Security & Trust at PolyFund

PolyFund combines stablecoin-based payments with established security practices to protect transactions and platform operations.

Core principles include:

• Defense-in-depth security architecture
• Non-custodial fund handling
• Regulatory-aware system design
• Continuous monitoring and oversight

PolyFund operates on both Ethereum mainnet and Base, an Ethereum Layer 2 network developed by Coinbase. This infrastructure provides:

• Immutability: Transactions cannot be altered or reversed once confirmed
• Transparency: Transactions are publicly verifiable on-chain
• Resilience: Built on Ethereum's battle-tested infrastructure
• Decentralized settlement: Reduces reliance on centralized intermediaries

Smart contracts manage the routing of USD-backed stablecoin (USDC) donations between donors and campaign wallets.

Security measures include:

• Independent third-party security reviews
• Careful review of critical contract logic
• Multi-signature controls for administrative functions
• Time-locked upgrades with public visibility
• Responsible disclosure and vulnerability reporting processes

PolyFund is a non-custodial platform. Campaigns and donors retain control of their funds at all times.

• Secure wallet connection protocols
• Transaction signing occurs within the user's wallet, not on PolyFund servers
• PolyFund never has access to private keys

PolyFund applies reasonable and industry-standard data protection practices to safeguard user information.

• Encrypted communications between client and servers
• Restricted access to sensitive systems and data
• Segmented infrastructure to limit access exposure
• Secure backup and recovery procedures

Identity verification is handled by Coinbase, a publicly traded and regulated financial institution.

• Identity verification is performed through Coinbase's infrastructure
• PolyFund receives only verification status
• PolyFund does not store copies of identity documents

Internal access to PolyFund systems is strictly controlled.

• Role-based access control (RBAC)
• Multi-factor authentication for internal systems
• Principle of least privilege
• Audit logging of administrative actions
• Regular access reviews and deprovisioning

PolyFund maintains processes to monitor platform activity and respond to potential security incidents.

• Ongoing monitoring for suspicious activity
• Incident response procedures for identified issues
• User notification in the event of confirmed incidents, as required

PolyFund welcomes responsible security research.

If you believe you have identified a vulnerability:

• Contact us at hello@polyfund.us
• Include detailed steps to reproduce the issue
• Allow reasonable time for investigation and resolution
• Avoid public disclosure until the issue has been addressed

We appreciate the role of the security community in helping protect users and campaigns.