Perihelion Protocol moves user funds across chains. We take security seriously and welcome responsible disclosure from the community.
⚠️ Perihelion is unaudited and under active development. Do not use it with mainnet funds you are not prepared to lose until the first audited release.
The protocol has not yet reached a stable release. Until v1.0.0, only the
main branch is supported, and on-chain formats may change between commits.
| Version | Supported |
|---|---|
main |
✅ (pre-release) |
| tagged | — (none yet) |
Please do not open a public GitHub issue for security vulnerabilities.
Instead, report privately via one of:
- GitHub Security Advisories — use the "Report a vulnerability" button on the repository's Security tab (preferred).
- Email — contact the maintainers at the address listed on the organization
profile, with subject line
PERIHELION SECURITY.
When reporting, please include:
- A description of the vulnerability and the component affected
(
contracts/soroban,contracts/evm,sdk,solver, orrelayer). - Steps to reproduce, ideally with a failing test or proof-of-concept.
- The potential impact and, if known, a suggested mitigation.
| Stage | Target turnaround |
|---|---|
| Acknowledgement | within 3 business days |
| Initial assessment | within 7 business days |
| Fix & coordinated disclosure | severity-dependent |
We will keep you informed throughout, credit you in the advisory (unless you prefer to remain anonymous), and coordinate a disclosure timeline with you.
In scope:
- The Soroban settlement contract (
contracts/soroban) - The EVM escrow contract (
contracts/evm) - The SDK, solver, and relayer where a bug could lead to loss of funds, unauthorized settlement, or replay
Out of scope (report, but lower priority):
- Issues requiring a compromised LayerZero DVN set (a documented Phase-1/2 trust assumption — see the threat matrix)
- Denial-of-service that only delays settlement without risking funds
- Findings in third-party dependencies without a Perihelion-specific exploit path
We will not pursue or support legal action against researchers who:
- make a good-faith effort to avoid privacy violations, data destruction, and service interruption, and
- report promptly and do not exploit the issue beyond what is necessary to demonstrate it.
Thank you for helping keep Perihelion and its users safe.