Security
Centrifuge has best-in-class security process, with highlights including
- 16 security reviews to date for the Centrifuge protocol.
- Launched on mainnet in 2019, 0 exploits.
- Extensive invariant test suite.
The protocol codebase is fully immutable, and any emergency functions are locked behind a 72-hour timelock.
Security reviews
Protocol
| Auditor | Scope | Date | Engagement | Report |
|---|---|---|---|---|
| Macro | Merkle Proof Manager | June 2025 | Security review | Public soon |
| Electisec | Spoke/Vaults | June 2025 | Security review | Public soon |
| Spearbit | V3.0 | May 2025 | Security review | Public soon |
| burraSec | Gateway | May 2025 | Security review | Report |
| xmxanuel | V3.0 | May 2025 | Security review | Report |
| Alex the Entreprenerd | V3.0 | Apr 2025 | Review + invariant testing | Report |
| burraSec | Gateway | Apr 2025 | Security review | Part 1 Part 2 |
| xmxanuel | V3.0 | Mar 2025 | Security review | Report |
| Spearbit | V2.1 | Feb 2025 | Security review | Report |
| Recon | V2.0 | Jan 2025 | Invariant testing | Report |
| Spearbit | V2.0 | July 2024 | Security review | Report |
| Spearbit | Morpho integration | June 2024 | Security review | Report |
| Alex the Entreprenerd | V2.0 | Mar - Apr 2024 | Review + invariant testing | Part 1 Part 2 |
| Spearbit | V1.0 | Oct 2023 | Security review | Report |
| SRLabs | V1.0 | Sep 2023 | Security review | Report |
| Code4rena | V1.0 | Sep 2023 | Competitive audit | Report |
Operational securitiy
The core team contributing to Centrifuge has completed an operational security review with OPSEK.
Bug bounty
Centrifuge runs an active bug bounty program, available on https://centrifuge.io/security.