Security First: Full Audit Report and Bug Bounty Program Are Live

May 12, 2026
Dear RWANFTFI community!

A lot of you have been asking about the audit, how it works, what's been verified, and how the security side of the protocol actually holds up under scrutiny. So let's walk through it properly, in one place.

Two links you should have open.

The first one is the CertiK Skynet page for the project: 👉 skynet.certik.com/projects/rwanftfi

The second one is the full audit report, available directly on the platform: 👉 app.rwanftfi.com/security

Bookmark both. The first is where the live, public-facing security data lives, and where every future security event (including bug bounty activity) gets reflected in real time. The second is the actual audit document — the full PDF, the one you read end to end if you want to understand exactly what was tested and what passed.

Now, what was actually audited.

The entire smart contract architecture has been verified by CertiK. That includes the full Diamond contract structure (EIP-2535), which is the foundation the entire RWANFTFI protocol is built on. This isn't a single contract being audited in isolation. It's a pool of contracts, working together through a unified proxy architecture, and CertiK signed off on the whole thing.

Worth pausing on the Diamond architecture for a second, because it matters.

This isn't a stock template. The Diamond contract used here is a custom implementation, designed specifically for products of this scale. It's the architecture that lets us split functionality across multiple modules (Facets), keep them upgradable independently, and stay clear of the 24KB contract size limit that single-contract projects keep running into. It's also the foundation for everything coming next on the FinPro side — Lending, additional financial products, RWA integrations. All of that plugs into the same audited base. Building on something CertiK already verified is the whole point.

Now, the part announced yesterday.

The Bug Bounty program is live.

If you genuinely understand smart contract security — if you read Solidity for fun, if you've found vulnerabilities in other protocols before, if "Diamond pattern" doesn't sound like jargon to you — there's a real path now to earn rewards by stress-testing RWANFTFI's contracts. The program runs through CertiK's official platform, not through DMs or random Telegram chats. That's the only legitimate channel.

If you find something real, the team rewards it. The size of the reward scales with the severity of the finding, which is the standard model on CertiK's bounty platform. Every active bounty event, every report, every payout — all of it gets reflected publicly on the project's Skynet page.

This is intentional. Security in Web3 doesn't get stronger by promising it gets stronger. It gets stronger by being tested, in public, by people who actually know what they're looking at, with rewards on the table for finding problems before bad actors do. That's the entire idea behind a bounty program, and that's the model we're plugging into.

For everyone else who isn't a security researcher — and that's most of you — the practical takeaway is simple. The protocol's foundation has been independently audited by one of the most established security firms in the space. The audit is public, the architecture is public, the bounty program is public. There's no "trust us, it's safe." There's a CertiK report you can read, a Skynet page you can monitor, and a bounty channel that incentivizes the entire ethical hacker community to keep poking at the contract on an ongoing basis.

Security comes first here, and we mean that the way an engineer means it, not the way a marketing slide means it.

Two links again, so they're easy to grab:

🔒 Live security page on CertiK Skynet: skynet.certik.com/projects/rwanftfi

📄 Full audit report (PDF): app.rwanftfi.com/security

Read it. Verify it. Ask questions. And if you happen to be one of the people who can actually break contracts for a living — welcome. The bounty is open.