Security Overview
Platform security measures and protective systems
Spray and Play employs comprehensive security measures to protect user funds and platform integrity. Security is our highest priority.
Critical Reminder: Never share your seed phrase or private keys with anyone. Spray and Play team members will NEVER ask for your credentials.
Security Philosophy
Our approach to security follows three core principles:
1. Defense in Depth - Multiple layers of protection
2. Transparency - Open verification of all contracts
3. User Control - You maintain custody of your assets
Platform Security Measures
🔐 Smart Contract Security
| Measure | Implementation | Status |
|---|---|---|
| Multi-Sig Wallets | All treasury and reserve wallets require multiple signatures | ✅ Active |
| Timelock Contracts | Critical operations have a 24-48 hour delay | ✅ Active |
| Upgradeable Proxies | Contracts can be patched for security fixes | ✅ Active |
| Emergency Pause | Circuit breakers for critical vulnerabilities | ✅ Active |
🛡️ Infrastructure Protection
- Cold Storage: 95% of funds kept in offline wallets
- DDoS Protection: Enterprise-grade traffic filtering
- Rate Limiting: API and transaction throttling
- Real-time Monitoring: 24/7 anomaly detection
- Automated Alerts: Instant notification of suspicious activity
🔍 Continuous Monitoring
Our security team monitors:
- On-chain transactions for unusual patterns
- Smart contract interactions
- Price oracle integrity
- Reserve health metrics
- Admin key activity
User Protection Features
Session Security
- Automatic Logout: Sessions expire after 24 hours of inactivity
- Device Tracking: Alerts for new device logins
- IP Whitelisting: Optional geographic restrictions
- 2FA Support: Two-factor authentication for sensitive actions
Transaction Safeguards
- Gasless Verification: All deposits show a preview before requiring blockchain confirmation
- Deposit Confirmations: 3-12 confirmations required based on chain
- Withdrawal Delays: Large withdrawals have time delays
- Address Verification: Whitelist withdrawal addresses
- Slippage Protection: Automatic limits on price impact
Verified Contracts
All Spray and Play smart contracts are:
- ✅ Open Source - Viewable on GitHub and block explorers
- ✅ Verified - Source code published on Etherscan/Solscan
- ✅ Audited - Reviewed by independent security firms
- ✅ Bug Bounty - Active rewards for vulnerability disclosure
Contract Addresses
View all verified contract addresses on our Smart Contracts page.
Incident Response
Response Timeframes
| Severity | Response Time | Description |
|---|---|---|
| Critical | < 1 hour | Active exploit or fund risk |
| High | < 4 hours | Significant vulnerability |
| Medium | < 24 hours | Moderate security issue |
| Low | < 72 hours | Minor concern |
Communication Channels
In the event of a security incident:
1. Immediate: Discord announcement
2. Within 1 hour: Detailed incident report
3. Post-resolution: Full post-mortem published
Security Audits
Completed Audits
| Firm | Scope | Date | Status |
|---|---|---|---|
| Trail of Bits | Reserve Wallet, Spray Contracts | Q1 2026 | ✅ Completed |
| OpenZeppelin | Governance, Timelock | Q1 2026 | ✅ Completed |
| CertiK | Full Platform | Q1 2026 | 🔄 In Progress |
Audit Reports
All audit reports are publicly available:
- Trail of Bits Report
- OpenZeppelin Report
- CertiK Report (coming soon)
Bug Bounty Program
We reward security researchers who responsibly disclose vulnerabilities.
Reward Tiers
| Severity | Reward | Example |
|---|---|---|
| Critical | Up to $100,000 | Direct fund theft, infinite minting |
| High | Up to $50,000 | Significant fund risk, admin takeover |
| Medium | Up to $10,000 | Data leakage, DoS attacks |
| Low | Up to $2,000 | Best practice violations |
Scope
In scope for bug bounties:
- Smart contracts (Reserve, Spray, Payout)
- Web application (app.playtrenches.xyz)
- API endpoints
- Authentication systems
Out of Scope
- Third-party dependencies
- Issues already identified in published audits
- Social engineering attacks
- Physical security
How to Report
1. Email: security@playtrenches.xyz
2. Include detailed description and proof of concept
3. Allow 48 hours for initial response
4. Responsible disclosure required
Important: Do not publicly disclose vulnerabilities until they are fixed and we authorize disclosure.
Best Practices for Users
✅ Do
- Use a hardware wallet for large amounts
- Verify contract addresses before approving transactions
- Enable 2FA on your account
- Regularly review your active positions
- Keep your wallet software updated
❌ Don't
- Share your seed phrase with anyone
- Approve unlimited token spend limits
- Click suspicious links in DMs
- Ignore transaction preview warnings
- Use public WiFi without a VPN
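Two of the items above, verifying the contract address before approving and refusing unlimited spend limits, can be checked mechanically before a transaction is signed. The following is an added example, not Spray and Play code: it decodes the calldata of an ERC-20 `approve(address,uint256)` call, compares the token and spender addresses against a hypothetical allowlist of verified contracts (the addresses are constructed placeholders, not the platform's real contracts), and flags an allowance of `2^256-1` or anything larger than the amount the user intended.

```javascript
// Added example (not Spray and Play code): pre-flight checks on an ERC-20 approval.
// The allowlist addresses and the sample transactions are constructed values.

// First 4 bytes of keccak256("approve(address,uint256)").
const APPROVE_SELECTOR = "095ea7b3";
// "Unlimited" allowance: the maximum uint256 value.
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist of verified contract addresses (lowercased, constructed).
const KNOWN_CONTRACTS = new Set([
  "0x1111111111111111111111111111111111111111", // constructed: token contract
]);
const KNOWN_SPENDERS = new Set([
  "0x2222222222222222222222222222222222222222", // constructed: spray contract
]);

// Build approve(spender, amount) calldata so the checks can be run offline.
function encodeApprove(spender, amount) {
  const spenderWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + spenderWord + amountWord;
}

// Decode approve calldata: 4-byte selector, 32-byte padded address, 32-byte uint256.
// Returns null for anything that is not a well-formed approve call.
function decodeApprove(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An ABI-encoded address is left-padded with 12 zero bytes (24 hex chars).
  if (!/^0{24}/.test(spenderWord)) return null;
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount };
}

// Run the user-side safeguards against a transaction {to, data} and the amount
// the user actually meant to authorise. Returns ok=false with a list of warnings
// when the wallet should show a warning instead of signing silently.
function checkApproval(tx, intendedAmount) {
  const warnings = [];
  const to = tx.to.toLowerCase();
  if (!KNOWN_CONTRACTS.has(to)) warnings.push("unknown token contract: " + to);
  const decoded = decodeApprove(tx.data);
  if (!decoded) {
    warnings.push("calldata is not a well-formed approve(address,uint256) call");
    return { ok: false, warnings };
  }
  if (!KNOWN_SPENDERS.has(decoded.spender)) {
    warnings.push("unknown spender: " + decoded.spender);
  }
  if (decoded.amount === MAX_UINT256) {
    warnings.push("unlimited allowance requested");
  } else if (decoded.amount > intendedAmount) {
    warnings.push("allowance exceeds intended amount");
  }
  return { ok: warnings.length === 0, warnings, ...decoded };
}

// Constructed sample: an exact approval to the known spender passes,
// an unlimited approval to an unknown spender is flagged twice.
const exact = checkApproval(
  { to: "0x1111111111111111111111111111111111111111",
    data: encodeApprove("0x2222222222222222222222222222222222222222", 1000n) },
  1000n
);
const unlimited = checkApproval(
  { to: "0x1111111111111111111111111111111111111111",
    data: encodeApprove("0x3333333333333333333333333333333333333333", MAX_UINT256) },
  1000n
);
console.log(exact.ok, exact.warnings);        // true []
console.log(unlimited.ok, unlimited.warnings); // false [unknown spender, unlimited allowance]
```

The check is deliberately strict about calldata shape: a call that does not decode cleanly is refused rather than guessed at, since a wallet that silently accepts malformed approvals gives the user no chance to act on the transaction-preview warnings the platform provides.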
Security Resources
Contact Security Team
- Email: security@playtrenches.xyz
- PGP Key: Download
- Response Time: < 24 hours
---
Last Updated: February 2026
Next Audit: Q2 2026