Resources

Addresses, audits, and the bounty timeline.

One page for every operational fact a builder or CFO might need to cite. No marketing copy.

Deployed addresses

Sepolia

The SDK's DEPLOYED_ADDRESSES export resolves these by chainId at runtime, never hand-paste them.

fhe-vesting · factory
live · audit in progress
0xA877…3150
fhe-airdrop · factory
live · audit in progress
0xbE6A…cd4c
fhe-disperse · singleton
live · also live on mainnet
0x710d…DBb4

Deployed addresses

Ethereum mainnet

fhe-disperse · singleton
live · audit publication pending
0x4fC0…cC70
fhe-vesting · factory
pending audit + mainnet KMS
Pending
fhe-airdrop · factory
pending audit + mainnet KMS
Pending

Audit posture

Where each product stands

Three FHE products. One mainnet-live. Two pending external audit + Zama KMS mainnet readiness.

Mainnet live

fhe-disperse

Singleton + per-user OZ clones. Live on Sepolia and Ethereum mainnet. Audit report publication pending; the singleton itself is in production traffic.

Audit in progress

fhe-vesting

LibClone factory with packed immutable args. Sepolia live. Mainnet pending audit close and Zama KMS readiness against Ethereum mainnet.

Audit in progress

fhe-airdrop

LibClone factory with EIP-712 gated claims. Sepolia live. Mainnet bring-up tracks fhe-vesting on the same audit + KMS gate.

Why fhe-disperse went mainnet first

Lower audit surface area, no LibClone determinism, no packed immutable args. The Zama relayer + KMS dependency is shared across all three products, so once the audit publishes for vesting + airdrop, they flip on the same infrastructure that already powers fhe-disperse in mainnet production.

Bounty timeline

Zama code-bounty cohort

External developers ship full apps against this published surface. Friction lands in a public feedback loop that drives CHANGELOG releases.

Now
Pre-launch hardening
SDK surface freezing, docs site building, integrator dogfooding inside the monorepo.
Week 1
Bounty kick-off
Zama announces; external developers begin submitting via the published @tokenops/sdk surface.
Week 4
Mid-cohort sync
Aggregate friction goes into docs/feedback/triaged; a CHANGELOG release lands the addressed items.
Audit close
Mainnet flip
fhe-vesting + fhe-airdrop land on mainnet; DEPLOYED_ADDRESSES update; minor SDK release.

Operational pages

Every resource the launch playbook references

The six leaves below carry the on-call playbook: how to report a vuln, where the changelog lives, what the SDK + docs collect, who answers what.

SecurityThreat model, audit posture, responsible disclosure.Mainnet readinessThe six gates before flipping a product to Ethereum mainnet.ChangelogPer-version highlights, what landed, what broke.Telemetry policyWhat the SDK + docs collect via SdkTelemetry / DocsTelemetry.ContributingFeedback inbox, PR workflow, contribution bar.SupportInbox + security email + Discord + GitHub, with SLAs.

Security disclosure

Reach the maintainers

If you found a real issue, mail security@tokenops.xyz. Bounty-cohort friction lands in the docs/feedback/inbox/ on the repo.

For high-severity issues (privilege escalation, money loss, ACL bypass, signature forgery against the EIP-712 domain), do not file public issues, email security@tokenops.xyz and we'll respond within 48 hours.

For DX / type / docs issues: open a structured entry in docs/feedback/inbox/ on the SDK repo with the severity label (blocker / major / minor / nit). The feedback-triager runs every cycle.