# Audit Strategy

Tharwa’s audit strategy is built around continuous validation, not just pre-launch sign-offs. With real capital flowing into real-world assets, the margin for error is low and the protocol is designed to meet that standard from day one.

This page outlines how Tharwa approaches smart contract audits, what’s been done, what’s in progress, and how formal verification and battle-testing are incorporated into the development lifecycle.

### Multi-Stage Audit Process

Tharwa splits audits into three distinct phases:

#### 1. **Pre-Deployment Audits** - **Completed**

All core contracts have been audited by **PrismSec** before mainnet deployment:

{% tabs %}
{% tab title="sthUSD Audit" %}
**Audit Results Summary:**

**Audit Report**: [PrismSec sthUSD Analysis](https://github.com/tharwa-finance/contracts-v0/blob/main/audits/prismsec_tharwa_sthUSD_audit.pdf)
{% endtab %}

{% tab title="thBonds Audit" %}
**Audit Results Summary:**

**Contract**: `0xAc02FF90bC709A134cD4Ad0b50BaB8be9e0f504e`

**Audit Report**: [PrismSec Bonds Analysis](https://github.com/tharwa-finance/contracts-v0/blob/main/audits/prismsec_tharwa_bonds_audit.pdf)
{% endtab %}
{% endtabs %}

{% hint style="info" %}
Stage 0 contracts have already been audited by [Prism Security](https://github.com/tharwa-finance/contracts-v0/blob/main/audits/prismsec_tharwa_review.pdf).
{% endhint %}

#### 2. **Live Protocol Monitoring**

Post-deployment, critical contracts are integrated with:

* **Automated alerting tools** for gas spikes, abnormal tx behavior, or unusual function calls
* **Continuous fuzzing and simulation** of edge cases (e.g., early vault exits, peg arbitrage cycles)

#### 3. **Re-Audits and Post-Merge Reviews**

Any upgrade, new vault class, or integrated module (e.g., LayerZero bridge wrapper, new yield source adapter) goes through a dedicated audit cycle before deployment.

### Formal Verification

Select modules, especially those managing collateral accounting, yield distribution, and redemption logic, undergo formal verification.

Formal verification mathematically proves that the logic behaves as intended under all input conditions. While time- and resource-intensive, formal methods are applied to:

* thUSD mint/redeem logic
* sthUSD yield accrual calculations
* Vault maturity and redemption flows
* Oracle input validation and response timing

### Who We Work With

Tharwa partners with audit providers based on module complexity and specialization. These may include:

* Prism Security
* Sherlock
* Cantina

All audit reports are made public when available.

### Timeline & Scope

| Contract Module             | Status              | Notes                                                                                                      |
| --------------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------- |
| **Stage 0 Core Contracts**  | Audited by PrismSec | [Audit report](https://github.com/tharwa-finance/contracts-v0/blob/main/audits/prismsec_tharwa_review.pdf) |
| thUSD Core Logic            | Audited by PrismSec | [Audit report](https://github.com/tharwa-finance/contracts-v0/blob/main/audits/prismsec_tharwa_review.pdf) |
| sthUSD Vault                | Audit in progress   | Yield distribution + vesting                                                                               |
| Risk-On Vaults              | Pending             | Scheduled before Phase 2 launch                                                                            |
| OTC Marketplace             | Pending             | Includes custom matching + fee logic                                                                       |
| Confluence Engine Interface | Audit in progress   | Focused on signal parsing + weight limits                                                                  |
| Governance Contracts        | Scheduled           | TRWA, sTRWA, proposal thresholds                                                                           |

### Public Security Dashboard (Coming Soon)

All audit statuses, GitHub commit hashes, and remediation timelines will be available through Tharwa’s upcoming security dashboard.

This allows DAO voters, integrators, and institutions to verify audit progress in real time.

