
Audits

This page documents the third-party security audits conducted on appeX Protocol smart contracts, explains what audits cover and why they matter, and provides links to completed reports.

Why Audits Matter

Smart contracts manage real capital. Unlike bugs in traditional software, a smart contract bug can cause immediate and irreversible loss of funds, because on-chain state changes cannot be rolled back. A single vulnerability in the vault contract, NAV calculation logic, or staking mechanics could compromise LP deposits.

Third-party audits provide independent review of contract code by security researchers who specialize in finding vulnerabilities. Auditors examine the code from an adversarial perspective: how could an attacker exploit this logic to steal funds, manipulate pricing, or game reward distributions?

No audit can guarantee the absence of all vulnerabilities. Audits are one layer in a defense-in-depth approach that also includes the bug bounty program, gradual deployment, and conservative initial parameters.

Audit Status

Info: Audit reports will be published here as they are completed. This section will be updated with auditor name, scope, findings summary, and a direct link to the full report.

Planned Audit Scope

(Diagram: planned audit scope)

The following smart contracts are within the planned scope for security audits. Final scope will be confirmed with the selected auditor(s):

| Contract | Function |
|---|---|
| Vault Contract | USDC deposits, LP token minting/burning, NAV management, utilization enforcement |
| Staking Contract | $APPEX staking positions, LP token locking, cap enforcement, reward distribution |
| $APPEX Token Contract | ERC-20 implementation, governance capabilities |
| Fee Distribution Contract | Protocol fee splits, DEX conversion logic, staker distributions |
| NAV Calculation Logic | Accrual mechanics, share pricing |

What Audits Cover

Each audit is expected to evaluate the following categories. These represent the most common vulnerability classes in DeFi smart contracts:

  • Logic errors. Incorrect state transitions, calculation errors, edge case failures. For example: does the NAV calculation handle the case where all advances default simultaneously? Does share pricing remain correct when the vault has zero deposits?
  • Access control. Unauthorized function calls, privilege escalation, missing authorization checks. For example: can a non-approved address draw capital from the vault? Can a non-admin change protocol parameters?
  • Reentrancy. Cross-function and cross-contract reentrancy vulnerabilities. For example: can a malicious contract exploit a callback during deposit or redemption to manipulate vault state?
  • Oracle manipulation. NAV calculation integrity, staleness protections, and price feed dependencies. For example: can an attacker manipulate the DEX price during a protocol fee conversion to extract value?
  • Economic attacks. Flash loan exploits, sandwich attacks, front-running opportunities. For example: can an attacker use a flash loan to temporarily inflate NAV and redeem at an artificially high price?
  • Gas optimization. Excessive gas usage that could make critical functions prohibitively expensive or cause out-of-gas reverts during high-activity periods.
  • Rounding and precision. Arithmetic rounding errors that could accumulate over many transactions and cause significant NAV drift or reward miscalculations.
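The logic-error, rounding and economic-attack questions above are easiest to see in a concrete share-accounting model. The following Python script is an added example written for this page; it is not appeX Protocol code, and the vault's real NAV accounting, asset units and share decimals are assumptions here. It models a vault that prices shares off total assets (NAV) and total shares, with and without the "virtual offset" mitigation (the shape used by OpenZeppelin's ERC-4626), and runs three checks an auditor would script: the first-depositor inflation attack (an attacker seeds the vault, donates to skew the share price, and the victim's deposit rounds down to zero shares), the zero-NAV edge case (shares outstanding, all advances written off), and a deposit-then-redeem fuzz that must never profit. All amounts are constructed inputs.

```python
"""
Share-accounting model of a deposit vault, added as an illustration for this
page. Not appeX Protocol code: NAV accounting, units and share decimals are
assumptions, and every amount below is a constructed input.
"""
from dataclasses import dataclass, field
from typing import Optional

USDC = 10 ** 6  # 1 USDC in 6-decimal base units (assumed asset)


@dataclass
class Vault:
    """Prices shares off total_assets (the NAV) and total_shares.

    virtual_shares / virtual_assets implement the virtual-offset mitigation:
    the vault behaves as if it already held virtual_assets backing
    virtual_shares. (0, 0) is the naive accounting the attack below exploits.
    """
    virtual_shares: int = 0
    virtual_assets: int = 0
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def to_shares(self, assets: int) -> int:
        """Shares minted for assets; rounds DOWN so depositors never get extra."""
        if self.total_shares + self.virtual_shares == 0:
            return assets  # bootstrap 1:1 when nothing has been minted yet
        return assets * (self.total_shares + self.virtual_shares) // (
            self.total_assets + self.virtual_assets)

    def to_assets(self, shares: int) -> int:
        """Assets paid for shares; rounds DOWN so redemptions never overpay."""
        return shares * (self.total_assets + self.virtual_assets) // (
            self.total_shares + self.virtual_shares)

    def deposit(self, who: str, assets: int) -> int:
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def redeem(self, who: str, shares: int) -> int:
        assert self.balances.get(who, 0) >= shares, "insufficient shares"
        assets = self.to_assets(shares)
        self.balances[who] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        return assets

    def donate(self, assets: int) -> None:
        """Value that raises NAV without minting shares (direct transfer)."""
        self.total_assets += assets

    def write_down(self, assets: int) -> None:
        """NAV loss without burning shares (e.g. advances defaulting)."""
        self.total_assets -= assets


def naive_vault() -> Vault:
    return Vault()


def hardened_vault() -> Vault:
    # decimals offset of 6: 1e6 virtual shares backed by 1 virtual asset unit
    return Vault(virtual_shares=10 ** 6, virtual_assets=1)


def inflation_attack(vault: Vault) -> dict:
    """Attacker seeds 1 unit, donates 10,000 USDC to skew the share price,
    then a victim deposits 10,000 USDC and the attacker redeems."""
    attacker_shares = vault.deposit("attacker", 1)
    vault.donate(10_000 * USDC)
    victim_shares = vault.deposit("victim", 10_000 * USDC)
    attacker_out = vault.redeem("attacker", attacker_shares)
    return {"victim_shares": victim_shares,
            "attacker_in": 1 + 10_000 * USDC,
            "attacker_out": attacker_out}


def deposit_after_total_loss(vault: Vault) -> Optional[int]:
    """Edge case: shares outstanding but NAV is zero. Returns the new
    depositor's shares, or None when the formula divides by zero (on-chain,
    a panic revert that bricks deposits until someone donates)."""
    vault.deposit("lp", 1_000 * USDC)
    vault.write_down(vault.total_assets)
    try:
        return vault.deposit("new_lp", 1 * USDC)
    except ZeroDivisionError:
        return None


def roundtrip_never_profits(vault: Vault, amounts) -> bool:
    """Rounding fuzz: deposit then immediate redeem must never return more
    than was put in, for any amount, given the vault's current state."""
    for amount in amounts:
        shares = vault.deposit("probe", amount)
        if vault.redeem("probe", shares) > amount:
            return False
    return True


if __name__ == "__main__":
    print("naive:   ", inflation_attack(naive_vault()))
    print("hardened:", inflation_attack(hardened_vault()))
    print("naive, deposit after total loss:   ", deposit_after_total_loss(naive_vault()))
    print("hardened, deposit after total loss:", deposit_after_total_loss(hardened_vault()))
```

In the naive vault the victim receives zero shares and the attacker redeems the victim's entire 10,000 USDC; with the virtual offset the victim receives 1,999,999 shares and the attacker recovers only about half of what the donation cost. Note that in both variants rounding down on deposit and on redeem is what makes the roundtrip check hold; a vault that rounds in the user's favour on either leg fails it.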

Planned Audit Process

appeX intends to follow a structured audit process:

  1. Pre-audit preparation. Internal code review, test coverage verification, and documentation of intended behavior for each function.
  2. Auditor engagement. Independent security firms review the codebase. Multiple firms may be engaged for different contracts or for independent verification.
  3. Finding resolution. All identified issues are categorized by severity (Critical, High, Medium, Low, Informational). Critical and High findings are resolved before deployment.
  4. Re-audit. Fixes are verified by the auditing firm to confirm issues are resolved without introducing new vulnerabilities.
  5. Publication. Final audit reports are published in full. No findings are redacted.

Audit Reports

Reports will be linked here upon completion.

| Auditor | Scope | Date | Report |
|---|---|---|---|
| Coming soon | Core vault and staking contracts | Pending | -- |

Warning: Audits reduce the likelihood of smart contract vulnerabilities but cannot guarantee their absence. Multiple independent audits and an ongoing bug bounty program provide defense in depth. Audit reports will be published in full upon completion. See Bug Bounty for the responsible disclosure program.