
Security

Superform enforces security at multiple layers: on-chain Merkle verification of keeper operations, timelocked governance updates, circuit-breaker validation of price-per-share (PPS) updates, role-based access control, and continuous invariant monitoring.

Security Model

Dual Merkle Hook Validation

All keeper operations are gated by a dual Merkle tree system. A hook can only execute if the exact combination of hook address and parameters matches a leaf in one of two on-chain roots:

Root | Controlled by | Timelock | Scope
Global hooks root | SuperGovernor (governance) | 15 minutes | Protocol-wide hooks without beneficiary-specific arguments
Strategy hooks root | Curator (primary strategist) | 7 days | Vault-specific hooks, including beneficiary-specific arguments
Both roots support guardian veto; guardians can block malicious root updates before they take effect.
// Simplified validation logic. The pragma, import and state declarations are
// added here so the snippet compiles; the page only shows the function body.
pragma solidity ^0.8.20;

import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

contract HookValidator {
    // Protocol-wide root, updated by SuperGovernor under a 15 minute timelock
    bytes32 internal _globalHooksRoot;
    // Per-strategy root, updated by that strategy's curator under a 7 day timelock
    mapping(address => bytes32) internal _strategyHooksRoot;

    function _validateSingleHook(
        address strategy,
        bytes calldata hookArgs, // hook address plus its parameters, abi-encoded by the caller (assumed layout)
        bytes32[] calldata globalProof,
        bytes32[] calldata strategyProof
    ) internal view returns (bool) {
        // Double-hashed leaf, the layout OpenZeppelin's StandardMerkleTree produces
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(hookArgs))));

        // Try global root first
        if (MerkleProof.verify(globalProof, _globalHooksRoot, leaf)) return true;

        // Try the strategy's own root
        if (MerkleProof.verify(strategyProof, _strategyHooksRoot[strategy], leaf)) return true;

        return false;
    }
}
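The following is an added example, not Superform's code: an off-chain model of the dual-root check above, together with the banned-leaf mechanism described under Emergency Controls. It builds both trees the way an operator would before publishing a root, then validates hook calls against them. `hashlib.sha3_256` stands in for keccak256 (which the Python standard library lacks), tree construction follows OpenZeppelin's MerkleProof conventions (sorted-pair hashing, double-hashed leaves) and pads odd levels by duplicating the last node, and the hook addresses, parameter strings and strategy names are constructed values.

```python
"""Added example (not Superform's code): off-chain model of the dual Merkle
hook check with a banned-leaf list. hashlib.sha3_256 stands in for keccak256;
sorted-pair hashing and double-hashed leaves follow OpenZeppelin's MerkleProof.
All hook addresses, parameters and strategy names are constructed."""
import hashlib

ZERO_ROOT = bytes(32)


def h(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


def leaf_hash(hook: bytes, params: bytes) -> bytes:
    # The leaf commits to the hook address AND its exact parameters; double
    # hashing keeps leaf hashes in a separate domain from inner-node hashes.
    return h(h(hook + params))


def pair_hash(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, so proofs carry no left/right position flags.
    return h(a + b) if a <= b else h(b + a)


def build_tree(leaves):
    """Return (root, proofs); proofs maps each leaf hash to its sibling path."""
    level, members = list(leaves), [[leaf] for leaf in leaves]
    proofs = {leaf: [] for leaf in leaves}
    while len(level) > 1:
        if len(level) % 2:  # pad with a copy of the last node; the copy owns no leaves
            level.append(level[-1]); members.append([])
        nxt, nxt_members = [], []
        for i in range(0, len(level), 2):
            a, b = level[i], level[i + 1]
            for leaf in members[i]: proofs[leaf].append(b)
            for leaf in members[i + 1]: proofs[leaf].append(a)
            nxt.append(pair_hash(a, b)); nxt_members.append(members[i] + members[i + 1])
        level, members = nxt, nxt_members
    return (level[0] if level else ZERO_ROOT), proofs


def verify(proof, root: bytes, leaf: bytes) -> bool:
    node = leaf
    for sibling in proof:
        node = pair_hash(node, sibling)
    return node == root


class HookRegistry:
    """Global root first, then the strategy's root; banned leaves fail before either proof."""
    def __init__(self, global_root: bytes, strategy_roots: dict):
        self.global_root, self.strategy_roots, self.banned = global_root, strategy_roots, set()

    def ban_leaf(self, leaf: bytes) -> None:
        self.banned.add(leaf)  # immediate block on one hook+parameter combination, no new tree

    def validate(self, strategy, hook, params, global_proof, strategy_proof) -> bool:
        leaf = leaf_hash(hook, params)
        if leaf in self.banned:
            return False
        if verify(global_proof, self.global_root, leaf):
            return True
        return verify(strategy_proof, self.strategy_roots.get(strategy, ZERO_ROOT), leaf)


def demo() -> dict:
    hook_a, hook_b = b"\x01" * 20, b"\x02" * 20  # constructed hook addresses
    global_entries = [(hook_a, b"swap:usdc->dai"), (hook_a, b"swap:dai->usdc"), (hook_b, b"harvest")]
    strategy_entries = [(hook_b, b"withdraw:to=0xbeef"), (hook_b, b"withdraw:to=0xcafe")]
    g_root, g_proofs = build_tree([leaf_hash(hk, p) for hk, p in global_entries])
    s_root, s_proofs = build_tree([leaf_hash(hk, p) for hk, p in strategy_entries])
    registry = HookRegistry(g_root, {"strategyA": s_root})

    def check(strategy, hook, params, proof_for=None):
        # proof_for lets the caller present the proof of a different, whitelisted leaf
        proof_leaf = leaf_hash(*(proof_for or (hook, params)))
        return registry.validate(strategy, hook, params,
                                 g_proofs.get(proof_leaf, []), s_proofs.get(proof_leaf, []))

    results = {
        "global_hook": check("strategyA", hook_a, b"swap:usdc->dai"),
        "strategy_hook": check("strategyA", hook_b, b"withdraw:to=0xbeef"),
        # same hook, altered beneficiary, presented with the proof of the whitelisted leaf
        "tampered_params": check("strategyA", hook_b, b"withdraw:to=0xd00d",
                                 proof_for=(hook_b, b"withdraw:to=0xbeef")),
        "other_strategy": check("strategyB", hook_b, b"withdraw:to=0xbeef"),  # strategyB has no root
    }
    registry.ban_leaf(leaf_hash(hook_b, b"harvest"))
    results["banned_leaf"] = check("strategyA", hook_b, b"harvest")
    return results


if __name__ == "__main__":
    print(demo())
```

The tampered-parameter case is the one to internalise: the proof is valid for the whitelisted leaf, but because the leaf hashes the parameters, a changed beneficiary produces a different leaf and the same proof no longer reaches the root.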

PPS Oracle Security

Price-per-share updates pass through multiple validation layers before acceptance:
  1. ECDSAPPSOracle validates EIP-712 signatures, quorum (≥ 2/3 weighted stake), and nonce binding
  2. SuperVaultAggregator checks future timestamps, pause state, and staleness
  3. Strategy-level checks enforce monotonicity, rate limiting, deviation bounds, dispersion thresholds, and upkeep balance
Strategies are automatically paused when:
  • PPS dispersion exceeds threshold (high standard deviation among validator submissions)
  • PPS deviation is too large (absolute change from current on-chain value)
  • Validator participation rate falls below minimum
  • Updates are stale beyond the configured window
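To make the three layers and the auto-pause rules concrete, here is an added example, not Superform's code: a Python model of one PPS update passing through oracle-level quorum and nonce checks, aggregator time checks, and the strategy-level bounds, pausing the strategy on dispersion, deviation, low participation or staleness. EIP-712 signature recovery is assumed to have run before `process_update()`, and every threshold, stake weight, timestamp and PPS value is constructed for illustration.

```python
"""Added example (not Superform's code): a model of the PPS update pipeline.
Signatures are assumed verified upstream; thresholds, stakes and values are
constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

BPS = 10_000


@dataclass
class Submission:
    validator: str
    stake: int    # weight used for quorum and for the aggregate
    pps: float
    nonce: int    # must bind to the strategy's next expected nonce


@dataclass
class StrategyConfig:
    max_deviation_bps: int = 500        # |aggregate - current| / current
    max_dispersion_bps: int = 100       # pstdev / mean across submissions
    min_participation_bps: int = 5_000  # share of validators that submitted
    max_staleness: int = 3_600          # seconds between update time and now
    min_update_interval: int = 600      # rate limit between accepted updates
    monotonic: bool = False             # when True, PPS may never decrease
    min_upkeep_balance: int = 1


@dataclass
class StrategyState:
    pps: float
    last_update: int
    last_nonce: int
    upkeep_balance: int = 10
    paused: bool = False
    pps_stale: bool = False


def pause(state: StrategyState, reason: str) -> tuple:
    state.paused = True
    return ("paused", reason)


def unpause(state: StrategyState) -> None:
    state.paused = False
    state.pps_stale = True  # old PPS is not trusted until a fresh update lands


def process_update(state, cfg, subs, total_stake, validator_count, timestamp, now) -> tuple:
    # Layer 1: oracle-level checks (nonce binding, weighted quorum >= 2/3)
    if any(s.nonce != state.last_nonce + 1 for s in subs):
        return ("rejected", "nonce")
    signed_stake = sum(s.stake for s in subs)
    if signed_stake * 3 < total_stake * 2:
        return ("rejected", "quorum")
    # Layer 2: aggregator checks (future timestamp, pause state, staleness)
    if timestamp > now:
        return ("rejected", "future_timestamp")
    if state.paused:
        return ("rejected", "paused")
    if now - timestamp > cfg.max_staleness:
        return pause(state, "stale")
    # Layer 3: strategy-level checks
    if timestamp - state.last_update < cfg.min_update_interval:
        return ("rejected", "rate_limited")
    if state.upkeep_balance < cfg.min_upkeep_balance:
        return ("rejected", "upkeep")
    if len(subs) * BPS < cfg.min_participation_bps * validator_count:
        return pause(state, "participation")
    values = [s.pps for s in subs]
    if pstdev(values) * BPS > cfg.max_dispersion_bps * mean(values):
        return pause(state, "dispersion")  # validators disagree too much
    agg = sum(s.stake * s.pps for s in subs) / signed_stake  # stake-weighted mean
    if abs(agg - state.pps) * BPS > cfg.max_deviation_bps * state.pps:
        return pause(state, "deviation")   # jump from the on-chain value is too large
    if cfg.monotonic and agg < state.pps:
        return ("rejected", "monotonicity")
    state.pps, state.last_update, state.last_nonce, state.pps_stale = agg, timestamp, subs[0].nonce, False
    return ("accepted", f"{agg:.6f}")


def demo():
    cfg = StrategyConfig()
    state = StrategyState(pps=1.0, last_update=1_000, last_nonce=7)
    total_stake, n_validators = 300, 3

    def subs(nonce, *pps):  # constructed submissions from validators A, B, C, 100 stake each
        return [Submission(v, 100, p, nonce) for v, p in zip("ABC", pps)]

    run = lambda s, ts, now: process_update(state, cfg, s, total_stake, n_validators, ts, now)
    log = [run(subs(8, 1.010, 1.011, 1.012), 2_000, 2_100),   # healthy update
           run(subs(9, 1.00, 1.05, 1.01), 3_000, 3_100),      # high dispersion -> pause
           run(subs(9, 1.012, 1.012, 1.012), 3_200, 3_300)]   # rejected while paused
    unpause(state)
    log += [run(subs(9, 1.013), 4_000, 4_100),                 # 1/3 of stake: no quorum
            run(subs(9, 1.013, 1.013), 4_000, 4_100),          # exactly 2/3: accepted
            run(subs(10, 1.014, 1.014, 1.014), 4_300, 4_400),  # 300 s after last: rate limited
            run(subs(10, 1.10, 1.10, 1.10), 5_000, 5_100)]     # 8.6% jump -> pause
    unpause(state)
    log.append(run(subs(10, 1.015, 1.015, 1.015), 6_000, 9_700))  # 3700 s old -> pause
    return log, state
```

Note the ordering: dispersion is checked before deviation, so a set of submissions that disagree with each other is paused on that ground even if their weighted mean would have been inside the deviation bound, and a quorum failure is a rejection (the update is dropped) while the strategy-level failures pause the strategy.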

Access Controls

Role | Permission
SuperGovernor | Protocol governance with strategy-level overrides; updates the global hooks root
Primary Strategist | Full vault control: hook whitelisting, fees, deposit/redemption processing
Secondary Strategists | Day-to-day operations; everything except hook whitelisting and fees
Guardians | Threat monitoring network; veto power over hook root updates
Validators | $UP stakers that attest to PPS updates; subject to slashing for misreporting

Timelock Protections

Change type | Timelock
Primary strategist updates | 7 days
Strategy hooks root | 7 days
Global hooks root | 15 minutes
Fee configuration changes | 7 days
Emergency withdrawal activation | 7 days
Post-unpause skim | 12 hours

Emergency Controls

  • Strategy Pausing - Both primary and secondary managers can pause strategies immediately. Unpausing marks PPS as stale until a fresh oracle update is posted.
  • Banned Hook Leaves - Individual Merkle leaves can be banned without regenerating the entire tree. This provides an immediate block on specific hook + parameter combinations.
  • Guardian Veto - Guardians can veto both global and strategy hook root updates, providing rapid response to detected threats.
  • Emergency Withdrawals - Managers can perform emergency withdrawals by adding hooks to the strategy hooks root and executing them.

Cross-Contract Integrity

The SuperVault architecture enforces state consistency across contracts:
  • PPS Consistency - Vault uses strategy’s stored PPS for all share calculations
  • Pause Propagation - Strategy pause state affects vault deposit limits
  • Share Custody - Escrow holds shares during pending redemptions; only strategy (via vault) can burn escrowed shares
  • Asset Custody - Escrow holds fulfilled assets until the user claims them

Monitoring & Invariants

All critical properties and invariants are tested with the GetRecon invariant suite, using both Echidna and Medusa, across more than 100 million runs. The same invariants are continuously monitored in production through Tenderly and cron-based monitors.

Audits

Superform maintains a continuous audit program across both core and periphery contracts.
Auditor | Date | Scope | Report
Octane Security | November 2025 | v2-periphery | Report
0xMacro | November 2025 | v2-periphery | Report
GetRecon | November 2025 | Invariant testing | Report
Spearbit | June 2025 | v2-core, v2-periphery | Report
Cantina Competition | June 2025 | Competitive audit | Report
Node Security | May 2025 | v2-periphery | Report
Orion Security | August 2025 | v2-core | Report
Sujith Somraaj | March 2025 | Independent review | Report