# Security & Audits

Toros is built on the dHEDGE protocol. The smart contracts that power Toros vaults have been covered by multiple independent security audits, and the protocol maintains active bug bounty programs.

No publicly known exploits or security incidents have affected dHEDGE or Toros.

## Audit Timeline

| Date     | Auditor  | Toros Relevance                                                            | Report                                                                                                                                                                                                              |
| -------- | -------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Sep 2025 | Sherlock | Vault core, Aave V3 and yield strategy integrations                        | [PDF](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ff03kK69OTEEthfwi6VoC%2Fuploads%2FoacAphKLdPdHKiU9sPIw%2FSherlock%20Audit%20%E2%80%93%20mStable%20Pendled%20sUSDe%20\(via%20dHEDGE\).pdf) |
| Jan 2025 | Santipu  | Aave V3 lending loops (used by leveraged tokens and yield vaults)          | [GitHub](https://github.com/santipu03/santipu03/blob/main/private-audits/dHEDGE_Aave.md)                                                                                                                            |
| Jan 2025 | Santipu  | GMX perpetual futures integration (used by leveraged tokens and 1x tokens) | [GitHub](https://github.com/santipu03/santipu03/blob/main/private-audits/dHEDGE_GMX.md)                                                                                                                             |
| Oct 2024 | Santipu  | Single-asset withdrawal logic (used when exiting Toros vaults)             | [GitHub](https://github.com/santipu03/santipu03/blob/main/private-audits/dHEDGE_SAW.md)                                                                                                                             |
| Jun 2024 | Sherlock | Vault core contracts and protocol integrations                             | [PDF](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ff03kK69OTEEthfwi6VoC%2Fuploads%2Fo3epQZwV9tbnGp8EclE2%2FSherlock%20dhedge-audit-report.pdf)                                              |
| Jul 2021 | CertiK   | V2 core contracts (foundation of current Toros infrastructure)             | [CertiK](https://skynet.certik.com/projects/dhedge)                                                                                                                                                                 |

For the full dHEDGE security documentation, see [docs.dhedge.org/security](https://docs.dhedge.org/security).

## Perpetual Options Audit (Flat Money)

Toros Perpetual Options use [Flat Money](https://flat.money) smart contracts. The perpetual options contracts have been audited independently through a Sherlock private audit contest.

| Date     | Auditor                    | Scope                                  | Report                                                                                                                                                                                                                                                                       |
| -------- | -------------------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Jan 2025 | Sherlock (private contest) | Flat Money perpetual options contracts | [PDF](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6jxnGsSeYJfPRFFT97Bn%2Fuploads%2FM9i0snPCGjtRP5KASAyw%2F2025.03.07%20-%20Final%20-%20Flat%20Money%20Private%20Audit%20Contest%20Report.pdf?alt=media\&token=3b2e2ebf-ac03-44af-923a-1d124393d749) |

Flat Money also maintains an active bug bounty on [Sherlock](https://audits.sherlock.xyz/bug-bounties/1) with rewards up to $50,000.

## Bug Bounty

dHEDGE maintains an active bug bounty program on [Immunefi](https://immunefi.com/bug-bounty/dhedge/).

| Severity | Reward                                             |
| -------- | -------------------------------------------------- |
| Critical | $2,000 to $50,000 (0.1% of affected funds, capped) |
| High     | $1,000                                             |

### Scope

The scope covers PoolFactory-linked contracts on all supported chains (Ethereum, Polygon, Optimism, Base, Arbitrum). This includes vault implementation contracts (PoolLogic, PoolManagerLogic), contract and asset guards, and price aggregator contracts.

### Requirements

* Proof of concept required
* Testing must use local forks (no mainnet or testnet)
* Rewards paid in USDC

## Vault Permissions

Toros vault managers can only interact with whitelisted contracts and assets. This prevents unauthorized transactions with depositor funds. New protocol integrations are added through DAO-governed whitelisting.

## Smart Contract Risk

Toros products interact with multiple DeFi protocols. Each integration introduces additional smart contract risk:

* **Aave** — used by money market-based leveraged tokens and yield vaults for lending and borrowing
* **GMX** — used by perpetuals-based leveraged tokens and 1x tokens for futures positions
* **Flat Money** — provides the smart contracts powering [Toros Perpetual Options](https://docs.toros.finance/options-strategies/perpetual-options), which underpin Protected Leveraged Tokens, Covered Call, and Short Volatility strategies

Users should evaluate their risk tolerance before depositing, considering that a vulnerability in any underlying protocol could affect Toros products that depend on it.
