Skip to content

Security: luxfi/standard

Security

SECURITY.md

Lux Standard Security

Overview

The Lux Standard smart contract stack implements comprehensive security practices including automated continuous auditing, fuzz testing, and static analysis integrated into our CI/CD pipeline.

Continuous Security Pipeline

Our security infrastructure runs automatically on every push and pull request:

Tool Purpose Frequency
Slither Static analysis, vulnerability detection Every PR
Echidna Property-based fuzzing (Trail of Bits) Every PR
Medusa Fast parallel fuzzing (Trail of Bits) Every PR
Semgrep SAST with Solidity-specific rules Every PR
CodeQL Deep semantic analysis Every PR
Aderyn Rust-based Solidity analyzer Every PR
Forge Fuzz Native Foundry invariant testing Every PR

Additionally, the full security suite runs weekly via scheduled GitHub Actions.

CI/CD Workflows

  • Build & Test: .github/workflows/ci.yml - Compilation and unit tests
  • Security Analysis: .github/workflows/security.yml - Full security suite
  • Deployment: .github/workflows/deploy.yml - Controlled deployments

Security Tools Configuration

Slither (Static Analysis)

slither contracts/ --exclude-dependencies --sarif results.sarif

Echidna (Fuzzing)

Configuration: echidna.yaml

echidna . --contract TestContract --config echidna.yaml

Medusa (Parallel Fuzzing)

Configuration: medusa.json

medusa fuzz --config medusa.json

Audit History

Internal Audits

Date Auditor Scope Findings
2026-01-31 Claude AI (Opus 4.5) Full stack 25 Critical, 41 High, 40 Medium

External Audits

Date Auditor Scope Report
TBD Trail of Bits Full stack Pending
TBD OpenZeppelin Governance Pending

Vulnerability Disclosure

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  1. Email: security@lux.network
  2. Bug Bounty: Immunefi Program (Coming Soon)

Please do NOT:

  • Open public GitHub issues for security vulnerabilities
  • Exploit vulnerabilities on mainnet
  • Share vulnerability details publicly before fix

Severity Classification

Severity Response Time Bounty Range
Critical 24 hours $50,000 - $250,000
High 72 hours $10,000 - $50,000
Medium 1 week $2,500 - $10,000
Low 2 weeks $500 - $2,500

Security Best Practices

Smart Contract Security

  1. Checks-Effects-Interactions: All state changes before external calls
  2. Reentrancy Guards: Applied to all fund-moving functions
  3. Access Control: Role-based permissions via OpenZeppelin
  4. Upgrade Safety: UUPS pattern with Ownable2Step
  5. Oracle Staleness: MAX_PRICE_STALENESS checks on all feeds
  6. Signature Security: ECDSA.recover for all signature verification

Testing Standards

  • Unit Tests: 100% coverage on critical paths
  • Fuzz Tests: 1000+ runs per invariant
  • Invariant Tests: Protocol-wide property verification
  • Integration Tests: Full deployment flow testing

Monitoring & Alerting

On-Chain Monitoring

  • OpenZeppelin Defender for transaction monitoring
  • Forta for real-time threat detection
  • Custom alerts for large transfers and admin actions

Incident Response

  1. Detection: Automated alerts + community reports
  2. Triage: Security team assessment within 1 hour
  3. Response: Pause mechanisms for critical issues
  4. Communication: Status page + Discord announcements
  5. Remediation: Fix deployment + post-mortem

Related Documentation

Last updated: 2026-01-31

There aren’t any published security advisories