Security at bonuz
bonuz is the Human Layer protocol, and security is its foundation. Every protocol, smart contract, and piece of infrastructure we use is audited, battle-tested, or trusted at scale by tens of millions of users.
- ✓ Core protocols audited by Hacken (score: 10/10).
- ✓ ERC-4337 account abstraction powered by Biconomy (audited by Spearbit, Cyfrin, and others).
- ✓ Key infrastructure (Web3Auth) audited by CertiK, Cure53, Kudelski Security — SOC 2 Type II certified, now under ConsenSys security framework.
- ✓ Cross-chain routing via LI.FI (audited by Quantstamp, Spearbit, Cantina) and 1inch (OpenZeppelin, 13+ audits).
- ✓ All infrastructure providers independently audited by firms including Trail of Bits, CertiK, Spearbit, OpenZeppelin, OtterSec, and others.
All core bonuz protocol contracts (Engagement protocol and bonuz ID protocol) are audited by Hacken with a perfect score, covering state machines, permissions, and integration points.
Smart Contract Security
Hacken 10/10
All Bonuz Inc. (St. Lucia) core protocol contracts, including the Engagement protocol and bonuz ID protocol, have been independently audited by Hacken, with a 10/10 result.
The audit covers state machines, permissions, and integration points.
Trusted & Audited Infrastructure
Industry-Grade
bonuz relies on infrastructure that powers major Web3 wallets, exchanges, and protocols. These providers undergo regular audits by top-tier cybersecurity firms such as Trail of Bits, CertiK, Cure53, Spearbit, OpenZeppelin, Quantstamp, OtterSec, Hacken, ChainSafe, Cyfrin, and others. Several hold SOC 2 Type II and ISO 27001 certifications.
Web3Auth (ConsenSys)
MPC / TSS Login
Secure, Web2-simple onboarding via MPC/TSS key infrastructure. Web3Auth secures tens of millions of users across wallets and apps. SOC 2 Type II certified. Acquired by ConsenSys (June 2025).
Audited by: CertiK, Cure53, Kudelski Security
ConsenSys enterprise security: ISO 27001:2022, bug bounty, ConsenSys Diligence
Zerion
AA & Wallet Infra
Wallet and account abstraction infrastructure trusted by millions of users, with robust smart account design and ongoing audits.
Audited by: Trail of Bits, Cure53, PeckShield, Secfault Security
Bug bounty via Immunefi. Open-source codebase.
Biconomy
ERC-4337 AA
ERC-4337 account abstraction infrastructure for smart accounts, paymasters, gas sponsorship, bundling, and session keys in the bonuz ecosystem.
Audited by: Spearbit, Cyfrin, Zenith, Pashov (Nexus smart accounts)
DeFiSafety score: 92/100
LI.FI
Bridge & DEX Aggregation
Cross-chain bridge and DEX aggregation protocol, aggregating 100+ bridges across 40+ networks for optimal cross-chain routing in bonuz.
Audited by: Quantstamp, Code4rena, Spearbit, Cantina ($500K security competition)
Alchemy
RPC & Nodes
Enterprise-grade RPC and node infrastructure with SOC 2 Type II, ISO 27001, and ISO 27018 certifications, used by leading Web3 projects.
Security posture: SOC 2 Type II, ISO 27001, ISO 27018, enterprise security audits
Helios
Verified RPC
Developed by a16z. High-integrity RPC focused on correctness and verification, with an open-source Rust implementation and community reviews.
Jupiter
Solana Routing
Solana's leading swap and routing aggregator, processing billions in volume with audited routing contracts.
Audited by: OtterSec, Sec3, Offside Labs, MixBytes, Zenith
1inch
Aggregation
Multi-chain DEX aggregation contracts that rank among the most audited in DeFi, underpinning bonuz swap aggregation.
Audited by: OpenZeppelin (13+ audits), ChainSafe, ChainSecurity, Hacken, ConsenSys Diligence, SlowMist
Account Abstraction Security
ERC-4337 by Biconomy
bonuz uses ERC-4337 smart accounts powered by Biconomy for execution. This enables smart accounts, paymasters, gas sponsorship, bundling, and session keys, while keeping users fully self-custodial.
The wallet itself is not "fully gasless." Instead, bonuz sponsors gas on selected core actions (e.g. ID updates, Engagement claims and redemptions), so for users the experience feels gasless while remaining transparent and secure onchain.
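The scoping described above is what keeps a "sponsor selected actions" paymaster from becoming an open gas faucet: if the paymaster accepted any UserOperation, anyone could spend the sponsor's EntryPoint deposit on arbitrary calls. The following is an added illustration, not bonuz or Biconomy code: a minimal ERC-4337 v0.6 paymaster that only sponsors allowlisted (target contract, function selector) pairs under a per-operation cost cap. It assumes the smart account exposes execute(address,uint256,bytes) as in the reference SimpleAccount; the contract name, the allowlist and the cost cap are hypothetical, and stake/deposit management with the EntryPoint is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// ERC-4337 v0.6 UserOperation layout, repeated here so the file compiles on its own.
struct UserOperation {
    address sender; uint256 nonce; bytes initCode; bytes callData;
    uint256 callGasLimit; uint256 verificationGasLimit; uint256 preVerificationGas;
    uint256 maxFeePerGas; uint256 maxPriorityFeePerGas; bytes paymasterAndData; bytes signature;
}

/// Hypothetical paymaster: sponsors gas only for allowlisted (target, selector) pairs, up to a
/// per-operation cost cap. Everything else reverts during validation, so the sponsor deposit
/// is never charged for operations outside the intended core actions.
contract ScopedSponsorPaymaster {
    // Selector of SimpleAccount.execute(address,uint256,bytes) from the reference implementation.
    bytes4 private constant EXECUTE_SELECTOR = bytes4(keccak256("execute(address,uint256,bytes)"));

    address public immutable entryPoint;
    address public immutable owner;
    uint256 public immutable maxSponsoredCost;      // wei the sponsor will pay per UserOperation
    mapping(bytes32 => bool) public sponsoredCall;  // keccak256(target, selector) => allowed

    constructor(address entryPoint_, uint256 maxSponsoredCost_) {
        entryPoint = entryPoint_; owner = msg.sender; maxSponsoredCost = maxSponsoredCost_;
    }

    /// Owner adds or removes a sponsored action, e.g. (idContract, updateProfile.selector).
    function setSponsoredCall(address target, bytes4 selector, bool allowed) external {
        require(msg.sender == owner, "not owner");
        sponsoredCall[keccak256(abi.encodePacked(target, selector))] = allowed;
    }

    /// Called by the EntryPoint during validation. validationData == 0 means "valid, no time
    /// bounds"; any revert makes the EntryPoint drop the operation before the sponsor pays.
    function validatePaymasterUserOp(UserOperation calldata userOp, bytes32, uint256 maxCost)
        external view returns (bytes memory context, uint256 validationData)
    {
        require(msg.sender == entryPoint, "only EntryPoint");
        require(maxCost <= maxSponsoredCost, "cost above cap");
        require(userOp.callData.length > 4 && bytes4(userOp.callData[:4]) == EXECUTE_SELECTOR, "not execute()");
        (address target, , bytes memory data) = abi.decode(userOp.callData[4:], (address, uint256, bytes));
        require(data.length >= 4, "no inner selector");
        bytes4 innerSelector;
        assembly { innerSelector := mload(add(data, 32)) }  // first 4 bytes of the inner call data
        require(sponsoredCall[keccak256(abi.encodePacked(target, innerSelector))], "action not sponsored");
        return ("", 0);  // empty context: no postOp needed
    }
}
```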
Operational Security & Monitoring
Runtime Safety
Protocol Monitoring
- ✓ Continuous monitoring of protocol events and critical metrics
- ✓ Anomaly and fraud detection for suspicious patterns
- ✓ Secure QR/NFC flows with anti-double-spend protections
- ✓ Rate limiting and guardrails for sensitive actions
Identity & Data
- ✓ Permissioned bonuz ID reads and writes
- ✓ User-controlled visibility and scopes on identity records
- ✓ Regular internal reviews for new protocol versions
- ✓ Threat modeling before major upgrades
User Protection & Mission
Self-Sovereignty
Even though bonuz feels "Web2-simple," users remain fully sovereign:
The Human Layer must be safe, reliable, and sovereign. If it isn't secure, it doesn't ship.
bonuz exists to make blockchains usable for normal people and brands, without giving up the core promise of Web3: self-custody over money, identity, passes, and reputation.