SECURITY AUDITS & ATTESTATIONS

INDEPENDENT VERIFICATION OF SMART CONTRACT SECURITY AND PLATFORM INFRASTRUCTURE

1. Smart contract audit

Field | Detail
Auditor | CertiK (engagement pending)
Scope | KibovVault.sol (ERC-4626), KibovAssetToken.sol (ERC-3643 compliant), CreditVault.sol
Status | ENGAGEMENT IN PROGRESS
Expected completion | Q3 2026

Preliminary scope includes:

  • Access control and role-based permission verification
  • Reentrancy and flash loan attack surface analysis
  • NAV oracle manipulation resistance testing
  • Withdrawal timelock bypass attempt testing
  • ERC-4626 inflation attack vector assessment (virtual offset implementation)
  • Gas optimization review

Upon completion, the full audit report will be published at this location and referenced on-chain via IPFS CID.
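
The virtual offset named in the scope list can be modelled off-chain to see what that assessment checks. This is an added example, not code from KibovVault.sol or from the audit: it assumes the virtual shares/assets formulas used by OpenZeppelin's ERC4626, a decimals offset of 3, and constructed amounts, and every name in it is hypothetical.

```python
# Integer model of ERC-4626 share accounting, with and without a virtual offset.
# Constructed example: the amounts, the offset of 3 and all names are assumptions.


class VaultModel:
    def __init__(self, decimals_offset=None):
        # None models a vault with no virtual shares/assets (unmitigated).
        self.offset = decimals_offset
        self.total_assets = 0
        self.total_supply = 0

    def _virtual(self):
        # (virtual shares, virtual assets) added to both sides of the ratio.
        return (0, 0) if self.offset is None else (10 ** self.offset, 1)

    def convert_to_shares(self, assets):
        if self.offset is None and self.total_supply == 0:
            return assets  # empty vault without offset bootstraps 1:1
        v_shares, v_assets = self._virtual()
        return assets * (self.total_supply + v_shares) // (self.total_assets + v_assets)

    def convert_to_assets(self, shares):
        v_shares, v_assets = self._virtual()
        return shares * (self.total_assets + v_assets) // (self.total_supply + v_shares)

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)  # rounds down, as in ERC-4626
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets):
        # Direct token transfer to the vault: assets rise, no shares are minted.
        self.total_assets += assets


def scenario(decimals_offset, seed=1, donation=10_000, deposit=10_000):
    vault = VaultModel(decimals_offset)
    first = vault.deposit(seed)      # first depositor seeds the empty vault
    vault.donate(donation)           # share price is inflated by a direct transfer
    later = vault.deposit(deposit)   # a later depositor enters at that price
    return {
        "later_shares": later,
        "later_redeemable": vault.convert_to_assets(later),
        "first_redeemable": vault.convert_to_assets(first),
        "first_spent": seed + donation,
    }


if __name__ == "__main__":
    print("no offset:", scenario(None))
    print("offset 3: ", scenario(3))
```

Without the offset the later deposit rounds down to zero shares; with it, the later depositor's rounding loss is a couple of units and the first depositor can redeem less than the seed plus donation cost.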

2. Infrastructure security

2.1 Key management

  • All signing operations executed via OpenZeppelin Defender (AWS KMS-backed)
  • No private keys stored in application code or environment variables
  • Hardware wallet (Ledger) required for Gnosis Safe multisig operations

2.2 Monitoring & circuit breakers

  • Tenderly real-time transaction monitoring with automated pause triggers
  • 1% NAV deviation circuit breaker (on-chain)
  • 48-hour withdrawal timelock (on-chain)
  • Upstash Redis rate limiting at edge layer

2.3 Custody model

  • Non-custodial: investors retain wallet signing authority at all times
  • Platform treasury managed via 3-of-5 Gnosis Safe multisig

3. Third-party attestations

Provider | Service | Status
CertiK | Smart contract audit | In progress
Chainalysis | Sanctions oracle | Active
OpenZeppelin | Defender key management | Active
Tenderly | Transaction monitoring | Active
Privy | Identity & wallet auth | Active

4. On-chain verification

Contract address (Base Sepolia): 0xadf424091b032a6ddad11ac718380532bf480dca

Verification: BaseScan verified (when published for the deployment).

Source code: Public where deployed and verified.

All NAV updates are recorded on-chain with corresponding IPFS CID references for data provenance verification.


Point-in-time audits and attestations do not guarantee future security. See also Smart contract risk and Technology risk.
