Security audits are essential for DeFi protocols. This page details TED Protocol’s audit status and security practices.

Audit Status

Completed audits. Primary audits covering core contracts and bridge integrations are scheduled for Q1 2025. Auditor details will be announced when finalized.

Continuous security. Automated scanning runs continuously through internal tools, dependency monitoring via Dependabot, and static analysis using Slither.

Audit Scope

Core contracts included in security audits cover the DiamondProxy (entry point), FXSwapFacet (swap routing logic), DEX adapters for Curve Finance and Uniswap V3 integration, bridge facets for Circle CCTP, LayerZero OFT, and Wormhole, plus the AdminFacet for governance functions. Token contracts are fully audited: the TEDP token (ERC-20 + OFT standard) receives a full audit, and the OFT Adapter for LayerZero V2 receives an integration audit.

Security Practices

Development process. All code changes are reviewed by multiple developers. Unit, integration, and fuzz testing are required for every change. Automated vulnerability scanning runs on all commits. Extended testnet deployment precedes any mainnet release. Test coverage targets include over 95% coverage for unit tests, over 80% for integration tests, fuzz tests covering all critical paths, and invariant tests for core accounting logic. All testing is in progress.

Security patterns. TED Protocol implements industry-standard security patterns: reentrancy protection (mutex locks during execution), role-based access control, and pausability for emergency response. All patterns follow OpenZeppelin’s battle-tested implementations.
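To make the three patterns concrete, here is an added illustration that is not TED Protocol code: the same withdraw path written first without protection and then with a reentrancy mutex, checks-effects-interactions ordering, pausability, and role-based access control from OpenZeppelin's contracts (v5 import paths). The vault and role names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not TED Protocol code). Contract and role names are
// hypothetical; the imports are OpenZeppelin Contracts v5 paths.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Vulnerable form: the balance is zeroed only after the external call, so a
/// receiver contract can re-enter withdraw() while its balance is still credited.
contract UnprotectedVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // too late: state is updated after the interaction
    }
}

/// Hardened form: mutex (nonReentrant), effects before interactions,
/// pausability for emergency response, and role-gated admin functions.
contract GuardedVault is ReentrancyGuard, Pausable, AccessControl {
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    mapping(address => uint256) public balances;

    constructor(address admin, address pauser) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(PAUSER_ROLE, pauser);
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant whenNotPaused {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effect recorded before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Emergency stop: only PAUSER_ROLE holders can halt user-facing entry points.
    function pause() external onlyRole(PAUSER_ROLE) {
        _pause();
    }

    // Resuming is the more consequential decision, so it is reserved for the admin role.
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _unpause();
    }
}
```

Note that `nonReentrant` alone would already stop the re-entry in `withdraw()`, but the hardened version also reorders the state write so the function stays safe even if the modifier is later removed or a sibling function forgets it; the two defences are deliberately redundant.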

Bug Bounty Program

TED Protocol operates a bug bounty program to incentivize responsible disclosure. Rewards scale with severity: critical vulnerabilities (direct loss of funds, protocol insolvency) can earn up to $100,000; high severity issues (significant loss potential, major functionality broken) up to $25,000; medium severity (limited loss, moderate impact) up to $5,000; and low severity (minor issues, best practice violations) up to $1,000.

In scope: Smart contracts on supported chains, bridge integrations, TEDP token contracts, and cross-chain messaging logic. Out of scope: Frontend/UI issues, third-party services, previously reported issues, and social engineering attacks.

Reporting. Submit security vulnerabilities to [email protected]. Include a detailed description of the vulnerability, steps to reproduce, potential impact assessment, and suggested fix if applicable. Response times: initial acknowledgment within 24 hours, severity assessment within 48 hours, resolution timeline based on severity.

Third-Party Dependencies

TED Protocol relies on well-audited dependencies. OpenZeppelin contracts are the industry standard. Curve Finance has been audited by Trail of Bits and Quantstamp with $2B+ TVL. Uniswap V3 has Trail of Bits audits with $3B+ TVL. LayerZero V2 has been audited by Zellic and Quantstamp with $10B+ secured. Wormhole has undergone multiple audits post-2022 with $3B+ TVL. Circle CCTP is institutional-grade with $25B+ USDC secured. Dependency management includes locked versions in package files, automated vulnerability alerts, regular dependency updates, and no unaudited external calls.

Emergency Procedures

Incident response follows a structured timeline. Detection happens immediately through automated monitoring alerts. Assessment by the security team occurs within one hour. Response (pausing affected components) happens within two hours. User communication follows within four hours. Resolution deploys as needed based on severity.

Emergency controls use multi-sig authorization: pause requires 2-of-5 signatures (for suspected exploits), unpause requires 3-of-5 (when issues are resolved), and emergency upgrades require 4-of-5 (for critical fixes).
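The following is an added illustration, not TED Protocol's own emergency controls, of how per-action thresholds like the ones above (2-of-5 to pause, 3-of-5 to unpause, 4-of-5 to upgrade) can be enforced on-chain: a five-signer council where each proposal carries an action type and the encoded call to make, and execution fires only once the threshold for that action is reached. A production deployment would normally use an audited multisig such as a Safe; all contract, struct and function names here are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not TED Protocol code). Names are hypothetical; the
// thresholds [2, 3, 4] mirror the page's pause / unpause / upgrade requirements.
contract EmergencyCouncil {
    enum Action { Pause, Unpause, Upgrade }

    struct Proposal {
        Action action;
        address to;        // contract to call, e.g. the proxy or a facet
        bytes data;        // ABI-encoded call, e.g. abi.encodeWithSignature("pause()")
        uint8 approvals;
        bool executed;
    }

    uint8 public constant SIGNER_COUNT = 5;
    address[5] public signers;
    uint8[3] public thresholds = [2, 3, 4];   // indexed by Action

    uint256 public proposalCount;
    mapping(uint256 => Proposal) public proposals;
    mapping(uint256 => mapping(address => bool)) public approved;

    event Proposed(uint256 indexed id, Action action, address to);
    event Approved(uint256 indexed id, address signer, uint8 approvals);
    event Executed(uint256 indexed id);

    modifier onlySigner() {
        require(isSigner(msg.sender), "not a signer");
        _;
    }

    constructor(address[5] memory _signers) {
        for (uint256 i = 0; i < SIGNER_COUNT; i++) {
            require(_signers[i] != address(0), "zero signer");
            for (uint256 j = 0; j < i; j++) {
                require(_signers[j] != _signers[i], "duplicate signer");
            }
        }
        signers = _signers;
    }

    function isSigner(address who) public view returns (bool) {
        for (uint256 i = 0; i < SIGNER_COUNT; i++) {
            if (signers[i] == who) return true;
        }
        return false;
    }

    /// Any signer may open a proposal; proposing counts as the first approval.
    function propose(Action action, address to, bytes calldata data)
        external
        onlySigner
        returns (uint256 id)
    {
        id = proposalCount++;
        proposals[id] = Proposal({action: action, to: to, data: data, approvals: 0, executed: false});
        emit Proposed(id, action, to);
        _approve(id);
    }

    function approve(uint256 id) external onlySigner {
        _approve(id);
    }

    /// Each signer approves at most once per proposal; execution happens exactly
    /// when the action's threshold is reached, and an executed proposal cannot fire again.
    function _approve(uint256 id) internal {
        Proposal storage p = proposals[id];
        require(id < proposalCount && !p.executed, "no open proposal");
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        p.approvals += 1;
        emit Approved(id, msg.sender, p.approvals);

        if (p.approvals >= thresholds[uint8(p.action)]) {
            p.executed = true;                      // effect before interaction
            (bool ok, bytes memory ret) = p.to.call(p.data);
            require(ok, string(ret));
            emit Executed(id);
        }
    }
}
```

The asymmetry is the point: halting the protocol needs fewer approvals than restarting it, and restarting needs fewer than changing code, so the cheapest action for a compromised or unavailable signer set is the one that reduces exposure rather than increases it. The `executed` flag is set before the external call so that a reverting or re-entering target cannot cause the same proposal to execute twice.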

Transparency

Open source. All TED Protocol smart contracts are open source and verified on block explorers. GitHub: github.com/tedprotocol. Contract verification is available on Etherscan, Arbiscan, Basescan, and other relevant explorers.

Upgrade history. All contract upgrades are documented with upgrade rationale, code changes, audit status, and timelock period.