Status
Phase: live
The protocol is live on Sui mainnet. You can claim places, buy them, expand territory, collect tax — all the core mechanics work. Smart contracts have passed an independent security audit with zero remaining blockers.
Security Audit
An independent security audit covered both on-chain packages (mercatr, mercatr_market) across 13 production modules.
| Metric | Value |
|---|---|
| Total findings | 30 |
| Fixed | 15 |
| Critical / High | 0 remaining |
| Medium | 7 (design-level, non-blocking) |
| Low | 10 |
| Informational | 2 |
| Mainnet blockers | 0 |
All security-critical findings have been resolved:
- LifecycleCap bypass — revoked capabilities could authorize mutations. Fixed: all mutation entrypoints now verify the cap against the authorized set.
- Metadata orphaning — admin removal path skipped metadata cleanup. Fixed: removal now delegates to the full cleanup pipeline.
- Premium inflation via repeated buyouts — reclassified as intentional. The protocol now exposes explicit Bump Price and Drop Price controls, replacing the old second-wallet workaround with first-class owner actions.
The full audit report is public and versioned alongside the code.
What's Live
Everything you need to use merca.earth:
- Claim & trade — register places, buy them from others, get paid when someone buys yours
- Territory ops — expand into unclaimed land, acquire slices from neighbors, rebalance borders, merge places
- Tax collection — earn from smaller places inside your territory, collect before buckets expire
- Premium defense — raise your buyout price to discourage attackers
- Visual layer — name your place, upload artwork, add a description
What This Means For You
- It works. Core mechanics are live — you can claim, buy, sell, expand, and collect tax right now.
- It's audited. Smart contracts passed an independent security audit with zero critical blockers.
- Know the rules. Read Contest Rules & Risks before spending SUI, and Treasury & Admin for who controls what.