Audit Strategy

Tharwa’s audit strategy is built around continuous validation, not just pre-launch sign-offs. With real capital flowing into real-world assets, the margin for error is low and the protocol is designed to meet that standard from day one.

This page outlines how Tharwa approaches smart contract audits, what’s been done, what’s in progress, and how formal verification and battle-testing are incorporated into the development lifecycle.

Multi-Stage Audit Process

Tharwa splits audits into three distinct phases:

1. Pre-Deployment Audits

Before any core contracts (thUSD, vaults, staking) are deployed, they are reviewed by one or more top-tier audit firms. This includes:

  • Codebase review for logic flaws, edge cases, and best practices

  • Gas optimization and DoS vulnerability checks

  • Permission controls and role validation

  • Upgradeable proxy pattern validation (where applicable)

✅ Stage 0 contracts have already been audited by Prism Security

2. Live Protocol Monitoring

Post-deployment, critical contracts are integrated with:

  • Automated alerting tools for gas spikes, abnormal transaction behavior, or unusual function calls

  • Continuous fuzzing and simulation of edge cases (e.g., early vault exits, peg arbitrage cycles)

3. Re-Audits and Post-Merge Reviews

Any upgrade, new vault class, or integrated module (e.g., LayerZero bridge wrapper, new yield source adapter) goes through a dedicated audit cycle before deployment.

Formal Verification

Select modules, especially those managing collateral accounting, yield distribution, and redemption logic, undergo formal verification.

Formal verification mathematically proves that a module's logic behaves as intended under all input conditions. Although time- and resource-intensive, formal methods are applied to:

  • thUSD mint/redeem logic

  • sthUSD yield accrual calculations

  • Vault maturity and redemption flows

  • Oracle input validation and response timing

Who We Work With

Tharwa partners with audit providers based on module complexity and specialization. These may include:

  • Prism Security

  • Sherlock

  • Cantina

All audit reports are published publicly when available.

Timeline & Scope

| Contract Module | Status | Notes |
|---|---|---|
| Stage 0 Core Contracts | ✅ Audited by PrismSec | |
| thUSD Core Logic | ✅ Audited by PrismSec | |
| sthUSD Vault | Audit in progress | Yield distribution + vesting |
| Risk-On Vaults | Pending | Scheduled before Phase 2 launch |
| OTC Marketplace | Pending | Includes custom matching + fee logic |
| Confluence Engine Interface | Audit in progress | Focused on signal parsing + weight limits |
| Governance Contracts | Scheduled | TRWA, sTRWA, proposal thresholds |

Public Security Dashboard (Coming Soon)

All audit statuses, GitHub commit hashes, and remediation timelines will be available through Tharwa’s upcoming security dashboard.

This allows DAO voters, integrators, and institutions to verify audit progress in real time.
