Security
Last updated May 2026
Auspex is a non-custodial client. Every trade you place is signed by your wallet and submitted to the Polymarket CLOB; we never hold your funds and never hold the keys that authorize a transfer.
What this means in practice
- You sign every order. Buy YES / Buy NO / cancel: each goes through your wallet's signature prompt (or, after you derive a CLOB API key, through a credential your wallet authorized once and stored locally).
- Your CLOB credentials live in memory. When you first place a trade, Auspex derives Polymarket API credentials from your wallet signature. Those credentials sit in browser memory for the session. They aren't persisted to localStorage and they aren't shipped to our servers.
- Funds stay on Polygon. Your USDC balance sits in your Polymarket proxy wallet (a smart contract you own). Auspex can read it via the public Polymarket API, but it can't move it without your signature.
Bridging USDC
The Bridge dialog uses Across Protocol to move USDC from any supported chain into Polygon USDC.e. Across is an audited, permissionless bridge with relayer-based settlement. You sign the source-chain transaction in your wallet; the funds land in your Polymarket proxy on Polygon a few minutes later. Auspex doesn't take a cut.
What can still go wrong
This is crypto. There are real failure modes worth knowing about:
- Smart-contract risk. Polymarket's CTF contracts, the Polymarket proxy contract, the Across spoke pool, and Polygon's USDC.e bridge are all third-party systems. They have been audited; they are not invincible.
- Phishing. The connect-wallet flow goes through Privy. If you see a popup from a different provider, that's a phishing site, not us.
- Market resolution. Markets resolve based on UMA (Polymarket's oracle). Disputed resolutions are rare but do happen. We don't control resolution and we don't back-stop bad outcomes.
- Bugs in Auspex. We test, but we're a small team. If you find an issue that puts user funds at risk, please email us before disclosing it publicly (contact in the docs).
Reporting a vulnerability
If you find a security issue that could affect users, please send a description to security [at] auspex.to. We'll respond within 48 hours and credit you (with your permission) in the changelog.