Security & Incident History

Last Updated: January 2025

Yield.xyz operates with security as a first-class design principle. We are SOC 2 Type I compliant (report issued December 2025), with SOC 2 Type II in progress (expected by end of March 2026), and follow a layered, defense-in-depth security model across infrastructure, transactions, and protocol integrations.

Zero Security Breaches

No Incidents to Date

Yield.xyz has had no security breaches, hacks, or loss of client funds since inception.

Safeguards Against Malicious Transactions

Yield.xyz follows a zero-trust transaction model. All transactions returned by the API are unsigned and must be explicitly reviewed and signed by the client’s custody or signing infrastructure. We provide Yield.xyz Shield, a transaction validation layer that allows clients to programmatically verify:
  • Target contract addresses
  • Function selectors and calldata
  • Token approvals and spend limits
Shield is designed to detect and block man-in-the-middle and payload-tampering attacks, including attack classes similar to recent industry incidents (e.g., Kiln / SwissBorg vulnerabilities), where malicious calldata or altered approvals are injected between transaction construction and signing. By validating the intended target, function selector, and arguments before custody signing, Shield rejects any transaction that deviates from what the client actually requested. Because the check exists to catch tampering between construction and signing, it must run inside the client's signing trust boundary (for example, as a custody policy rule), where an attacker who can alter the API response cannot also alter the check. When combined with institutional custody systems (e.g., Fireblocks), this provides defense in depth across the full transaction lifecycle.
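The following is an added illustration of the three checks listed above (target address, function selector and calldata, approval spender and amount). It is example code written for this page, not the Shield library itself; the token, staking and attacker addresses, the policy, and the two sample transactions are constructed for the demo. The only external facts it relies on are the standard ERC-20 selectors and ABI word layout.

```python
"""Pre-signing policy check for an unsigned EVM transaction.

Illustrative example only; not Yield.xyz Shield's code. Addresses, the
policy and the two sample transactions below are constructed for the demo.
"""
from dataclasses import dataclass

# Standard ERC-20 function selectors: first 4 bytes of keccak256(signature).
SEL_APPROVE = "095ea7b3"    # approve(address,uint256)
SEL_TRANSFER = "a9059cbb"   # transfer(address,uint256)
UINT256_MAX = 2**256 - 1


@dataclass(frozen=True)
class Policy:
    """What the signer is willing to sign. All addresses are lowercase hex."""
    allowed_targets: frozenset    # contracts the tx may call
    allowed_selectors: frozenset  # 4-byte selectors the tx may invoke
    allowed_spenders: frozenset   # addresses that may receive an allowance
    max_approval: int             # largest allowance the policy tolerates


def _norm(addr: str) -> str:
    return addr.lower()


def decode_address_uint256(args_hex: str) -> tuple:
    """Decode ABI-encoded (address, uint256): two 32-byte words, no tail."""
    if len(args_hex) != 128:
        raise ValueError(f"expected 64 bytes of arguments, got {len(args_hex) // 2}")
    word0, word1 = args_hex[:64], args_hex[64:]
    # An address occupies the low 20 bytes; the high 12 bytes must be zero.
    if word0[:24] != "0" * 24:
        raise ValueError("non-zero padding in address word")
    return "0x" + word0[24:], int(word1, 16)


def validate_tx(tx: dict, policy: Policy) -> list:
    """Return a list of policy violations; an empty list means safe to sign."""
    findings = []
    to = _norm(tx["to"])
    if to not in policy.allowed_targets:
        findings.append(f"target {to} is not an allow-listed contract")

    data = tx.get("data", "0x")
    data = data[2:] if data.startswith("0x") else data
    if len(data) < 8:
        findings.append("calldata has no function selector")
        return findings
    selector = data[:8].lower()
    if selector not in policy.allowed_selectors:
        findings.append(f"selector 0x{selector} is not allow-listed")

    if selector == SEL_APPROVE:
        try:
            spender, amount = decode_address_uint256(data[8:])
        except ValueError as exc:
            findings.append(f"malformed approve() arguments: {exc}")
            return findings
        if spender not in policy.allowed_spenders:
            findings.append(f"approval to unexpected spender {spender}")
        if amount > policy.max_approval:
            label = "unlimited" if amount == UINT256_MAX else str(amount)
            findings.append(f"approval amount {label} exceeds policy max {policy.max_approval}")
    return findings


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata (used here only to construct samples)."""
    return "0x" + SEL_APPROVE + _norm(spender)[2:].rjust(64, "0") + f"{amount:064x}"


# Constructed sample addresses (not real contracts).
TOKEN = "0x" + "11" * 20
STAKING = "0x" + "22" * 20
ATTACKER = "0x" + "de" * 20

POLICY = Policy(
    allowed_targets=frozenset({TOKEN, STAKING}),
    allowed_selectors=frozenset({SEL_APPROVE}),
    allowed_spenders=frozenset({STAKING}),
    max_approval=1_000 * 10**18,
)

# Transaction as the integrator intended: approve the staking contract for 1000 tokens.
EXPECTED_TX = {"to": TOKEN, "value": 0, "data": encode_approve(STAKING, 1_000 * 10**18)}
# Same transaction after payload tampering in transit: unlimited approval to an attacker.
TAMPERED_TX = {"to": TOKEN, "value": 0, "data": encode_approve(ATTACKER, UINT256_MAX)}

if __name__ == "__main__":
    for name, tx in (("expected", EXPECTED_TX), ("tampered", TAMPERED_TX)):
        problems = validate_tx(tx, POLICY)
        print(name, "->", "SIGN" if not problems else "REJECT: " + "; ".join(problems))
```

The policy is built from what the client intended to do (which token, which staking contract, how much), never from the API response being checked; otherwise a tampered response would also supply the expectations it is compared against. A real deployment would extend the selector table to the protocol's deposit and exit functions and run the check in the custody policy engine rather than on the host that fetched the transaction.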

Learn More About Shield

Transaction validation library documentation

Protection Against Compromised Protocols

Yield.xyz continuously monitors protocol health, integration behavior, and validator performance. For validator-based staking, we maintain SLAs with our preferred validator partners covering uptime and operational reliability.

Key Safeguards

  • Non-custodial architecture: Yield.xyz does not autonomously execute transactions or move client funds. All capital movements require explicit client-side review and signing through the client’s custody or signing infrastructure (e.g., MPC, HSM, custodians).
  • Access controls: Access to Yield.xyz APIs and dashboards is restricted to authenticated and authorized users, with permissions scoped per client and per environment.
  • Change management: New protocol and yield integrations are introduced through a documented review and change-management process prior to production deployment.

If a Protocol Becomes Unsafe

If a protocol or yield becomes unsafe, paused, or compromised:
  1. The yield is marked as maintenance / deprecated / disabled via metadata
  2. New deposits are blocked where appropriate
  3. Clients are proactively notified through designated communication channels
If a protocol risk or security issue is identified after deployment, Yield.xyz follows a documented incident response and escalation process, including containment actions and proactive client communication. Affected yields remain accessible for position monitoring and safe exits, and are only re-enabled once the protocol is deemed safe to operate again.

Third-Party Monitoring

As an additional fail-safe mechanism, clients may integrate third-party on-chain risk and monitoring tools such as Hypernative, enabling independent detection of DeFi protocol incidents or abnormal behavior alongside Yield.xyz controls for layered risk management.

Fines and Penalties

Yield.xyz has not incurred any fines or penalties related to security incidents.

Volume and Scale

Yield.xyz operates at production scale across multiple institutional and enterprise clients:
Metric                    Value
API calls                 250M+ per month
Total volume processed    $1B+ across staking, DeFi, and vault-based yields
Clients                   Growing set of institutional, wallet, and fintech clients
More granular metrics—such as exact client counts, per-client volumes, and request breakdowns—can be shared as ranges or exact figures under NDA, depending on disclosure requirements.

External Audits and Validation

Security is reinforced through a combination of internal controls, external audits, and regulatory engagement:

Regulatory Engagement

Yield.xyz views proactive coordination with regulators as a key part of its compliance approach and has engaged in discussions aligned with applicable requirements of the French Financial Markets Authority (Autorité des marchés financiers, AMF) in connection with an integration for a French neobank.

Third-Party Security Audits

Trail of Bits

Security Assessment - Q3 2024

Zellic

Smart Contract Audits - Q1 2025 & Q3 2024
Audit reports include:

Ongoing Security Practices

  • Penetration testing and vulnerability assessments
  • Remediation cycles with re-testing of fixed findings
  • Engagement with in-house white-hat security engineers and external security researchers
Audit summaries, penetration test reports, and supporting documentation can be shared under NDA as part of due diligence.

Trust Center

For additional transparency, security posture, and trust artifacts, please refer to our Trust Center:

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly.

Contact

Email: security@yield.xyz

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Any suggested mitigations

Our Commitment

  • We will acknowledge receipt within 24 hours
  • We will provide an initial assessment within 72 hours
  • We will keep you informed of remediation progress
  • We recognize responsible disclosures (with permission)
Please do not publicly disclose vulnerabilities before we have had an opportunity to investigate and remediate.

Contact

Security Team: security@yield.xyz
General Support: support@yield.xyz