# Audits & Security

The smart contract, frontend, backend and AI agent code was audited by third parties; all reported issues were resolved and the fixes deployed before public launch.

Three major security areas:

1. Security audit process
   1. Backend/Frontend
   2. Smart contract audit
   3. Strategy

| # | Contract                      | Description                                    | Audit Progress | Audited by  |
| - | ----------------------------- | ---------------------------------------------- | -------------- | ----------- |
| 1 | Vault contract                | Hold Token contract                            | DONE           | Hashlock    |
| 2 | NDLP contract                 | mint LP token contract                         | DONE           | Hashlock    |
| 3 | Cetus Integration contract    | Integration contract with Cetus                | DONE           | Hashlock    |
| 4 | Momentum Integration contract | Integration contract with Momentum             | DONE           | Hashlock    |
| 5 | Backend/Frontend Audit        | All Backend, Frontend codes and AI Agent codes | DONE           | QuillAudits |
| 6 | AI API Audit                  |                                                | DONE           | QuillAudits |
| 7 | Vault contract                | Hold Token contract                            | DONE           | FailSafe    |
| 8 | NDLP contract                 | mint LP token contract                         | DONE           | FailSafe    |
| 9 | Momentum Integration contract | Integration contract with Momentum             | DONE           | FailSafe    |

View the full audit reports here:

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2F5nCaNok1D8HtZDUAbKmg%2FNodo%20-%20Momentum%20Integration%20-%20FailSafe%20Security%20Report.pdf?alt=media&token=11fd2c87-1916-457f-abe1-41752ca57628" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2FNa4bMyvXKxMeXGwvjjyD%2FNodo%20-%20Vault%20and%20Integration%20-%20FailSafe%20Security%20Report.pdf?alt=media&token=350d9c31-12ac-4bc7-a349-cb6823dbc61c" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2F7XkFeaNgGsT41nOXy3Av%2FNodo%20-%20NDLP%20Token%20-%20FailSafe%20Security%20Report.pdf?alt=media&token=55e16643-7323-47b9-b5d8-8aad83c0dca0" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2FXW4h4C68wy9whpHWRuib%2FFull%20review%20all%20contracts.pdf?alt=media&token=51919363-b8ea-4d33-8ead-4db81d08e3d4" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2FkWNYRWjCfnuTe2psHcdH%2FHold%20Token%20contract.pdf?alt=media&token=839a2f55-5be6-41a4-bed0-452d8155d70a" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2F0Qc02tHKhesuXjCKhOPs%2FIntegration%20contract%20with%20Cetus.pdf?alt=media&token=a829625c-d247-4229-9fc6-7f74e41db6ea" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2F3A59FIVS47JmvIHtQ5TZ%2FIntegration%20contract%20with%20Momentum.pdf?alt=media&token=3111f8c4-e1cf-4d55-8dbc-d1f463b03de3" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2FKqx3TjRMW8qZIVe6X0Ht%2Fmint%20LP%20token%20contract.pdf?alt=media&token=e942cfc0-ae6e-46d4-92f2-8b4703fc69c2" %}

{% file src="https://3997691425-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsZU3ifvnopym8fKjJ9G%2Fuploads%2FJzxBEwLi5s6W6fIGK6OE%2FNodo%20AI%20Agent%20Pentest%20Report%20-%20QuillAudits.pdf?alt=media&token=f06eb1e4-d93e-4399-858e-0497bd5658fa" %}

Post-launch, we will maintain regular security checks and audits to ensure continued platform safety.

## 1. External Audits

### 1.1. Smart contracts

Frequency: Mandatory before each major release deployment

Implementation Process:

* Auditor Selection: Prioritize firms with DeFi experience
* Preparation: Provide complete codebase, documentation, test cases, deployment scripts
* Process:
  * Depends on the audit firm
  * Final report with severity classification (Critical/High/Medium/Low)
* Follow-up: Fix all Critical/High issues, re-audit if necessary

### 1.2. Application

Frequency: Quarterly

#### 1.2.1. Backend API Security

* Authentication/Authorization: API key management
* Input Validation: SQL injection, NoSQL injection, command injection testing
* Rate Limiting: API abuse testing, brute force protection
* Business Logic Flaws: Privilege escalation, workflow bypass attempts

#### 1.2.2. Frontend Security

* XSS Testing: Reflected, Stored, DOM-based XSS in all input fields
* CSRF Protection: Verify anti-CSRF tokens and SameSite cookies
* Content Security Policy: Validate CSP headers effectiveness
* Authentication Flow: Session management

#### 1.2.3. Specific DeFi Focus

* Vault Logic Testing: Deposit limits, emergency withdrawals
* Transaction Manipulation: Attempt to manipulate deposit/withdrawal amounts

### 1.3. Infrastructure

Frequency: Every 6 months

Implementation Process:

* Cloud Security Assessment:
  * Review policies and permissions
  * Network security groups, VPC configuration
  * Storage policies, database access controls
  * Logging & monitoring setup validation
* Container Security:
  * Image vulnerability scanning
  * Runtime security policies
  * Secrets management in containers
* CI/CD Pipeline Security:
  * Source code repository access controls
  * Build environment security
  * Deployment permissions & approval workflows
  * Secrets injection mechanisms

## 2. Internal Audits

### 2.1. Code Review Security

Frequency: Continuous (every PR)

Mandatory Security Checklist for each PR:

* Complete input validation
* Sensitive data not logged
* Error handling doesn't leak information
* Rate limiting for new endpoints
* Database queries parameterized

SAST Tools Integration:

* Detect hardcoded private keys/secrets
* Identify unsafe arithmetic operations
* Flag missing access controls

-> Block merge if issues exist

### 2.2. AI System Security

Frequency: Monthly

#### 2.2.1. AI Execution Monitoring

Real-time Status Tracking

* Health Check Logs:
  * Monitor AI service availability with regular health checks
  * Track API response times and system latency
  * Monitor resource utilization (CPU, memory, network)
  * Implement automated service restart on failures
* Execution Status:
  * Track whether AI decisions are being executed or skipped
  * Monitor decision execution latency and success rates
  * Log execution failures with detailed error information
  * Implement decision queuing and retry mechanisms
* Performance Metrics:
  * Log processing time for each AI decision cycle
  * Monitor memory usage and garbage collection patterns
  * Track system load and resource bottlenecks
  * Implement performance alerts and auto-scaling
* Error Tracking:
  * Capture and categorize all AI system exceptions
  * Implement error severity levels and escalation procedures
  * Track error patterns and root cause analysis
  * Maintain error resolution documentation

Vault Information Monitoring

* Position Changes:
  * Log all vault position modifications triggered by AI decisions
  * Track position entry and exit points with timestamps
  * Monitor position size changes and exposure levels
  * Implement position reconciliation checks
* Balance Tracking:
  * Monitor vault balance changes before and after AI decisions
  * Track asset allocation changes and rebalancing events
  * Implement balance reconciliation with external sources
  * Alert on unexpected balance discrepancies
* Transaction Validation:
  * Verify AI-initiated transactions are executed correctly
  * Compare intended vs. actual transaction outcomes
  * Monitor transaction fees and slippage
  * Implement transaction replay capabilities for debugging

#### 2.2.2. AI Decision Output Validation

Request/Response Logging

* Input Parameters:
  * Log all parameters sent to AI (market data, vault state, risk parameters)
  * Capture data timestamps and source information
  * Track parameter changes and their impact on decisions
  * Implement parameter validation and sanitization
* Decision Output:
  * Capture AI recommendations (buy/sell/hold, quantities, prices)
  * Log decision confidence scores and reasoning metadata
  * Track decision timing and execution delays
  * Implement decision format validation
* Execution Results:
  * Track actual execution versus AI recommendations
  * Monitor execution slippage and market impact
  * Log execution success/failure rates
  * Implement execution quality metrics

Output Accuracy Assessment

* Decision Verification:
  * Compare AI output against predefined business rules
  * Validate decision logic consistency
  * Implement rule-based decision validation
  * Track rule violation rates and patterns
* Constraint Validation:
  * Ensure AI decisions respect position limits and risk parameters
  * Validate compliance with regulatory requirements
  * Implement automatic constraint enforcement
  * Log constraint violations and corrective actions
* Consistency Checks:
  * Validate decision logic consistency across similar market conditions
  * Track decision pattern variations and anomalies
  * Implement decision similarity scoring
  * Alert on inconsistent decision patterns
* Performance Tracking:
  * Measure AI decision accuracy over time
  * Track profitability and risk-adjusted performance
  * Implement performance benchmarking
  * Generate performance attribution reports
* Backtesting Results:
  * Regular validation against historical performance data
  * Track backtesting methodology and parameter settings
  * Monitor backtesting accuracy and prediction quality
  * Implement backtesting result validation and verification

#### 2.2.3. Data Source Validation & Tracking

API Response Monitoring

* Data Feed Validation:
  * Log all API calls to price feeds with response details
  * Capture response times, data freshness, and completeness
  * Monitor for API failures, timeout errors, and rate limiting
  * Track data source reliability scores and uptime metrics
* Response Quality Assessment:
  * Validate API response formats and data integrity
  * Monitor for missing or corrupted data fields
  * Implement data quality scoring mechanisms
  * Track data provider SLA compliance

Input Data Verification

* Price Data Validation:
  * Compare prices across multiple sources for consistency
  * Log price deviations and outliers with severity levels
  * Track data latency and staleness metrics
  * Validate price format and implement range checks
* Market Data Tracking:
  * Monitor trading volume and liquidity metrics
  * Track order book depth and spread data
  * Log market volatility indicators and trend analysis
  * Capture external market events affecting decisions
* Data Lineage Tracking:
  * Track data flow from sources through AI processing
  * Maintain audit trail of data transformations
  * Implement data versioning and historical tracking
  * Monitor data pipeline performance and bottlenecks
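The price data validation described above (multi-source consistency, deviation severity levels, staleness and range checks), as an added example that is not part of the project's code. Source labels, thresholds and quotes are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class PriceSample:
    source: str   # feed label (constructed, not a real provider)
    price: float
    ts: int       # unix seconds when the feed produced the quote

# Assumed thresholds for illustration; the page does not fix these values.
MAX_AGE_S = 30                 # quote older than this is stale
PRICE_RANGE = (0.0, 1e9)       # exclusive sanity bounds
WARN_BPS, CRIT_BPS = 50, 200   # deviation from consensus, basis points

def validate_prices(samples, now):
    """Return (consensus_price, findings); consensus is None if too few usable feeds."""
    findings, usable = [], []
    for s in samples:
        if not (PRICE_RANGE[0] < s.price < PRICE_RANGE[1]):      # range check
            findings.append(("CRITICAL", s.source, "out_of_range"))
        elif now - s.ts > MAX_AGE_S:                              # staleness check
            findings.append(("HIGH", s.source, f"stale_{now - s.ts}s"))
        else:
            usable.append(s)
    if len(usable) < 2:                                           # no cross-check possible
        findings.append(("CRITICAL", "*", "insufficient_sources"))
        return None, findings
    ref = median(s.price for s in usable)   # median is robust to a single bad feed
    for s in usable:
        dev_bps = abs(s.price - ref) / ref * 10_000
        if dev_bps > CRIT_BPS:
            findings.append(("CRITICAL", s.source, f"deviation_{dev_bps:.0f}bps"))
        elif dev_bps > WARN_BPS:
            findings.append(("MEDIUM", s.source, f"deviation_{dev_bps:.0f}bps"))
    return ref, findings

def run_demo():
    """Constructed snapshot: two agreeing DEX quotes, one outlier, one stale, one corrupt."""
    now = 1_700_000_000
    samples = [
        PriceSample("dex_a", 1.000, now - 5),
        PriceSample("dex_b", 1.002, now - 10),
        PriceSample("oracle_c", 1.050, now - 3),    # ~479 bps off consensus
        PriceSample("dex_d", 0.990, now - 120),     # stale quote
        PriceSample("bad_e", 0.0, now - 1),         # corrupted field
    ]
    return validate_prices(samples, now)
```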

### 2.3. Data Service

Frequency: Bi-weekly

Data Integrity Checks:

* Price sanity checks
* Volume validation
* Liquidity checks

Database Security:

* Query Performance: Monitor for suspicious query patterns
* Backup Integrity: Test backup restoration procedures
* Access Control Review: Verify least privilege principles

Monitoring Setup:

* Real-time API response time monitoring
* Data freshness alerts (stale data detection)
* Error rate thresholds and alerting
* Suspicious access pattern detection

## 3. Continuous Monitoring

Frequency: Real-time Security Monitoring (24/7)

Smart Contract Monitoring:

* Large Withdrawals: Alert if single withdrawal > $100k
* Emergency Pause Events: Immediate alert if emergency functions triggered
* Failed Transactions: Pattern detection for repeated failures
* Gas Price Anomalies: Alert if gas usage deviates >50% from normal
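The four smart contract monitoring rules above, applied to a constructed stream of vault transaction events, as an added example that is not the project's monitoring code. The $100k and 50% thresholds come from the list; the failure-count window, the minimum gas baseline size, the event field names and the emergency function names are assumptions.

```python
from collections import defaultdict, deque
from statistics import median

LARGE_WITHDRAWAL_USD = 100_000          # from the page
GAS_DEVIATION = 0.50                    # from the page: >50% off normal
FAIL_COUNT, FAIL_WINDOW_S = 3, 300      # assumed: 3 failures from one sender in 5 min
MIN_GAS_SAMPLES = 5                     # assumed baseline size before gas rule fires
EMERGENCY_FUNCS = {"emergency_pause", "emergency_withdraw"}   # assumed names

class VaultMonitor:
    def __init__(self):
        self.gas_history = defaultdict(list)   # function -> gas_used of successful calls
        self.failures = defaultdict(deque)     # sender -> timestamps of failed txs

    def process(self, ev):
        """Evaluate one event dict; return list of (severity, rule, subject) alerts."""
        alerts, fn = [], ev["function"]
        if fn in EMERGENCY_FUNCS:                                   # immediate alert
            alerts.append(("CRITICAL", "emergency_function", ev["digest"]))
        if fn == "withdraw" and ev["success"] and ev["amount_usd"] > LARGE_WITHDRAWAL_USD:
            alerts.append(("HIGH", "large_withdrawal", ev["digest"]))
        if not ev["success"]:                                       # repeated-failure pattern
            q = self.failures[ev["sender"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW_S:
                q.popleft()
            if len(q) >= FAIL_COUNT:
                alerts.append(("MEDIUM", "repeated_failures", ev["sender"]))
        hist = self.gas_history[fn]                                 # gas anomaly vs. baseline
        if len(hist) >= MIN_GAS_SAMPLES:
            base = median(hist)
            if abs(ev["gas_used"] - base) / base > GAS_DEVIATION:
                alerts.append(("MEDIUM", "gas_anomaly", ev["digest"]))
        if ev["success"]:
            hist.append(ev["gas_used"])
        return alerts

def constructed_events():
    """Constructed sample stream: five normal deposits, then one trigger per rule."""
    mk = lambda i, ts, snd, fn, usd, gas, ok: {"digest": f"tx-{i}", "ts": ts, "sender": snd,
                                              "function": fn, "amount_usd": usd, "gas_used": gas, "success": ok}
    evs = [mk(i, 1_000 + i, "0xa11ce", "deposit", 5_000, 1_000, True) for i in range(5)]
    evs += [mk(5, 1_010, "0xa11ce", "deposit", 5_000, 1_600, True),        # gas 60% above baseline
            mk(6, 1_020, "0xb0b", "withdraw", 150_000, 1_200, True),       # large withdrawal
            mk(7, 1_030, "0xadmin", "emergency_pause", 0, 900, True)]      # emergency function
    evs += [mk(8 + i, 1_040 + 10 * i, "0xeve", "withdraw", 10, 500, False) for i in range(3)]
    return evs

def run_demo():
    mon, alerts = VaultMonitor(), []
    for ev in constructed_events():
        alerts.extend(mon.process(ev))
    return alerts
```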

Authentication Anomalies:

* Impossible Travel: Login from 2 distant locations in short timeframe
* New Device Logins: Alert when login from unrecognized devices
* Privilege Escalation: Alert when user role changes

Transaction Pattern Analysis:

* Suspicious Patterns: High-frequency micro transactions
* Liquidity Manipulation: Large deposits followed by immediate withdrawals

Dashboard Requirements:

* Real-time transaction volume & success rates
* Active vault positions & risk metrics
* Security incident timeline
* Network health metrics (latency, throughput)
