Security
Atrium targets Arbitrum Sepolia testnet in Year 1. No user funds will be at real economic risk. Below is the security model we design to. Where live code differs, the gap is tracked openly in the audit findings register.
Design intent
- Kani plus proptest formal-method invariants in CI. 3 of 5 wired today; 5 of 5 by Month 6.
- Dual oracle (Chainlink + Pyth) with 50 bps tolerance and 60 s freshness on every Plinth price read.
- 3-keeper redundancy with economic slashing.
- Praetor 3-of-5 multisig plus 48-hour PraetorTimelock on every parameter change.
- ERC-7201 namespaced storage for safe upgrades.
- Per-adapter per-block notional cap on Coffer.
- Postern Kill Switch revokes every Sigil mandate plus every ERC-7715 session key in one batched tx.
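The dual-oracle rule in the list above (50 bps tolerance, 60 s freshness) can be read as a fail-closed check, sketched here as an added example that is not Atrium's Plinth code. The type and function names, measuring deviation against the lower quote, treating both limits as inclusive, and returning the midpoint are all assumptions; only the two thresholds come from the page.

```rust
// Added illustration, not Atrium's Plinth code. Type and function names, the
// deviation base (lower quote) and the midpoint return value are assumptions.
pub const TOLERANCE_BPS: u128 = 50; // from the page: 50 bps
pub const MAX_AGE_SECS: u64 = 60; // from the page: 60 s freshness

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Quote {
    pub price: u64,        // fixed-point, same decimals on both feeds
    pub published_at: u64, // unix seconds
}

#[derive(Debug, PartialEq)]
pub enum PriceError {
    ZeroPrice,
    FromFuture,
    Stale { age_secs: u64 },
    Diverged { deviation_bps: u128 },
}

fn check_quote(q: Quote, now: u64) -> Result<(), PriceError> {
    if q.price == 0 { return Err(PriceError::ZeroPrice); }
    // A timestamp ahead of `now` is rejected rather than treated as age 0.
    let age_secs = now.checked_sub(q.published_at).ok_or(PriceError::FromFuture)?;
    if age_secs > MAX_AGE_SECS {
        return Err(PriceError::Stale { age_secs });
    }
    Ok(())
}

/// Fails closed: a price comes back only if both feeds are fresh and agree.
pub fn read_price(a: Quote, b: Quote, now: u64) -> Result<u64, PriceError> {
    check_quote(a, now)?;
    check_quote(b, now)?;
    let (lo, hi) = (a.price.min(b.price) as u128, a.price.max(b.price) as u128);
    let diff = hi - lo;
    // diff / lo > 50 / 10_000, cross-multiplied so no precision is lost to
    // integer division; u64 inputs widened to u128 cannot overflow here.
    if diff * 10_000 > lo * TOLERANCE_BPS {
        return Err(PriceError::Diverged { deviation_bps: diff * 10_000 / lo });
    }
    Ok((lo + diff / 2) as u64) // midpoint of the two agreeing quotes
}

fn main() {
    // Constructed sample: 8-decimal quotes 45 bps apart, both under 60 s old.
    let a = Quote { price: 200_000_000_000, published_at: 1_700_000_090 };
    let b = Quote { price: 200_900_000_000, published_at: 1_700_000_070 };
    println!("{:?}", read_price(a, b, 1_700_000_100));
}
```

A single stale, zero, or future-dated quote rejects the read even when the other feed is healthy, so a caller has to handle the error path instead of falling back to one source.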
Audit-findings register
A cross-cutting code review covering contracts, adapters, off-chain services, frontend, and honesty disclosures runs on every release cycle. Each row below names the file, the finding, and the resolution status. The table refreshes on every page load against the latest published audit register.
Disclose a vulnerability
Email security@useatrium.me. We respond within 48 hours. Critical issues are triaged same-day. PGP key at /.well-known/pgp.asc.
Bug bounty
- Year 1 testnet: bug bounty program standup pending. Interim disclosure via security@useatrium.me. Same-day triage.
- Year 2 mainnet flip: formal Immunefi-style program live before the flip. Tier target set on board sign-off.
Honest disclosures
Three venues (Aave V3, Pyth equity feeds, Hyperliquid) are mocked or relayed on testnet because the real upstream is not on Sepolia. There are also interim states for admin (deployer EOA pending Safe ceremony) and liquidation (monitoring-only pending keeper stake). Each item is named explicitly with mechanism and timeline at /docs/honesty.