Skip to content

Security: SMSDAO/TradeOS

Security

Report a vulnerability

SECURITY.md

Security Policy

Overview

GXQ Studio is a production-grade Solana DeFi platform that handles financial transactions and sensitive cryptographic operations. Security is our highest priority.

Supported Versions

We actively support and provide security updates for the following versions:

Version Supported
1.0.x
< 1.0

Security Best Practices

For Users

  1. Never share your private keys

    • Store private keys in environment variables only
    • Never commit private keys to source control
    • Use hardware wallets when possible

  2. Validate all transactions

    • Always review transaction details before signing
    • Verify recipient addresses
    • Check slippage settings

  3. Use production-grade RPC endpoints

    • Avoid public rate-limited endpoints
    • Use QuickNode, Helius, or Triton for production
    • Monitor RPC endpoint health

  4. Keep software updated

    • Regularly update to the latest version
    • Review release notes for security patches
    • Subscribe to security advisories

For Developers

  1. Code Security

    • Run npm audit regularly to check for vulnerabilities
    • Use TypeScript strict mode for type safety
    • Validate all user inputs
    • Sanitize data before processing

  2. Transaction Security

    • Always simulate transactions before sending
    • Implement proper slippage protection
    • Use MEV protection via Jito bundles for arbitrage
    • Validate all Solana addresses before transactions

  3. API Security

    • Store all API keys in environment variables
    • Implement rate limiting
    • Use HTTPS for all external communications
    • Validate API responses

  4. Production Deployment

    • Run production guardrails before deployment
    • Use separate wallets for dev/staging/production
    • Monitor transaction success rates
    • Set up alerting for failures

Production Guardrails

The system includes built-in production safety checks that validate:

  • ✅ RPC endpoint is production-grade (not public/rate-limited)
  • ✅ Wallet private key format and security
  • ✅ Minimum balance requirements
  • ✅ Network connectivity
  • ✅ Profit distribution configuration
  • ✅ Flash loan provider configuration

These checks run automatically at startup and will prevent the application from starting if critical issues are found.

To manually run production checks:

import { enforceProductionSafety } from './src/utils/productionGuardrails.js';
import { Connection } from '@solana/web3.js';

const connection = new Connection(rpcUrl);
await enforceProductionSafety(connection);

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues to:

What to Include

Please provide:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact assessment
  4. Suggested fix (if you have one)
  5. Your contact information for follow-up

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-7 days
    • High: 7-14 days
    • Medium: 14-30 days
    • Low: 30-90 days

Responsible Disclosure

We follow a coordinated disclosure process:

  1. You report the vulnerability privately
  2. We acknowledge receipt and begin investigation
  3. We work on a fix and keep you updated
  4. We release the fix and credit you (if desired)
  5. Details are made public after users have had time to update

Security Features

Built-in Protections

  1. MEV Protection

    • Jito bundle integration for atomic transactions
    • Private transaction mempool
    • Front-running prevention

  2. Slippage Protection

    • Dynamic slippage calculation
    • Maximum slippage limits
    • Price impact warnings

  3. Rate Limiting

    • API call throttling
    • Transaction frequency limits
    • Automatic backoff on failures

  4. Input Validation

    • Type-safe TypeScript
    • Address validation
    • Amount validation
    • Transaction simulation before sending

  5. Error Handling

    • Graceful error recovery
    • Detailed error logging
    • Automatic retry with exponential backoff
    • Transaction failure handling

Cryptographic Operations

  • All private key operations use industry-standard libraries
  • Keys are never logged or exposed in error messages
  • Transactions are signed locally before transmission
  • No private keys are transmitted over the network

Security Audits

While GXQ Studio is a production-grade platform, we encourage:

  • Regular security reviews by the community
  • Third-party security audits
  • Continuous security monitoring
  • Bug bounty programs (coming soon)

Compliance

We strive to comply with:

  • Solana Program Library (SPL) best practices
  • DeFi security standards
  • OWASP security guidelines
  • Industry-standard cryptographic practices

Security Resources

Solana Security

DeFi Security

General Security

Contact

Acknowledgments

We thank the security researchers and community members who help keep GXQ Studio secure.

Hall of Fame

(Security researchers who have responsibly disclosed vulnerabilities will be listed here with their permission)

Remember: Security is everyone's responsibility. If you see something, say something.

Last Updated: 2025-12-23

There aren’t any published security advisories