Skip to main content
appeX

Security Overview

This page provides a summary of how appeX approaches security: the principles that guide design decisions, the specific measures in place, and where trust is required versus where operations are verifiable.

Security Principles

appeX handles real capital. Security is not a feature. It is a prerequisite for every design decision. The protocol is built around three principles:

  1. Defense in depth. No single control prevents all attacks. Multiple layers of protection overlap so that failure of any one layer does not compromise the system. Smart contract audits catch code-level issues. The bug bounty program catches what audits miss. Redemption gates prevent liquidity crises. Concentration limits prevent single-point-of-failure exposure. Each layer operates independently.
  2. Transparency over obscurity. Smart contracts are audited and published. Risk factors are documented openly in this documentation. Users make informed decisions, not blind ones. appeX believes that transparent risk disclosure builds trust. Hiding risks does not eliminate them. It transfers them to uninformed participants.
  3. Minimize trust assumptions. Onchain operations are verifiable by anyone. NAV calculations, fee distributions, staking mechanics, and LP token pricing are all executed by smart contracts. Offchain operations (borrower onboarding, credit assessment) are the primary trust boundary, and they are documented explicitly so users understand exactly where trust is required.

Security Measures

security-measures diagram
CategoryMeasuresPurpose
Smart contract securityThird-party audits, bug bounty programIdentify and eliminate code-level vulnerabilities before and after deployment
Access controlPermissioned borrower onboarding, planned multi-sig administration, role-based accessPrevent unauthorized vault draws and parameter changes
Geographic restrictionsGeofencing for restricted jurisdictions enforced at the frontend layerPrevent access from prohibited regions
Liquidity protectionRedemption gates (daily caps, available liquidity checks, per-request limits)Prevent bank-run dynamics and protect vault solvency during stress
Risk isolationVault-level capital and risk separationEnsure losses in one vault do not affect other vaults or their LPs
Capital preservationAll unborrowed capital deployed to established, audited DeFi protocols (Aave, Compound) for continuous yieldMinimize external dependency risk while ensuring capital is always productive
NAV integrityContinuous accrual, NAV refresh on every transactionPrevent timing arbitrage and ensure fair pricing for all LP transactions

Trust Boundaries

trust-boundaries diagram

appeX operates at the intersection of onchain and offchain systems. Understanding where trust is required is critical for making informed decisions about participation.

Onchain (Verifiable)

These operations will be handled onchain and independently verifiable:

  • LP deposits and redemptions
  • NAV calculations and share pricing
  • $APPEX staking and reward distribution
  • Fee distribution mechanics
  • LP token minting and burning

Offchain (Trust Required)

These operations require trust in the appeX team's judgment and processes:

  • Borrower creditworthiness assessment and onboarding decisions
  • Receivable verification and fraud checks
  • Collections management and repayment tracking
  • Fiat off-ramp operations and banking relationships
  • Borrowing limit adjustments and term modifications

The offchain layer exists because credit decisions require human judgment. Evaluating whether a company can repay its obligations, verifying that receivables are legitimate, and managing collections processes require expertise and discretion. As the protocol matures, governance will progressively decentralize these decisions.

Warning: The offchain layer is the primary trust boundary in the system. LP capital is deployed to borrowers based on offchain credit decisions made by the appeX team. While borrower onboarding is rigorous, this represents a centralization point that users should understand. See Risk Framework for a complete analysis.

Phased Security Approach

Security is not a one-time event. appeX follows a phased approach:

  1. Pre-launch. Third-party security audits of all smart contracts. Internal testing of core financial logic.
  2. Launch. Conservative initial parameters. Gradual deployment with volume limits. Monitoring for unexpected behavior.
  3. Post-launch. Ongoing bug bounty program. Continuous monitoring. Governance-driven parameter adjustments based on real usage data.

Further Reading

  • Risk Framework - Detailed analysis of every risk category and mitigation strategy
  • Audits - Third-party audit reports and findings
  • Bug Bounty - Responsible disclosure program and reward structure