Skip to content

Security: Radiant-Core/RadiantMM

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
v3.x
v1.x ❌ Deprecated (UNSAFE — DO NOT DEPLOY)

Audit Status

The v3 paired-UTXO CPMM has undergone an internal red-team audit with live regtest exploitation. All identified issues (R1–R6) are fixed and re-verified on Radiant-Core v3.1.1 regtest. The full audit is in SECURITY-AUDIT.md.

Remaining blockers before mainnet funds:

  1. External security audit — not yet procured. See docs/EXTERNAL-AUDIT-PACKAGE.md.
  2. Testnet soak — plan ready but not executed. See docs/TESTNET-SOAK-PLAN.md.

Do NOT use this contract with significant funds until both are complete.

Known Design Decisions (disclosed, not bugs)

  • R3 — Single-custodian trust model: withdraw() lets the pool owner remove all RXD with one signature. No LP-share accounting, timelock, or multi-LP model. An LP-share covenant design exists in docs/LP-SHARE-COVENANT-DESIGN.md but is not yet implemented.
  • R4 — Pool size cap: R·T ≤ 2^53−1 (~9e15). Pools funded past this are permanently untradeable. buildGenesis rejects out-of-range reserves at creation.

Reporting a Vulnerability

How to Report

  1. Do NOT create a public GitHub issue for security vulnerabilities
  2. Email: info@radiantfoundation.org
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Response Timeline

  • Initial Response: Within 24 hours for critical issues
  • Status Update: Within 3 days
  • Resolution Target: Within 14 days for critical issues

Dependencies

  • @radiant-core/radiantjs - Cryptographic operations
  • @radiantblockchain/constants - Protocol constants

Security Checklist for Users

Before using RadiantMM:

  • Verify you're using the official v3 contract (not the deprecated v1)
  • Confirm the external audit and testnet soak are complete
  • Start with small amounts
  • Understand the single-custodian trust model (R3)
  • Monitor your positions regularly
  • Never invest more than you can afford to lose

Last updated: July 2026 Status: Internal audit complete — awaiting external audit + testnet soak

There aren't any published security advisories