Security & Audits
Audit Reports
| Auditor | Scope | Date | Status |
|---|---|---|---|
| Pashov AI | VarlaCore, VarlaOracle, OracleUpdaterRouter, VarlaLiquidator | March 2026 | Complete (3 rounds) |
| Nemesis | VarlaCore, VarlaPool, VarlaOracle, VarlaLiquidator, VarlaStaking, VarlaInterestRateStrategy, VarlaMath, VarlaLiquidationMath | March 2026 | Complete |
| Plamen | Full protocol — 31 contracts including all core, liquidation, oracle, governance, and staking modules | March 2026 | Complete |
⚠ Audited — use at your own risk
Varla contracts have undergone multiple independent security reviews. Audits reduce but do not eliminate risk. Do not deposit more than you can afford to lose.
Security Practices
Smart contract design
ReentrancyGuard on every external state-mutating entry point; conservative math that rounds in favor of lenders and the protocol reserve, so any rounding dust accrues to the pool rather than to the caller; and, for upgradeable variants, OpenZeppelin's Initializable pattern with storage gaps so later versions can add state without shifting existing storage slots.
Oracle security
Conservative pricing (the lower of spot and TWAP), configurable staleness checks, liquidity thresholds with per-tier LTV decay for low-liquidity assets, stale-recovery grace periods, and an EIP-712 OracleUpdaterRouter with parallel nonce lanes, so that signed price updates can be submitted concurrently on independent nonce sequences instead of serializing behind a single EOA's transaction nonce.
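The pricing and LTV rules above, written out as an added example. This is not Varla's VarlaOracle: the `Observation` layout, the stepwise tier model, the 1e18 price scale and every function name are assumptions, and the stale-recovery grace period is omitted because the page does not specify its semantics. Valuing debt at the higher of spot and TWAP is an extension of the page's "min of spot and TWAP" rule to the debt side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Varla's code. Names, scales and the tier model are assumptions.
library ConservativePricing {
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    struct Observation {
        uint256 spot;      // latest spot price in quote units, 1e18 scale
        uint256 twap;      // time-weighted average price, same scale
        uint256 updatedAt; // timestamp of the last feed update
        uint256 liquidity; // on-chain liquidity backing the price, quote units, 1e18 scale
    }

    struct LiquidityTier {
        uint256 minLiquidity; // tier applies at or above this liquidity
        uint16 ltvBps;        // maximum LTV in basis points for the tier
    }

    function _checkFresh(Observation memory o, uint256 maxAge) private view {
        if (block.timestamp - o.updatedAt > maxAge) revert StalePrice(o.updatedAt, maxAge);
    }

    /// Collateral is valued at the LOWER of spot and TWAP: a flash-manipulated spot
    /// cannot inflate borrowing power, and a lagging TWAP cannot hide a crash.
    function collateralPrice(Observation memory o, uint256 maxAge) internal view returns (uint256) {
        _checkFresh(o, maxAge);
        return o.spot < o.twap ? o.spot : o.twap;
    }

    /// Debt is valued at the HIGHER of the two, for the symmetric reason.
    function debtPrice(Observation memory o, uint256 maxAge) internal view returns (uint256) {
        _checkFresh(o, maxAge);
        return o.spot > o.twap ? o.spot : o.twap;
    }

    /// Stepwise LTV decay. Tiers must be sorted ascending by minLiquidity; the highest
    /// tier whose floor is met applies, and below the lowest tier LTV is 0, so a thin
    /// market cannot be borrowed against at all.
    function maxLtvBps(LiquidityTier[] memory tiers, uint256 liquidity) internal pure returns (uint16 ltv) {
        for (uint256 i = 0; i < tiers.length; i++) {
            if (liquidity < tiers[i].minLiquidity) break;
            ltv = tiers[i].ltvBps;
        }
    }

    /// Borrowing power (quote units) of `collateralAmount` (1e18 scale) units of collateral,
    /// combining the conservative price with the liquidity-scaled LTV.
    function maxBorrowValue(
        Observation memory o,
        LiquidityTier[] memory tiers,
        uint256 collateralAmount,
        uint256 maxAge
    ) internal view returns (uint256) {
        uint256 price = collateralPrice(o, maxAge);
        uint256 ltv = maxLtvBps(tiers, o.liquidity);
        // collateralAmount * price / 1e18 = collateral value; * ltv / 1e4 = borrow limit
        return (collateralAmount * price / 1e18) * ltv / 10_000;
    }
}

/// Minimal consumer wiring the library to a constructed tier table.
contract OracleConsumerExample {
    ConservativePricing.LiquidityTier[] public tiers;
    uint256 public constant MAX_AGE = 30 minutes; // assumed staleness bound

    constructor() {
        // Constructed sample tiers: 100k liquidity -> 50% LTV, 1M -> 70%, 10M -> 80%.
        tiers.push(ConservativePricing.LiquidityTier(100_000e18, 5000));
        tiers.push(ConservativePricing.LiquidityTier(1_000_000e18, 7000));
        tiers.push(ConservativePricing.LiquidityTier(10_000_000e18, 8000));
    }

    /// Reverts with StalePrice if the observation is older than MAX_AGE.
    function borrowLimit(ConservativePricing.Observation calldata o, uint256 collateralAmount)
        external
        view
        returns (uint256)
    {
        return ConservativePricing.maxBorrowValue(o, tiers, collateralAmount, MAX_AGE);
    }
}
```

With the sample tiers, an observation of spot 2.1e18, TWAP 2.0e18 and liquidity 5e23 (500k) prices 10e18 units of collateral at 2.0e18 each (20e18 value) and applies the 50% tier, giving a 10e18 borrow limit; an observation with liquidity below 100k gives 0, and one older than 30 minutes reverts rather than returning a number a caller could mistake for a price.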
Access control
All privileged functions are gated by OpenZeppelin AccessManager, which authorizes calls per (target contract, function selector) pair. Roles include ADMIN, RISK_MANAGER, ORACLE_UPDATER, and LIQUIDATOR, each scoped to a specific set of function selectors, so holding a role grants only the functions explicitly assigned to it. Governance (Governor + Timelock) is planned as the long-term admin layer above RBAC.
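How selector-scoped roles look in practice with OpenZeppelin v5 AccessManager, as an added example. It is not Varla's VarlaAccessManager or any Varla contract: the `RiskParams` target, the role ids, the `Deploy` wiring contract and its constructor arguments are all assumptions; the OpenZeppelin calls (`setTargetFunctionRole`, `grantRole`, `labelRole`, `canCall`, `renounceRole`) are real v5 API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
import {AccessManaged} from "@openzeppelin/contracts/access/manager/AccessManaged.sol";

/// Added illustration, not Varla's code. A managed target with two privileged functions.
contract RiskParams is AccessManaged {
    uint16 public liquidationBonusBps;
    bool public paused;

    constructor(address manager) AccessManaged(manager) {}

    // `restricted` only asks the manager "may msg.sender call this selector on me?";
    // which role that is gets decided in the manager, per selector, not in this contract.
    function setLiquidationBonus(uint16 bps) external restricted { liquidationBonusBps = bps; }
    function pause() external restricted { paused = true; }
}

/// Wiring contract (assumed): deploys the manager with itself as initial admin,
/// binds selectors to roles, grants the roles, then hands admin to `finalAdmin`
/// (in the page's plan, a Timelock) and gives up its own admin rights.
contract Deploy {
    uint64 public constant RISK_MANAGER_ROLE = 1; // assumed ids; 0 is ADMIN_ROLE in OZ
    uint64 public constant GUARDIAN_ROLE = 2;

    AccessManager public immutable manager;
    RiskParams public immutable params;

    constructor(address riskOps, address guardian, address finalAdmin) {
        manager = new AccessManager(address(this));
        params = new RiskParams(address(manager));

        manager.labelRole(RISK_MANAGER_ROLE, "RISK_MANAGER");
        manager.labelRole(GUARDIAN_ROLE, "GUARDIAN");

        // RISK_MANAGER may only call setLiquidationBonus on this target.
        bytes4[] memory riskSel = new bytes4[](1);
        riskSel[0] = RiskParams.setLiquidationBonus.selector;
        manager.setTargetFunctionRole(address(params), riskSel, RISK_MANAGER_ROLE);

        // GUARDIAN may only call pause. Any selector not bound here stays admin-only.
        bytes4[] memory guardianSel = new bytes4[](1);
        guardianSel[0] = RiskParams.pause.selector;
        manager.setTargetFunctionRole(address(params), guardianSel, GUARDIAN_ROLE);

        // Grant with executionDelay 0: calls take effect immediately (no scheduling).
        manager.grantRole(RISK_MANAGER_ROLE, riskOps, 0);
        manager.grantRole(GUARDIAN_ROLE, guardian, 0);

        // Hand over admin and drop our own so no deploy key keeps a standing admin role.
        manager.grantRole(manager.ADMIN_ROLE(), finalAdmin, 0);
        manager.renounceRole(manager.ADMIN_ROLE(), address(this));
    }

    /// Read-only pre-flight check a bot or UI can run before sending a privileged tx:
    /// (true, 0) means `caller` is authorized now; (false, 0) means not at all.
    function canCall(address caller, bytes4 selector) external view returns (bool immediate, uint32 delay) {
        return manager.canCall(caller, address(params), selector);
    }
}
```

After deployment, `canCall(riskOps, RiskParams.pause.selector)` returns `(false, 0)` even though `riskOps` holds a role, because the `pause` selector is bound to a different role; that per-selector resolution is what keeps a RISK_MANAGER key from doubling as an emergency switch.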
Emergency procedures
The protocol includes VarlaProxyAdmin with a pause capability for proxy-deployed contracts. Pausing stops borrowing and liquidation but does not affect lender withdrawals. Manual position invalidation in VarlaOracle provides a per-position kill switch.
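The contract-level guarantees from "Smart contract design" and "Emergency procedures" above, combined in one added example: reentrancy guards on every external mutating function, share math that rounds against the caller, and a pause that halts borrowing and liquidation while leaving lender withdrawals untouched. This is not VarlaPool or VarlaProxyAdmin; the `MiniPool` contract, the assumed `IRiskModule` interface, the guardian address and the omission of interest accrual, collateral seizure and per-position invalidation are all simplifications of my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Assumed risk module deciding borrow limits and liquidatability. Not part of Varla.
interface IRiskModule {
    function maxDebt(address borrower) external view returns (uint256);
    function isLiquidatable(address borrower) external view returns (bool);
}

/// Added illustration, not Varla's code.
contract MiniPool is ReentrancyGuard, Pausable {
    using SafeERC20 for IERC20;
    using Math for uint256;

    IERC20 public immutable asset;
    IRiskModule public immutable risk;
    address public immutable guardian;

    uint256 public totalShares;
    uint256 public totalAssets; // cash + outstanding debt; interest accrual omitted for brevity
    mapping(address => uint256) public shares;
    mapping(address => uint256) public debt;

    error NotGuardian();
    error ExceedsMaxDebt();
    error NotLiquidatable();

    constructor(IERC20 asset_, IRiskModule risk_, address guardian_) {
        asset = asset_;
        risk = risk_;
        guardian = guardian_;
    }

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    // ---- Lender side: deliberately NOT whenNotPaused, so a pause cannot trap lender funds ----

    /// Shares minted round DOWN: the depositor never receives more shares than paid for.
    function deposit(uint256 assets) external nonReentrant returns (uint256 minted) {
        minted = totalShares == 0 ? assets : assets.mulDiv(totalShares, totalAssets, Math.Rounding.Floor);
        shares[msg.sender] += minted;
        totalShares += minted;
        totalAssets += assets;
        asset.safeTransferFrom(msg.sender, address(this), assets); // interaction last
    }

    /// Shares burned round UP: the withdrawer never takes out more than their share is worth.
    function withdraw(uint256 assets) external nonReentrant returns (uint256 burned) {
        burned = assets.mulDiv(totalShares, totalAssets, Math.Rounding.Ceil);
        shares[msg.sender] -= burned; // reverts on underflow, i.e. over-withdrawal
        totalShares -= burned;
        totalAssets -= assets;
        asset.safeTransfer(msg.sender, assets);
    }

    // ---- Borrower side: new risk is halted by a pause; repaying stays open ----

    function borrow(uint256 amount) external nonReentrant whenNotPaused {
        debt[msg.sender] += amount; // effects before the external call
        if (debt[msg.sender] > risk.maxDebt(msg.sender)) revert ExceedsMaxDebt();
        asset.safeTransfer(msg.sender, amount);
    }

    function repay(uint256 amount) external nonReentrant {
        debt[msg.sender] -= amount;
        asset.safeTransferFrom(msg.sender, address(this), amount);
    }

    /// Liquidator repays part of an unhealthy borrower's debt. Collateral seizure and the
    /// liquidation bonus are left to the risk module and omitted here.
    function liquidate(address borrower, uint256 amount) external nonReentrant whenNotPaused {
        if (!risk.isLiquidatable(borrower)) revert NotLiquidatable();
        debt[borrower] -= amount;
        asset.safeTransferFrom(msg.sender, address(this), amount);
    }

    // ---- Emergency switch: stops borrow() and liquidate(), never deposit()/withdraw() ----

    function pause() external onlyGuardian { _pause(); }
    function unpause() external onlyGuardian { _unpause(); }
}
```

Two things to check when reviewing a real pool against this shape: that `withdraw` carries no `whenNotPaused` (a pause that also freezes lenders turns an emergency brake into a hostage mechanism), and that the rounding direction flips between mint and burn; if both round the same way, repeated tiny deposits and withdrawals leak value out of the pool one wei at a time.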
Bug Bounty
ℹ Coming soon
A formal bug bounty program with tiered rewards is being finalized. In the meantime, please report any security issues directly.
How to Report
Email: security@varla.xyz
1. Describe the issue: include a clear description, steps to reproduce, and a potential impact assessment.
2. Do not exploit on mainnet: please do not exploit any vulnerabilities on mainnet or publicly disclose before we've had time to respond.
3. Give us time to respond: we aim for initial acknowledgment within 48 hours.
Scope (Preview)
| In Scope | Out of Scope |
|---|---|
| VarlaCore | Test/mock contracts |
| VarlaPool | Third-party dependencies |
| VarlaOracle | Frontend/UI issues |
| VarlaLiquidator | Already known issues |
| VarlaMergeLiquidator | Theoretical attacks without proof |
| VarlaConvertLiquidator | |
| VarlaInterestRateStrategy | |
| OracleUpdaterRouter | |
| VarlaAccessManager | |
| VarlaProxyAdmin | |
| Market adapters | |
Severity Levels (Preview)
| Severity | Description | Reward |
|---|---|---|
| Critical | Direct loss of user funds | TBD |
| High | Significant risk to funds or protocol operation | TBD |
| Medium | Limited risk; requires specific conditions | TBD |
| Low | Minor issues; no direct fund risk | TBD |