Our Approach
Security is foundational to Tori Finance. We employ a defense-in-depth strategy with multiple layers of protection, partnering with industry-leading security providers to safeguard protocol assets. Our security philosophy: trust but verify. Every critical component is independently audited, monitored, and attested.

Security Partners
We work exclusively with established, reputable security providers:

- Sherlock - Smart Contract Audits: Comprehensive audits with ongoing bug bounty coverage
- Hypernative - Real-Time Monitoring: AI-powered 24/7 threat detection and prevention
- Accountable - Proof of Reserves: Independent, real-time reserve attestations
Smart Contract Security
Audits
All Tori smart contracts are audited by Sherlock, a leading smart contract security platform protecting over $50 billion in assets across Web3.

| What's Audited | Description |
|---|---|
| Core Protocol | Main protocol contracts and logic |
| Staking Contracts | strUSD staking and unstaking |
| Access Control | Administrative functions and permissions |
| Integrations | Third-party integrations and bridges |
Bug Bounty Program
We maintain an active bug bounty program through Sherlock to incentivize responsible disclosure of potential vulnerabilities. How it works:

- Security researchers can report vulnerabilities for rewards
- Severity-based payouts for valid findings
- Responsible disclosure process
- Quick response to reported issues
Real-Time Monitoring
Hypernative Protection
Hypernative provides AI-powered threat detection with comprehensive monitoring:

| Capability | Description |
|---|---|
| 24/7 Surveillance | Continuous automated monitoring of all protocol activity |
| Anomaly Detection | AI identifies unusual patterns that may indicate threats |
| Instant Alerting | Immediate notifications on suspicious activity |
| Proactive Prevention | Automated response to detected threats |
| Risk Scoring | Continuous assessment of protocol risk levels |
What We Monitor
- Smart contract interactions
- Large or unusual transactions
- Governance activities
- Known attacker addresses
- Protocol parameter changes
- External dependencies
Proof of Reserves
Accountable Attestations
Accountable provides real-time, independent attestations on reserves and financials. This transparency enables anyone to verify the backing of trUSD at any time. What's attested:

- Total assets under management
- Liability coverage ratio
- Reserve fund status, and more
Why This Matters
Unlike traditional finance, where you trust institutions with your assets, Tori's Proof of Reserves allows cryptographic verification:

- Independent - Third-party attestation, not self-reported
- Real-time - Continuous verification, not periodic
- Verifiable - Anyone can check at any time
- Transparent - Full visibility into backing
Asset Security & Custody
All assets are held in institutional-grade secure custody:

On-Chain Assets
| Security Layer | Implementation |
|---|---|
| Audited Contracts | All contracts audited by tier-1 firms |
| Multi-Signature | Critical operations require multiple approvals |
| Time Locks | Delays on sensitive parameter changes |
| Access Control | Role-based permissions for all functions |
Off-Chain Assets
| Security Layer | Implementation |
|---|---|
| Institutional Custodians & Partners | Qualified, vetted counterparties |
| Segregated Accounts | Protocol reserves separate from operations |
| Counterparty Standards | Rigorous due diligence on all partners |
| Geographic Diversification | Reduce single-point-of-failure risk |
Protocol reserves are never commingled with operational funds. All assets are held with qualified custodians, institutional partners, or through regulated instruments.
Operational Security
Our team follows strict operational security practices:

Access Control
| Practice | Description |
|---|---|
| Multi-Factor Authentication | Required for all team access |
| Hardware Security Modules | For key management and signing |
| Principle of Least Privilege | Minimal access for each role |
| Regular Access Reviews | Periodic audits of access rights |
Incident Response
| Phase | Actions |
|---|---|
| Detection | Automated monitoring and alerting |
| Assessment | Rapid triage and severity classification |
| Containment | Immediate steps to limit impact |
| Remediation | Fix underlying issues |
| Communication | Transparent updates to users |
| Post-Mortem | Analysis and preventive measures |
Responsible Disclosure
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly:

Email: [email protected]

What to Include
When reporting, please provide:

- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)
Our Commitment
- Acknowledge receipt within 24 hours
- Provide updates on remediation progress
- Credit reporters (if desired) after fixes are deployed
- No legal action against good-faith researchers
Continuous Improvement
Security is an ongoing process. Our approach:

| Practice | Description |
|---|---|
| Ongoing Audits | Regular reviews as the protocol evolves |
| Bug Bounty | Incentivize white-hat discovery of issues |
| 24/7 Monitoring | Real-time threat detection and response |
| Industry Best Practices | Stay current with security developments |
While we employ extensive security measures, no system can guarantee perfect security. Audits are point-in-time assessments, and new challenges can emerge. This is why we use multiple layers of protection. See Risk Disclosures for more information.
Next Steps
- Audit Reports - View detailed security audit reports
- Contracts - View contract addresses
- Backing Details - How trUSD is backed
- Risk Disclosures - Understand all the risks