Security & risk

Audits

Our position: an unaudited protocol asking for mainnet deposits is asking for trust it hasn't earned. loom's mainnet launch is gated on an independent third-party audit — not soft-launched ahead of it.

Internal review (published)

Before commissioning an external review, we audited ourselves and published the result in the repository — findings, severities, and fixes, in English and Chinese (audit/ in the repo). It is an internal review by the team's own tooling and standards; we publish it because you should see our homework, not as a substitute for independence.

What it covers: the full trust model with on-chain role verification, a solvency-invariant analysis (lUSD supply == Σ receipt debt), the peg-corridor model, venue liveness, marketplace safety, the points system's sybil surface, and an itemized mainnet-readiness checklist.

What it changed — findings fixed and verified on-chain during the review cycle:

FindingFix
Marketplace could settle trades against already-redeemed (husk) receiptsMarketplace v2: every trade entry rejects spent claims — regression-tested including the cancel-listing → redeem → accept-bid path
Junk 1-wei bids could bloat per-receipt bid arrays1 lUSD minimum bid, enforced in code
The app displayed gross redeemable values (before the yield fee)Every displayed claim is now net — what you see is what you get
Legacy contracts inflated the audited surfaceDeleted; the test suite now exercises exactly the deployed stack

Open items are tracked in the same report — including the admin-key centralization that the governance page explains, which is the top item on the mainnet checklist.

Independent audit (gating mainnet)

An external audit of the frozen mainnet scope is the launch gate. When it completes, this page will link the report and the remediation log. Until a report is linked here, treat any "loom audit" circulating elsewhere as fake.

Reporting a vulnerability

Found something? We want it before anyone else does. Contact the team through the official channels on the brand page; a formal bug bounty is planned alongside mainnet. Good-faith researchers will be treated as allies, credited, and — once the bounty is live — paid.