Audit evidence PDF
Security verification summary
Generated by the public audit-evidence workflow. Covers static analysis, source hashing, regression evidence, and triage. Not a formal third-party audit certificate.
QANPlatform testnet demo. No real-value assets or economic value.
Security & Verification
Contract safety evidence, in one place
This page is the trust and transparency hub for qbitmarket contracts. It keeps the plain-language summary, public source, automated security evidence, deployment verification, and live contract addresses together so you do not need to piece them together from technical files.
If the site, your wallet prompt, and Qanscan do not show the same contract target, do not sign.
Deployment report PDF
Deployment manifest and verification
Generated by the deployment pipeline. Records constructor args, initializer calldata, compiler settings, the deployed address matrix, and bytecode verification proof.
What this proves
Public source and ABIs exist for review.
Automated checks run against the public contract package.
Deployment manifests record constructor/init data and bytecode verification inputs.
Known automated-tool findings are documented instead of hidden.
Step 1
Start from public source
The Solidity source, ABI surface, deployment tooling, and publication docs are exported to the public contracts repository so anyone can inspect the exact contract package being published.
Step 2
Build the bundled QAN source deterministically
The deployment pipeline generates bundled contract source and a verification manifest that records constructor args, initializer calldata, compiler settings, and the deployed address matrix.
Step 3
Compare compiled output with deployed code
Bytecode verification recompiles from the manifest, normalizes metadata references, and checks that the resulting runtime bytecode matches the code already deployed on-chain.
Step 4
Cross-check the live addresses yourself
The final step is simple: compare the contract address shown in qbitmarket, in your wallet prompt, and on Qanscan. If those do not line up, cancel the transaction.
Evidence Links
Inspect the proof yourself
The first links are always available. The run-specific links can be filled with the current evidence URLs as rollout environments mature.
Audit evidence PDF
Security verification summary generated by the public audit-evidence workflow. Covers static analysis, source hashing, and regression evidence.
Deployment report PDF
Deployment manifest and verification report generated by the deployment pipeline. Records constructor args, initializer calldata, compiler settings, address matrix, and bytecode proof.
Public contracts repository
Curated public publication surface for source, ABIs, docs, workflows, and release artifacts.
Contract CI workflow
Public compile/test/deployment-script validation workflow for the contract surface.
Contract audit evidence workflow
Public workflow that uploads Slither/Mythril reports, tool versions, and machine-readable evidence artifacts.
Contract operations workflow
Manual deployment and verification workflow surface. Protected environments should gate real deploys.
Latest deployment run
The specific workflow run used as the current deployment evidence reference.
Latest on-chain bytecode verification run
The specific verification run that proves bundled source reproduces the deployed runtime bytecode.
Latest audit evidence bundle
Artifact or release page containing the PDF summary, tool versions, static analysis outputs, audit summary docs, and the verification manifest.
Latest verification manifest
Machine-readable deployment manifest with addresses, constructor args, initializer data, and bytecode metadata.
Live Address Matrix
Contracts currently surfaced by the site
These are the addresses qbitmarket is currently showing in its own config. Open each one on Qanscan and compare it against your wallet prompt before signing.
MarketplacePrimaryProxy
0x9e60006E676780B106758Ab1a46B8e5b8C847fC7
User-facing primary-market proxy address.
MarketplacePrimaryImplementation
0xa2f30757E709e9950f52C4da0359050c997EB3A8
Implementation logic behind the transparent proxy.
MarketplacePrimaryProxyAdmin
0x71FA3c15a55E3979df70B035DAb3bE3f644dBbC6
Upgrade admin. Never the end-user transaction target.
MarketplaceSecondaryERC721
0xc1008aAc6666A9667B6c4598956E58b9F06530A7
ERC-721 listings, offers, and auctions.
MarketplaceSecondaryERC1155
0x57001AA020bc917Cb69866Ed41ED67bA15424228
ERC-1155 listings, offers, and auctions.
CollectionFactory
0xaF0a76423688e2353DEF2A6B75e83DC79aBbEc0A
Creates new ERC-721 and ERC-1155 collection contracts.
PaymentTokenFactory
0xeFc32a82642649Bf3e50cf464E3F1fbFbc0B2A90
Creates payment-token contracts surfaced by the site.
What to compare in your wallet
Check the site origin first: qbitmarket should be running from the expected domain or your trusted local development origin.
Check the network second: qbitmarket currently targets QAN TestNet for these rollout and verification flows.
Check the contract target third: the address in the wallet prompt should match the contract address shown here and on Qanscan for the action you just triggered.
Finally, check the action itself: approval, listing, offer, auction, Buy & Mint, or collection creation should match the button you just clicked. If the action and target do not line up, cancel.
Useful Jump Points