Smart Contract Security
Have the smart contracts been audited?
Yes. All Tori smart contracts are audited by Sherlock, a leading smart contract security platform protecting over $50 billion in assets across Web3.
View Audit Reports: Read our complete audit reports and findings
Is there a bug bounty program?
Yes. We maintain an active bug bounty program through Sherlock. Security researchers can earn rewards for responsibly disclosing vulnerabilities.
| Severity | Reward Range |
|---|---|
| Critical | Up to $100,000+ |
| High | $50,000 |
| Medium | $10,000 |
| Low | Up to $1,000 |
How often are contracts audited?
| Event | Action |
|---|---|
| Initial deployment | Full comprehensive audit |
| Major updates | Re-audit of changed components |
| New features | Audit before deployment |
| Ongoing | Continuous bug bounty coverage |
Are the contracts upgradeable?
Yes. Contracts use upgradeable proxy patterns to allow security fixes and improvements. Safeguards in place:
- Multi-signature approval required for upgrades
- Time locks on sensitive changes
- Transparent upgrade process
Asset Security
Where are funds held?
On-Chain Assets
Audited smart contracts with multi-signature controls and time locks
Off-Chain Assets
Qualified institutional custodians with segregated accounts
Are funds insured?
No. Deposits are not insured by:
- Any government agency (like FDIC)
- Private insurance companies
Who are the custodians?
We work exclusively with qualified institutional custodians that meet our rigorous due diligence standards:
| Requirement | What We Look For |
|---|---|
| Regulation | Licensed and regulated entities |
| Track Record | Proven history in digital asset custody |
| Security | SOC 2 compliance and industry-leading security |
| Segregation | Full segregation of client assets |
Can the team access user funds?
The protocol is designed with strict access controls:
| Control | Implementation |
|---|---|
| Multi-signature | Critical operations require multiple approvals |
| Time locks | Delays on sensitive parameter changes |
| Role separation | Limited access based on function |
Verification & Transparency
How can I verify reserves?
Three ways to verify:
1. Proof of Reserves: Check real-time attestations from Accountable (independent, third-party verification)
2. On-Chain Data: Verify smart contract balances directly on Etherscan
3. Token Supply: Compare total trUSD supply against backing
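The "Token Supply" check above, as an added example that is not Tori's own code: it decodes the raw `eth_call` results you would get from `totalSupply()` on trUSD and `balanceOf(vault)` on each reserve token, normalises each token's own decimals, and computes the backing ratio. The decimals, balances and the helper names are constructed placeholders; no contract addresses are assumed.

```python
from dataclasses import dataclass
from decimal import Decimal

def encode_uint256(value: int) -> str:
    """Build a 32-byte ABI word as eth_call would return it (used here only to construct sample data)."""
    if not 0 <= value < 2**256:
        raise ValueError("value out of uint256 range")
    return "0x" + format(value, "064x")

def decode_uint256(word: str) -> int:
    """Decode one ABI-encoded uint256 return value.
    Reject anything that is not exactly one 32-byte word, so a truncated or empty RPC
    response (e.g. calling a wrong or non-contract address) cannot silently decode as 0."""
    body = word[2:] if word.startswith("0x") else word
    if len(body) != 64:
        raise ValueError(f"expected 64 hex chars, got {len(body)}")
    return int(body, 16)

def to_units(raw: int, decimals: int) -> Decimal:
    """Convert a raw integer token amount to whole-token units with Decimal (no float rounding)."""
    return Decimal(raw) / (Decimal(10) ** decimals)

@dataclass(frozen=True)
class ReserveBalance:
    symbol: str
    decimals: int      # must be the reserve token's own decimals (USDC is 6, DAI is 18)
    balance_word: str  # raw eth_call result of balanceOf(reserve vault)

def backing_ratio(supply_word: str, supply_decimals: int, reserves: list[ReserveBalance]) -> Decimal:
    """Total backing divided by total stablecoin supply; 1 means exactly fully backed."""
    supply = to_units(decode_uint256(supply_word), supply_decimals)
    if supply == 0:
        raise ValueError("total supply is zero; ratio undefined")
    backing = sum((to_units(decode_uint256(r.balance_word), r.decimals) for r in reserves), Decimal(0))
    return backing / supply

def is_fully_backed(supply_word: str, supply_decimals: int, reserves: list[ReserveBalance],
                    minimum: Decimal = Decimal(1)) -> bool:
    return backing_ratio(supply_word, supply_decimals, reserves) >= minimum

# Constructed sample data (placeholders, not real Tori figures):
# 1,000,000 trUSD in circulation (18 decimals) against 600,000 USDC and 450,000 DAI.
SAMPLE_SUPPLY = encode_uint256(1_000_000 * 10**18)
SAMPLE_RESERVES = [
    ReserveBalance("USDC", 6, encode_uint256(600_000 * 10**6)),
    ReserveBalance("DAI", 18, encode_uint256(450_000 * 10**18)),
]

if __name__ == "__main__":
    ratio = backing_ratio(SAMPLE_SUPPLY, 18, SAMPLE_RESERVES)
    print(f"backing ratio: {ratio}  fully backed: {ratio >= 1}")
```

Getting a reserve token's decimals wrong is the classic mistake in this check: treating USDC as an 18-decimal token makes its balance vanish and the ratio collapse, which the last assertion in the example's test exercises.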
How often are reserves verified?
Real-time. Proof of Reserves from Accountable updates continuously - not monthly or quarterly like traditional finance.
Where can I see the Proof of Reserves?
| Source | What You’ll Find |
|---|---|
| Tori app | Dashboard showing live backing data |
| Accountable | Independent attestation platform |
| Etherscan | On-chain contract balances |
Monitoring & Incident Response
How is the protocol monitored?
Hypernative provides AI-powered 24/7 threat detection:
| Capability | Description |
|---|---|
| Continuous surveillance | Automated monitoring of all protocol activity |
| Anomaly detection | AI identifies unusual patterns in real-time |
| Instant alerting | Immediate notification on suspicious activity |
| Risk scoring | Ongoing assessment of protocol risk levels |
What happens during a security incident?
Our incident response process:
1. Detection: Automated monitoring identifies the issue immediately
2. Assessment: Rapid triage to understand severity and potential impact
3. Containment: Immediate steps to limit damage (may include pausing operations)
4. Communication: Transparent updates through official channels
5. Remediation: Fix the underlying issue
6. Post-Mortem: Analysis and implementation of preventive measures
Can the protocol be paused?
Yes. Emergency pause capabilities exist for critical situations. This is a protective measure to prevent further damage during security incidents.
Protecting Yourself
How can I stay safe?
Verify URLs
Only use app.tori.finance. Bookmark it to avoid phishing sites.
Verify Contracts
Check addresses on our Contracts page before interacting.
Secure Your Wallet
Never share private keys or seed phrases with anyone. Ever.
Stay Cautious
Be skeptical of DMs, airdrops, and “support” messages.
What are common scams to watch for?
| Scam Type | Red Flags |
|---|---|
| Phishing sites | Wrong URL, requests for seed phrase |
| Fake support | DMs on social media claiming to be Tori |
| Airdrop scams | “Free tokens” requiring wallet connection |
| Impersonation | Accounts pretending to be Tori team members |
What will Tori team NEVER do?
The Tori team will NEVER:
- ❌ Ask for your seed phrase or private keys
- ❌ DM you first on social media
- ❌ Ask you to send tokens to “verify” your wallet
- ❌ Offer exclusive deals via DM
- ❌ Ask you to download software outside the official app
What security features should I use?
| Recommendation | Why |
|---|---|
| Hardware wallet | Best security for larger amounts |
| Transaction simulation | Preview what will happen before signing |
| Address whitelisting | Prevent accidental sends to wrong addresses |
| MFA on exchanges | If you’re bridging from centralized exchanges |
Reporting Issues
How do I report a security vulnerability?
Email: security@tori.finance
Please include:
- Clear description of the vulnerability
- Steps to reproduce
- Proof of concept (if applicable)
- Potential impact assessment
Responsible disclosure: Please don’t publicly disclose vulnerabilities before they’ve been addressed. We commit to acknowledging reports within 24 hours.
How do I report a scam or phishing attempt?
Email security@tori.finance with:
- Screenshots of the scam
- URLs involved
- Any other relevant details
I think my wallet was compromised
If you suspect unauthorized activity:
- Stop - Don’t make any more transactions
- Move funds - Transfer remaining funds to a new, secure wallet
- Report - Contact support@tori.finance
- Document - Save transaction hashes and screenshots
Security Approach
How does Tori approach security?
Security is multi-layered. We don’t rely on any single protection:
| Layer | How It Helps |
|---|---|
| Audits | Professional review identifies issues before deployment |
| Bug bounty | Ongoing incentive for researchers to find issues |
| 24/7 monitoring | Real-time detection of anomalies and threats |
| Multi-sig | Critical operations require multiple approvals |
| Reserve fund | Buffer against adverse conditions |
What are the limitations?
No system can guarantee perfect security. We’re transparent about this:
- Audits are point-in-time assessments
- New attack vectors can emerge
- DeFi is experimental by nature