Audit Reports

TRTH takes security review seriously: smart contracts handle user funds, randomness, and long-lived parameters. This page summarizes what has been completed publicly and what to expect next.

Internal review (March 2026)

In March 2026, the protocol completed an internal security audit focused on core contracts—including TrueBitcoinToken, EpochRewardsV1, Genesis, LiquidityBootstrap, FeeSink, ChainlinkVrfWordAdapter, and ProtocolTimelock—and their interactions with operational services (orchestrator, indexer, Proof-API).

The internal review emphasized threat modeling, access control, economic edge cases, and integration assumptions (VRF fulfillment, keeper liveness, and oracle configuration).

Note

An internal audit is a strong engineering gate, but it is not a substitute for independent, third-party assurance on production deployments.

External audits

We maintain a standing goal to publish external audit reports from recognized firms as they complete. When available, summaries and PDF links will appear on this page.

External audit links (placeholder): Future external audit report — TBD

Caution

Always verify that an audit report matches the exact deployed bytecode and chain you interact with. Upgrades or parameter changes can invalidate prior conclusions.

How to stay current

Watch official announcements for:

• New audit releases and scope (which contracts and versions).
• Remediation status for any findings.
• Configuration changes gated by the timelock.

For user-facing risks, see Risk Factors.