Documentation Index
Fetch the complete documentation index at: https://docs.superform.xyz/llms.txt
Use this file to discover all available pages before exploring further.
Superform has been reviewed by multiple independent security firms across both core and periphery contracts. The protocol enforces security at multiple layers: onchain Merkle verification for keeper operations, timelocked governance updates, circuit-breaker PPS validation, role-based access control, and continuous invariant monitoring.
Audits
v2-core
| Auditor | Date | Report |
|---|
| Orion Security | August 2025 | Report |
| Cantina Competition | June 2025 | Report |
| Node Security | May 2025 | Report |
| Cantina Code | April 2025 | Report |
| Sujith Somraaj | March 2025 | Report |
v2-periphery
| Auditor | Date | Report |
|---|
| Octane Security | November 2025 | Report |
| 0xMacro | November 2025 | Report |
| GetRecon | November 2025 | Report |
| Cantina Code | June 2025 | Report |
All critical properties and invariants are tested through the GetRecon invariant suite using both Echidna and Medusa across >100 million runs, and continuously monitored through Tenderly. Security Model
Dual Merkle Hook Validation
All keeper operations are gated by a dual Merkle tree system. A hook can only execute if the exact combination of hook address + parameters matches a leaf in one of two onchain roots:
| Root | Controlled By | Timelock | Scope |
|---|
| Global hooks root | SuperGovernor (governance) | Default 15 minutes | Protocol-wide hooks without beneficiary-specific arguments |
| Strategy hooks root | Main manager proposal via SuperVaultAggregator | Default 15 minutes | Vault-specific hooks including beneficiary-specific arguments |
PPS Oracle Security
Price-per-share updates pass through multiple validation layers before acceptance:
- ECDSAPPSOracle validates EIP-712 signatures, quorum (≥ 2/3 weighted stake), and nonce binding
- SuperVaultAggregator checks future timestamps, pause state, and staleness
- Strategy-level checks enforce monotonicity, rate limiting, deviation bounds, dispersion thresholds, and upkeep balance
Strategies are automatically paused when:
- PPS dispersion exceeds threshold (high standard deviation among validator submissions)
- PPS deviation is too large (absolute change from current onchain value)
- Validator participation rate falls below minimum
- Updates are stale beyond the configured window
Access Controls
| Role | Permission |
|---|
| SuperGovernor | Protocol governance with strategy-level overrides; updates global hook root |
| Primary Strategist | Full vault control: hook whitelisting, fees, deposit/redemption processing |
| Secondary Strategists | Day-to-day operations, everything except hook whitelisting and fees |
| Guardians | Threat monitoring network with emergency intervention powers such as pause controls |
| Validators | Validators that attest to PPS updates and must satisfy signature and quorum checks before updates are accepted |
Timelock Protections
| Change Type | Timelock |
|---|
| Hook-root updates (global and strategy) | Default 15 minutes, configurable by governance |
| Post-unpause skim | 12 hours |
| Upkeep withdrawal | 24 hours |
| Min update interval changes | 3 days |
| Primary strategist updates | 7 days |
| Fee configuration changes | 7 days |
| PPS expiration threshold updates | 7 days |
Emergency Controls
Strategy Pausing — Both primary and secondary managers can pause strategies immediately. Unpausing marks PPS as stale until a fresh oracle update is posted.
Banned Hook Leaves — Individual Merkle leaves can be banned without regenerating the entire tree. This provides an immediate block on specific hook + parameter combinations.
Guardian Controls — Guardians retain emergency intervention powers such as pause controls, allowing rapid response to detected threats.
Emergency Withdrawals — Managers can perform emergency withdrawals through authorized hooks. Expanding that authorization still requires a hook-root proposal and execution flow before new leaves become active.
