Security & Audits
Audit Reports
| Auditor | Scope | Date | Status |
|---|---|---|---|
| TBD | VarlaCore, VarlaPool, CollateralManager | Q1 2026 | Scheduled |
| TBD | VarlaOracle, LiquidationEngine | Q1 2026 | Scheduled |
⚠ Pre-audit
Varla contracts have not yet been audited. Use at your own risk until audits are complete and published.
Security Practices
Smart contract design
Minimal proxy patterns, no delegatecall to external contracts, explicit reentrancy guards, and conservative math (rounding against the protocol).
Oracle security
Conservative pricing (min of spot and TWAP), staleness checks, liquidity thresholds, and multi-keeper redundancy prevent oracle manipulation.
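The pricing checks named above, as an added Solidity sketch that is not Varla's contract code. The `Observation` struct, the 18-decimal price scale and the `maxAge` / `minLiquidity` parameters are assumptions made for illustration, and multi-keeper redundancy is not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: names, units and thresholds are assumptions, not Varla's code.
library ConservativePrice {
    struct Observation {
        uint256 spot;      // latest spot price, 18 decimals (assumed scale)
        uint256 twap;      // time-weighted average price, same scale
        uint256 liquidity; // market depth behind the quote, in quote-asset units
        uint64 updatedAt;  // timestamp of the keeper's last update
    }

    error FutureTimestamp(uint256 updatedAt, uint256 nowTs);
    error StalePrice(uint256 age, uint256 maxAge);
    error ThinLiquidity(uint256 liquidity, uint256 minLiquidity);
    error ZeroPrice();

    /// Returns the price used to value collateral, or reverts (fails closed)
    /// so that borrowing cannot proceed on an unreliable quote.
    function collateralPrice(
        Observation memory o,
        uint256 maxAge,
        uint256 minLiquidity
    ) internal view returns (uint256) {
        // Staleness check: reject old updates and impossible future timestamps.
        if (o.updatedAt > block.timestamp) {
            revert FutureTimestamp(o.updatedAt, block.timestamp);
        }
        uint256 age = block.timestamp - o.updatedAt;
        if (age > maxAge) revert StalePrice(age, maxAge);

        // Liquidity threshold: a quote from a thin market is cheap to move.
        if (o.liquidity < minLiquidity) {
            revert ThinLiquidity(o.liquidity, minLiquidity);
        }

        // A zero on either side means the feed is broken, not that the asset is free.
        if (o.spot == 0 || o.twap == 0) revert ZeroPrice();

        // min(spot, TWAP): a short-lived spot spike cannot inflate collateral
        // value, and a lagging TWAP cannot hide a real drop in spot.
        return o.spot < o.twap ? o.spot : o.twap;
    }
}
```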
Access control
Admin functions are behind a multi-sig with timelock. No single key can modify protocol parameters. Governance actions have a minimum delay before execution.
Emergency procedures
The protocol includes a guardian role that can pause borrowing and liquidation in emergencies. Pausing does not affect lender withdrawals.
Bug Bounty
ℹ Coming soon
A formal bug bounty program with tiered rewards is being finalized. In the meantime, please report any security issues directly.
How to Report
Email: security@varla.xyz
1. Describe the issue
   Include a clear description, steps to reproduce, and potential impact assessment.
2. Do not exploit on mainnet
   Please do not exploit any vulnerabilities on mainnet or publicly disclose before we've had time to respond.
3. Give us time to respond
   We aim for initial acknowledgment within 48 hours.
Scope (Preview)
| In Scope | Out of Scope |
|---|---|
| VarlaCore | Test/mock contracts |
| VarlaPool | Third-party dependencies |
| VarlaOracle | Frontend/UI issues |
| Liquidation contracts | Already known issues |
| VarlaInterestRateStrategy | Theoretical attacks without proof |
| VarlaAccessManager | |
Severity Levels (Preview)
| Severity | Description | Reward |
|---|---|---|
| Critical | Direct loss of user funds | TBD |
| High | Significant risk to funds or protocol operation | TBD |
| Medium | Limited risk; requires specific conditions | TBD |
| Low | Minor issues; no direct fund risk | TBD |