Audits & Responsible Disclosure
Operator and jurisdiction: BASIS is operated by BASIS DIGITAL INFRASTRUCTURE LTD, a Seychelles IBC (LEI: 254900IX2F2KCWNSSS64).
BASIS documents how its systems are reviewed, how vulnerabilities are reported, and how material changes are disclosed. This includes on-chain components where applicable, custody workflows, platform infrastructure, and the BHLE execution environment used for structural alpha capture. As part of its control framework, BASIS operates within internationally accredited management systems for information security and IT service management, supporting an institutional-grade approach to governance, change control, and operational resilience.
Current audit status
BASIS maintains a continuous security review program across smart contract surfaces, custody controls, platform infrastructure, and the execution stack. Independent external review is combined with internal control testing, remediation tracking, and release gating. This review program operates alongside BASIS's active ISO/IEC 27001:2022 and ISO/IEC 20000-1:2018 certifications, reinforcing a structured approach to security governance, service operations, and controlled change management.
Review scope includes the BHLE execution layer, sub-50μs latency targets, 100K+ OPS throughput assumptions, proprietary routing infrastructure, API authentication, deterministic execution guarantees, and state machine risk controls.
Where BASIS deploys on-chain logic, review scope includes staking token accounting, mint and burn permissions, reward distribution, same-token swap logic, access controls, upgrade paths, and pause conditions.
Review scope includes key generation, storage boundaries, approval workflows, withdrawal controls, segregation of duties, and incident response procedures.
Review scope includes deployment pipelines, secrets handling, monitoring, logging integrity, network controls, penetration testing, backup recovery, and operational resilience.
Audit reports, executive summaries, and remediation notes are published when release does not create unnecessary attack surface. Where redaction is required for operational safety, BASIS will still disclose scope, findings class, and remediation status.
1. Smart contract audits
When BASIS deploys externally accessible contracts, the minimum disclosure standard includes:
independent third-party review
contract scope and version disclosure
severity classification of findings
remediation status and change log
explicit statement when a feature is off-chain and outside contract scope
If a product flow has no user-facing on-chain contract exposure, BASIS states that directly.
2. Infrastructure and operational audits
Security review is not limited to contracts. BASIS also reviews the systems that support deterministic execution and fund safety. These reviews are supported by formal management processes consistent with BASIS's internationally accredited ISO/IEC 27001:2022 and ISO/IEC 20000-1:2018 certifications.
Access control: Least privilege, role separation, approval boundaries
Key management: Generation, storage, rotation, withdrawal authorization
Execution integrity: Deterministic routing behavior, math constraints, state machine checks
API security: Authentication, rate limiting, replay protection, permission scoping
Release management: Staged deployment, rollback paths, change approval, audit trail
Resilience: Monitoring, alerting, incident drills, backup recovery
Certain operational details remain confidential, including venue-level routing specifics and environment-specific security configurations. Policy-level controls, review scope, certification status, and material user-impacting changes remain public.
3. Responsible disclosure
Security contact: [email protected]
If the issue involves legal process, privacy, or sanctions exposure, copy [email protected].
Send an email to [email protected] with the subject line shown below.
Describe the affected component, impact, and reproduction steps. Include logs, transaction hashes, screenshots, or proof-of-concept material where relevant.
Avoid actions that could harm users, degrade service, access private data, or move funds without written authorization.
Wait for triage guidance before expanding testing against production systems.
Timeline commitments
Acknowledgment: Within 2 business days
Initial triage: Within 5 business days
Remediation timeline or next-action update: Within 10 business days
Good-faith researchers who act within this policy, avoid user harm, and report issues privately will be handled through a coordinated disclosure process. BASIS is evaluating a formal bug bounty program as part of its ongoing security roadmap.
4. Transparency and confidentiality
BASIS aims for policy transparency without exposing live attack surfaces.
Publicly disclosable items include:
audit scope
findings categories and remediation status
security policies
material operational changes
incident postmortem summaries where appropriate
publicly verifiable certification status for internationally accredited management systems
Operationally sensitive items that may remain confidential include:
venue allocation details
low-level routing heuristics for structural alpha capture
specific infrastructure topologies
environment-specific hardening details
5. Change control
For any critical change to user-impacting rules or risk controls, BASIS documents:
effective date
rationale
affected systems or products
backward compatibility notes
user action required, if any
At minimum, this applies to changes involving:
fees, including the current baseline of deposit 0%, withdrawal 0.05%, and swap 0.01%
withdrawal processing rules and security holds
staking eligibility or reward accounting
fixed-pool lock-up behavior
same-token 1:1 swap mechanics
execution constraints and risk-trigger logic
Security at BASIS is an ongoing control function. Trust comes from deterministic execution, constrained system design, reviewable changes, evidence-backed operations, and internationally accredited management systems that are publicly verifiable.
6. Certification disclosure
BASIS integrates certification status directly into its security and operational governance model. The active ISO/IEC 27001:2022 certification below provides public evidence that BASIS DIGITAL INFRASTRUCTURE LTD operates an internationally accredited Information Security Management System covering software development, quantitative research systems, associated IT infrastructure, and information security management.
ISO/IEC 27001:2022 certification details
Certificate Number: SC62455E
Standard: ISO/IEC 27001:2022
Status: Active
Last Updated: March 27, 2026
Certified Entity: BASIS DIGITAL INFRASTRUCTURE LTD
Address: Room 306, Victoria House, P.O Box 673, Victoria, Mahe, Seychelles
Scope: The Design and Development of Software and Quantitative Research Systems and the Management of Associated IT Infrastructure and Information Security
Accreditation: IAF (International Accreditation Forum)
Verification
BASIS DIGITAL INFRASTRUCTURE LTD also maintains an active ISO/IEC 20000-1:2018 certification for IT Service Management. Together, these internationally accredited certifications support BASIS's institutional-grade operating model and provide independent confirmation that key information security and service management processes are governed under internationally recognized standards.
Public certification records can be reviewed directly on IAF CertSearch.
Compliance Certifications
BASIS has obtained third-party compliance certifications verifiable through the SE Registrar certificate verification portal.
SOC Compliance Certificate
Certificate ID: 6489581/COC/PK
Certificate Type: Certificate of Compliance
Issuing Authority: SE Registrar
Verification
GDPR Compliance Certificate
Certificate ID: 6489580/COC/PK
Certificate Type: Certificate of Compliance
Issuing Authority: SE Registrar
Verification
These certifications reflect BASIS's commitment to data protection, operational security, and regulatory compliance standards applicable to institutional-grade financial infrastructure.