> ## Documentation Index
> Fetch the complete documentation index at: https://yieldxyz.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Notice

> Yield.xyz Security & Incident History

## Security & Incident History

**Last Updated: January 2025**

Yield.xyz operates with security as a first-class design principle. We are **SOC 2 Type I compliant** (issued December 2025), with **SOC 2 Type II currently in progress** (expected by end of March 2026), and follow a layered, defense-in-depth security model across infrastructure, transactions, and protocol integrations.

***

## Zero Security Breaches

<Card title="No Incidents to Date" icon="shield-check">
  Yield.xyz has had **no security breaches, hacks, or loss of client funds** since inception.
</Card>

***

## Safeguards Against Malicious Transactions

Yield.xyz follows a **zero-trust transaction model**. All transactions returned by the API are unsigned and must be explicitly reviewed and signed by the client's custody or signing infrastructure.

We provide **Yield.xyz Shield**, a transaction validation layer that allows clients to programmatically verify:

* Target contract addresses
* Function selectors and calldata
* Token approvals and spend limits

Shield is specifically designed to prevent man-in-the-middle and payload-tampering attacks, including attack classes similar to recent industry incidents (e.g., Kiln / SwissBorg vulnerabilities), where malicious calldata or altered approvals could be injected between transaction construction and signing.

By validating intent and call data before custody signing, Shield ensures only expected, deterministic transactions are ever approved.

When combined with institutional custody systems (e.g., Fireblocks), this provides strong defense-in-depth protection across the full transaction lifecycle.

<Card title="Learn More About Shield" icon="shield-check" href="/documentation/shield-security/shield">
  Transaction validation library documentation
</Card>

***

## Protection Against Compromised Protocols

Yield.xyz continuously monitors protocol health, integration behavior, and validator performance. For validator-based staking, we maintain SLAs with our preferred validator partners covering uptime and operational reliability.

### Key Safeguards

* **Non-custodial architecture**: Yield.xyz does not autonomously execute transactions or move client funds. All capital movements require explicit client-side review and signing through the client's custody or signing infrastructure (e.g., MPC, HSM, custodians).
* **Access controls**: Access to Yield.xyz APIs and dashboards is restricted to authenticated and authorized users, with permissions scoped per client and per environment.
* **Change management**: New protocol and yield integrations are introduced through a documented review and change-management process prior to production deployment.

### If a Protocol Becomes Unsafe

If a protocol or yield becomes unsafe, paused, or compromised:

1. The yield is marked as **maintenance / deprecated / disabled** via metadata
2. New deposits are **blocked** where appropriate
3. Clients are **proactively notified** through designated communication channels

If a protocol risk or security issue is identified after deployment, Yield.xyz follows a documented incident response and escalation process, including containment actions and proactive client communication.

Affected yields remain accessible for position monitoring and safe exits, and are only re-enabled once the protocol is deemed safe to operate again.

### Third-Party Monitoring

As an additional fail-safe mechanism, clients may integrate third-party on-chain risk and monitoring tools such as **Hypernative**, enabling independent detection of DeFi protocol incidents or abnormal behavior alongside Yield.xyz controls for layered risk management.

***

## Fines and Penalties

Yield.xyz has not incurred any fines or penalties related to security incidents.

***

## Volume and Scale

Yield.xyz operates at production scale across multiple institutional and enterprise clients:

| Metric                     | Value                                                     |
| -------------------------- | --------------------------------------------------------- |
| **API Calls**              | 250M+ per month                                           |
| **Total Volume Processed** | \$1B+ across staking, DeFi, and vault-based yields        |
| **Clients**                | Growing set of institutional, wallet, and fintech clients |

More granular metrics—such as exact client counts, per-client volumes, and request breakdowns—can be shared as ranges or exact figures under NDA, depending on disclosure requirements.

***

## External Audits and Validation

Security is reinforced through a combination of internal controls, external audits, and regulatory engagement:

### Regulatory Engagement

Yield.xyz views proactive coordination with regulators as a key part of its compliance approach and has engaged in discussions aligned with applicable requirements of the French Monetary Authority (Autorité des marchés financiers – AMF) in connection with an integration for a French neobank.

### Third-Party Security Audits

<CardGroup cols={2}>
  <Card title="Trail of Bits" icon="magnifying-glass">
    Security Assessment - Q3 2024
  </Card>

  <Card title="Zellic" icon="file-contract">
    Smart Contract Audits - Q1 2025 & Q3 2024
  </Card>
</CardGroup>

**Audit reports include:**

* [Zellic - Smart Contract Security Assessment (OAV) - Q1 2025](https://github.com/Zellic/publications/blob/master/StakeKit%20-%20Zellic%20Audit%20Report.pdf)
* [Zellic - Smart Contract Security Assessment (Fee Wrapper) - Q3 2024](https://github.com/Zellic/publications/blob/master/StakeKit%20FeeWrapper%20-%20Zellic%20Audit%20Report.pdf)

### Ongoing Security Practices

* Penetration testing and vulnerability assessments
* Remediation cycles
* Engagement with in-house white-hat security engineers
* External security researchers

Audit summaries, penetration test reports, and supporting documentation can be shared under NDA as part of due diligence.

***

## Trust Center

For additional transparency, security posture, and trust artifacts, please refer to our Trust Center:

<Card title="Trust Center" icon="building-shield" href="https://trust.yield.xyz">
  [https://trust.yield.xyz](https://trust.yield.xyz)
</Card>

***

## Reporting Security Issues

If you discover a security vulnerability, please report it responsibly.

### Contact

**Email:** [security@yield.xyz](mailto:security@yield.xyz)

### What to Include

* Detailed description of the vulnerability
* Steps to reproduce
* Potential impact assessment
* Any suggested mitigations

### Our Commitment

* We will acknowledge receipt within **24 hours**
* We will provide an initial assessment within **72 hours**
* We will keep you informed of remediation progress
* We recognize responsible disclosures (with permission)

<Warning>
  Please do not publicly disclose vulnerabilities before we have had an opportunity to investigate and remediate.
</Warning>

***

## Contact

**Security Team:** [security@yield.xyz](mailto:security@yield.xyz)

**General Support:** [support@yield.xyz](mailto:support@yield.xyz)
