Security & Audits
Last updated: 23 May 2026 · v1.1
Astarter is monitored on CertiK Skynet, the security-rating platform that aggregates code audits, on-chain monitoring, team verification, bug-bounty status, and community signals into a single project profile. This page summarises what has been audited so far and how to report a vulnerability responsibly.
1. Code audit · CertiK
- Delivered · 2 Nov 2023
- Files reviewed · 25
- Findings · 8
- Method · Manual + static
Scope · the 2023 Cardano-era (Plutus) contracts. The new Web4 / AI-agent / DePIN contracts are pre-mainnet and will be audited before the TGE (see § 2 below).
View on CertiK Skynet →
The full audit report PDF and Skynet’s ongoing risk score, on-chain monitor, and bug-bounty status are all on the project page above. The Skynet profile is the authoritative source · if anything on this page differs from what Skynet shows, Skynet is correct.
2. Scope of the November 2023 audit
The 2023 audit covered Astarter’s earlier Cardano-era smart-contract codebase (Haskell · Plutus). It did not cover the new Web4 / AI-agent / DePIN architecture described elsewhere on this site, which is still in pre-mainnet development.
3. Planned pre-mainnet audit
Before the Token Generation Event (currently scheduled for 2026 Q3 per the published roadmap), the following new contracts will be audited and the reports will be posted on this page:
- $AST token contract and tokenomics distribution logic
- ABox node sale and tier allocation
- Staking Mining (ABF node rewards)
- Vesting contracts for the ASTARTER Team allocation (1-year cliff, 4-year linear) and Investment Institutions allocation (1-year cliff, 4-year linear)
- Treasury and Market Capitalization Management multisig
Off-chain components · this website, the ABox node device firmware, and operator dashboards · are not part of the smart-contract audit and will be covered by separate reviews.
4. Responsible disclosure
If you believe you have found a security vulnerability in any Astarter smart contract, infrastructure, or website, please report it privately. Do not file a public GitHub issue, post on Telegram or X/Twitter, or attempt to exploit the vulnerability beyond what is necessary to demonstrate the bug.
Email: contact@astarter.io · subject line: [SECURITY]
We aim to acknowledge reports within 72 hours. Confirmed vulnerabilities will be patched and, where applicable, disclosed publicly after the fix is deployed. Reporters who follow this process and provide actionable information may be eligible for a discretionary bounty.
5. Out of scope
- Reports based on automated scanner output without a working proof of concept
- Social engineering of Astarter staff, contractors, or community members
- Denial-of-service attacks, including volumetric attacks against the website or RPC endpoints
- Vulnerabilities in third-party services (Spline, jsDelivr CDN, Telegram, etc.) · report those to the upstream vendor
- Self-XSS or vulnerabilities requiring physical access to a user's device
- Best-practice findings without a demonstrated impact (e.g., missing security headers without an exploit path)
6. Website security controls
The astarter.io site applies the following baseline controls:
- HTTPS-only delivery; mixed-content blocked
- X-Content-Type-Options: nosniff set on all pages
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy denying geolocation, microphone, camera, payment, USB, and FLoC interest cohorts
- Sub-resource integrity (SRI) on third-party CDN scripts
- Service Worker scoped to astarter.io with cache-bust on version change
Additional server-side headers (HSTS, CSP, X-Frame-Options) are configured at the CDN / web-server layer.
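A small checker for the header baseline listed above, added here as an example rather than taken from the site's own tooling: it parses a Permissions-Policy value into per-feature allowlists and reports any header that falls short. The sample headers are constructed, and mapping "FLoC interest cohorts" to the `interest-cohort` directive is an assumption.

```python
# Baseline stated on this page for every astarter.io response (assumed as the
# check target; this helper is an added example, not the site's own code).
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
# Features the page says Permissions-Policy denies; "interest-cohort" is the
# directive name browsers used for FLoC (assumed mapping of the page's wording).
DENIED_FEATURES = {"geolocation", "microphone", "camera", "payment", "usb", "interest-cohort"}

def parse_permissions_policy(value):
    """Turn 'geolocation=(), camera=(self)' into {feature: allowlist}."""
    policy = {}
    for directive in value.split(","):
        name, sep, allow = directive.strip().partition("=")
        if not sep:
            continue  # skip empty or malformed directives
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            allow = allow[1:-1]
        policy[name.strip().lower()] = allow.split()  # [] means denied everywhere
    return policy

def check_baseline(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        if h.get(name, "").lower() != expected:
            findings.append(f"{name}: expected {expected!r}, got {h.get(name)!r}")
    policy = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in sorted(DENIED_FEATURES):
        if policy.get(feature) != []:  # header missing, feature unset, or allowlist non-empty
            findings.append(f"permissions-policy: {feature} is not denied")
    return findings

# Constructed sample response headers (not captured from astarter.io).
GOOD = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(), payment=(), usb=(), interest-cohort=()",
}
WEAK = {  # referrer downgrades, camera allowed for self, three features never set
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(self)",
}

if __name__ == "__main__":
    print(check_baseline(GOOD), check_baseline(WEAK), sep="\n")
```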
7. Past incidents
We will publicly disclose any security incident that affects user funds, user data, or the integrity of the protocol. As of the “Last updated” date above, there have been no such incidents.
8. Contact
Security reports and questions: contact@astarter.io
A dedicated security@astarter.io alias will be enabled in a future update; until then, contact@ is the canonical channel.