Security and audits
Security in DeFi has two halves. One is the code: has it been reviewed by people who know how to break it? The other is you: can you avoid the scams that target users directly? Frax has a long audit history on the first; this page covers it, and then gives you the habits that handle the second.
The audit history
Frax has been reviewed repeatedly since launch, by several of the better-known firms in the space, and more recently by its own dedicated security group. The table below summarizes the public record. For the audit reports themselves and any work newer than this page, see the official documentation.
| Date | Auditor | Scope |
|---|---|---|
| Nov 2020 | CertiK | Frax (initial protocol) |
| Jun 2021 | Trail of Bits | Frax core |
| Dec 2021 | Trail of Bits | Frax core (Q4) |
| Apr 2022 | Shipyard / Macro | Frax protocol |
| Aug 2022 | Trail of Bits | Fraxswap & FPI |
| Sep 2022 | Code4rena | frxETH |
| Nov 2022 | Trail of Bits | Fraxlend & Fraxferry |
| Jan 2023 | Trail of Bits | Fraxlend & veFPIS |
| Jul 2023 | Trail of Bits | FrxGov (governance) |
| Oct 2023 | Trail of Bits | FXB, sFRAX, frxETH redemption queue, Frax oracles |
| Jan 2024 | Trail of Bits | Fraxtal (then Fraxchain) |
| 2024 | Frax Security Cartel | frxETH V2, Fraxtal, VestedFXS, Flox and more |
| Oct 2024 | Certora | BAMM |
| Mar 2025 | Frax Security Cartel | Fraxtal North Star |
What an audit does and does not mean
An audit is a skilled review at a point in time. A clean report is meaningful evidence of diligence, but it is not a guarantee that code is bug-free, and it does not cover changes made afterward. Read audits as one input into your own risk judgment, alongside the risks page — not as a green light.
Protecting yourself from phishing
Here is an uncomfortable truth: most people who lose crypto are not victims of a contract exploit. They are tricked into handing over access. The attacker does not need to break the code if they can fool the person. These habits prevent the large majority of those losses.
- Never share your seed phrase. No legitimate site, team member or "support" agent will ever ask for it. Anyone who does is stealing from you.
- Check the domain, character by character. Scammers register lookalike domains with swapped or extra letters. Bookmark the real ones and use the bookmark instead of typing or searching.
- Distrust urgency. "Claim now," "your funds are at risk," and countdown timers are pressure tactics. Slow down; urgency is the scam.
- Be wary of wallet connections. Only connect a wallet to applications you trust and reached through a verified link. This information hub never asks you to connect a wallet.
- Ignore unsolicited DMs. Real teams do not message first offering help, airdrops or "audits." Treat every unsolicited offer as hostile.
- Verify contract addresses from official sources. Copy them from the documentation or GitHub, not from a tweet, a reply or a search ad.
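The character-by-character domain check from the list above, automated as an added example that is not part of the original page. The hostnames in `TRUSTED` are constructed placeholders, and the check goes slightly beyond swapped or extra letters by also flagging non-ASCII and punycode hostnames, which can render identically to a real name.

```python
from urllib.parse import urlsplit

# Constructed placeholders, not real project domains: replace them with the
# hostnames you bookmarked from the official documentation.
TRUSTED = ("app.example-protocol.test", "docs.example-protocol.test")


def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, adjacent swap) that turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "exmaple" for "example".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url: str, max_distance: int = 2) -> str:
    """Compare a link's hostname with the bookmarked list before opening it."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    if host in TRUSTED:
        return "trusted"
    # Homoglyphs: non-ASCII letters or punycode labels can render like ASCII.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious: non-ASCII or punycode hostname"
    for good in TRUSTED:
        if edit_distance(host, good) <= max_distance:
            return f"suspicious: lookalike of {good}"
    return "unknown: not in bookmarks"


if __name__ == "__main__":
    for link in ("https://app.example-protocol.test/stake",
                 "https://app.examp1e-protocol.test/claim",   # swapped letter
                 "https://app.example-protocoll.test/claim"):  # extra letter
        print(link, "->", classify(link))
```

Only an exact match returns "trusted"; a hostname that is merely close to a bookmarked one is reported as a lookalike rather than accepted.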
A note on this domain
This site is an information hub published on an authorized alternative domain for regions where the main Frax site is unreachable. It is read-only: there is nothing to sign, connect or approve here. If you ever land on a page using this branding that asks you to connect a wallet or enter a seed phrase, leave — it is not us.
For the official, real-time sources you should bookmark, see the about page, which lists the documentation, GitHub and community channels.