Audits
Our position: an unaudited protocol asking for mainnet deposits is asking for trust it hasn't earned. loom's mainnet launch is gated on an independent third-party audit — not soft-launched ahead of it.
Internal review (published)
Before commissioning an external review, we audited ourselves and published the result in the repository — findings, severities, and fixes, in English and Chinese (audit/ in the repo). It is an internal review by the team's own tooling and standards; we publish it because you should see our homework, not as a substitute for independence.
What it covers: the full trust model with on-chain role verification, a solvency-invariant analysis (lUSD supply == Σ receipt debt), the peg-corridor model, venue liveness, marketplace safety, the points system's sybil surface, and an itemized mainnet-readiness checklist.
What it changed — findings fixed and verified on-chain during the review cycle:
| Finding | Fix |
|---|---|
| Marketplace could settle trades against already-redeemed (husk) receipts | Marketplace v2: every trade entry rejects spent claims — regression-tested including the cancel-listing → redeem → accept-bid path |
| Junk 1-wei bids could bloat per-receipt bid arrays | 1 lUSD minimum bid, enforced in code |
| The app displayed gross redeemable values (before the yield fee) | Every displayed claim is now net — what you see is what you get |
| Legacy contracts inflated the audited surface | Deleted; the test suite now exercises exactly the deployed stack |
Open items are tracked in the same report — including the admin-key centralization that the governance page explains, which is the top item on the mainnet checklist.
Independent audit (gating mainnet)
An external audit of the frozen mainnet scope is the launch gate. When it completes, this page will link the report and the remediation log. Until a report is linked here, treat any "loom audit" circulating elsewhere as fake.
Reporting a vulnerability
Found something? We want it before anyone else does. Contact the team through the official channels on the brand page; a formal bug bounty is planned alongside mainnet. Good-faith researchers will be treated as allies, credited, and — once the bounty is live — paid.