> For the complete documentation index, see [llms.txt](https://docs.bitvault.finance/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bitvault.finance/security/audits.md).

# Audits

&#x20;

* C4 audit: <https://code4rena.com/reports/2025-04-bitvault>
* Chain Defenders Audit: <https://github.com/Chain-Defenders/portfolio><br>

## VaultCraft Audits

### Paladin <a href="#paladin" id="paladin"></a>

* [20240616\_Paladin\_VaultCraft\_Final\_Report.pdf](https://384295866-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDCUWGERi18R9emmxWwO2%2Fuploads%2FUTItaeo9bDLr48XB5CFT%2F20240616_Paladin_VaultCraft_Final_Report.pdf?alt=media\&token=6a048b88-4355-489e-aeec-dfff319072e1)

### gjaldon <a href="#gjaldon" id="gjaldon"></a>

* Multi-strategy audit: <https://gist.github.com/gjaldon/f3d1e2410f6e52370c8f19e72b98ea5c>&#x20;

### **Code4rena**

* [Contest details & results](https://code4rena.com/contests/2023-01-popcorn-contest)
* [The Ones in the Arena: PopcornDAO](https://medium.com/code4rena/the-ones-in-the-arena-popcorn-dao-af45db3793b8) (blog post byC4)
* [Github repo](https://github.com/code-423n4/2023-01-popcorn)

### **BlockSec**

* [blocksec\_popcorn\_v1.0-signed.pdf](https://384295866-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDCUWGERi18R9emmxWwO2%2Fuploads%2FgF4N9JVFD9kYVbxfqUOJ%2Fblocksec_popcorn_v1.0-signed.pdf?alt=media\&token=452a1fd8-84e6-4131-badc-4cfbe2d4584e)<a href="https://384295866-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDCUWGERi18R9emmxWwO2%2Fuploads%2FgF4N9JVFD9kYVbxfqUOJ%2Fblocksec_popcorn_v1.0-signed.pdf?alt=media&#x26;token=452a1fd8-84e6-4131-badc-4cfbe2d4584e" class="button secondary">Open</a>

### **Salus Security**

* [ML rapid detection smart contract coverage](https://docs.google.com/spreadsheets/d/199NqAJW0HqGwGO_l11GWZqYGRlfsCmbRW6mJr3lq36M/edit?usp=sharing)

### **0xRuhum - C4 white hat audit**

* [Popcorn Audit](https://gist.github.com/0xruhum/4252cee7e84da6bb5b0a19ed00b5e34e)

### **Zokyo**

* [Smart Contract Audit](https://938792658-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDCUWGERi18R9emmxWwO2%2Fuploads%2FmBWIydyZzVeNBuK3u5an%2FZokyo%20Audit.pdf?alt=media\&token=2b1014dc-cf57-4130-a0ad-1b3721419ebe)

**G0 Group**

* [Security Review](https://938792658-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDCUWGERi18R9emmxWwO2%2Fuploads%2F0NB6k44GVu1IW2B2mOcG%2FPopcornMay2022.pdf?alt=media\&token=4e851e48-0df7-4e3c-b165-8217838ca043)

## Liquity V2 Audits

* [ChainSecurity - Core Protocol Audit Report](https://www.chainsecurity.com/security-audit/liquity-bold-smart-contracts), December 2024
* [Dedaub - Core Protocol Audit Report I](https://dedaub.com/audits/liquity/liquity-v2-aug-28-2024/), August 2024
* [Dedaub - Core Protocol Audit Report II](https://dedaub.com/audits/liquity/liquity-v2-second-audit-nov-11-2024/), November 2024
* [Certora - Formal Verification](https://certora.cdn.prismic.io/certora/Z1tLJJbqstJ98b8J_LiquityVerificationReport.pdf), December 2024
* [Coinspect - Bold Core Smart Contract Audit](https://www.coinspect.com/doc/Coinspect%20-%20Smart%20Contract%20Audit%20-%20Liquity%20-%20Bold%20-%20v241231.pdf), December 2024
* [Coinspect - Bold Governance Audit](https://www.coinspect.com/doc/Coinspect%20-%20Smart%20Contract%20Audit%20-%20Liquity%20-%20Bold%20Governance%20-%20v250120.pdf), January 2025
* [ChainSecurity -Governance Smart Contract Audit](https://www.chainsecurity.com/security-audit/liquity-v2-governance), January 2025
* [Dedaub - Governance Audit 1](https://dedaub.com/audits/liquity/liquity-v2-governance-1st-audit-aug-12-2024/), August 2024
* [Dedaub - Governance Audit 2](https://dedaub.com/audits/liquity/liquity-v2-governance-2nd-audit-nov-11-2024/), November 2024
* [Dedaub - Governance Audit 3](https://dedaub.com/audits/liquity/liquity-v2-governance-3rd-audit-dec-22-2024/), January 2025
* [Recon - Liquity Security Review](https://github.com/GalloDaSballo/bold-review), October 2024

### Liquity V2 Updates as of May 19, 2025

**Pull Request** [**889**](https://github.com/liquity/bold/pull/889): this fix removes the collateral compensation parameter in order to reduce the incentive that an attacker might have to trigger liquidation via redistributions of collateral instead of via the stability pool.

In BitVault's setup, opening a trove and borrowing bvUSD will be subject to whitelisting, and allowed parties will have to keep high Collateralization Ratio (> 150%), thus reducing the probability of liquidation events at all.

Furthermore, whitelisting is applied to liquidations as well, so we really don’t see this as an attack surface given liquidations will be carried out by known partners that don’t intend to manipulate the system for profit.&#x20;

**Pull Request** [**890**](https://github.com/liquity/bold/pull/890/files#diff-5adf4c8e77b6c6b3386cc4f4ea10b2fa143de797b6dbb75316c5cabdef910328) **&** [**893**](https://github.com/liquity/bold/pull/893)**: access control for addManager/removeManagers.**&#x20;

This fix introduces a shortcut on how managers (entities that can perform operations on behalf of a trove owner), are set. Specifically, a removeManager (an entity that can withdraw collateral/debt from the position) is now automatically assumed to be addManager (an entity that can add collateral/repay debt) as well.

This is purely a QOL update, before that, you would need to explicitly set both add and remove managers, with no different behavior.&#x20;

**Pull Request** [**891**](https://github.com/liquity/bold/pull/891) - this fix allows that all troves in a branch can be closed. Before that wasn’t possible as at least 1 trove was supposed to stay always open in a branch.

This isn’t really an issue as it can be easily mitigated by having one position with minimal debt/collateral open to allow bigger branches to get closed.&#x20;

**Pull Request** [**895**](https://github.com/liquity/bold/pull/895) - this fix add msg.sender to owner and ownerIndex params in the hashing function to determine the position troveId

As Liquity stated, this is purely informational and not a bug, as a check for colliding troveId when opening a trove existed already, so there is no risk of overwriting open positions.
