Security

Last updated: June 30, 2026

This page describes ImplicitEx's security posture and responsible disclosure process. If you have found a security issue, see the reporting section below.

Security Posture

ImplicitEx operates with a security-conscious approach throughout development and deployment:

• Conservative soft-launch scope with transfer limits
• Smart contract source-verified on Polygonscan
• Negative-path and edge-case testing before each gate
• Deployment gated on smoke test evidence
• Role separation between deployer, owner, and treasury
• Incident-response planning in place before live traffic
• No admin key or backdoor in the transfer contract
• Transfer execution requires explicit user wallet confirmation at every step

Responsible Disclosure

If you discover a security vulnerability in ImplicitEx, please report it to security@implicitex.com.

Include in your report:

• A clear description of the issue
• Steps to reproduce the vulnerability
• The potential impact if exploited
• Any relevant transaction hashes, addresses, or code references

Please do not publicly disclose the issue before coordinating with the ImplicitEx team. We will acknowledge receipt, investigate, and provide updates as work proceeds.

Disclosure Scope

In scope:

• Smart contract vulnerabilities in the ImplicitEx contract
• Frontend logic errors that could lead to incorrect transaction behavior
• Wallet or RPC integration security issues
• Injection, XSS, or content security policy bypasses
• Authentication or authorization gaps in any admin surface

Out of scope:

• Network-level denial-of-service attacks
• Social engineering of team members
• Testing against production with real user funds without prior authorization
• Vulnerabilities in third-party services ImplicitEx does not control (MetaMask, WalletConnect, Circle, Polygon, public RPC providers)
• Issues that require physical access to a user's device

What Not to Do

• Do not test against production using real funds
• Do not attempt to drain user wallets or contract balances
• Do not extract, store, or publish user data encountered during research
• Do not perform destructive, irreversible, or denial-of-service actions

Response Expectations

We will acknowledge receipt of valid reports within a reasonable time and provide updates as investigation proceeds. Reporters who follow this responsible disclosure process and wish to be credited will be acknowledged upon resolution, if desired.

Third-Party Security

ImplicitEx does not control MetaMask, WalletConnect, Circle, Polygon, or public RPC providers. Security issues in those systems should be reported directly to their respective maintainers.

See also: Contract Addresses · Legal