Security
Centrifuge has a best-in-class security process, with highlights including:
- 24 security reviews to date for the Centrifuge protocol.
- Launched on mainnet in 2019, 0 exploits.
- Extensive invariant test suite.
The protocol codebase is fully immutable, and any emergency functions are locked behind a 48-hour timelock.

Security reviews
Protocol
| Auditor | Scope | Date | Engagement | Report |
|---|---|---|---|---|
| yAudit | V3.1 | Jan 2026 | Security review | Report |
| Sherlock, Blackthorn | V3.1 | Nov-Dec 2025 | Audit competition | Report |
| xmxanuel | V3.1 | Dec 2025 | Security review | Report |
| yAudit | V3.1 | Oct 2025 | Security review | Report |
| BurraSec | V3.1 | Oct 2025 | Security review | Report |
| BurraSec | V3.1 | Sep 2025 | Security review | Report |
| BurraSec | LayerZero adapter | Aug 2025 | Security review | Report |
| Spearbit | V3.0 | July 2025 | Security review | Report |
| xmxanuel | V3.0 | May-July 2025 | Security review | Report |
| Macro | Merkle Proof Manager | June 2025 | Security review | Report |
| yAudit | Spoke/Vaults | June 2025 | Security review | Report |
| Spearbit | V3.0 | May 2025 | Security review | Report |
| BurraSec | Gateway | May 2025 | Security review | Report |
| Alex the Entreprenerd | V3.0 | Apr 2025 | Review + invariant testing | Report |
| BurraSec | Gateway | Apr 2025 | Security review | Part 1 Part 2 |
| xmxanuel | V3.0 | Mar 2025 | Security review | Report |
| Spearbit | V2.1 | Feb 2025 | Security review | Report |
| Recon | V2.0 | Jan 2025 | Invariant testing | Report |
| Spearbit | V2.0 | July 2024 | Security review | Report |
| Spearbit | Morpho integration | June 2024 | Security review | Report |
| Alex the Entreprenerd | V2.0 | Mar - Apr 2024 | Review + invariant testing | Part 1 Part 2 |
| Spearbit | V1.0 | Oct 2023 | Security review | Report |
| Code4rena | V1.0 | Sep 2023 | Audit competition | Report |
| SRLabs | V1.0 | Sep 2023 | Security review | Report |
Operational security
The core team contributing to Centrifuge has completed an operational security review with OPSEK.
Bug bounty
Centrifuge runs an active bug bounty program with a $250,000 maximum reward, available on Cantina.
Guardian
The protocol is controlled by the Root contract, which has access to all other contracts. The Root contract enforces a 48-hour delay for any upgrades and configuration changes.
Each deployment has a Guardian role, which is authorized on the Root contract. The Guardian can pause in emergencies, schedule upgrades, and set up adapters to new networks.
| Network | Guardian |
|---|---|
| Ethereum Mainnet | 0xD9D30ab47c0f096b0AA67e9B8B1624504a63e7FD |
| Base | 0x8b83962fB9dB346a20c95D98d4E312f17f4C0d9b |
| Arbitrum | 0xa36caE0ACd40C6BbA61014282f6AE51c7807A433 |
| Plume | 0x2d442069f78561F817d92c94924D5EaddA9C5767 |
| Avalanche | 0xb6642fEd2221e177dD29581BB6d1959Bd1c54185 |
| BNB Smart Chain | 0x57066D897cB9cDef21b9Ecd7CecdD1d39b6eE445 |