Security is the primary concern for Helio. We set the highest possible standards for protocol security and user safety
When you participate in Web3 activities such as buying NFTs, investing in DeFi or using payment solutions such as Helio, you are exposed to certain risks. As a Web3 user you can mitigate these risks with best practices. In addition to your personal security, it's our job to help you understand the technical risks of using Helio and how we mitigate them.
Merchant verification & user safety
Helio offers merchant verification (KYC) and various safety tools to help you make & accept payments with peace of mind. Learn more here:
Helio is a decentralised payments protocol, which means funds flow directly from the user to the merchant's wallet. Transactions are secured by the blockchain and can't be reversed. Before purchasing on Helio Pay Links, always check that the merchant can be trusted with our easy to use safety features below.
The Helio payments protocol operates across blockchains including Solana and EVM chains such as Ethereum and Polygon. If the blockchain were to be attacked successfully, the funds on Helio could be at risk. Solana has been audited by Kudelski Security and is a blockchain that operates with a hybrid consensus mechanism (integrating Tower BFT and Proof-of-History).
Smart Contract risks
In Web3, any protocol can potentially be attacked by hackers. They look for loopholes and bugs that allow them to abuse the protocol for their gain. We focus heavily on security and regularly conduct formal audits. The smart contract framework that powers Helio is Audited routinely by Ackee Blockchain, a leader in blockchain security audits and assessments. Their audits allow us to further improve the security standard of our protocol. In addition, we regularly conduct pen-test, and vulnerability tests on our infrastructure.
The Helio Bug Bounty Program is designed to encourage & reward responsible disclosure of any potential vulnerabilities. This system allows us to continually improve our security measures and ensure that remains a trusted payments platform for our merchants and users.
We evaluate reported bugs based on their severity, with rewards allocated on a case by case basis.
The scope of our Bug Bounty Program encompasses vulnerabilities and bugs found in deployed Helio contracts and our blockchain interactions including the code housed within our GitHub repositories.
However, we kindly note that the following areas fall outside of the Program's scope:
Contracts under third-party management and not directly controlled by us
Issues that have already been identified and documented in the audits for the above-mentioned contracts
Bugs found in third-party contracts or applications that make use of our contracts
The Helio app, web interface, or any other materials unrelated to contract functionality
For your submission to be considered for a reward under this Program, the following conditions must be met:
Uncover a previously undisclosed, non-public vulnerability, not known to our team and within the confines of this Program.
Be the first to report this unique vulnerability to [email protected], adhering to our disclosure guidelines.
Furnish enough details to allow our engineers to replicate and rectify the vulnerability.
Refrain from exploiting the vulnerability in any manner, including public disclosure or for any gain (excluding the reward from this Program).
Maintain privacy and confidentiality of the vulnerability, only reporting it privately to us.
Ensure a good faith effort to avert violations of privacy, data destruction, or disruption or degradation of any assets within the scope.
Avoid submitting vulnerabilities caused by an underlying issue that has already been rewarded under this Program.
Engage in lawful and ethical behavior when disclosing the bug, free of threats, demands, or coercion.
Be a minimum of 18 years old. If you're younger, ensure your vulnerability submission is accompanied by parental or guardian consent.
Confirm that you're not a current or former employee, vendor, or contractor who participated in the development of the code related to the bug in question.
Adhere to all the eligibility criteria of the Program.