If you discover a security vulnerability in Sweep, please report it responsibly:
- DO NOT open a public GitHub issue
- Email security concerns to: security@sweep.exchange (or create a private security advisory)
- Include detailed steps to reproduce the vulnerability
- Allow up to 72 hours for an initial response
- Never share your private keys or seed phrases
- Verify transaction details before signing
- Use hardware wallets for significant amounts
- Check contract addresses against official sources
```bash
# NEVER commit .env files with real values
# Always use .env.example as a template
cp .env.example .env
# Edit .env with your actual values
```
- Use Kubernetes secrets or a secrets manager (Vault, AWS Secrets Manager) in production
- Never hardcode API keys or private keys in source code
- Rotate keys regularly
- Use separate keys for development/staging/production
Before every commit:
```bash
# Check for secrets in staged files
git diff --cached | grep -iE "(api_key|apikey|secret|password|token|private)"
# Use git-secrets or similar tools
git secrets --scan
```
| Control | Description |
|---|---|
| Ownable | Admin functions restricted to owner |
| Pausable | Emergency pause capability |
| ReentrancyGuard | Protection against reentrancy attacks |
| Permit2 | Gasless approvals with deadline protection |
| Deadline checks | All operations have expiration |

| Control | Description |
|---|---|
| Rate Limiting | Per-IP and per-wallet rate limits |
| Authentication | SIWE (Sign-In with Ethereum) |
| Input Validation | Zod schemas on all endpoints |
| x402 Payments | Prevents spam via payment requirement |
Multi-oracle price validation prevents price manipulation:
- Primary Sources: Chainlink, Pyth
- Secondary Sources: CoinGecko, DefiLlama, DexScreener
- Confidence Scoring: Prices must pass multiple validation checks
- Staleness Checks: Reject prices older than threshold
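As an added example (not Sweep's own code), the following JavaScript shows how the four checks above combine: quotes older than a threshold are rejected, the fresh survivors are compared against their median, and a price is accepted only when at least one primary source and a quorum of sources agree. The source names match the list above; the thresholds, field names and sample quotes are assumptions constructed for illustration.

```javascript
const PRIMARY = new Set(["chainlink", "pyth"]);
const SECONDARY = new Set(["coingecko", "defillama", "dexscreener"]);
// Thresholds are illustrative assumptions, not Sweep's configured values.
const DEFAULTS = { maxAgeMs: 60_000, maxDeviation: 0.02, minAgreeing: 3 };

function median(values) {
  const s = [...values].sort((a, b) => a - b), mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// quotes: [{ source, price, timestamp }] with timestamp in ms since epoch.
// Returns { ok: true, price, confidence, rejected } or { ok: false, reason, rejected }.
function validatePrice(quotes, nowMs, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const rejected = [];
  const fresh = [];
  for (const q of quotes) {
    if (!PRIMARY.has(q.source) && !SECONDARY.has(q.source)) {
      rejected.push({ ...q, reason: "unknown source" });
    } else if (!Number.isFinite(q.price) || q.price <= 0) {
      rejected.push({ ...q, reason: "invalid price" });
    } else if (nowMs - q.timestamp > cfg.maxAgeMs) {
      rejected.push({ ...q, reason: "stale" }); // staleness check
    } else {
      fresh.push(q);
    }
  }
  if (fresh.length === 0) return { ok: false, reason: "no fresh quotes", rejected };
  // Agreement check: drop quotes that deviate too far from the median of fresh quotes.
  const ref = median(fresh.map((q) => q.price));
  const agreeing = fresh.filter((q) => {
    const ok = Math.abs(q.price - ref) / ref <= cfg.maxDeviation;
    if (!ok) rejected.push({ ...q, reason: "outlier" });
    return ok;
  });
  // A price backed only by secondary sources is not trusted.
  if (!agreeing.some((q) => PRIMARY.has(q.source))) return { ok: false, reason: "no primary source agrees", rejected };
  if (agreeing.length < cfg.minAgreeing) return { ok: false, reason: "insufficient quorum", rejected };
  const confidence = agreeing.length / quotes.length; // share of the feed that agreed
  return { ok: true, price: median(agreeing.map((q) => q.price)), confidence, rejected };
}

// Constructed sample feed: one stale Pyth quote and one outlying DexScreener quote.
const NOW = 1_700_000_000_000;
const SAMPLE_QUOTES = [
  { source: "chainlink", price: 2000, timestamp: NOW - 5_000 },
  { source: "pyth", price: 2001, timestamp: NOW - 90_000 }, // 90 s old: rejected as stale
  { source: "coingecko", price: 1999, timestamp: NOW - 10_000 },
  { source: "defillama", price: 2002, timestamp: NOW - 8_000 },
  { source: "dexscreener", price: 2600, timestamp: NOW - 1_000 }, // deviates ~30%: rejected as outlier
];
```

With the sample feed, `validatePrice(SAMPLE_QUOTES, NOW)` accepts a price of 2000 with confidence 0.6; dropping the two primary sources from the input makes the same call fail with "no primary source agrees".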
Before sweeping any token:
- ✅ Honeypot detection (simulated buy/sell)
- ✅ Liquidity check (minimum threshold)
- ✅ Holder count verification
- ✅ Contract verification
- ✅ Known scam token list check
These files should NEVER be committed with real values:
| File | Purpose | Safe Version |
|---|---|---|
| .env | Environment variables | .env.example |
| k8s/secrets-*.yaml | K8s secrets | k8s/secrets.yaml (template) |
| *.key, *.pem | Private keys | Never commit |
| wallet.json | Wallet exports | Never commit |

| Component | Status | Last Audit |
|---|---|---|
| Smart Contracts | 🟡 Pending | - |
| API Server | 🟡 Pending | - |
| Frontend | 🟡 Pending | - |
We use Dependabot and Snyk to monitor dependencies:
```bash
# Check for vulnerabilities
npm audit
# Update dependencies
npm update
```
In case of a security incident:
- Pause contracts via guardian multisig
- Revoke compromised keys immediately
- Notify affected users if funds at risk
- Document and remediate the vulnerability
- Post-mortem and implement preventive measures
- Security: security@sweep.exchange
- General: team@sweep.exchange
- Discord: [Sweep Community]