proxmox/docs/04-configuration/etherscan/CWUSDC_SECURITY_AND_AUDIT_DISCLOSURE.md
defiQUG 4ebf2d7902
chore(repo): sync operator workspace (config, scripts, docs, multi-chain)
Add optional Cosmos/Engine-X/act-runner templates, CWUSDC/EI-matrix tooling,
non-EVM route planner in multi-chain-execution (tests passing), token list and
extraction updates, and documentation (MetaMask matrix, GRU/CWUSDC packets).

Ignore institutional evidence tarballs/sha256 under reports/status.

Validated with: bash scripts/verify/run-all-validation.sh --skip-genesis

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-11 16:25:08 -07:00

cWUSDC Security and Audit Disclosure

Status: institutional controls disclosure for provider submissions while formal external audit evidence is not yet recorded in this repo.

Current Audit Posture

No formal third-party audit URL is recorded in the current cWUSDC Etherscan evidence packet.

Until a formal audit is available and submitted through Etherscan's audit route, provider-facing materials must use this posture:

The cWUSDC Mainnet contract is source-verified and ABI-visible on Etherscan. A formal third-party audit URL has not yet been recorded in the current submission packet. DBIS maintains operational controls, source verification evidence, supply attestations, and monitoring reports; this should not be represented as a completed third-party audit.

Verified Contract Evidence

Latest dossier evidence reports:

| Field | Value |
| --- | --- |
| Contract | 0x2de5F116bFcE3d0f922d9C8351e0c5Fc24b9284a |
| Verified | true |
| Contract name | CompliantWrappedToken |
| Compiler | v0.8.20+commit.a1b79de6 |
| Optimization | enabled, 200 runs |
| EVM version | london |
| Proxy | 0 |
| ABI available | true |

Evidence:

reports/status/cwusdc-etherscan-value-dossier-latest.json

Operational Controls

| Control | Current evidence |
| --- | --- |
| Source verification | Etherscan getsourcecode check in dossier |
| Supply monitoring | cwusdc-supply-circulating-attestation-latest.* |
| Provider readiness monitoring | cwusdc-provider-handoff-latest.* |
| Etherscan Value monitoring | cwusdc-etherscan-value-propagation-latest.* |
| Cross-chain boundary disclosure | CWUSDC_ETHERSCAN_BRIDGE_CROSSCHAIN_LAYER_MAP.md |
| Mainnet-only supply policy | CWUSDC_SUPPLY_AND_CIRCULATING_METHODOLOGY.md |
| Role/control snapshot | reports/status/cwusdc-mainnet-role-audit-latest.md |

Remaining Audit Tasks

| Priority | Task | Status |
| --- | --- | --- |
| P0 | Identify whether a formal audit exists for CompliantWrappedToken | Open |
| P0 | If audit exists, add URL/hash to this packet and Etherscan submission | Open |
| P1 | If no audit exists, publish unaudited status in provider packet | Complete in this disclosure |
| P1 | Add admin/owner/mint/burn role review artifact | Complete as read-only known-candidate snapshot; unknown role members still require event/deployment-log review |
| P1 | Add incident-response contact and escalation path to public docs | Complete in provider packet |

Latest Role Snapshot

Latest read-only role audit:

reports/status/cwusdc-mainnet-role-audit-latest.json
reports/status/cwusdc-mainnet-role-audit-latest.md

Current observed candidate role state:

  • deployer has DEFAULT_ADMIN_ROLE.
  • cwBridgeMainnet (0x2bF74583206A49Be07E0E8A94197C12987AbD7B5) has MINTER_ROLE and BURNER_ROLE.
  • The checked relay/router/pool/vault candidates do not have DEFAULT_ADMIN_ROLE, MINTER_ROLE, or BURNER_ROLE.
  • MINTER_ROLE and BURNER_ROLE are administered by DEFAULT_ADMIN_ROLE.

The event-log reconstruction currently observes the deployer as the effective admin and the Mainnet cW bridge as the effective minter/burner. Limitation: provider log limits or pruned responses can still require independent deployment-record review before treating this as a formal audit.
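
The replay behind such a snapshot, and the completeness check that the stated limitation calls for, as an added example (not code from this repository). It assumes OpenZeppelin-style RoleGranted/RoleRevoked events already decoded to role names; the deployer and temporary addresses are placeholders, the log pages are constructed, and PAGE_CAP is an assumed provider limit.

```python
from collections import defaultdict

BRIDGE = "0x2bF74583206A49Be07E0E8A94197C12987AbD7B5"  # cwBridgeMainnet, from the page
DEPLOYER = "0xDEPLOYER_PLACEHOLDER"  # placeholder: the page does not give this address
TEMP = "0xTEMP_PLACEHOLDER"          # constructed account, granted then revoked
PAGE_CAP = 1000  # assumed per-query result cap; use your provider's documented limit
EXPECTED = {"DEFAULT_ADMIN_ROLE": {DEPLOYER}, "MINTER_ROLE": {BRIDGE}, "BURNER_ROLE": {BRIDGE}}

# Constructed, already-decoded query pages; each log is (block, logIndex, event, role, account).
PAGES = [
    {"from": 100, "to": 199, "logs": [
        (160, 0, "RoleGranted", "MINTER_ROLE", BRIDGE),
        (100, 0, "RoleGranted", "DEFAULT_ADMIN_ROLE", DEPLOYER),
        (150, 1, "RoleGranted", "MINTER_ROLE", TEMP)]},
    {"from": 200, "to": 299, "logs": [
        (205, 0, "RoleGranted", "BURNER_ROLE", BRIDGE),
        (210, 0, "RoleRevoked", "MINTER_ROLE", TEMP)]},
]

def replay_roles(pages):
    """Apply grants and revokes in (block, logIndex) order; return {role: set(accounts)}."""
    members = defaultdict(set)
    logs = sorted(log for page in pages for log in page["logs"])
    for _block, _index, event, role, account in logs:
        if event == "RoleGranted":
            members[role].add(account.lower())
        elif event == "RoleRevoked":
            members[role].discard(account.lower())
    return {role: accts for role, accts in members.items() if accts}

def coverage_gaps(pages, deploy_block, head_block, cap=PAGE_CAP):
    """Reasons the log set may be incomplete; an empty list means contiguous and uncapped."""
    gaps, next_block = [], deploy_block
    for page in sorted(pages, key=lambda p: p["from"]):
        if page["from"] > next_block:
            gaps.append(f"blocks {next_block}-{page['from'] - 1} not queried")
        if len(page["logs"]) >= cap:
            gaps.append(f"blocks {page['from']}-{page['to']} hit the result cap")
        next_block = max(next_block, page["to"] + 1)
    if next_block <= head_block:
        gaps.append(f"blocks {next_block}-{head_block} not queried")
    return gaps

def audit(pages, deploy_block, head_block, expected=EXPECTED, cap=PAGE_CAP):
    """Snapshot, drift from the expected holders, and coverage gaps."""
    observed = replay_roles(pages)
    want = {role: {a.lower() for a in accts} for role, accts in expected.items()}
    drift = {r: sorted(d) for r in set(observed) | set(want) if (d := observed.get(r, set()) ^ want.get(r, set()))}
    return {"observed": observed, "drift": drift, "gaps": coverage_gaps(pages, deploy_block, head_block, cap)}
```

A snapshot is only as good as its `gaps` list: with the second page missing, the revoked temporary minter still appears as a holder and the bridge's burner grant is absent.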

Incident Response

| Purpose | Contact / URL |
| --- | --- |
| Provider submissions | submissions@d-bis.org |
| User support | support@d-bis.org |
| Security / responsible disclosure | https://d-bis.org/security |
| General contact | https://d-bis.org/contact |
| Trust metadata | https://d-bis.org/.well-known/trust.json |

Provider Boundary

Do not write:

cWUSDC is audited.

Unless a formal audit URL is attached and verified.

Use:

cWUSDC is source-verified on Etherscan; formal third-party audit evidence is not yet recorded in the current submission packet.