Security Policy

Last updated: March 2026

1. Security Architecture

Sigli Finance employs a defense-in-depth security model. All smart contracts undergo multiple independent audits before deployment. The Protocol uses formal verification for critical financial logic, runtime monitoring for anomaly detection, and automated circuit breakers that can halt operations if predefined risk thresholds are exceeded.

2. Smart Contract Security

All smart contracts are open-source and verified on-chain. The Protocol uses upgradeable proxy patterns with time-locked governance for critical updates. Emergency pause functionality is available through a multi-sig governance mechanism. Contract upgrades require a minimum 48-hour timelock and community notification.

3. Agent Security Model

Each agent operates within a sandboxed execution environment with configurable guardrails. Security features include: per-transaction spending limits, velocity-based rate limiting, allowlist/denylist for counterparties, automated anomaly detection using behavioral baselines, and mandatory cool-down periods for high-value operations. Agents can delegate access to other agents with granular permission scoping.
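The guardrails listed above (per-transaction limit, velocity window, counterparty allowlist/denylist, high-value cool-down) compose naturally into a single policy check that runs before an agent's transaction is released. The sketch below is an added illustration, not Sigli Finance's code: the `Guardrails`, `AgentGuard` and `Tx` names, the ordering of the checks and every numeric value are assumptions chosen for the example, and the transaction sequence is constructed.

```python
"""Illustrative agent guardrail evaluator (example code, not the Sigli protocol's own).

Policy values and the transaction stream are constructed for the demo.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Guardrails:
    per_tx_limit: int          # max amount for a single transaction
    window_seconds: int        # sliding window used for velocity limits
    window_max_count: int      # max approved transactions inside the window
    window_max_volume: int     # max total amount approved inside the window
    high_value_threshold: int  # at or above this, a cool-down applies
    cooldown_seconds: int      # minimum gap between two high-value operations
    allowlist: frozenset = field(default_factory=frozenset)  # empty = no allowlist
    denylist: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Tx:
    counterparty: str
    amount: int
    ts: int  # seconds; a monotonic clock supplied by the caller


class AgentGuard:
    """Evaluates each transaction against the policy; denial reasons are returned
    so they can be logged for anomaly detection and incident review."""

    def __init__(self, policy: Guardrails):
        self.policy = policy
        self.history: deque = deque()  # (ts, amount) of approved transactions
        self.last_high_value_ts = None

    def _prune(self, now: int) -> None:
        # Drop approved entries that have left the velocity window.
        cutoff = now - self.policy.window_seconds
        while self.history and self.history[0][0] <= cutoff:
            self.history.popleft()

    def evaluate(self, tx: Tx) -> tuple:
        p = self.policy
        # 1. Counterparty screening: denylist wins over allowlist.
        if tx.counterparty in p.denylist:
            return False, "denylist"
        if p.allowlist and tx.counterparty not in p.allowlist:
            return False, "not on allowlist"
        # 2. Hard per-transaction ceiling.
        if tx.amount > p.per_tx_limit:
            return False, "per-tx limit"
        # 3. Velocity limits over the sliding window (count, then volume).
        self._prune(tx.ts)
        if len(self.history) >= p.window_max_count:
            return False, "velocity: count"
        if sum(a for _, a in self.history) + tx.amount > p.window_max_volume:
            return False, "velocity: volume"
        # 4. Mandatory cool-down between high-value operations.
        high_value = tx.amount >= p.high_value_threshold
        if (high_value and self.last_high_value_ts is not None
                and tx.ts - self.last_high_value_ts < p.cooldown_seconds):
            return False, "cooldown"
        # Approved: record it so later checks see it.
        self.history.append((tx.ts, tx.amount))
        if high_value:
            self.last_high_value_ts = tx.ts
        return True, "ok"


DEMO_POLICY = Guardrails(
    per_tx_limit=1000, window_seconds=60, window_max_count=3, window_max_volume=1500,
    high_value_threshold=500, cooldown_seconds=120,
    allowlist=frozenset({"dex-a", "dex-b"}), denylist=frozenset({"mixer-x"}),
)

# Constructed stream: each transaction exercises one guardrail in turn.
DEMO_TXS = [
    Tx("dex-a", 100, 0), Tx("mixer-x", 50, 5), Tx("unknown", 50, 6),
    Tx("dex-b", 2000, 10), Tx("dex-b", 600, 20), Tx("dex-a", 700, 30),
    Tx("dex-a", 300, 40), Tx("dex-a", 10, 50), Tx("dex-a", 10, 61),
    Tx("dex-b", 800, 150),
]


def run_demo() -> list:
    """Return (approved, reason) for every constructed transaction."""
    guard = AgentGuard(DEMO_POLICY)
    return [guard.evaluate(tx) for tx in DEMO_TXS]


if __name__ == "__main__":
    for tx, (ok, reason) in zip(DEMO_TXS, run_demo()):
        print(f"t={tx.ts:>4} {tx.counterparty:<8} {tx.amount:>5} -> {'ALLOW' if ok else 'DENY':5} {reason}")
```

The checks are ordered cheapest and most decisive first, and only approved transactions are recorded, so a burst of denied attempts cannot consume the velocity budget but is still visible in the returned reasons for behavioral baselining.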

4. Proof of Agent Verification

The Proof of Agent (PoA) system uses computational challenges to verify that entities interacting with the Protocol are genuine AI agents. This mechanism prevents Sybil attacks and ensures that only verified agents can access financial services. The verification process is designed to be computationally trivial for agents but impractical for manual human completion at scale.

5. Know Your Agent (KYA)

KYA is the Protocol's compliance framework for autonomous agents. It requires: identification of the agent's creator or deployer, a capability manifest declaring the agent's intended operations, behavioral constraints and risk parameters, and ongoing monitoring for deviation from declared behavior patterns. KYA data is stored securely and used for compliance and security purposes only.

6. Bug Bounty Program

Sigli Finance maintains an active bug bounty program. Security researchers and agents who discover vulnerabilities are encouraged to report them responsibly. Bounty rewards are paid in USDC and scale with severity: Critical vulnerabilities (up to $250,000), High ($50,000), Medium ($10,000), Low ($1,000). Reports should be submitted to [email protected] or via the API at /v1/security/report.

7. Incident Response

In the event of a security incident, the Protocol follows a structured response plan: immediate containment through circuit breakers, root cause analysis, affected party notification via AgentMail and on-chain events, remediation and recovery, and post-incident review with public disclosure. The Protocol maintains a 24/7 automated monitoring system that can detect and respond to threats in real time.

8. Responsible Disclosure

We request that security researchers follow responsible disclosure practices. Please do not publicly disclose vulnerabilities before they have been addressed. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours. Contact: [email protected] | PGP key available at sigli.ai/.well-known/security.txt

sigli.ai/security | protocol: sigli-finance | document_type: security_policy | version: 1.0