Security & Audits

Toros is built on the dHEDGE protocol. The smart contracts that power Toros vaults have been covered by multiple independent security audits, and the protocol maintains active bug bounty programs.

No publicly known exploits or security incidents have affected dHEDGE or Toros.

Audit Timeline

For the full dHEDGE security documentation, see docs.dhedge.org/security.

Perpetual Options Audit (Flat Money)

Toros Perpetual Options use Flat Money contracts at the smart contract level. The perpetual options contracts have been audited independently through a Sherlock private audit contest.

Flat Money also maintains an active bug bounty on Sherlock with rewards up to $50,000.

Bug Bounty

dHEDGE maintains an active bug bounty program on Immunefi.

Scope

PoolFactory-linked contracts on all supported chains (Ethereum, Polygon, Optimism, Base, Arbitrum). Includes vault implementation contracts (PoolLogic, PoolManagerLogic), contract and asset guards, and price aggregator contracts.

Requirements

• Proof of concept required

• Testing must use local forks (no mainnet or testnet)

• Rewards paid in USDC

Vault Permissions

Toros vault managers can only interact with whitelisted contracts and assets. This prevents unauthorized transactions with depositor funds. New protocol integrations are added through DAO-governed whitelisting.

Smart Contract Risk

Toros products interact with multiple DeFi protocols. Each integration introduces additional smart contract risk:

• Aave — used by money market-based leveraged tokens and yield vaults for lending and borrowing

• GMX — used by perpetuals-based leveraged tokens and 1x tokens for futures positions

• Flat Money — provides the smart contracts powering Toros Perpetual Options, which underpin Protected Leveraged Tokens, Covered Call, and Short Volatility strategies

Users should evaluate their risk tolerance before depositing, considering that a vulnerability in any underlying protocol could affect Toros products that depend on it.