FlashStack takes security seriously. As a flash loan protocol handling valuable assets, we prioritize the security of our smart contracts and the safety of our users' funds.
Supported versions:

| Version | Supported |
|---|---|
| 1.0.x | Yes (current) |
| < 1.0 | No |
Security properties of the protocol:

- Atomic Transactions: every flash loan executes atomically; if repayment of principal plus fee fails, the entire transaction reverts and no state change is committed
- No Custody: FlashStack never holds user funds
- Collateral Verification: all collateral checks happen on-chain via PoX-4
- Zero Inflation: the mint and the matching burn happen inside the same atomic transaction, so total supply is unchanged after every call
Audit status:

- Status: pending audit (scheduled Q1 2026)
- Testing: 100% success rate across 8 receiver contracts
- Volume tested: 27M sBTC processed without failures

Until the audit completes, treat the contracts as unaudited code: a clean internal test record is not a substitute for independent review, so limit exposure accordingly.
We appreciate responsible disclosure of security vulnerabilities.
For critical vulnerabilities (affecting funds or protocol operation):

- DO NOT create a public GitHub issue
- Contact us privately via:
  - Twitter DM: @FlashStackBTC
  - Email: [Coming soon - check repository for updates]

For non-critical issues (documentation, minor bugs):

- Create a public issue on GitHub
Please provide:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact (severity assessment)
- Suggested fix (if you have one)
- Your contact information for follow-up
Suggested report format:

```text
Subject: [SECURITY] Brief description
Severity: [Critical/High/Medium/Low]

Description:
[Detailed description of the vulnerability]

Steps to Reproduce:
1.
2.
3.

Potential Impact:
[What could an attacker do?]

Suggested Fix:
[Optional - your ideas for fixing it]

Contract Affected:
[e.g., flashstack-core.clar, function: flash-mint]

Disclosure Timeline Preference:
[When you're comfortable with public disclosure]
```
We are committed to responding quickly:
| Severity | First Response | Fix Timeline | Public Disclosure |
|---|---|---|---|
| Critical | 24 hours | 7 days | After fix deployed |
| High | 48 hours | 14 days | After fix deployed |
| Medium | 5 days | 30 days | After fix deployed |
| Low | 7 days | 60 days | Immediate (GitHub issue) |
Bug bounty program:

- Status: coming soon (Q1 2026)
- Rewards: based on severity and impact
- Scope: all smart contracts in the `/contracts` directory

Planned reward tiers:

- Critical: up to 10,000 STX or equivalent sBTC
- High: up to 5,000 STX
- Medium: up to 1,000 STX
- Low: recognition + swag

Exact amounts are TBD and depend on fundraising success.
Best practices for users:

- Verify Contract Addresses
  - Always verify you're interacting with official FlashStack contracts
  - Check contract addresses on our official docs
- Test Small Amounts First
  - Start with small flash mint amounts
  - Verify everything works before scaling up
- Understand Risks
  - Flash loans require technical knowledge
  - Ensure your receiver contract is thoroughly tested
  - Failed repayments revert the entire transaction; the Stacks transaction fee is still paid for a reverted call
- Review Receiver Contracts
  - Audit any receiver contract before using it
  - Test extensively on devnet/testnet first
  - Be cautious with third-party receivers
Best practices for receiver developers:

- Implement Flash Receiver Trait

  ```clarity
  (impl-trait .flash-receiver-trait.flash-receiver-trait)
  ```

- Always Repay Loan + Fee

  ```clarity
  ;; fee is 50 basis points (0.5%); uint division rounds down
  (let ((fee (/ (* amount u50) u10000)))
    ;; Your logic here
    (try! (contract-call? .sbtc-token transfer (+ amount fee) borrower (as-contract tx-sender) none)))
  ```

- Validate Inputs

  ```clarity
  (asserts! (> amount u0) err-invalid-amount)
  ```

- Test Thoroughly
  - Test on devnet first
  - Simulate edge cases
  - Test with large amounts
  - Verify fee calculations
- Handle Errors Gracefully
  - Use descriptive error codes
  - Return clear error messages
  - Test failure scenarios
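To make "simulate edge cases" and "verify fee calculations" concrete, and to show the atomic all-or-nothing and zero-inflation properties listed earlier on this page, here is an added example written for this page, not FlashStack's own code: a small Python model of one flash-mint transaction that a receiver author can run offline before going to devnet. It assumes the 50 basis point fee formula from the snippet above with integer division, and that the core mints to the receiver, invokes it, then requires amount plus fee back before burning the principal. The `Ledger` class, the principal names `core` and `receiver`, and the two sample receivers are constructed for the example.

```python
# Added example for this page (not FlashStack's code): a Python model of one
# atomic flash-mint transaction, for checking receiver logic and the fee
# formula offline. Assumptions: fee = (/ (* amount u50) u10000) as in the
# snippet above; the core mints to the receiver, calls it, then requires
# amount + fee back before burning the principal. All names are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict

FEE_BPS = 50            # 50 basis points = 0.5%
BPS_DENOM = 10_000
UINT_MAX = 2**128 - 1   # Clarity uint is 128-bit; arithmetic overflow aborts


class Revert(Exception):
    """A Clarity (err ...) escaping the call: nothing is committed."""


def calc_fee(amount: int) -> int:
    """Mirror the Clarity formula. Integer division rounds down, so any
    amount below 200 base units pays a fee of 0."""
    if amount * FEE_BPS > UINT_MAX:
        raise Revert("arithmetic overflow")
    return amount * FEE_BPS // BPS_DENOM


@dataclass
class Ledger:
    """Toy SIP-010 balance sheet standing in for the sBTC token contract."""
    balances: Dict[str, int] = field(default_factory=dict)
    total_supply: int = 0

    def bal(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, amount: int, sender: str, recipient: str) -> None:
        if self.bal(sender) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] = self.bal(sender) - amount
        self.balances[recipient] = self.bal(recipient) + amount

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.bal(who) + amount
        self.total_supply += amount

    def burn(self, who: str, amount: int) -> None:
        if self.bal(who) < amount:
            raise Revert("burn exceeds balance")
        self.balances[who] -= amount
        self.total_supply -= amount


# receiver body: (ledger, core principal, amount, fee) -> None
Receiver = Callable[[Ledger, str, int, int], None]


def flash_mint(ledger: Ledger, core: str, receiver: str, amount: int, body: Receiver) -> int:
    """One atomic flash mint. Returns the fee retained by `core`; on any
    Revert the ledger is restored exactly (all-or-nothing)."""
    snapshot = (dict(ledger.balances), ledger.total_supply)
    try:
        if amount <= 0:
            raise Revert("err-invalid-amount")
        fee = calc_fee(amount)
        core_before = ledger.bal(core)
        ledger.mint(receiver, amount)             # 1. mint to the receiver
        body(ledger, core, amount, fee)           # 2. receiver runs its strategy
        if ledger.bal(core) < core_before + amount + fee:
            raise Revert("err-repayment-failed")  # 3. principal + fee must be back
        ledger.burn(core, amount)                 # 4. burn principal, keep the fee
        return fee
    except Revert:
        ledger.balances, ledger.total_supply = snapshot
        raise


def honest_receiver(ledger: Ledger, core: str, amount: int, fee: int) -> None:
    """Constructed sample: pays the fee out of its own pre-existing balance."""
    ledger.transfer(amount + fee, "receiver", core)


def short_receiver(ledger: Ledger, core: str, amount: int, fee: int) -> None:
    """Constructed sample: forgets the fee, so the whole call must revert."""
    ledger.transfer(amount, "receiver", core)


def run_scenarios() -> dict:
    """Scenarios a receiver author should check before devnet."""
    ledger = Ledger({"receiver": 1_000, "core": 0}, total_supply=1_000)
    out = {"fee_collected": flash_mint(ledger, "core", "receiver", 10_000, honest_receiver)}
    out["supply_unchanged"] = ledger.total_supply == 1_000
    try:
        flash_mint(ledger, "core", "receiver", 10_000, short_receiver)
        out["short_reverted"] = False
    except Revert:
        out["short_reverted"] = True
    out["state_after"] = (ledger.bal("receiver"), ledger.bal("core"), ledger.total_supply)
    out["tiny_fee"] = calc_fee(199)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The `short_receiver` case is the one to test against: repaying the principal but not the fee reverts the whole call and the ledger is restored to its pre-call state, which is the behaviour a receiver's failure tests should assert on. `calc_fee(199)` returning 0 is the rounding edge case a fee-calculation test should cover: amounts under 200 base units pay no fee under this formula, so a receiver (or the core) that relies on a non-zero fee should enforce a minimum amount.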
Disclosure process when a vulnerability is fixed:

1. Private Fix: develop and test the fix in a private repository
2. Review: internal code review
3. Deploy: deploy to testnet for verification
4. Notify: contact the vulnerability reporter
5. Public Release: release the fix to mainnet
6. Disclosure: publish a security advisory
7. Recognition: credit the reporter (if desired)
Safe harbor: we support security researchers who:
- Act in good faith
- Follow responsible disclosure
- Don't exploit vulnerabilities
- Don't access/modify user data
- Don't perform DoS attacks
We will not pursue legal action against security researchers who follow these guidelines.
Published security advisories: none yet, as this is the first public release.
Security contacts:

- Project Lead: Matt Glory
- GitHub: @mattglory
- Twitter: @FlashStackBTC
We recognize and thank security researchers who help improve FlashStack:
Coming soon - be the first!
Last Updated: December 2025
Version: 1.0

Thank you for helping keep FlashStack and the Bitcoin DeFi ecosystem secure!