Our Approach
Security is foundational to Tori Finance. We employ a defense-in-depth strategy with multiple layers of protection, partnering with industry-leading security providers to safeguard user assets.
Our security philosophy: trust but verify. Every critical component is independently audited, monitored, and attested.
Security Partners
We work exclusively with established, reputable security providers:
Sherlock - Smart Contract Audits: Comprehensive audits with ongoing bug bounty coverage
Hypernative - Real-Time Monitoring: AI-powered 24/7 threat detection and prevention
Accountable - Proof of Reserves: Independent, real-time reserve attestations
Smart Contract Security
Audits by Sherlock
All Tori smart contracts are audited by Sherlock, a leading smart contract security platform protecting over $50 billion in assets across Web3.
What’s Audited | Description
Core Protocol | Main protocol contracts and logic
Staking Contracts | strUSD staking and unstaking
Access Control | Administrative functions and permissions
Integrations | Third-party integrations and bridges
Bug Bounty Program
We maintain an active bug bounty program through Sherlock to incentivize responsible disclosure of potential vulnerabilities.
How it works:
Security researchers can report vulnerabilities for rewards
Severity-based payouts for valid findings
Responsible disclosure process
Quick response to reported issues
Real-Time Monitoring
Hypernative Protection
Hypernative provides AI-powered threat detection with comprehensive monitoring:
Capability | Description
24/7 Surveillance | Continuous automated monitoring of all protocol activity
Anomaly Detection | AI identifies unusual patterns that may indicate threats
Instant Alerting | Immediate notifications on suspicious activity
Proactive Prevention | Automated response to detected threats
Risk Scoring | Continuous assessment of protocol risk levels
What We Monitor
Smart contract interactions
Large or unusual transactions
Governance activities
Known attacker addresses
Protocol parameter changes
External dependencies
Proof of Reserves
Accountable Attestations
Accountable provides real-time, independent attestations on reserves and financials. This transparency enables anyone to verify the backing of trUSD at any time.
What’s attested:
Total assets under management
Asset composition
Liability coverage ratio
Reserve fund status
Custody verification
Why This Matters
Unlike traditional finance where you trust institutions with your assets, Tori’s Proof of Reserves allows cryptographic verification:
Independent - Third-party attestation, not self-reported
Real-time - Continuous verification, not periodic
Verifiable - Anyone can check at any time
Transparent - Full visibility into backing
Asset Security & Custody
All assets are held in institutional-grade secure custody:
On-Chain Assets
Security Layer | Implementation
Audited Contracts | All contracts audited by Sherlock
Multi-Signature | Critical operations require multiple approvals
Time Locks | Delays on sensitive parameter changes
Access Control | Role-based permissions for all functions
Off-Chain Assets
Security Layer | Implementation
Institutional Custodians | Qualified custodians with insurance
Segregated Accounts | User funds separate from operations
Counterparty Standards | Rigorous due diligence on all partners
Geographic Diversification | Reduce single-point-of-failure risk
User funds are never commingled with operational funds. All assets are held in segregated accounts with qualified custodians.
Operational Security
Our team follows strict operational security practices:
Access Control
Practice | Description
Multi-Factor Authentication | Required for all team access
Hardware Security Modules | For key management and signing
Principle of Least Privilege | Minimal access for each role
Regular Access Reviews | Periodic audits of access rights
Incident Response
Phase | Actions
Detection | Automated monitoring and alerting
Assessment | Rapid triage and severity classification
Containment | Immediate steps to limit impact
Remediation | Fix underlying issues
Communication | Transparent updates to users
Post-Mortem | Analysis and preventive measures
Responsible Disclosure
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly:
Email: security@tori.finance
Please do NOT:
Publicly disclose vulnerabilities before they’ve been addressed
Exploit vulnerabilities beyond what’s needed to demonstrate the issue
Access or modify other users’ data
What to Include
When reporting:
Detailed description of the vulnerability
Steps to reproduce
Potential impact assessment
Suggested fix (if any)
Our Commitment
Acknowledge receipt within 24 hours
Provide updates on remediation progress
Credit reporters (if desired) after fixes are deployed
No legal action against good-faith researchers
Continuous Improvement
Security is an ongoing process, not a destination. Our approach:
Practice | Description
Ongoing Audits | Regular reviews as the protocol evolves
Bug Bounty | Incentivize white-hat discovery of issues
24/7 Monitoring | Real-time threat detection and response
Industry Best Practices | Stay current with security developments
While we employ extensive security measures, no system can guarantee perfect security. Audits are point-in-time assessments, and new challenges can emerge. This is why we use multiple layers of protection. See Risk Disclosures for more information.