# Security

Superform has been reviewed by multiple independent security firms across both core and periphery contracts. The protocol enforces security at multiple layers: onchain Merkle verification for keeper operations, timelocked governance updates, circuit-breaker PPS validation, role-based access control, and continuous invariant monitoring.

## Audits

### v2-core

| Auditor             | Date        | Report                                                                                                |
| ------------------- | ----------- | ----------------------------------------------------------------------------------------------------- |
| Orion Security      | August 2025 | [Report](https://github.com/superform-xyz/v2-core/blob/dev/audits/2025.08.22-orion.pdf)               |
| Cantina Competition | June 2025   | [Report](https://github.com/superform-xyz/v2-core/blob/dev/audits/2025.06.02-cantina-competition.pdf) |
| Node Security       | May 2025    | [Report](https://github.com/superform-xyz/v2-core/blob/dev/audits/2025.05.05-nodesecurity.pdf)        |
| Cantina Code        | April 2025  | [Report](https://github.com/superform-xyz/v2-core/blob/dev/audits/2025.04.19-cantinacode.pdf)         |
| Sujith Somraaj      | March 2025  | [Report](https://github.com/superform-xyz/v2-core/blob/dev/audits/2025.03.24-sujithsomraaj.pdf)       |

### v2-periphery

| Auditor         | Date          | Report                                                                                                 |
| --------------- | ------------- | ------------------------------------------------------------------------------------------------------ |
| Octane Security | November 2025 | [Report](https://github.com/superform-xyz/v2-periphery/blob/dev/audits/2025.11.30-octane-security.pdf) |
| 0xMacro         | November 2025 | [Report](https://github.com/superform-xyz/v2-periphery/blob/dev/audits/2025.11.27-0xMacro.pdf)         |
| GetRecon        | November 2025 | [Report](https://github.com/superform-xyz/v2-periphery/blob/dev/audits/2025.11.07-GetRecon.pdf)        |
| Cantina Code    | June 2025     | [Report](https://github.com/superform-xyz/v2-periphery/blob/dev/audits/2025.06.30-cantinacode.pdf)     |

<Note>
  All critical properties and invariants are tested through the [GetRecon](https://getrecon.xyz/) invariant suite using both Echidna and Medusa across >100 million runs, and continuously monitored through [Tenderly](https://tenderly.co/monitoring).
</Note>

## Security Model

### Dual Merkle Hook Validation

All keeper operations are gated by a dual Merkle tree system. A hook can only execute if the exact combination of hook address + parameters matches a leaf in one of two onchain roots:

| Root                    | Controlled By                                  | Timelock           | Scope                                                         |
| ----------------------- | ---------------------------------------------- | ------------------ | ------------------------------------------------------------- |
| **Global hooks root**   | SuperGovernor (governance)                     | Default 15 minutes | Protocol-wide hooks without beneficiary-specific arguments    |
| **Strategy hooks root** | Main manager proposal via SuperVaultAggregator | Default 15 minutes | Vault-specific hooks including beneficiary-specific arguments |

Both hook-root flows pass through the aggregator's configurable hook-root timelock. Protocol governance can update that delay.
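The gate described above can be modeled offline as follows. This is an added example, not Superform's contract code: SHA-256 stands in for the contracts' hash function, and the leaf encoding, the sorted-pair tree layout, and the `HookRoots` class are assumptions made for illustration.

```python
import hashlib

TIMELOCK = 15 * 60  # the page's default hook-root delay, in seconds

def h(data):
    # Stand-in hash (assumption): the page does not state the contracts' hash function.
    return hashlib.sha256(data).digest()

def leaf(hook, params):
    # Assumed leaf encoding: hook address bytes followed by the exact parameter bytes.
    return h(b"\x00" + bytes.fromhex(hook[2:]) + params)

def pair(a, b):
    return h(b"\x01" + min(a, b) + max(a, b))  # sorted pair: proofs need no side flags

def build(leaves):
    """Return (root, proofs), with one sibling list per leaf."""
    proofs, level = [[] for _ in leaves], [(l, [i]) for i, l in enumerate(leaves)]
    while len(level) > 1:
        nxt = []
        for (a, ia), (b, ib) in zip(level[0::2], level[1::2]):
            for i in ia: proofs[i].append(b)
            for i in ib: proofs[i].append(a)
            nxt.append((pair(a, b), ia + ib))
        level = nxt + ([level[-1]] if len(level) % 2 else [])  # odd node is promoted
    return level[0][0], proofs

def verify(root, lf, proof):
    for sib in proof:
        lf = pair(lf, sib)
    return lf == root

class HookRoots:
    """Model of the two active roots; a proposed root takes effect only after the delay."""
    def __init__(self):
        self.active, self.pending = {}, {}

    def propose(self, kind, root, now):
        self.pending[kind] = (root, now + TIMELOCK)

    def execute(self, kind, now):
        _, eta = self.pending[kind]
        if now < eta:
            raise PermissionError("hook-root timelock not elapsed")
        self.active[kind] = self.pending.pop(kind)[0]

    def allowed(self, hook, params, proof):
        # A hook call passes if its leaf proves against either active root.
        return any(verify(r, leaf(hook, params), proof) for r in self.active.values())
```

A proof for `(hook, params)` fails as soon as one parameter byte differs, and a proposed root authorizes nothing until `execute` succeeds after the delay.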

### PPS Oracle Security

Price-per-share updates pass through multiple validation layers before acceptance:

1. **ECDSAPPSOracle** validates EIP-712 signatures, quorum (≥ 2/3 weighted stake), and nonce binding
2. **SuperVaultAggregator** checks future timestamps, pause state, and staleness
3. **Strategy-level checks** enforce monotonicity, rate limiting, deviation bounds, dispersion thresholds, and upkeep balance

Strategies are automatically paused when:

* PPS dispersion exceeds threshold (high standard deviation among validator submissions)
* PPS deviation is too large (absolute change from current onchain value)
* Validator participation rate falls below minimum
* Updates are stale beyond the configured window
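The layered checks and pause triggers above can be sketched as a single decision function. This is an added example, not Superform's code: only the 2/3 weighted-stake quorum comes from the page, while the numeric limits, the stake-weighted-mean aggregation, the count-based participation rate, and the sample validator set are assumptions. Signatures are assumed to be verified before this point.

```python
from statistics import pstdev

# Limits are constructed for illustration; the page names the checks but only fixes the 2/3 quorum.
MAX_DISPERSION = 0.005    # relative standard deviation among submissions
MAX_DEVIATION = 0.02      # relative change from the current onchain PPS
MIN_PARTICIPATION = 0.5   # fraction of validators that must submit (assumed count-based)
MAX_AGE = 3600            # staleness window in seconds

STAKES = {"v1": 40, "v2": 30, "v3": 30}  # constructed validator set

def evaluate(subs, stakes, current_pps, now):
    """subs: {validator: (pps, timestamp)}, signatures assumed already verified.
    Returns ("accept", pps), ("reject", reason) or ("pause", reason)."""
    signed = sum(stakes[v] for v in subs)
    if 3 * signed < 2 * sum(stakes.values()):          # integer math avoids float rounding
        return ("reject", "quorum below 2/3 of weighted stake")
    if any(ts > now for _, ts in subs.values()):
        return ("reject", "future timestamp")
    if len(subs) / len(stakes) < MIN_PARTICIPATION:
        return ("pause", "participation below minimum")
    if now - min(ts for _, ts in subs.values()) > MAX_AGE:
        return ("pause", "stale update")
    values = [pps for pps, _ in subs.values()]
    if pstdev(values) / (sum(values) / len(values)) > MAX_DISPERSION:
        return ("pause", "dispersion above threshold")
    # Assumed aggregation: stake-weighted mean of the submitted values.
    new_pps = sum(stakes[v] * pps for v, (pps, _) in subs.items()) / signed
    if abs(new_pps - current_pps) / current_pps > MAX_DEVIATION:
        return ("pause", "deviation too large")
    return ("accept", new_pps)
```

Quorum and participation are separate conditions: a single validator holding more than two thirds of the stake meets quorum yet can still trip the participation trigger.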

### Access Controls

| Role                      | Permission                                                                                                     |
| ------------------------- | -------------------------------------------------------------------------------------------------------------- |
| **SuperGovernor**         | Protocol governance with strategy-level overrides; updates global hook root                                    |
| **Primary Strategist**    | Full vault control: hook whitelisting, fees, deposit/redemption processing                                     |
| **Secondary Strategists** | Day-to-day operations, everything except hook whitelisting and fees                                            |
| **Guardians**             | Threat monitoring network with emergency intervention powers such as pause controls                            |
| **Validators**            | Validators that attest to PPS updates and must satisfy signature and quorum checks before updates are accepted |

### Timelock Protections

| Change Type                             | Timelock                                       |
| --------------------------------------- | ---------------------------------------------- |
| Hook-root updates (global and strategy) | Default 15 minutes, configurable by governance |
| Post-unpause skim                       | 12 hours                                       |
| Upkeep withdrawal                       | 24 hours                                       |
| Min update interval changes             | 3 days                                         |
| Primary strategist updates              | 7 days                                         |
| Fee configuration changes               | 7 days                                         |
| PPS expiration threshold updates        | 7 days                                         |

### Emergency Controls

**Strategy Pausing** — Both primary and secondary managers can pause strategies immediately. Unpausing marks PPS as stale until a fresh oracle update is posted.

**Banned Hook Leaves** — Individual Merkle leaves can be banned without regenerating the entire tree. This provides an immediate block on specific hook + parameter combinations.

**Guardian Controls** — Guardians retain emergency intervention powers such as pause controls, allowing rapid response to detected threats.

**Emergency Withdrawals** — Managers can perform emergency withdrawals through authorized hooks. Expanding that authorization still requires a hook-root proposal and execution flow before new leaves become active.
