FNC Token
Security · Audits · Responsible Disclosure

Security at FNC Token

Immutable contracts. Hard caps. Independent audits. No backdoors. Below is every guarantee, every audit status, and how to report a vulnerability.

Audit status

Audit Firm 1 (TBD)

Pending

Phase 0 + Phase 3 (token, governance, staking, treasury, redemption)

Scheduled: Q3 2026

Report TBD

Audit Firm 2 (TBD)

Pending

Cross-review — focus on Treasury invariants + Merkle distributor

Scheduled: Q4 2026

Report TBD

No audits complete yet — this is testnet.

FNC is currently live on Sepolia testnet. Tokens have no monetary value. Mainnet deployment will not proceed until both audit firms have signed off and all reported issues are remediated.

Hard guarantees

No mint function

The token has a fixed supply of 1,000,000,000 FNC. There is no mint() function in the contract — supply cannot increase, ever.

src/FreeNatoCashToken.sol → no mint(), constructor mints once and only once

No honeypot

Standard ERC-20 transfer logic with no transfer fee, no blocklist, no flag that disables transfers. Ownership of the token contract is renounced.

token.owner() == address(0) on Etherscan

No proxy upgrade

All contracts are deployed final. There is no UUPS / Transparent / Beacon proxy. The bytecode you see on Etherscan is the bytecode forever.

No upgrade slot in storage; constructor immutable

24-hour timelock

Every treasury action requires a successful governance proposal followed by a 1-day execution delay via TimelockController. Bad proposals can be cancelled inside the delay window.

TimelockController.getMinDelay() == 86400

Hard-coded policy caps

TreasuryPolicy enforces constitutional limits (daily buyback %, weekly redemption %, stable floor, oracle freshness) that even a passed DAO vote cannot exceed.

TreasuryPolicy bounds checked in setters

Selector whitelist on treasury

TreasuryVault.addAllowedCall(target, selector) gates every external interaction. Arbitrary calldata cannot be passed — only explicitly approved function selectors execute.

TreasuryVault.execute() checks allowedCalls[target][selector]
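How a selector whitelist of this shape can be enforced, shown as an added Solidity illustration rather than FNC's own TreasuryVault source. It assumes the TimelockController is the vault's only caller and adds a removeAllowedCall helper the page does not mention.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative selector-whitelist vault (added example, not FNC's TreasuryVault).
/// Assumption: a single `timelock` address (the TimelockController) is the only
/// caller, so allow-list edits and executions both sit behind the 24h delay.
contract SelectorWhitelistVault {
    address public immutable timelock;
    mapping(address => mapping(bytes4 => bool)) public allowedCalls;

    event CallAllowed(address indexed target, bytes4 indexed selector, bool allowed);
    event Executed(address indexed target, bytes4 indexed selector);

    error NotTimelock();
    error CalldataTooShort();
    error CallNotAllowed(address target, bytes4 selector);
    error CallFailed(bytes returndata);

    modifier onlyTimelock() {
        if (msg.sender != timelock) revert NotTimelock();
        _;
    }

    constructor(address _timelock) {
        timelock = _timelock;
    }

    /// Approve one (target, selector) pair; same shape as the page's addAllowedCall.
    function addAllowedCall(address target, bytes4 selector) external onlyTimelock {
        allowedCalls[target][selector] = true;
        emit CallAllowed(target, selector, true);
    }

    /// Revoke a pair (assumed helper, so a mistaken approval can be undone).
    function removeAllowedCall(address target, bytes4 selector) external onlyTimelock {
        allowedCalls[target][selector] = false;
        emit CallAllowed(target, selector, false);
    }

    /// Forward a call only if its first four bytes are an approved selector for
    /// that target. Calldata shorter than four bytes is rejected so a call that
    /// would land in the target's fallback cannot slip past the whitelist.
    function execute(address target, bytes calldata data) external onlyTimelock returns (bytes memory) {
        if (data.length < 4) revert CalldataTooShort();
        bytes4 selector = bytes4(data[:4]);
        if (!allowedCalls[target][selector]) revert CallNotAllowed(target, selector);
        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) revert CallFailed(ret);
        emit Executed(target, selector);
        return ret;
    }
}
```

The length check matters because the allow-list is keyed on the selector alone: without it, an empty or truncated payload would reach the target's receive/fallback path with no selector to compare against.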

Bug bounty

Pending Launch

A bug bounty program will launch on Immunefi alongside mainnet deployment. Until then, please report any findings via responsible disclosure below.

Critical: $50,000
High: $15,000
Medium: $5,000
Low: $500

Report a vulnerability

If you discover a security issue, please report it privately. Do not open a public issue or post about it on social media until we've had a chance to acknowledge and triage.

GitHub: Private advisory

What to include

  • Detailed description of the vulnerability
  • Step-by-step reproduction (PoC code if applicable)
  • Affected contracts / addresses / commit hash
  • Your assessment of severity and impact
  • Optional: how you would fix it

We commit to acknowledging your report within 48 hours and providing a triage status within 5 business days.