| Version | Security Support |
|---|---|
| v2.2.x | ✅ Full support |
| v2.1.x | ✅ Full support |
| v2.0.x | |
| < v2.0 | ❌ No longer supported |
If you discover a security vulnerability in ReserveBTC, please help us protect our users by following responsible disclosure:
📧 Email: reservebtcproof@gmail.com
⏱️ Response Time: Within 24 hours (critical issues are acknowledged within 1 hour; see the severity tiers below)
🔒 Encryption: PGP key available on request
When reporting a vulnerability, please provide:
- Description - Clear explanation of the vulnerability
- Impact - Potential consequences if exploited
- Steps to Reproduce - Detailed reproduction steps
- Proof of Concept - Code or screenshots (if applicable)
- Suggested Fix - Your recommendations (optional)
❌ Do NOT open a public GitHub issue for security vulnerabilities
❌ Do NOT exploit the vulnerability on production systems
❌ Do NOT publicly disclose before we've had time to fix it
Smart Contract Security:
- ✅ Reentrancy Protection - All state-changing functions protected
- ✅ Access Control - Committee-based multi-signature authorization
- ✅ Integer Overflow - Solidity 0.8+ built-in checked arithmetic
- ✅ CEI Pattern - Checks-Effects-Interactions enforced
- ✅ Gas Optimization - Production-ready efficiency
- ✅ Emergency Pause - Circuit breaker mechanism
BIP-322 Security:
- ✅ 32 security tests across the six attack categories below
- ✅ Cryptographic attack prevention (8 tests)
- ✅ Injection attack blocking (7 tests)
- ✅ Input validation (12 tests)
- ✅ Protocol compliance (3 tests)
- ✅ DoS prevention (1 test)
- ✅ Valid signature acceptance (1 test)
Oracle Security:
- ✅ 24/7 Monitoring - 99.9% uptime
- ✅ Multi-source Verification - 3 independent sources
- ✅ Consensus Mechanism - 2 of 3 sources must agree
- ✅ Emergency Burns - Automatic protection when the user's FeeVault balance falls below 0.001 ETH
- ✅ Spike Protection - Large balance changes are validated before minting
- ✅ State Persistence - Zero data loss on restart
Data Protection:
- ✅ AES-256-GCM Encryption - All sensitive data encrypted
- ✅ User Privacy - Address hashing for pseudonymity (unlinkable only if the hash is keyed; a plain hash of a public address can be reversed by lookup)
- ✅ Audit Trail - Complete operation logging
- ✅ GDPR Compliance - Privacy-first design
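The oracle safeguards listed above (2-of-3 source agreement, spike validation, emergency burn when the FeeVault balance drops under 0.001 ETH) as an added Python example. This is not ReserveBTC's oracle code: the 0.001 ETH floor and the 2-of-3 quorum are taken from this page, while the 50% spike threshold, the `Reading`/`plan_sync` names and the "hold" outcome are assumptions made for illustration. Balances are compared exactly in satoshis because a UTXO balance is discrete, unlike a price feed where a tolerance would be appropriate.

```python
"""2-of-3 balance consensus with spike and fee-balance gating (added example, not project code)."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

QUORUM = 2                               # page: 2 of 3 sources must agree
MIN_FEE_BALANCE_ETH = Decimal("0.001")   # page: emergency burn when fees < 0.001 ETH
MAX_CHANGE_RATIO = Decimal("0.5")        # assumed spike threshold (not stated on the page)


@dataclass(frozen=True)
class Reading:
    source: str
    balance_sats: Optional[int]   # None = source unreachable or returned unparsable data


def consensus_balance(readings):
    """Return the balance that at least QUORUM sources report identically, else None.

    Exact equality is deliberate: an on-chain balance in satoshis is discrete, so two
    sources that disagree by even one satoshi are not 'close enough' to count as agreeing.
    """
    votes = Counter(r.balance_sats for r in readings if r.balance_sats is not None)
    if not votes:
        return None
    balance, count = votes.most_common(1)[0]
    return balance if count >= QUORUM else None


def is_spike(previous_sats, new_sats):
    """Flag a change larger than MAX_CHANGE_RATIO of the last synced balance."""
    if previous_sats == 0:
        return False  # first observation: nothing to compare against
    change = Decimal(abs(new_sats - previous_sats)) / Decimal(previous_sats)
    return change > MAX_CHANGE_RATIO


def plan_sync(previous_sats, readings, fee_balance_eth):
    """Decide the oracle action for one user this round; the fee check runs first."""
    if Decimal(str(fee_balance_eth)) < MIN_FEE_BALANCE_ETH:
        return {"action": "emergency_burn", "reason": "FeeVault balance below 0.001 ETH"}
    agreed = consensus_balance(readings)
    if agreed is None:
        return {"action": "hold", "reason": "no 2-of-3 agreement between sources"}
    if is_spike(previous_sats, agreed):
        return {"action": "hold", "reason": "balance change exceeds spike threshold"}
    delta = agreed - previous_sats
    action = "mint" if delta > 0 else "burn" if delta < 0 else "noop"
    return {"action": action, "delta_sats": delta, "balance_sats": agreed}


if __name__ == "__main__":
    # constructed readings: one source lagging a block behind the other two
    readings = [Reading("source-a", 1_200_000), Reading("source-b", 1_200_000),
                Reading("source-c", 1_150_000)]
    print(plan_sync(1_000_000, readings, "0.002"))   # mint 200000 sats
    print(plan_sync(1_000_000, readings, "0.0005"))  # emergency_burn
```

A 1-1-1 split between the three sources produces no quorum and the round is held rather than minting against any single source, which is the failure mode the "Multi-source consensus failure" severity example refers to.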
| Category | Tests | Status |
|---|---|---|
| Frontend | 67 | ✅ 100% PASS |
| Smart Contracts | 206 | ✅ 100% PASS |
| BIP-322 Security | 32 | ✅ 100% PASS |
| Bitcoin Provider | 45 | ✅ 100% PASS |
| TOTAL | 350 | ✅ 100% PASS |
Smart Contract Security:
- Oracle Tests: 45 tests
- RBTCSynth Tests: 28 tests
- FeeVault Tests: 31 tests
- VaultWrBTC Tests: 25 tests
- FeePolicy Tests: 31 tests
- E2E Tests: 30 tests
- Security Canary: 16 tests
BIP-322 Security:
- Cryptographic Attacks: 8 tests
- Injection Attacks: 7 tests
- Input Validation: 12 tests
- Protocol Attacks: 3 tests
- DoS Prevention: 1 test
- Legitimate Operations: 1 test
Severity tiers and target response times:
| Target Response Time | Examples |
|---|---|
| < 1 hour (critical) | Smart contract vulnerabilities allowing fund loss; Oracle committee private key compromise; Multi-source consensus failure; Emergency burn system malfunction |
| < 4 hours | Oracle malfunction causing incorrect minting; Fee system exploitation; Access control bypass; Single source verification failure |
| < 24 hours | Non-critical smart contract bugs; Performance degradation; Documentation security issues; Minor UI/UX vulnerabilities |
| < 1 week | Code quality improvements; Minor optimization opportunities; Documentation updates |
ReserveBTC implements complete BIP-322 verification for all standard Bitcoin address types:
Mainnet:
- ✅ Native SegWit (P2WPKH) - bc1q...
- ✅ Taproot (P2TR) - bc1p...
- ✅ SegWit (P2SH-P2WPKH) - 3...
- ✅ Legacy (P2PKH) - 1...
Testnet:
- ✅ Native SegWit (P2WPKH) - tb1q...
- ✅ Taproot (P2TR) - tb1p...
- ✅ SegWit (P2SH-P2WPKH) - 2...
- ✅ Legacy (P2PKH) - m..., n...
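Before a BIP-322 signature can be checked, the verifier has to learn which script type the address commits to and reject anything malformed; this is the input-validation surface the BIP-322 test categories above cover. The following Python is an added example, not ReserveBTC's implementation: it decodes bech32/bech32m (BIP-173/350) and Base58Check addresses, verifies their checksums and maps them to the mainnet/testnet types listed above (it also recognises P2WSH, which the list does not mention). The `classify_address` and `base58check_encode` names are this example's own; the mainnet sample addresses are the public BIP-173/350 test vectors and well-known wiki examples, and the testnet Base58 addresses are constructed in the demo.

```python
"""Classify a Bitcoin address by network and script type (added example, not project code).
Decodes bech32/bech32m (BIP-173/350) and Base58Check, verifies the checksum and returns the
script type a BIP-322 verifier must dispatch on; corrupted or mixed-case input returns None."""
import hashlib

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3
HRP_NETWORK = {"bc": "mainnet", "tb": "testnet"}
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BASE58_VERSIONS = {  # version byte -> (network, type); 0x6f yields m.../n..., 0xc4 yields 2...
    0x00: ("mainnet", "P2PKH"), 0x05: ("mainnet", "P2SH"),
    0x6F: ("testnet", "P2PKH"), 0xC4: ("testnet", "P2SH"),
}


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _convertbits(values, frombits, tobits):
    """Regroup 5-bit groups into bytes; reject oversized or non-zero padding (BIP-173)."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for v in values:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or (acc << (tobits - bits)) & maxv:
        return None
    return bytes(out)


def _decode_segwit(addr):
    if addr.lower() != addr and addr.upper() != addr:
        return None  # mixed case is invalid by spec
    addr = addr.lower()
    pos = addr.rfind("1")  # last '1' separates the human-readable part from the data
    if len(addr) > 90 or pos < 1 or pos + 8 > len(addr):
        return None
    hrp, data = addr[:pos], addr[pos + 1:]
    if hrp not in HRP_NETWORK or any(c not in BECH32_CHARSET for c in data):
        return None
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = _bech32_polymod(hrp_expanded + values)
    version, program = values[0], _convertbits(values[1:-6], 5, 8)
    if program is None or version > 16 or not 2 <= len(program) <= 40:
        return None
    if const != (BECH32_CONST if version == 0 else BECH32M_CONST):
        return None  # v0 needs a bech32 checksum, v1+ a bech32m checksum (BIP-350)
    kind = {(0, 20): "P2WPKH", (0, 32): "P2WSH", (1, 32): "P2TR"}.get((version, len(program)))
    if kind is None:
        return None  # non-standard witness version or program length
    return {"network": HRP_NETWORK[hrp], "type": kind, "program": program.hex()}


def _sha256d(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def _decode_base58check(addr):
    if not addr or any(c not in BASE58_ALPHABET for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + BASE58_ALPHABET.index(c)
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _sha256d(raw[:21])[:4] != raw[21:]:
        return None
    return raw[0], raw[1:21]


def base58check_encode(version, hash160):
    """Encoder, used here only to construct testnet sample addresses for the demo."""
    raw = bytes([version]) + hash160
    raw += _sha256d(raw)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def classify_address(addr):
    """Return {'network', 'type', 'program'} for a valid address, else None."""
    seg = _decode_segwit(addr)
    if seg is not None:
        return seg
    dec = _decode_base58check(addr)
    if dec is None or dec[0] not in BASE58_VERSIONS:
        return None
    network, kind = BASE58_VERSIONS[dec[0]]
    return {"network": network, "type": kind, "program": dec[1].hex()}


if __name__ == "__main__":
    samples = ("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",                   # BIP-173 P2WPKH
               "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0",  # BIP-350 P2TR
               "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",                            # mainnet P2SH
               base58check_encode(0x6F, bytes(20)),                             # constructed testnet P2PKH
               "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5")                    # corrupted checksum
    for a in samples:
        print(a, "->", classify_address(a))
```

Two checks matter most for a verifier: the checksum constant must match the witness version (a Taproot address carrying a bech32 rather than bech32m checksum is rejected, not silently accepted), and the program length must match the type, so that a 20-byte program is never treated as a Taproot output key or vice versa.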
| Date | Version | Auditor | Status | Critical Issues |
|---|---|---|---|---|
| Oct 2025 | v2.2 | Internal | ✅ PASS | 0 |
| Sep 2025 | v2.1 | Internal | ✅ PASS | 0 |
| Aug 2025 | v2.0 | Internal | ✅ PASS | 0 |
Latest Audit Report: SECURITY_AUDIT_REPORT.md
Status: Not currently available
We're planning to launch a bug bounty program in the future. Check back for updates.
For now, please report vulnerabilities directly to our security team.
For Users:
- Never share your Bitcoin private keys - ReserveBTC never asks for them
- Verify signatures yourself - Use your own Bitcoin wallet
- Monitor your FeeVault balance - Keep at least 0.001 ETH to prevent emergency burns
- Check Oracle status - Visit oracle.reservebtc.io/status
For Developers:
- Use environment variables - Never hardcode secrets
- Validate all inputs - Client and server-side
- Follow CEI pattern - Checks-Effects-Interactions
- Test thoroughly - Run the full test suite (350 tests)
- Monitor production - Watch for unusual patterns
- Secure API keys - Rotate regularly
- Rate limiting - Implement on your side
- Error handling - Don't expose sensitive data
- Audit logs - Keep complete records
| Document | Description |
|---|---|
| Security Audit Report | Complete smart contract audit |
| BIP-322 Security Audit | BIP-322 implementation security |
| Test Status | Detailed test results |
| Oracle Security | Live Oracle monitoring |
In case of a security incident, our team will:
- Acknowledge within 1 hour for critical issues
- Investigate root cause and impact
- Contain the incident to prevent further damage
- Fix the vulnerability with tested patch
- Communicate with affected users transparently
- Publish a post-mortem documenting lessons learned
Subscribe to security updates:
- Watch this repository on GitHub
- Enable security alerts (Settings → Security alerts)
- Follow us on Twitter @reserveBTC
- Email reservebtcproof@gmail.com to join security mailing list
We thank the following for improving our security:
- Bitcoin Core developers for BIP-322 specification
- MegaETH team for infrastructure support
- OpenZeppelin for security best practices
- Our community for responsible disclosure
Report issues responsibly and help us keep ReserveBTC secure for everyone.
Last Updated: October 2025
Protocol Version: v2.2
Network: MegaETH Testnet
Security Status: 🟢 PRODUCTION READY
ReserveBTC Protocol — Security-First Bitcoin DeFi