
# Audits & Security

Smart contract, frontend, backend and AI agent code were audited by third parties; all reported issues were resolved and the fixes deployed before public launch.

Three major areas covered by the security audit process:

1. Security audit process
   1. Backend/Frontend
   2. Smart contract audit
   3. Strategy

| # | Component                     | Description                                    | Audit Progress | Audited by  |
| - | ----------------------------- | ---------------------------------------------- | -------------- | ----------- |
| 1 | Vault contract                | Token-holding contract                         | DONE           | Hashlock    |
| 2 | NDLP contract                 | LP-token minting contract                      | DONE           | Hashlock    |
| 3 | Cetus Integration contract    | Integration contract with Cetus                | DONE           | Hashlock    |
| 4 | Momentum Integration contract | Integration contract with Momentum             | DONE           | Hashlock    |
| 5 | Backend/Frontend Audit        | All backend, frontend and AI agent code        | DONE           | QuillAudits |
| 6 | AI API Audit                  |                                                | DONE           | QuillAudits |
| 7 | Vault contract                | Token-holding contract                         | DONE           | FailSafe    |
| 8 | NDLP contract                 | LP-token minting contract                      | DONE           | FailSafe    |
| 9 | Momentum Integration contract | Integration contract with Momentum             | DONE           | FailSafe    |

View the full audit reports here:

{% file src="/files/hnhNUwNLZT8KPjCIZczp" %}

{% file src="/files/Pg1o9iWgctXjwbYYf7PT" %}

{% file src="/files/TmxgHYqAxEchEJskxVBr" %}

{% file src="/files/bOeR4ZHX5hNuyB7007No" %}

{% file src="/files/eIRzeUSICvrOkiBXmdUi" %}

{% file src="/files/7bNmHesZaK1iTctwlvTe" %}

{% file src="/files/eis4RJPBzF1OFW5tEA1q" %}

{% file src="/files/i06Oxn52baTJRvUF6ivz" %}

{% file src="/files/jfwPO4mpocX0u8OOyRTy" %}

Post-launch, we will maintain regular security checks and audits to ensure continued platform safety.

## 1. External Audits

### 1.1. Smart contracts

Frequency: Mandatory before each major release deployment

Implementation Process:

* Auditor Selection: Prioritize firms with DeFi experience
* Preparation: Provide complete codebase, documentation, test cases, deployment scripts
* Process:
  * Depends on the audit firm
  * Final report with severity classification (Critical/High/Medium/Low)
* Follow-up: Fix all Critical/High issues, re-audit if necessary

### 1.2. Application

Frequency: Quarterly

#### 1.2.1. Backend API Security:

* Authentication/Authorization: API key management
* Input Validation: SQL injection, NoSQL injection, command injection testing
* Rate Limiting: API abuse testing, brute force protection
* Business Logic Flaws: Privilege escalation, workflow bypass attempts

#### 1.2.2. Frontend Security:

* XSS Testing: Reflected, Stored, DOM-based XSS in all input fields
* CSRF Protection: Verify anti-CSRF tokens and SameSite cookies
* Content Security Policy: Validate CSP headers effectiveness
* Authentication Flow: Session management

#### 1.2.3. Specific DeFi Focus:

* Vault Logic Testing: Deposit limits, emergency withdrawals
* Transaction Manipulation: Attempt to manipulate deposit/withdrawal amounts

### 1.3. Infrastructure

Frequency: Every 6 months

Implementation Process:

* Cloud Security Assessment:
  * Review policies and permissions
  * Network security groups, VPC configuration
  * Storage policies, database access controls
  * Logging & monitoring setup validation
* Container Security:
  * Image vulnerability scanning
  * Runtime security policies
  * Secrets management in containers
* CI/CD Pipeline Security:
  * Source code repository access controls
  * Build environment security
  * Deployment permissions & approval workflows
  * Secrets injection mechanisms

## 2. Internal Audits

### 2.1. Code Review Security

Frequency: Continuous (every PR)

Mandatory Security Checklist for each PR:

* Complete input validation
* Sensitive data not logged
* Error handling doesn't leak information
* Rate limiting for new endpoints
* Database queries parameterized

SAST Tools Integration:

* Detect hardcoded private keys/secrets
* Identify unsafe arithmetic operations
* Flag missing access controls

-> Merge is blocked while any flagged issue remains

### 2.2. AI System Security

Frequency: Monthly

#### 2.2.1. AI Execution Monitoring

Real-time Status Tracking

* Health Check Logs:
  * Monitor AI service availability with regular health checks
  * Track API response times and system latency
  * Monitor resource utilization (CPU, memory, network)
  * Implement automated service restart on failures
* Execution Status:
  * Track whether AI decisions are being executed or skipped
  * Monitor decision execution latency and success rates
  * Log execution failures with detailed error information
  * Implement decision queuing and retry mechanisms
* Performance Metrics:
  * Log processing time for each AI decision cycle
  * Monitor memory usage and garbage collection patterns
  * Track system load and resource bottlenecks
  * Implement performance alerts and auto-scaling
* Error Tracking:
  * Capture and categorize all AI system exceptions
  * Implement error severity levels and escalation procedures
  * Track error patterns and root cause analysis
  * Maintain error resolution documentation

Vault Information Monitoring

* Position Changes:
  * Log all vault position modifications triggered by AI decisions
  * Track position entry and exit points with timestamps
  * Monitor position size changes and exposure levels
  * Implement position reconciliation checks
* Balance Tracking:
  * Monitor vault balance changes before and after AI decisions
  * Track asset allocation changes and rebalancing events
  * Implement balance reconciliation with external sources
  * Alert on unexpected balance discrepancies
* Transaction Validation:
  * Verify AI-initiated transactions are executed correctly
  * Compare intended vs. actual transaction outcomes
  * Monitor transaction fees and slippage
  * Implement transaction replay capabilities for debugging

#### 2.2.2. AI Decision Output Validation

Request/Response Logging

* Input Parameters:
  * Log all parameters sent to AI (market data, vault state, risk parameters)
  * Capture data timestamps and source information
  * Track parameter changes and their impact on decisions
  * Implement parameter validation and sanitization
* Decision Output:
  * Capture AI recommendations (buy/sell/hold, quantities, prices)
  * Log decision confidence scores and reasoning metadata
  * Track decision timing and execution delays
  * Implement decision format validation
* Execution Results:
  * Track actual execution versus AI recommendations
  * Monitor execution slippage and market impact
  * Log execution success/failure rates
  * Implement execution quality metrics

Output Accuracy Assessment

* Decision Verification:
  * Compare AI output against predefined business rules
  * Validate decision logic consistency
  * Implement rule-based decision validation
  * Track rule violation rates and patterns
* Constraint Validation:
  * Ensure AI decisions respect position limits and risk parameters
  * Validate compliance with regulatory requirements
  * Implement automatic constraint enforcement
  * Log constraint violations and corrective actions
* Consistency Checks:
  * Validate decision logic consistency across similar market conditions
  * Track decision pattern variations and anomalies
  * Implement decision similarity scoring
  * Alert on inconsistent decision patterns
* Performance Tracking:
  * Measure AI decision accuracy over time
  * Track profitability and risk-adjusted performance
  * Implement performance benchmarking
  * Generate performance attribution reports
* Backtesting Results:
  * Regular validation against historical performance data
  * Track backtesting methodology and parameter settings
  * Monitor backtesting accuracy and prediction quality
  * Implement backtesting result validation and verification
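
The rule-based decision verification and constraint validation described above, as an added example that is not NODO's own code. The decision fields, limit names and rule wording are assumptions chosen for illustration; the page only names the categories of checks.

```python
"""Rule-based validation of an AI agent decision before execution.

Added example, not NODO code: the decision/limit fields and rule wording are
assumptions; the page only names the categories of checks.
"""
from dataclasses import dataclass

@dataclass
class RiskLimits:
    max_position_usd: float   # cap on the vault position after the trade
    max_trade_usd: float      # cap on a single order's notional
    min_confidence: float     # decisions below this confidence are skipped
    max_price_dev: float      # allowed deviation from the reference price (fraction)

@dataclass
class Decision:
    action: str               # "buy", "sell" or "hold"
    quantity: float
    price: float
    confidence: float

@dataclass
class VaultState:
    position_usd: float
    reference_price: float    # price from the validated data feed

def validate_decision(d: Decision, v: VaultState, lim: RiskLimits) -> list:
    """Return the violated rules; an empty list means the decision may execute."""
    if d.action not in ("buy", "sell", "hold"):
        return [f"format: unknown action {d.action!r}"]
    if d.action == "hold":
        return []
    if d.quantity <= 0 or d.price <= 0:
        return ["format: quantity and price must be positive"]
    violations = []
    if d.confidence < lim.min_confidence:
        violations.append(f"confidence {d.confidence:.2f} below {lim.min_confidence:.2f}")
    notional = d.quantity * d.price
    if notional > lim.max_trade_usd:
        violations.append(f"trade notional {notional:.0f} exceeds {lim.max_trade_usd:.0f}")
    new_pos = v.position_usd + (notional if d.action == "buy" else -notional)
    if new_pos > lim.max_position_usd:
        violations.append(f"resulting position {new_pos:.0f} exceeds {lim.max_position_usd:.0f}")
    if new_pos < 0:
        violations.append("sell exceeds current position")
    dev = abs(d.price - v.reference_price) / v.reference_price
    if dev > lim.max_price_dev:
        violations.append(f"price deviates {dev:.1%} from reference")
    return violations
```

The executor logs every non-empty result as a constraint violation and skips the decision; the same function doubles as the decision-format validator because malformed output is rejected before any limit is consulted.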

#### 2.2.3. Data Source Validation & Tracking

API Response Monitoring

* Data Feed Validation:
  * Log all API calls to price feeds with response details
  * Capture response times, data freshness, and completeness
  * Monitor for API failures, timeout errors, and rate limiting
  * Track data source reliability scores and uptime metrics
* Response Quality Assessment:
  * Validate API response formats and data integrity
  * Monitor for missing or corrupted data fields
  * Implement data quality scoring mechanisms
  * Track data provider SLA compliance

Input Data Verification

* Price Data Validation:
  * Compare prices across multiple sources for consistency
  * Log price deviations and outliers with severity levels
  * Track data latency and staleness metrics
  * Validate price format and implement range checks
* Market Data Tracking:
  * Monitor trading volume and liquidity metrics
  * Track order book depth and spread data
  * Log market volatility indicators and trend analysis
  * Capture external market events affecting decisions
* Data Lineage Tracking:
  * Track data flow from sources through AI processing
  * Maintain audit trail of data transformations
  * Implement data versioning and historical tracking
  * Monitor data pipeline performance and bottlenecks

### 2.3. Data Service

Frequency: Bi-weekly

Data Integrity Checks:

* Price sanity checks
* Volume validation
* Liquidity checks
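
The multi-source price comparison, staleness tracking and range checks from 2.2.3, together with the price sanity checks listed above, as one added example that is not NODO's own code. The source names, thresholds and quote format are assumptions for illustration.

```python
"""Multi-source price consistency and staleness check.

Added example, not NODO code: source names, thresholds and the quote format
are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import median

@dataclass
class Quote:
    source: str
    price: float
    ts: float          # unix seconds when the source published the price

@dataclass
class Finding:
    source: str
    severity: str      # "WARN" or "CRITICAL"
    reason: str

def check_prices(quotes, now, max_age=30.0, warn_dev=0.005, crit_dev=0.02,
                 price_range=(0.0, float("inf"))):
    """Return (consensus_price, findings); consensus is None without two fresh, sane quotes."""
    findings, fresh = [], []
    lo, hi = price_range
    for q in quotes:
        if not (lo < q.price < hi):           # range check: reject impossible prices first
            findings.append(Finding(q.source, "CRITICAL", f"price {q.price} outside {price_range}"))
        elif now - q.ts > max_age:            # staleness check
            findings.append(Finding(q.source, "WARN", f"stale by {now - q.ts:.0f}s"))
        else:
            fresh.append(q)
    if len(fresh) < 2:
        findings.append(Finding("*", "CRITICAL", "fewer than two fresh sources; no consensus"))
        return None, findings
    consensus = median(q.price for q in fresh)   # robust to a single bad source
    for q in fresh:                               # deviation check with severity levels
        dev = abs(q.price - consensus) / consensus
        if dev > crit_dev:
            findings.append(Finding(q.source, "CRITICAL", f"deviates {dev:.2%} from consensus"))
        elif dev > warn_dev:
            findings.append(Finding(q.source, "WARN", f"deviates {dev:.2%} from consensus"))
    return consensus, findings
```

A CRITICAL finding for any source feeding the AI agent should hold the decision cycle until the feed is re-validated, since a single stale or manipulated quote is the input most likely to push the agent into a bad position.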

Database Security:

* Query Performance: Monitor for suspicious query patterns
* Backup Integrity: Test backup restoration procedures
* Access Control Review: Verify least privilege principles

Monitoring Setup:

* Real-time API response time monitoring
* Data freshness alerts (stale data detection)
* Error rate thresholds and alerting
* Suspicious access pattern detection

## 3. Continuous Monitoring

Frequency: Real-time Security Monitoring (24/7)

Smart Contract Monitoring:

* Large Withdrawals: Alert if single withdrawal > $100k
* Emergency Pause Events: Immediate alert if emergency functions triggered
* Failed Transactions: Pattern detection for repeated failures
* Gas Price Anomalies: Alert if gas usage deviates >50% from normal

Authentication Anomalies:

* Impossible Travel: Logins from two distant locations within a short time frame
* New Device Logins: Alert when login from unrecognized devices
* Privilege Escalation: Alert when user role changes

Transaction Pattern Analysis:

* Suspicious Patterns: High-frequency micro transactions
* Liquidity Manipulation: Large deposits followed by immediate withdrawals
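
The smart-contract and transaction-pattern rules above, run over a constructed event stream, as an added example that is not NODO's own monitoring code. The $100k and 50% thresholds come from the page; the event format, baseline gas figure, ten-minute window, 90% ratio and failure streak of three are assumptions.

```python
"""Detection rules for the on-chain monitoring alerts above (added example, not NODO code).
The $100k and 50% thresholds are from the page; the event format, baseline gas,
10-minute window, 90% ratio and failure streak of 3 are assumptions.
"""
from collections import defaultdict

LARGE_WITHDRAWAL_USD = 100_000
GAS_DEVIATION = 0.50
WASH_WINDOW_S = 600   # "deposit followed by immediate withdrawal" window (assumed)
WASH_RATIO = 0.9      # withdrawal must return at least 90% of the deposit (assumed)
FAIL_STREAK = 3       # consecutive failures per account before alerting (assumed)

def scan_events(events, baseline_gas):
    """events: dicts sorted by ts with keys ts, kind, account, amount_usd, gas, ok.
    Returns (rule, account, ts) alerts in the order they fire."""
    alerts, last_deposit, fails = [], {}, defaultdict(int)
    for e in events:
        acct, ts = e["account"], e["ts"]
        if e["kind"] == "emergency_pause":          # immediate alert, no other checks
            alerts.append(("emergency_pause", acct, ts))
            continue
        if not e.get("ok", True):                   # repeated-failure pattern
            fails[acct] += 1
            if fails[acct] == FAIL_STREAK:
                alerts.append(("repeated_failures", acct, ts))
            continue
        fails[acct] = 0
        if abs(e["gas"] - baseline_gas) / baseline_gas > GAS_DEVIATION:
            alerts.append(("gas_anomaly", acct, ts))
        if e["kind"] == "deposit":
            last_deposit[acct] = (ts, e["amount_usd"])
        elif e["kind"] == "withdraw":
            if e["amount_usd"] > LARGE_WITHDRAWAL_USD:
                alerts.append(("large_withdrawal", acct, ts))
            dep = last_deposit.get(acct)
            if dep and ts - dep[0] <= WASH_WINDOW_S and e["amount_usd"] >= WASH_RATIO * dep[1]:
                alerts.append(("deposit_then_withdraw", acct, ts))
    return alerts
# Constructed sample stream (not real chain data); baseline gas assumed to be 1000
SAMPLE_EVENTS = [
    {"ts": 0,   "kind": "deposit",  "account": "0xa", "amount_usd": 200_000, "gas": 1000, "ok": True},
    {"ts": 120, "kind": "withdraw", "account": "0xa", "amount_usd": 190_000, "gas": 1050, "ok": True},
    {"ts": 300, "kind": "withdraw", "account": "0xb", "amount_usd": 1_000,   "gas": 1700, "ok": True},
    {"ts": 400, "kind": "withdraw", "account": "0xc", "amount_usd": 500,     "gas": 900,  "ok": False},
    {"ts": 410, "kind": "withdraw", "account": "0xc", "amount_usd": 500,     "gas": 900,  "ok": False},
    {"ts": 420, "kind": "withdraw", "account": "0xc", "amount_usd": 500,     "gas": 900,  "ok": False},
    {"ts": 500, "kind": "emergency_pause", "account": "admin"},
    {"ts": 900, "kind": "withdraw", "account": "0xa", "amount_usd": 50_000,  "gas": 980,  "ok": True},
]
```

Each alert tuple is the minimum a dashboard or pager needs to place the event on the security incident timeline; the emergency-pause rule fires before any other check so a triggered pause is never masked by a failed transaction.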

Dashboard Requirements:

* Real-time transaction volume & success rates
* Active vault positions & risk metrics
* Security incident timeline
* Network health metrics (latency, throughput)

