Security & Trust
Audits & security process
How we approach audits, monitoring, and incident response.
Audit status
We will publish:
- audit partners (when engaged)
- dates and scope
- links to reports (when available)
Scope
Aqua0's vaults, adapters, and Composer are built on audited OpenZeppelin primitives (ERC4626Upgradeable,
AccessControlUpgradeable, PausableUpgradeable, UUPSUpgradeable, UpgradeableBeacon) rather than
custom re-implementations of that plumbing. Audit effort is scoped to the thin Aqua0-specific layer
built on top of those primitives — the async (ERC-7540) request/claim path and its settlement guard,
the hybrid PnL harvest/reconciliation/clawback logic, adapter wiring, and the Composer's routing and
authorization — not a re-audit of the underlying OpenZeppelin code itself.
Security process (high-level)
- staged deployments and controlled rollouts
- monitoring and alerting
- fast incident response and clear communications
We avoid publishing operational details that would meaningfully increase attack surface.