Security Policy
LightChallenge is a stake-weighted competition protocol on LightChain mainnet
(chain ID 9200), with a parallel testnet environment at
uat.lightchallenge.app (chain ID 8200).
Real LCAI is custodied by LightchallengeTreasury on mainnet.
Reporting a Vulnerability
Email: security@lightchallenge.app (security only) General contact: team@lightchallenge.app
Do not open a public GitHub issue, post in Discord, or tweet about unpatched issues. Coordinated disclosure timeline:
| Step | Target |
|---|---|
| Acknowledgement | within 48 h |
| Initial severity assessment | within 7 d |
| Fix in testing | depends on severity (see below) |
| Public disclosure | by mutual agreement, default 90 d after report |
Please include: a clear description, reproduction steps, suspected impact, and
(if applicable) suggested mitigation. PGP key for sensitive reports is
published at https://lightchallenge.app/.well-known/pgp-key.asc (coming).
Bug Bounty
Until a formal Immunefi/HackenProof program launches, LightChallenge runs a self-hosted bounty:
| Severity | Definition | Reward (USD-equivalent in LCAI) |
|---|---|---|
| Critical | Direct theft of user funds, treasury drain, or permanent freezing of more than 1 % of TVL | $5,000 – $25,000 |
| High | Theft of yield/fees, denial-of-service that requires contract redeploy, signer bypass on the AIVM attestor | $1,000 – $5,000 |
| Medium | Theft or freeze of less than 1 % of TVL, griefing that requires manual ops to resolve, off-chain auth bypass | $250 – $1,000 |
| Low | Information leak (non-PII), logic bugs without economic impact, gas griefing | $100 – $250 |
| Informational | Code-quality, optimisations, missing event emissions | swag / hall-of-fame credit |
Reward sizing is at the discretion of the maintainers and is influenced by: exploit reproducibility, blast radius (is one user affected or all?), whether the report includes a working PoC, and whether the issue was already known internally. Reports must be original — duplicate or already-known issues receive credit but no payout.
Safe Harbor
The following actions are explicitly authorised for security researchers acting in good faith under this policy:
- Testing against the testnet environment (
uat.lightchallenge.app, chain 8200) at any time. - Reading on-chain mainnet state, querying the public API, fuzzing testnet contracts.
- Disclosing the issue to LightChallenge maintainers via the channels above.
LightChallenge will not pursue civil or criminal action against researchers who follow this policy. We will treat reports as confidential and will not share your identity without your consent.
The following are out of scope for safe harbor:
- Attacks against mainnet user funds or live mainnet state mutations.
- DoS / load testing against production infrastructure (Vercel, Fly, Neon).
- Social engineering of LightChallenge staff or community members.
- Phishing of LightChallenge users.
- Physical attacks on infrastructure or personnel.
Scope
In scope
- Smart contracts (
contracts/) deployed on chain 9200 (mainnet) and 8200 (testnet) - Webapp API routes (
webapp/app/api/) onlightchallenge.appanduat.lightchallenge.app - Off-chain workers and indexers (
offchain/) running on Fly.io (lc-workers,lc-workers-uat,lc-gateway) - Mobile app (
mobile/) — iOS only at the moment - The Discord bot (
discord-bot/)
Out of scope
- Third-party dependencies — please report upstream and CC us
- LightChain protocol contracts (AIVM, validator infra, bridge) — report to the LightChain team
- Frontend cosmetic / browser-compat issues
- Findings only reproducible by an attacker who already controls the protocol owner key
- The
invest/subtree — this is a separate product (lc-investrepo) with its own disclosure process
Audit Status
| Audit | Scope | Status |
|---|---|---|
| Internal review (2026-04) | Contracts + API + off-chain pipeline | Complete |
| External audit | Mainnet contracts (9 contracts, ~3 000 LoC) | Engagement scheduled — see Audit Schedule below |
Audit Schedule
We are accepting quotes from auditors with a track record on consumer fitness/gaming dApps and EVM L1s. Target firms: Pashov, MixBytes, Hacken, Cantina, Spearbit. Engagement window: Q3 2026.
If you are an auditor or know one we should talk to, email partnerships@lightchallenge.app.
Security Architecture (Summary)
Smart Contracts
- All user funds held in
LightchallengeTreasury—Lightchallengecontract holds zero balance - Pull-based claims via Treasury allowances — winners cannot be censored once a verdict is recorded
- 2-step admin transfer on critical contracts
- Verifier address immutable after the first participant joins
- Cancel blocked after winners are recorded
- Minimum stake + fee invariants validated on every challenge create
Verdict Authority
LightchallengeAttestorrecords EIP-712 verdicts signed by an off-chain signer fleet- Multi-signer (M-of-N) is supported by the contract (
attestMulti,setThreshold); current production threshold is being raised from 1 to 2 - Owner can rotate signers at any time (
setAttestor(addr, bool)) - Old signatures cannot be replayed — each
(challengeId, subject)pair is one-shot
API & Auth
- EIP-191 wallet-signature on state-mutating endpoints (5-minute window)
- Tx-receipt fallback for mobile clients where
personal_signis not available — verifiesfromandtomatch expectations - Admin endpoints fail-closed (no dev bypass)
- Rate limiting on relay + sensitive endpoints
- RPC proxy restricted to read-only methods
- Sanitised error responses
Data
- OAuth tokens encrypted at rest (AES-256-GCM)
- SSL/TLS enforced on all DB connections in production
- PII redaction in API responses
- Evidence payload size limits
Off-chain Pipeline
- 12-block confirmation buffer (reorg-safe under normal conditions)
- Idempotent event processing — duplicate events are no-ops
- Verdict-gated AIVM dispatch — only passing verdicts trigger payout flows
- Daily-refresh DB alerts for pipeline-age, misrouted-pool, and stuck-challenge anomalies
Known Limitations (Disclosed)
- Single-signer attestor (being remediated) — mainnet currently has one authorised signer; threshold is being raised to 2 of 3.
- Owner role centralisation — protocol owner is a 2-of-3 multi-sig but actions are not yet behind a Timelock. Treasury withdrawals and signer rotation are immediate.
- Reorg recovery — confirmation buffer of 12 blocks. Reorgs deeper than
12 blocks require manual reconciliation via
scripts/ops/reconcileMisroutedPools.ts. - Rounding dust — integer division in fee splits can leave sub-wei amounts in Treasury buckets. Sweepable.
- No upgrade pattern — contracts are immutable. A discovered bug requires redeploy + state migration (no proxy in front of the contracts).
Hall of Fame
We publicly credit researchers who responsibly disclose. With your consent, your handle and a one-line summary will appear here after the issue is fixed and disclosed.
(empty — be the first!)