Audit & Security
Last updated: 2026-05-06 · Public Beta
STATUS: Internal review only. No third-party audit yet. A formal audit will be commissioned before exiting beta. Treat early TVL conservatively.
Internal review summary
- 0 critical, 0 high, 2 medium, 5 low, 7 informational findings — all resolved or accepted.
- Slither static analysis run on all 7 contracts.
- 25 Hardhat unit tests covering vault accounting, margin, liquidation, and EIP-712 settlement.
- OpenZeppelin contracts pinned to 5.0.2 (Solidity 0.8.23 compatible).
Deployed contracts
All contracts are on XDC Mainnet (chainId 50). Verify the source and bytecode on XDCScan before interacting; note that XDCScan displays addresses with the `xdc` prefix in place of `0x`, so the addresses below will appear there as `xdc…` with the same 40 hex characters.
| Contract | Address |
|---|---|
| PRFI Token | 0xF2A04Be3c2187b47bc9B476a6A7af19356Be96b3 |
| USDC (test, MockUSDC) | 0xd09a6AeD9bfBe2fdf11bdaF1557d0E53d6182c3A |
| Vault | 0x8f7fBdfBEEABe46296BDb48FF019Ac66E02E27f9 |
| Oracle | 0x88fc3F29b8F550Cdf0dB9FFa047AB09d9b9B8e47 |
| PerpEngine | 0xEf4D632a481ad179c61F68D39E805bb6500CCa8B |
| OrderBookSettlement | 0x9e22077ea6c8bdf1DA5F58BD7809D3c7C2020D81 |
| Staking | 0x24cCcDd01d97bFd01540102AB1D5975c499bE645 |
Operational security
- Operator key (hot): its on-chain permissions are limited to pushing oracle prices and settling off-chain matched orders. It cannot pause the system, cannot grant roles, and cannot withdraw from the insurance fund.
- Admin key: controls pause/unpause, parameter updates, and role grants. It will be migrated to a multisig before significant TVL is accepted; until then, a single compromised admin key can pause the protocol and change risk parameters, which is the main trust assumption during beta.
- Server hardening: SSH key-only authentication, fail2ban, unattended security updates, modern TLS, strict CSP, daily encrypted database backups (14-day retention).
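The operator/admin split described above, as an added illustration written for this page in Solidity against OpenZeppelin 5.0.2. It is not the deployed Oracle or PerpEngine source: the contract name, storage layout, and the per-update price-move cap are assumptions, and the off-chain settlement path is omitted (it would sit behind the same `onlyRole(OPERATOR_ROLE) whenNotPaused` gate as `pushPrice`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.23;

// OpenZeppelin 5.0.2 paths (Pausable moved to utils/ in v5).
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Illustrative sketch of the operator/admin split, not the deployed code.
///         Names, storage layout and the price-move cap are assumptions.
contract RoleSplitSketch is AccessControl, Pausable {
    using SafeERC20 for IERC20;

    bytes32 public constant OPERATOR_ROLE = keccak256("OPERATOR_ROLE");

    IERC20 public immutable collateral;          // vault collateral token (assumed)
    mapping(bytes32 => uint256) public price;    // marketId => last pushed price (assumed layout)
    uint256 public maxPriceMoveBps = 1_000;      // 10% per update, admin-tunable (assumed parameter)

    event PricePushed(bytes32 indexed marketId, uint256 price);

    constructor(address admin, address operator, IERC20 collateral_) {
        collateral = collateral_;
        _grantRole(DEFAULT_ADMIN_ROLE, admin);   // pause, parameters, role grants
        _grantRole(OPERATOR_ROLE, operator);     // hot key: price pushes (and settlement) only
    }

    // ---- hot-key surface: blocked while paused ----

    function pushPrice(bytes32 marketId, uint256 newPrice)
        external
        onlyRole(OPERATOR_ROLE)
        whenNotPaused
    {
        require(newPrice != 0, "zero price");
        uint256 old = price[marketId];
        if (old != 0) {
            // Cap per-update movement so a leaked hot key cannot post an arbitrary
            // price and trigger mass liquidations in a single call.
            uint256 diff = newPrice > old ? newPrice - old : old - newPrice;
            require(diff * 10_000 <= old * maxPriceMoveBps, "price move exceeds cap");
        }
        price[marketId] = newPrice;
        emit PricePushed(marketId, newPrice);
    }

    // ---- admin-only surface: the operator key has no path to any of these ----

    function pause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _pause();
    }

    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _unpause();
    }

    function setMaxPriceMoveBps(uint256 bps) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(bps <= 10_000, "bps above 100%");
        maxPriceMoveBps = bps;
    }

    /// @dev Insurance-fund movement is the concrete reason the hot key must never hold admin.
    function withdrawInsurance(address to, uint256 amount) external onlyRole(DEFAULT_ADMIN_ROLE) {
        collateral.safeTransfer(to, amount);
    }

    // grantRole/revokeRole are inherited from AccessControl and gated by
    // getRoleAdmin(role), which defaults to DEFAULT_ADMIN_ROLE: the operator
    // cannot promote itself or add a second operator.
}
```

The check a reviewer can run against the deployed contracts without trusting this page: call `hasRole(0x00, <operator>)` (DEFAULT_ADMIN_ROLE is `bytes32(0)`) and expect `false`, and call `getRoleAdmin(keccak256("OPERATOR_ROLE"))` and expect `0x00`, so that only the admin can grant or revoke the operator role. Whether price pushes should also stop while paused is a design choice: it is safe here only because liquidations are paused as well.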
Reporting vulnerabilities
If you discover a security bug, please do not exploit it. Email security@xdctrade.xyz with details (affected contract or endpoint, reproduction steps, and impact). Bounties are paid case-by-case during beta. See also our Risk Disclosure.