EPITAPH PROTOCOL — Security Audit Report v0.1.0 · EpitaphCore.sol · EpitaphVault.sol · EpitaphRegistry.sol · Audit Status: PENDING — Scheduled Q3 2026

Security Audit Report

EPITAPH PROTOCOL v0.1.0 · PREPARED FOR PUBLIC DISCLOSURE


Audit Pending
The Epitaph Protocol smart contracts have not yet undergone a formal third-party security audit. A full audit with Cantina or Code4rena is scheduled for Q3 2026.

This document outlines our internal security review, known limitations, and the planned audit scope. Use on mainnet at your own risk until the audit is complete.

Overview

Field              Detail
Protocol           Epitaph Protocol
Version            v0.1.0
Audit Firm         Pending — Cantina / Code4rena
Audit Status       SCHEDULED Q3 2026
Primary Network    Base (Mainnet)
Language           Solidity ^0.8.24
Framework          Hardhat + OpenZeppelin v5
Lines of Code      ~420 (EpitaphCore.sol)

Audit Scope

The following contracts are in scope for the formal audit:

Contract               Description                                    Priority
EpitaphCore.sol        Main will protocol — deploy, execute, revoke   CRITICAL
EpitaphVault.sol       Asset custody during execution window          HIGH
EpitaphRegistry.sol    Will indexing and lookup                       MEDIUM

Internal Review

Our internal security review identified and addressed the following before public deployment:

Critical: 0 · High: 0 · Medium: 2 · Low: 3 · Informational: 4 · Total: 9

Findings

EP-01
Reentrancy in ETH distribution loop
MEDIUM FIXED

Description: The _distributeETH() function made external ETH transfers inside a loop without following the checks-effects-interactions pattern: the will's state was still unchanged while beneficiaries were being paid, which is the precondition for a beneficiary contract to call back into the protocol from its receive() hook.

Resolution: Added OpenZeppelin ReentrancyGuard's nonReentrant modifier to executeWill(), and the will state is now set to EXECUTED before any external call is made.

EP-02
Guardian confirmation bitmask overflow edge case
MEDIUM FIXED

Description: The 3-bit bitmask used for guardian confirmations had an edge case when all three bits were set simultaneously.

Resolution: Added an explicit bounds check. The AlreadyConfirmed error now correctly prevents double-confirmation at the bit level, so a guardian cannot set its bit twice.
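One way a bit-per-guardian confirmation mask with a bit-level double-confirmation check can be written, shown here as an added example that is not EpitaphCore.sol. The contract name GuardianConfirmations, the three-guardian layout with a configurable threshold, and the createWill/confirm/quorumReached functions are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Illustrative guardian-confirmation bitmask. Added example, not EpitaphCore.sol;
/// the contract, struct and function names are hypothetical.
contract GuardianConfirmations {
    uint8 public constant MAX_GUARDIANS = 3;

    error AlreadyConfirmed(uint256 willId, uint8 guardianIndex);
    error NotGuardian(uint256 willId, address caller);
    error WillExists(uint256 willId);
    error InvalidGuardianSet();
    error InvalidThreshold(uint8 threshold);

    struct Will {
        address[3] guardians;
        uint8 threshold;      // confirmations required to release, 1..3
        uint8 confirmations;  // bit i is set iff guardians[i] has confirmed; always < 8
    }

    mapping(uint256 => Will) private wills;

    function createWill(uint256 willId, address[3] calldata guardians, uint8 threshold) external {
        if (wills[willId].threshold != 0) revert WillExists(willId);
        if (threshold == 0 || threshold > MAX_GUARDIANS) revert InvalidThreshold(threshold);
        // Guardians must be distinct and non-zero, otherwise one key could never reach its own bit
        for (uint256 i = 0; i < MAX_GUARDIANS; i++) {
            if (guardians[i] == address(0)) revert InvalidGuardianSet();
            for (uint256 j = i + 1; j < MAX_GUARDIANS; j++) {
                if (guardians[i] == guardians[j]) revert InvalidGuardianSet();
            }
        }
        wills[willId] = Will({guardians: guardians, threshold: threshold, confirmations: 0});
    }

    /// Each guardian owns exactly one bit; setting it a second time reverts instead of silently no-op'ing.
    function confirm(uint256 willId) external {
        Will storage w = wills[willId];
        uint8 index = _guardianIndex(w, willId, msg.sender); // 0..2, so the bit is always < 8
        uint8 bit = uint8(1) << index;
        if ((w.confirmations & bit) != 0) revert AlreadyConfirmed(willId, index);
        w.confirmations |= bit;
    }

    /// Popcount over the mask. The all-three-bits state 0b111 is just the value 7 here, not a special case.
    function confirmedCount(uint256 willId) public view returns (uint8 count) {
        uint8 mask = wills[willId].confirmations;
        while (mask != 0) {
            count += mask & 1;
            mask >>= 1;
        }
    }

    function quorumReached(uint256 willId) external view returns (bool) {
        return confirmedCount(willId) >= wills[willId].threshold;
    }

    function _guardianIndex(Will storage w, uint256 willId, address who) private view returns (uint8) {
        for (uint8 i = 0; i < MAX_GUARDIANS; i++) {
            if (w.guardians[i] == who) return i;
        }
        revert NotGuardian(willId, who);
    }
}
```

The bit index is derived from msg.sender rather than passed in, so the bounds check is structural: no caller-supplied index can produce a bit outside the three the mask is allowed to hold, and the only way to reach a bit is to be the guardian that owns it.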

EP-03
Missing zero-address validation for fee recipient
LOW FIXED

Resolution: Added a ZeroAddress custom error; the fee recipient is validated in the constructor and in setFeeRecipient().

EP-04
No maximum cap on beneficiary share BPS rounding
LOW FIXED

Resolution: Beneficiary shares must now sum to exactly 10000 BPS (totalShares == 10000), so a will can neither be over- nor under-allocated. Rounding dust from integer division stays in the contract and is swept by the owner.
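The distribution shape behind EP-01 and the share check behind EP-04, as an added example written for this page rather than the protocol's own EpitaphCore.sol or EpitaphVault.sol. It assumes a hypothetical WillPool contract that holds the ETH of many wills (which is what turns a double payout into a loss for other wills), with executeWillVulnerable() as the "before" and executeWill() as the "after"; it uses OpenZeppelin v5's ReentrancyGuard, matching the framework listed above. The ReenteringBeneficiary contract and the 1001 wei figures in the comments are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Added example, not EpitaphCore.sol or EpitaphVault.sol. One contract holds the ETH of many wills,
/// so a will paid twice is paid from other wills' funds. All names here are hypothetical.
contract WillPool is ReentrancyGuard {
    uint256 public constant BPS_DENOMINATOR = 10_000;

    enum Status { None, Active, Executed }

    struct Beneficiary {
        address payable account;
        uint16 shareBps; // share of the will's ETH in basis points
    }

    struct Will {
        uint256 amount; // ETH deposited for this will
        Status status;
        Beneficiary[] beneficiaries;
    }

    error SharesMustSumTo10000(uint256 total);
    error WillNotActive(uint256 willId);
    error WillExists(uint256 willId);
    error NotOwner();
    error TransferFailed(address to);

    address public immutable owner;
    uint256 public dust; // wei left behind by floor division (EP-04)
    mapping(uint256 => Will) private wills;

    constructor() { owner = msg.sender; }

    function createWill(uint256 willId, Beneficiary[] memory bens) external payable {
        Will storage w = wills[willId];
        if (w.status != Status.None) revert WillExists(willId);
        uint256 total;
        for (uint256 i = 0; i < bens.length; i++) {
            total += bens[i].shareBps;
            w.beneficiaries.push(bens[i]);
        }
        // EP-04: strict equality, not <=, so the will is allocated exactly once
        if (total != BPS_DENOMINATOR) revert SharesMustSumTo10000(total);
        w.amount = msg.value;
        w.status = Status.Active;
    }

    /// "Before": external calls inside the loop, status flipped only afterwards. A beneficiary
    /// contract calls back from receive() while status is still Active and the will pays out twice.
    function executeWillVulnerable(uint256 willId) external {
        Will storage w = wills[willId];
        if (w.status != Status.Active) revert WillNotActive(willId);
        _payOut(w);
        w.status = Status.Executed; // effect after interaction: too late
    }

    /// "After": nonReentrant plus checks-effects-interactions. A re-entrant call now fails twice over:
    /// the guard reverts, and even without it the status check would.
    function executeWill(uint256 willId) external nonReentrant {
        Will storage w = wills[willId];
        if (w.status != Status.Active) revert WillNotActive(willId); // checks
        w.status = Status.Executed;                                   // effects
        _payOut(w);                                                   // interactions
    }

    function _payOut(Will storage w) private {
        uint256 paid;
        for (uint256 i = 0; i < w.beneficiaries.length; i++) {
            // Floor division: a 1001 wei will split 3333/3333/3334 pays 333 three times and leaves 2 wei
            uint256 amount = (w.amount * w.beneficiaries[i].shareBps) / BPS_DENOMINATOR;
            paid += amount;
            (bool ok, ) = w.beneficiaries[i].account.call{value: amount}("");
            if (!ok) revert TransferFailed(w.beneficiaries[i].account);
        }
        dust += w.amount - paid; // never underflows: shares sum to exactly 10000 and each term is floored
    }

    /// EP-04: the owner sweeps only the tracked dust, never the rest of the pool.
    function sweepDust() external {
        if (msg.sender != owner) revert NotOwner();
        uint256 amount = dust;
        dust = 0;
        (bool ok, ) = payable(owner).call{value: amount}("");
        if (!ok) revert TransferFailed(owner);
    }
}

/// Constructed attacker for illustration: a beneficiary that re-enters from its receive() hook once.
contract ReenteringBeneficiary {
    WillPool public immutable target;
    uint256 public immutable willId;
    bool private reentered;

    constructor(WillPool t, uint256 id) { target = t; willId = id; }

    receive() external payable {
        if (!reentered) {
            reentered = true;
            // Against executeWillVulnerable() the will is paid a second time out of the pool.
            // Against executeWill() this reverts with ReentrancyGuardReentrantCall, so the outer call fails too.
            target.executeWillVulnerable(willId);
        }
    }
}
```

Two caveats a reviewer would raise on this shape. First, the state flip alone is what closes the hole; the guard is defence in depth, and both belong in the audited code. Second, paying in a loop means any beneficiary whose receive() reverts (deliberately, or because it is a contract with no payable fallback) blocks the whole will for everyone else; a pull-payment variant, where executeWill() credits balances and beneficiaries withdraw individually, removes that lever and is worth weighing within the planned audit scope.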

EP-05
Large message string allows gas DoS on deployment
LOW FIXED

Resolution: MAX_MESSAGE_LENGTH = 1024 bytes is now enforced. Larger messages should be stored on IPFS with only the content hash kept on-chain.

Security Properties

Responsible Disclosure

To report a security vulnerability, email security@epitaph-agent.xyz. Do not open a public GitHub issue for security vulnerabilities. We aim to respond within 48 hours and patch within 7 days.


EPITAPH PROTOCOL v0.1.0 · epitaph-agent.xyz · GitHub