DZap’s smart contracts are audited by independent firms. All reports are public.
Audit repositories
DZap Audits
Top-level repo for protocol audits across all DZap products.
ZappingContracts Audits
Per-version audit reports for the Fuse / Zap contract suite.
Audit Reports (legacy)
Older reports, still maintained at the legacy docs URL.
Smart Contract Addresses
Verify deployed contracts on each chain.
Audit partners
Specific firm names + report links land here as audits complete. Track the GitHub repos above for the latest.
Trust boundaries
| Surface | Trust model |
|---|---|
| Smart contracts | Audited; upgrades behind multi-sig + timelock. |
| Trade + Fuse APIs | Public, rate-limited; inputs validated server-side. |
| AI runtime | Local-first; keys never leave the user’s process. |
| Solvers (Fuse) | Permissionless; constrained by hash-bound intent fields (executorFeesHash, swapDataHash). |
Reporting a vulnerability
Email [email protected] with [SECURITY] in the subject. Include:
- Description of the issue.
- A proof-of-concept (if you have one).
- Affected chain / contract / endpoint.
Operational checklist
For partners integrating DZap:
- ✅ API keys server-only — never in browser code.
- ✅ Verify webhook HMAC signatures (Trade API).
- ✅ Use a session-scoped key for AI agent execution; rotate regularly.
- ✅ Cap per-trade and per-day value at the application layer.
- ✅ Whitelist tokens in consumer-facing apps.
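
A server-side sketch of three checklist items (webhook HMAC verification, per-trade and per-day caps, token allowlist), added here as an example and not taken from DZap's code or API reference. It assumes the webhook signature is a hex HMAC-SHA256 over the raw request body; the secret, token symbols, limits and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date

# Assumptions (not from DZap's docs): hex HMAC-SHA256 over the raw body;
# the secret, token symbols and USD limits below are constructed samples.
WEBHOOK_SECRET = b"constructed-test-secret"
ALLOWED_TOKENS = {"USDC", "WETH"}
MAX_PER_TRADE_USD = 1_000
MAX_PER_DAY_USD = 2_500


def verify_webhook(raw_body: bytes, signature_hex: str,
                   secret: bytes = WEBHOOK_SECRET) -> bool:
    """Recompute the MAC over the exact bytes received (before any JSON
    parsing or re-serialization) and compare in constant time."""
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    supplied = signature_hex.strip().lower()
    return hmac.compare_digest(expected.encode(), supplied.encode())


class TradeGuard:
    """Application-layer policy evaluated before a trade request is sent."""

    def __init__(self):
        self._day = None
        self._spent = 0

    def check(self, token_in, token_out, usd_value, today=None):
        today = today or date.today()
        if today != self._day:
            # New calendar day: reset the running total.
            self._day, self._spent = today, 0
        if token_in not in ALLOWED_TOKENS or token_out not in ALLOWED_TOKENS:
            return False, "token not allowlisted"
        if usd_value <= 0 or usd_value > MAX_PER_TRADE_USD:
            return False, "per-trade cap"
        if self._spent + usd_value > MAX_PER_DAY_USD:
            return False, "per-day cap"
        # Only approved trades count toward the daily total.
        self._spent += usd_value
        return True, "ok"
```

In a multi-process deployment the daily total would need to live in shared storage rather than in process memory.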