TrustSecurity & Responsible Disclosure
iArcana is built to keep custody with the user and make signing decisions easier to inspect. Security reports are welcome and handled carefully.
Last updated: June 6, 2026Security principles
- Signing and private-key operations remain on the user's device.
- Recovery phrases, private keys, passwords, vault keys and biometrics are excluded from Mind.
- Transaction reviews expose recipients, amounts, routes, fees and relevant warnings before signing.
- WalletConnect requests and connected dapps are presented for explicit user approval.
Report a vulnerability
Send security reports privately to contact@iarcana.xyz. Include the affected component, clear reproduction steps, impact and any supporting evidence. Do not include private keys, recovery phrases or real user data.
Responsible research
Use test accounts and testnet assets only. Avoid privacy violations, service disruption, social engineering, destructive testing and accessing data that is not yours. Give us reasonable time to investigate before publishing details.
Not a guarantee
Security controls reduce risk but cannot eliminate it. Users remain responsible for device security, credential backups, dapp selection and every transaction they approve.