| Version | Supported |
|---|---|
| v3.x | ✅ |
| v1.x | ❌ Deprecated (UNSAFE — DO NOT DEPLOY) |
The v3 paired-UTXO CPMM has undergone an internal red-team audit with live regtest exploitation. All identified issues (R1–R6) are fixed and re-verified on Radiant-Core v3.1.1 regtest. The full audit is in SECURITY-AUDIT.md.
Remaining blockers before mainnet funds:
- External security audit — not yet procured. See
docs/EXTERNAL-AUDIT-PACKAGE.md. - Testnet soak — plan ready but not executed. See
docs/TESTNET-SOAK-PLAN.md.
Do NOT use this contract with significant funds until both are complete.
- R3 — Single-custodian trust model:
withdraw()lets the pool owner remove all RXD with one signature. No LP-share accounting, timelock, or multi-LP model. An LP-share covenant design exists indocs/LP-SHARE-COVENANT-DESIGN.mdbut is not yet implemented. - R4 — Pool size cap:
R·T ≤ 2^53−1(~9e15). Pools funded past this are permanently untradeable.buildGenesisrejects out-of-range reserves at creation.
- Do NOT create a public GitHub issue for security vulnerabilities
- Email: info@radiantfoundation.org
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 24 hours for critical issues
- Status Update: Within 3 days
- Resolution Target: Within 14 days for critical issues
@radiant-core/radiantjs- Cryptographic operations@radiantblockchain/constants- Protocol constants
Before using RadiantMM:
- Verify you're using the official v3 contract (not the deprecated v1)
- Confirm the external audit and testnet soak are complete
- Start with small amounts
- Understand the single-custodian trust model (R3)
- Monitor your positions regularly
- Never invest more than you can afford to lose
Last updated: July 2026 Status: Internal audit complete — awaiting external audit + testnet soak