
# Security & Audits

> Audit reports, security partners, and disclosure.

DZap's smart contracts are audited by independent firms. All reports are public.

## Audit repositories

<CardGroup cols={2}>
  <Card title="DZap Audits" icon="github" href="https://github.com/DZapIO/audits">
    Top-level repo for protocol audits across all DZap products.
  </Card>

  <Card title="ZappingContracts Audits" icon="github" href="https://github.com/DZapIO/DZapZappingContracts/tree/master/audits">
    Per-version audit reports for the Fuse / Zap contract suite.
  </Card>

  <Card title="Audit Reports (legacy)" icon="file-shield" href="https://docs.dzap.io/product/audit-reports">
    Older reports, still maintained at the legacy docs URL.
  </Card>

  <Card title="Smart Contract Addresses" icon="file-contract" href="/products/contracts">
    Verify deployed contracts on each chain.
  </Card>
</CardGroup>

## Audit partners

<Note>
  Specific firm names and report links will be added here as audits complete. Track the GitHub repos above for the latest reports.
</Note>

## Trust boundaries

| Surface           | Trust model                                                                                   |
| ----------------- | --------------------------------------------------------------------------------------------- |
| Smart contracts   | Audited; upgrades behind multi-sig + timelock.                                                |
| Trade + Fuse APIs | Public, rate-limited; inputs validated server-side.                                           |
| AI runtime        | Local-first; keys never leave the user's process.                                             |
| Solvers (Fuse)    | Permissionless; constrained by hash-bound intent fields (`executorFeesHash`, `swapDataHash`). |

## Reporting a vulnerability

Email `support@dzap.io` with `[SECURITY]` in the subject. Include:

* Description of the issue.
* A proof-of-concept (if you have one).
* Affected chain / contract / endpoint.

We acknowledge within 24h. Critical issues qualify for a bounty.

## Operational checklist

For partners integrating DZap:

* ✅ API keys server-only — never in browser code.
* ✅ Verify webhook HMAC signatures (Trade API).
* ✅ Use a session-scoped key for AI agent execution; rotate regularly.
* ✅ Cap per-trade and per-day value at the application layer.
* ✅ Whitelist tokens in consumer-facing apps.
