Security & custody

Built to pass the audit you have not been asked to pass yet.

Meridian operates as a non-custodial protocol. Funds remain in your multisig at all times. Every transaction is co-signed by your organization and verified deterministically against on-chain policy before execution. The system was designed under the assumption that any individual component — including the protocol team — may eventually be untrusted.

01 — Custody model Non-custodial by architecture

Meridian never holds principal.

Funds are held in a multisig wallet controlled by the client. Meridian executes transactions only when an instruction is signed by both the client's quorum and the protocol's policy verifier. There is no Meridian-controlled hot wallet, no rehypothecation, no spread.

Custody typeNon-custodial. Client multisig is sole signer of value-bearing transactions.
Multisig minimum2-of-3 for low-tier policies · 3-of-5 for treasury-wide policies
Hardware supportLedger, Trezor, Fireblocks MPC, Safe{Wallet} on TON
Hot wallet exposureNone. Protocol holds no principal at any time.
SpreadNone. Meridian charges a published basis-point fee per executed instruction.

02 — Audits Independent review

Reviewed by the firms institutional clients already trust.

Meridian smart contracts have been reviewed by Trail of Bits and OtterSec. Operational controls are under SOC 2 Type II review with a Big 4 firm. All audit reports are published in full — including findings the protocol team disagrees with — and re-issued after every contract upgrade.

Audit register PUBLISHED REPORTS

Scope	Firm	Date	Status	Findings
Treasury executor + policy verifier	Trail of Bits	Q1 2026	Resolved	2 medium · 4 informational	Report →
Treasury executor v0.3	OtterSec	Q4 2025	Resolved	1 high · 3 medium · 7 informational	Report →
$MRD vesting + treasury contracts	Trail of Bits	Q1 2026	Final report Q2	—	Status →
SOC 2 Type II — operational	Big 4 (engagement signed)	In progress	Observation period	—	Engagement →
ISO 27001 information security	Schellman	Target Q3 2026	Pre-engagement	—	—

03 — Compliance Sanctions, AML, KYB

Sanctions screeningChainalysis KYT on every counterparty address. OFAC, EU, UK, UN lists screened in real time.
Counterparty KYBSumsub for entity verification. UBO disclosure required for activations > $250k / month.
Travel ruleFATF travel-rule data exchanged for transactions > $1,000 USD equivalent via Notabene.
Suspicious activityFiled via the licensed money-transmitter partner where applicable.

Operating entityMeridian Treasury Ltd. · Cayman Islands · CIMA-acknowledged virtual asset service provider.
US affiliateMeridian Operations Inc. · Delaware C-corp · operations and engineering.
EU affiliateMeridian Treasury OÜ · Estonia · MiCA-aligned posture.
Fiat railsBridge.xyz partner integration · MSB-1042-N1 (illustrative).

04 — Operational security Internal controls

Security treated as a discipline, not a checklist.

The Meridian engineering team operates under controls aligned with SOC 2 and ISO 27001. Production access is segregated, every change is reviewed, every artifact is signed, and every meaningful action — including by the team itself — is logged on-chain.

Production accessBastion-only, hardware-key MFA, just-in-time elevation, full session recording.
Code reviewTwo-reviewer minimum on every merge to production. No solo admin-key holders.
Artifact signingSigstore signatures verified at deploy time. Reproducible builds for the SDK.
Secret managementHSM-backed signing. No long-lived secrets in CI. No secrets in source control.
Vulnerability disclosurePublic bug-bounty program · payouts up to $1,000,000 for critical findings.
Incident response24/7 on-call. RTO 1h, RPO 5m for the policy verifier. Public post-mortems within 14 days.
Status pagestatus.meridian.fi · component-level uptime, signed historical record.

05 — Threat model What we assume can fail

Meridian is designed under explicit, written assumptions.

The protocol's safety properties are stated up front, not implied. Each property is enforced by either contract logic or signed multisig authorization, not by trust in any operator.

Compromised protocol teamCannot move client funds. Cannot modify or front-run executed transactions. Can only propose contract upgrades, which require client multisig sign-off and a 14-day timelock.
Compromised single client signerCannot execute alone. Multisig threshold prevents lone signer action. 24h cooldown on rotating signers.
Compromised RPC / indexerDetectable. Settlement is verified against multiple independent TON nodes; divergence triggers automatic pause.
Compromised price oracleFX rebalancing requires two-source confirmation within tolerance band. Outside tolerance, instructions queue for manual review.
Censorship by a counterpartyOut of scope. Meridian cannot force external acceptance. Failed deliveries are surfaced and refundable per policy.
Regulatory action against an entityOperating entities are jurisdictionally diversified. Protocol logic is not dependent on any single entity remaining operational.

06 — Vulnerability disclosure Reporting a finding

Found something? Tell us before you tell anyone else.

Meridian operates a public bug bounty with payouts of up to $1,000,000 for critical findings in production contracts. Researchers acting in good faith are protected under our safe-harbor policy. We confirm receipt within 24 hours and target initial triage within 72 hours.

REPORT security@meridian.fi · PGP key on file
PROGRAM Immunefi · Meridian protocol →
SCOPE Treasury executor, policy verifier, vesting contract, $MRD jetton

Take the security review to your board.

Request the full security packet — audit reports, threat model, jurisdictional structure, and SOC 2 progress letter — under NDA.

Request the security packet Back to overview