Audit Reports
All TAG IT smart contracts undergo rigorous security audits by leading firms. We are committed to maintaining the highest security standards for our decentralized product authentication platform.
Audit Summary
Below is a comprehensive overview of all security audits conducted on TAG IT Network smart contracts:
| Date | Auditor | Scope | Critical | High | Medium | Low | Status |
|---|---|---|---|---|---|---|---|
| Jan 2024 | CertiK | Full Protocol | 0 | 0 | 2 | 5 | Resolved |
| Oct 2023 | Trail of Bits | Core Contracts | 0 | 1 | 3 | 8 | Resolved |
| Jun 2023 | OpenZeppelin | Initial Review | 1 | 2 | 4 | 6 | Resolved |
All critical, high, and medium severity findings from our audits have been addressed and verified by the respective audit firms.
Latest Audit - January 2024
Our most recent comprehensive audit was conducted by CertiK, one of the leading blockchain security firms.
Audit Scope
- TagItRegistry.sol - Core product registration and authentication contract
- TagItToken.sol - ERC-20 utility token with staking mechanisms
- OwnershipTransfer.sol - Secure ownership transfer protocol
- DisputeResolution.sol - Decentralized dispute handling system
- NFCVerifier.sol - On-chain NFC signature verification
Findings Summary
The CertiK audit identified the following issues, all of which have been resolved:
- Medium (2): Gas optimization improvements in batch operations
- Low (5): Code quality enhancements and documentation updates
TAG IT Network maintains a 94/100 security score on CertiK Skynet, placing us in the top tier of audited DeFi protocols.
Critical Issues Resolved
No critical issues were found in the January 2024 audit, demonstrating the maturity of our codebase following previous audit remediation efforts.
Previous Audits
October 2023 - Trail of Bits
Trail of Bits conducted an in-depth security assessment focusing on our core authentication contracts.
Key Findings (All Resolved)
- High (1): Reentrancy vulnerability in the ownership transfer function - Fixed by reordering the function to follow the checks-effects-interactions pattern (all state written before any external call) and adding a ReentrancyGuard mutex as defence in depth
- Medium (3): Access control improvements, input validation enhancements, and event emission consistency
- Low (8): Code documentation, naming conventions, and gas optimizations
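The reentrancy item above is the classic ordering bug: an external call is made while the function's own state still describes the pre-transfer world. The following Solidity file is an added illustration for this page, not TAG IT's OwnershipTransfer.sol and not the audited finding itself. The contract names, the escrow model (a buyer deposits ETH, the current owner accepts and is paid) and the `ReentrantSeller` are all hypothetical; the inlined `ReentrancyGuard` stands in for the OpenZeppelin library contract so the file compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical escrowed ownership transfer written for this page. It is NOT
// TAG IT's OwnershipTransfer.sol and does not reproduce the audited finding;
// it shows the class of bug the Trail of Bits item describes.
// A buyer escrows ETH for a product; the current owner accepts, is paid the
// deposit, and ownership moves to the buyer.

abstract contract EscrowedTransferBase {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public pendingBuyer;
    mapping(uint256 => uint256) public deposit;

    event Transferred(uint256 indexed productId, address indexed from, address indexed to, uint256 amount);

    function register(uint256 productId) external {
        require(ownerOf[productId] == address(0), "already registered");
        ownerOf[productId] = msg.sender;
    }

    function offer(uint256 productId) external payable {
        require(ownerOf[productId] != address(0), "unknown product");
        require(deposit[productId] == 0 && msg.value > 0, "bad offer");
        pendingBuyer[productId] = msg.sender;
        deposit[productId] = msg.value;
    }
}

// BEFORE: the interaction precedes the effects. The payout call runs while
// ownerOf and deposit still describe the pre-transfer state, so a seller
// contract can re-enter acceptTransfer from its receive() and be paid again
// from the contract's pooled balance, i.e. from other products' deposits.
contract VulnerableOwnershipTransfer is EscrowedTransferBase {
    function acceptTransfer(uint256 productId) external {
        require(msg.sender == ownerOf[productId], "not owner");
        uint256 amount = deposit[productId];
        require(amount > 0, "no offer");
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction first
        require(ok, "payout failed");
        address buyer = pendingBuyer[productId];             // effects too late
        ownerOf[productId] = buyer;
        pendingBuyer[productId] = address(0);
        deposit[productId] = 0;
        emit Transferred(productId, msg.sender, buyer, amount);
    }
}

// A seller that re-enters while the payout callback is open. `rounds` bounds
// the recursion so the outermost call does not run out of gas and revert all.
contract ReentrantSeller {
    VulnerableOwnershipTransfer public immutable target;
    uint256 public immutable productId;
    uint256 public rounds;

    constructor(VulnerableOwnershipTransfer t, uint256 id) { target = t; productId = id; }
    function register() external { target.register(productId); }
    function drain() external { target.acceptTransfer(productId); }

    receive() external payable {
        // deposit[productId] is still non-zero here, and we are still the owner
        if (rounds < 5 && address(target).balance >= target.deposit(productId)) {
            rounds++;
            target.acceptTransfer(productId);
        }
    }
}

// Minimal mutex in the style of OpenZeppelin's ReentrancyGuard, inlined so the
// file compiles without imports; use the library version in production.
abstract contract ReentrancyGuard {
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// AFTER: checks, then effects, then the single external interaction. The guard
// is defence in depth; apply it to every state-changing function that makes
// external calls, otherwise cross-function re-entry remains possible.
contract HardenedOwnershipTransfer is EscrowedTransferBase, ReentrancyGuard {
    function acceptTransfer(uint256 productId) external nonReentrant {
        // Checks
        require(msg.sender == ownerOf[productId], "not owner");
        uint256 amount = deposit[productId];
        require(amount > 0, "no offer");
        address buyer = pendingBuyer[productId];
        // Effects: settle all state before any external call
        ownerOf[productId] = buyer;
        pendingBuyer[productId] = address(0);
        deposit[productId] = 0;
        emit Transferred(productId, msg.sender, buyer, amount);
        // Interaction: a re-entrant call now fails the owner and deposit checks
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
    }
}
```

In the hardened version a re-entrant call from the seller's `receive()` sees `ownerOf` already pointing at the buyer and `deposit` already zero, so it reverts on the first `require`; the mutex additionally rejects the nested call outright. When reviewing a fix for a finding like this, check both orderings: that no external call (including ERC-20 or ERC-721 hooks, not just raw `call`) precedes a state write, and that the guard modifier is present on every public entry point that touches the same state.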
June 2023 - OpenZeppelin
Our initial smart contract audit was performed by OpenZeppelin, establishing the security foundation for TAG IT Network.
Key Findings (All Resolved)
- Critical (1): Integer overflow in the token minting function - Fixed by upgrading to Solidity 0.8.x, whose checked arithmetic reverts on overflow and underflow instead of silently wrapping
- High (2): Improper access control on admin functions and missing pause functionality - Fixed by restricting admin functions to the owner role and adding an emergency pause
- Medium (4): Frontrunning vulnerabilities, timestamp dependencies, and upgrade mechanism improvements
- Low (6): Code quality and best practice recommendations
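The critical and both high findings from the initial review map onto three lines of a mint function. The token below is an added example for this page, not TagItToken.sol: the contract name, the supply cap and the owner/pause design are assumptions. It shows what "upgrading to 0.8.x" buys (the `+` in `mint` reverts with a Panic on overflow, whereas the `unchecked` block reproduces the pre-0.8 wrap-around, under which adding 1 to `type(uint256).max` yields 0), together with owner-only minting and a pause switch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical utility token written for this page, NOT TAG IT's TagItToken.sol.
// Illustrates (1) checked arithmetic in Solidity 0.8.x versus the silent wrap
// of earlier compilers, (2) owner-only minting, (3) an emergency pause.
contract GuardedMintToken {
    string public constant name = "Example Token";
    uint256 public constant MAX_SUPPLY = 1_000_000_000e18; // assumed cap

    address public owner;
    bool public paused;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Paused(address indexed by);
    event Unpaused(address indexed by);

    // Access control: admin functions are callable only by the owner.
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Pause: lets the owner halt minting while an incident is investigated.
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor() { owner = msg.sender; }

    function mint(address to, uint256 amount) external onlyOwner whenNotPaused {
        require(to != address(0), "mint to zero address");
        // Under 0.8.x this addition reverts (Panic 0x11) if it would exceed
        // 2**256 - 1; under <0.8 it would wrap and totalSupply could shrink.
        uint256 newSupply = totalSupply + amount;
        require(newSupply <= MAX_SUPPLY, "cap exceeded");
        totalSupply = newSupply;
        balanceOf[to] += amount; // also checked; bounded by the cap anyway
        emit Transfer(address(0), to, amount);
    }

    function pause() external onlyOwner { paused = true; emit Paused(msg.sender); }
    function unpause() external onlyOwner { paused = false; emit Unpaused(msg.sender); }

    // Reproduces pre-0.8 semantics for comparison: the sum wraps modulo 2**256
    // and no error is raised. This is the behaviour the critical finding relied on.
    function legacyUncheckedAdd(uint256 a, uint256 b) external pure returns (uint256) {
        unchecked { return a + b; }
    }

    // Default 0.8.x semantics: reverts instead of wrapping.
    function checkedAdd(uint256 a, uint256 b) external pure returns (uint256) {
        return a + b;
    }
}
```

Two caveats a reviewer should keep in mind after such a fix: checked arithmetic does not help inside explicit `unchecked { }` blocks or in inline assembly, so those should be grepped for during re-audit, and the compiler upgrade on its own says nothing about a supply cap, which is why `mint` still enforces `MAX_SUPPLY` explicitly.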
Always verify you are interacting with our official contract addresses listed in the Contract Addresses documentation. Phishing contracts may attempt to impersonate TAG IT Network; compare the complete address rather than just its first and last characters, since look-alike addresses are routinely generated to match those.
Bug Bounty Program
TAG IT Network maintains an active bug bounty program to incentivize responsible disclosure of security vulnerabilities.
Reward Tiers
| Severity | Reward Range | Examples |
|---|---|---|
| Critical | $50,000 - $100,000 | Fund theft, contract takeover, permanent DoS |
| High | $10,000 - $50,000 | Significant fund loss risk, access control bypass |
| Medium | $2,500 - $10,000 | Limited fund loss, griefing attacks |
| Low | $500 - $2,500 | Minor issues, informational findings |
Scope
The following are in scope for our bug bounty program:
- All deployed smart contracts on Polygon Mainnet
- TAG IT REST and GraphQL APIs
- Web application at dashboard.tagit.network
- Mobile applications (iOS and Android)
How to Report
- Document the vulnerability with clear reproduction steps
- Include proof-of-concept code if applicable
- Submit your report to security@tagit.network
- Wait for our security team to acknowledge receipt (within 24 hours)
- Work with our team to verify and remediate the issue
Our bug bounty program is also hosted on Immunefi, providing additional protection and a trusted platform for security researchers.
Security Contact
We take security seriously and encourage responsible disclosure of any vulnerabilities.
Responsible Disclosure Policy
- Do provide detailed reports with reproduction steps
- Do give us reasonable time to remediate before any public disclosure (minimum 90 days from acknowledgement)
- Do make a good faith effort to avoid privacy violations and data destruction
- Don't publicly disclose vulnerabilities before they are fixed
- Don't access or modify other users' data
- Don't perform actions that could harm our users or services
Contact Information
- Email: security@tagit.network
- PGP Key: Available on our security page
- Response Time: Initial response within 24 hours
Security researchers acting in good faith and following our responsible disclosure policy are protected under our Safe Harbor agreement. We will not pursue legal action against researchers who comply with our guidelines.
Download Reports
Full audit reports are available for download below:
- CertiK Audit Report - January 2024 (PDF)
- Trail of Bits Audit Report - October 2023 (PDF)
- OpenZeppelin Audit Report - June 2023 (PDF)
All PDF reports are cryptographically signed. Verify a report's signature against the PGP key published on our security page before relying on its contents, and treat a report whose signature does not verify as untrusted; do not use a key that is distributed alongside the report itself.