Security
Irys is a Layer-1 programmable datachain. Mainnet launched November 2025. This page documents how to report security issues, how we handle abuse on our network, and how to verify that a site claiming to be Irys is actually Irys.
Reporting a security vulnerability
Found a vulnerability in Irys protocol, infrastructure, or client software? Contact us at security@irys.xyz. We respond within two business days.
We follow standard coordinated disclosure: 90 days from report to public disclosure, with extensions available for complex issues.
Reporting abusive content on the Irys network
Irys is a permissionless data network. Anyone can upload content through uploader.irys.xyz and retrieve it through gateway.irys.xyz. We do not pre-screen uploaded content.
If you have found content hosted via Irys that violates our acceptable use policy (phishing, malware, CSAM, content that violates US law), report it through our abuse reporting form. We action confirmed abuse reports within 24 hours.
For threat-intelligence teams and security vendors
If your threat-intelligence feed has classified an Irys-operated domain or subdomain, contact security@irys.xyz with the specific classification and evidence. We respond within two business days with our assessment and any remediation evidence.
Common context for classifier teams:
uploader.irys.xyzandgateway.irys.xyzare legitimate Irys infrastructure for uploading content to and retrieving content from the Irys datachain.- Because the network is permissionless, third parties have at times uploaded phishing or malware content that resolves through our gateway. We treat this as abuse and remove it on detection. The same dynamic affects IPFS and Arweave gateways.
- Classifying the parent
irys.xyzbased on third-party content uploaded through our gateway harms a legitimate Layer-1 blockchain project. We are happy to provide takedown evidence, server logs, and corporate verification on request.
Subdomain inventory
The following subdomains are operated by Irys. Any other subdomain claiming irys.xyz is not authorized and should be reported to security@irys.xyz.
| Subdomain | Purpose |
|---|---|
irys.xyz | Marketing site, blog, whitepaper |
docs.irys.xyz | Developer documentation |
portal.irys.xyz | Quests and ecosystem hub |
explorer.irys.xyz | Mainnet block explorer |
testnet-explorer.irys.xyz | Testnet block explorer |
uploader.irys.xyz | Content upload endpoint (permissionless; subject to abuse takedown) |
gateway.irys.xyz | Content retrieval gateway (permissionless; subject to abuse takedown) |
node1.irys.xyz and node2.irys.xyz | Production bundling nodes |
devnet.irys.xyz | Devnet endpoint for developers |
testnet-rpc.irys.xyz | EVM JSON-RPC for testnet |
arweave-tools.irys.xyz | Legacy tooling documentation |
Additional operated domains
Beyond the irys.xyz subdomains above, Irys operates the following domains. They are listed here so threat-intelligence teams can correctly attribute them to Irys and distinguish them from impersonators.
| Domain | Status | Purpose |
|---|---|---|
bundlr.network | Active — 301 redirect to irys.xyz | Legacy project domain. Irys was formerly Bundlr Network — same team, same project. Redirects to the current Irys domain (irys.xyz). |
irysnetwork.com | Active | Serves marketing-site assets for irys.xyz (e.g., OpenGraph images). Operated by Irys. |
datasprite-cdn.com | Active | Content-delivery and network infrastructure for the Irys datachain. Permissionless content path — subject to the same abuse-takedown process as gateway.irys.xyz. |
dataspritecdn.com | Registered, not active | Defensive registration. Not currently serving traffic. |
datachain-cdn.com | Registered, not active | Defensive registration. Not currently serving traffic. |
datachaincdn.com | Registered, not active | Defensive registration. Not currently serving traffic. |
datasprite-cdn.com is segmented by environment. The following hostnames (and their wildcard children) are in use:
| Hostname pattern | Purpose |
|---|---|
mainnet-1.datasprite-cdn.com*.mainnet-1.datasprite-cdn.com | Mainnet CDN environment |
devnet-1.datasprite-cdn.com*.devnet-1.datasprite-cdn.com | Devnet CDN environment |
irys-test-1.datasprite-cdn.com*.irys-test-1.datasprite-cdn.com | Testnet CDN environment |
legacy.datasprite-cdn.com*.legacy.datasprite-cdn.com | Legacy CDN environment |
The wildcard children are expected: the content path is permissionless, so individual content can resolve on its own subdomain. Abuse appearing on these hostnames is third-party content and is handled through the takedown process described above.
If dataspritecdn.com, datachain-cdn.com, or datachaincdn.com are later brought into service, they are expected to follow the same mainnet-1 / devnet-1 / irys-test-1 / legacy environment pattern. This inventory and the Last updated date on security.txt will be updated at the time those domains go active.
Known impersonators
The following domains are NOT operated by Irys and have been used in phishing campaigns. Do not interact with them:
irys.vu— confirmed Angel Drainer phishing kitethgasfoundation.app— reported phishing domain impersonating the Irys gateway (served a “gateway.irys.xyz” page title). Flagged by PhishDestroy and multiple VirusTotal vendors; offline as of last check.
To verify a domain belongs to Irys, check our official channels (next section) before connecting a wallet or signing a transaction.
Verification of official Irys channels
The official Irys project operates through the following verified channels:
- Website: irys.xyz
- Documentation: docs.irys.xyz
- GitHub: github.com/Irys-xyz
- X / Twitter: @irys_xyz
- Discord: discord.gg/irys
- Token listings: Coinbase, CoinGecko, CoinMarketCap
The Irys project was previously known as Bundlr Network. The Bundlr team and the Irys team are the same, and bundlr.network is operated by Irys (see Additional operated domains above).
Project legitimacy
For threat-intelligence teams performing due diligence:
- Mainnet launched November 25, 2025 (press release)
- Series A funding led by CoinFund
- Founding team identifiable on LinkedIn and via GitHub commit history
- Token listed on Coinbase, MEXC, tracked by CoinGecko and CoinMarketCap
- Open-source SDK published under MIT license
Acknowledgments
We thank security researchers who responsibly disclose issues affecting Irys.
(No public acknowledgments yet. To responsibly disclose a vulnerability and be listed here, contact security@irys.xyz.)