Superform has been reviewed by multiple independent security firms across both core and periphery contracts. The protocol enforces security at multiple layers: onchain Merkle verification for keeper operations, timelocked governance updates, circuit-breaker PPS validation, role-based access control, and continuous invariant monitoring.

Audits

v2-core

| Auditor | Date | Report |
| --- | --- | --- |
| Orion Security | August 2025 | Report |
| Cantina Competition | June 2025 | Report |
| Node Security | May 2025 | Report |
| Cantina Code | April 2025 | Report |
| Sujith Somraaj | March 2025 | Report |

v2-periphery

| Auditor | Date | Report |
| --- | --- | --- |
| Octane Security | November 2025 | Report |
| 0xMacro | November 2025 | Report |
| GetRecon | November 2025 | Report |
| Cantina Code | June 2025 | Report |

All critical properties and invariants are tested through the GetRecon invariant suite using both Echidna and Medusa across >100 million runs, and continuously monitored through Tenderly.

Security Model

Dual Merkle Hook Validation

All keeper operations are gated by a dual Merkle tree system. A hook can only execute if the exact combination of hook address + parameters matches a leaf in one of two onchain roots:

| Root | Controlled By | Timelock | Scope |
| --- | --- | --- | --- |
| Global hooks root | SuperGovernor (governance) | 15 minutes | Protocol-wide hooks without beneficiary-specific arguments |
| Strategy hooks root | Curator (primary strategist) | 7 days | Vault-specific hooks including beneficiary-specific arguments |

Both roots support guardian veto; guardians can block malicious root updates before they take effect.

PPS Oracle Security

Price-per-share updates pass through multiple validation layers before acceptance:
  1. ECDSAPPSOracle validates EIP-712 signatures, quorum (≥ 2/3 weighted stake), and nonce binding
  2. SuperVaultAggregator checks future timestamps, pause state, and staleness
  3. Strategy-level checks enforce monotonicity, rate limiting, deviation bounds, dispersion thresholds, and upkeep balance
Strategies are automatically paused when:
  • PPS dispersion exceeds threshold (high standard deviation among validator submissions)
  • PPS deviation is too large (absolute change from current onchain value)
  • Validator participation rate falls below minimum
  • Updates are stale beyond the configured window

Access Controls

| Role | Permission |
| --- | --- |
| SuperGovernor | Protocol governance with strategy-level overrides; updates global hook root |
| Primary Strategist | Full vault control: hook whitelisting, fees, deposit/redemption processing |
| Secondary Strategists | Day-to-day operations, everything except hook whitelisting and fees |
| Guardians | Threat monitoring network; veto powers for hook root updates |
| Validators | $UP stakers that attest to PPS updates; subject to slashing for misreporting |

Timelock Protections

| Change Type | Timelock |
| --- | --- |
| Primary strategist updates | 7 days |
| Strategy hooks root | 7 days |
| Global hooks root | 15 minutes |
| Fee configuration changes | 7 days |
| Emergency withdrawal activation | 7 days |
| Post-unpause skim | 12 hours |

Emergency Controls

  • Strategy Pausing — Both primary and secondary managers can pause strategies immediately. Unpausing marks PPS as stale until a fresh oracle update is posted.
  • Banned Hook Leaves — Individual Merkle leaves can be banned without regenerating the entire tree. This provides an immediate block on specific hook + parameter combinations.
  • Guardian Veto — Guardians can veto both global and strategy hook root updates, providing rapid response to detected threats.
  • Emergency Withdrawals — Managers can perform emergency withdrawals by adding hooks to the strategy hooks root and executing them.
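
The gating described under Dual Merkle Hook Validation and Banned Hook Leaves can be sketched as follows. This is an added example, not Superform's contract code. Its assumptions are SHA-256 as a stand-in for the onchain hash, a hypothetical leaf encoding, a sorted-pair tree layout, and constructed addresses and parameters.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Stand-in hash (assumption); EVM contracts would use keccak256.
    return hashlib.sha256(data).digest()

def leaf(hook: str, params: bytes) -> bytes:
    # Hypothetical leaf encoding: 0x00 tag || 20-byte hook address || parameters.
    return h(b"\x00" + bytes.fromhex(hook[2:]) + params)

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing with a 0x01 tag so inner nodes never collide with leaves.
    return h(b"\x01" + min(a, b) + max(a, b))

def build(leaves):
    """Return every tree level, leaves first; an unpaired node is promoted unchanged."""
    levels = [sorted(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, lf):
    """Collect the sibling hashes on the path from leaf lf to the root."""
    proof, idx = [], levels[0].index(lf)
    for level in levels[:-1]:
        if (idx ^ 1) < len(level):
            proof.append(level[idx ^ 1])
        idx //= 2
    return proof

def verify(root, lf, proof):
    for sibling in proof:
        lf = pair(lf, sibling)
    return lf == root

def hook_allowed(hook, params, proof, global_root, strategy_root, banned):
    """Allow only an exact (hook, params) leaf under either root, unless banned."""
    lf = leaf(hook, params)
    if lf in banned:  # a banned leaf is refused even though its proof still verifies
        return False
    return verify(global_root, lf, proof) or verify(strategy_root, lf, proof)

# Constructed sample data: placeholder hook addresses and parameter bytes.
SWAP, TRANSFER = "0x" + "22" * 20, "0x" + "33" * 20
G_LEVELS = build([leaf(SWAP, b"pool=X"), leaf(SWAP, b"pool=Y")])
S_LEVELS = build([leaf(TRANSFER, b"to=treasury"), leaf(TRANSFER, b"to=ops"),
                  leaf(SWAP, b"pool=Z")])
G_ROOT, S_ROOT = G_LEVELS[-1][0], S_LEVELS[-1][0]
```

Because the parameters are hashed into the leaf, a proof issued for one beneficiary does not verify for any other. Adding a leaf hash to `banned` blocks that one combination while both roots stay unchanged.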