
  • Burned LP after graduation. This is a feature, not a vulnerability. See LP burn.
  • Renounced ownership post-migration. peg.fun cannot recover funds or upgrade contracts post-graduation. This is the deliberate trade-off documented in Risks.
  • Issues that require the founder's seed phrase, signed transactions from the founder's wallet, or any operator-trusted access. These are outside the threat model.

What we cannot offer

  • No funded bug bounty at v1. peg.fun does not run an Immunefi / Cantina / public-bounty pot at this stage. The email channel above is the only path; v2 may reintroduce a funded bounty if treasury TVL warrants it.
  • No formal CVE assignment. Findings are documented in the internal review log after remediation. We will credit you in the patch release notes with whatever attribution you prefer (name, handle, or anonymous).

Responsible disclosure timeline

We follow a standard responsible-disclosure timeline:

  • Acknowledgement: within 48 hours of receipt.
  • Triage and severity classification: within 7 days.
  • Patch and verification: depends on severity. Critical and high-severity findings get priority.
  • Public disclosure: after the patch is deployed and confirmed in production. We coordinate timing with you.

What we do internally

The contracts go through this stack before any production deploy:

  • ≥ 90% Foundry test coverage on src/ overall, ≥ 95% on critical paths (hook, weight math, fee accumulator).
  • 50,000-run invariant testing on the balance-weight math and fee distribution invariants.
  • Halmos symbolic proofs of the vault solvency invariant.
  • Slither + Aderyn static analysis with HIGH/CRITICAL findings blocking CI.
  • Mainnet-fork integration tests against the real Uniswap v4 PoolManager bytecode.
  • Internal Claude-driven code review, exhaustive sweep over the production contracts.
  • Public Sepolia testnet drills before each mainnet ship.

This stack reduces risk but does not eliminate it. We do not claim "audited", only "internally reviewed with the strongest tooling we could line up."

Why we ship without a paid audit

Two reasons:

  1. Solo-founder economics. A serious Code4rena warden engagement or a Spearbit / Cantina audit costs $50-200k; peg.fun does not have that budget pre-mainnet.
  2. The internal review is non-trivial. Combined Slither + Aderyn + Halmos + 50k invariants + mainnet-fork integration tests + an internal review pass covers a wide surface. Not as wide as a paid audit, but much wider than "no review at all."

If you are uncomfortable with this trade-off, do not use peg.fun. We respect the choice and will revisit the audit posture as treasury TVL grows.

Related

  • Risks, the long-form trade-off discussion.
  • How peg.fun works, the mechanism every reviewer should read first.