Every line of code. Reviewed.
Four independent smart-contract audits. A $250K bug bounty. And the application, infrastructure, and operational controls that your compliance team will ask about after the smart contracts.
Program at a glance
The shape of the program in one view; the full detail follows below.
| Metric | Value | Note |
|---|---|---|
| Smart contract audits | 4 firms | Sherlock · Halborn · Cantina · Cyfrin |
| Bug bounty max | $250K | Flo-operated · critical tier |
| SOC 2 Type II | In progress | Year-1 observation window under way |
| Incident RTO | 4 hours | Issuance pipeline |
Audit Program
Quadruple audit. Every smart contract is independently audited by four of the most respected security firms in the industry: Sherlock, Halborn, Cantina, and Cyfrin. We do not consider a single audit sufficient for an issuance contract. Reports will be published before public launch and refreshed on every on-chain change.
| Contract | Chain | Auditor |
|---|---|---|
| Mint controller | All live chains | Sherlock · Halborn · Cantina · Cyfrin |
| Redeem + order contracts | All live chains | Sherlock · Halborn · Cantina · Cyfrin |
| Flo Token (ERC-20) | All live chains | Sherlock · Halborn · Cantina · Cyfrin |
| Supply / Withdraw vault | All live chains | Sherlock · Halborn · Cantina · Cyfrin |
| Borrow vault + liquidation engine | All live chains | Sherlock · Halborn · Cantina · Cyfrin |
| CCIP bridge adapter | Cross-chain (Base ↔ Arbitrum ↔ Ethereum) | Sherlock · Halborn · Cantina · Cyfrin |
Bug Bounty
Flo-operated. We run an active bug bounty program in-house, with direct researcher relationships and rapid triage. Submissions go to our security team and are reviewed within hours, not days.
Bounty Tiers
| Tier | Response SLA | Max payout |
|---|---|---|
| Critical | 24 hours | Up to $250,000 |
| High | 72 hours | Up to $50,000 |
| Medium | 7 days | Up to $10,000 |
| Low | 14 days | Up to $1,000 |
Max bounty: $250,000 for critical smart contract vulnerabilities
In Scope
- ✓ All smart contracts on Ethereum, Base, and Arbitrum
- ✓ Cross-chain bridge and messaging contracts
- ✓ Oracle and price feed integrations
- ✓ Governance and timelock contracts
- ✓ Mint / redeem REST API and its authentication surface
Out of Scope
- ✗ Known issues already documented in audit reports
- ✗ UI/UX bugs and frontend-only issues with no security impact
- ✗ Theoretical attacks requiring $1B+ in capital
- ✗ Issues in third-party dependencies (report upstream)
How to Report
Submit vulnerabilities directly to security@flo.finance with a detailed description, reproduction steps, and potential impact assessment. We use PGP-encrypted email for sensitive disclosures and respond within hours.
On-chain Security Practices
Defense in depth at the contract layer: multiple independent controls, so that no single point of failure can compromise the protocol.
72-Hour Timelock
All parameter changes to smart contracts are subject to a mandatory 72-hour timelock. This gives the community and security council time to review and, if necessary, veto any governance action before it takes effect.
Multi-Sig Governance
Pause is single-signer: any security council member can trigger an emergency pause on smart contracts (sub-second execution). Unpause requires a 5-of-9 quorum on the same Gnosis Safe that owns smart-contract upgrades and admin rights — one multi-sig, two thresholds. Vault-manager actions go through a separate 3-of-5 MPC quorum. Signers are geographically distributed across three jurisdictions, and no single entity controls more than one key. Key rotation occurs quarterly.
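The asymmetric threshold described above, as an added illustration rather than Flo's own contract: any address in the council set can pause, while unpause is gated to the governance Safe, whose own 5-of-9 signing threshold is enforced by the Safe before the call reaches this contract. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (not Flo's code). Pause is single-signer and fast;
/// unpause is owner-only, where the owner is the governance Gnosis Safe.
/// The Safe enforces its 5-of-9 quorum, so this contract never needs to count
/// signatures itself: one multi-sig, two thresholds.
contract AsymmetricPause {
    address public immutable safe;             // governance Safe (5-of-9 lives there)
    mapping(address => bool) public isCouncil; // security council (pause only)
    bool public paused;

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event CouncilUpdated(address indexed member, bool enabled);

    error NotCouncil();
    error NotSafe();
    error IsPaused();

    constructor(address safe_, address[] memory council) {
        safe = safe_;
        for (uint256 i = 0; i < council.length; i++) {
            isCouncil[council[i]] = true;
        }
    }

    /// Fail-closed: a single council signature is enough to halt the protocol.
    function pause() external {
        if (!isCouncil[msg.sender]) revert NotCouncil();
        paused = true;
        emit Paused(msg.sender);
    }

    /// Deliberate recovery: only the Safe may call, so a quorum is implied.
    function unpause() external {
        if (msg.sender != safe) revert NotSafe();
        paused = false;
        emit Unpaused(msg.sender);
    }

    /// Council rotation is itself a governance action and goes through the Safe.
    function setCouncil(address member, bool enabled) external {
        if (msg.sender != safe) revert NotSafe();
        isCouncil[member] = enabled;
        emit CouncilUpdated(member, enabled);
    }

    /// Guard for state-changing protocol entry points such as mint or redeem.
    modifier whenNotPaused() {
        if (paused) revert IsPaused();
        _;
    }
}
```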
Incident Response
A documented incident response plan is maintained and tested quarterly. Any member of the independent security council can trigger an emergency pause on all contracts within seconds; unpause requires a 5-of-9 quorum on the same Gnosis Safe that owns smart-contract upgrades. Post-incident reports are published within 72 hours of resolution.
On-chain Custody
ForDefi MPC. Any on-chain asset held operationally (gas wallets, bridge liquidity, treasury operations) is custodied via ForDefi MPC. No hot-wallet private key exists in full form, ever.
MPC Custody Solution
Threshold signatures with hardware-secured shards. No single device can sign alone.
SOC 2 · ISO 27001
ForDefi is SOC 2 Type II and ISO 27001 certified. Independent attestation of custody controls.
Policy engine
Allowlists, co-signing thresholds, and mandatory time delays on high-value operations.
Device diversity
Key shards held across different hardware and jurisdictional custody paths to resist single-vendor failure.
Audit trail
Every signing operation logged with approver identity and policy evaluation. Immutable retention.
Revocation
Individual shard holders can be revoked and rotated without downtime, preserving signing capability.
Application & Infrastructure
SOC 2 in progress. The controls behind the smart contracts: the part of the program a prospect's CISO will ask about after their engineers have finished reviewing the contract audits.
SSO + hardware MFA
All production access gated by SSO with WebAuthn-only MFA. No password-based access. No TOTP. Hardware keys or nothing.
Scoped IAM
Least-privilege IAM roles per service. No long-lived access keys. Break-glass credentials held in a separate custody path with audit logging.
Change management
Every production change via pull request. Two-reviewer approval required; at least one must be a different function from the author. CI/CD with signed releases and artifact provenance.
Secrets management
AWS Secrets Manager and Vault. Zero secrets in code, environment files, or developer machines. Rotation enforced on schedule and on personnel departure.
Dependency hygiene
SCA scanning on every PR. Renovate for routine updates. CVE triage SLA: critical within 24h, high within 7d, medium within 30d.
SAST / DAST
Static analysis gates on every PR. Dynamic scans against staging environments on a nightly cadence. Findings triaged into the security backlog with assigned severity.
Network segmentation
Production workloads in isolated VPCs. Inter-service traffic mTLS-authenticated. Ingress limited to a hardened edge layer with WAF and rate limits.
Data at rest & in transit
All storage encrypted with KMS-managed keys. All network traffic TLS 1.3. Application-layer field encryption for sensitive attributes.
Logging & SIEM
Centralised log aggregation with immutable retention. Security alerting pipeline independent from application alerting. 24/7 on-call.
Penetration Testing
Scheduled. Independent third-party pen tests on the application, partner dashboard, and infrastructure run on an annual cadence and after any material architectural change. Executive summaries are shareable under NDA.
Incident Response
24/7 on-call. The six phases below; every one is documented, drilled, and measured.
Detection
Multi-source alerting: application SLOs, SIEM correlation, on-chain monitoring, and partner reports. Mean time to detect: < 5 minutes for critical categories.
Triage
On-call lead classifies severity within 15 minutes. Sev1/Sev2 pages the full incident commander rotation plus the security council.
Containment
Any security council member can trigger an emergency pause on smart contracts (sub-second execution). Unpause requires a 5-of-9 quorum on the same Gnosis Safe that owns upgrades, so recovery is deliberate. Service-level kill switches for API surfaces.
Disclosure
Material-incident notice to partners and regulators within 24 hours of confirmation. User-facing status at status.flo.finance.
Post-mortem
Full post-mortem published within 5 business days of resolution. Root cause, timeline, remediation, and systemic changes.
Drill cadence
Tabletop exercises quarterly; live failover drill semi-annually. Every drill produces action items tracked to completion.
Business Continuity & Disaster Recovery
RTO, RPO, and the cadence at which we prove those numbers are real, not aspirational.
| Measure | Target |
|---|---|
| RTO, issuance & redemption | 4 hours |
| RPO, issuance & redemption | 5 minutes |
| RTO, read-only status | 30 minutes |
| Regions | Active-passive, multi-AZ |
| Failover test cadence | Quarterly |
| Last tested | 2026-03-14 |
Vendor Risk Management
A dependency is a trust relationship. We treat it like one.
- ✓ SOC 2 Type II or ISO 27001 required for any vendor with production-data access
- ✓ Annual re-review of controls, sub-processors, and sub-processor changes
- ✓ DPA and SCCs in place for any processing of EU or UK personal data
- ✓ Continuous monitoring of security advisories for critical vendors
- ✓ Exit planning documented for single-vendor dependencies
Emergency contact: For urgent security matters, reach our on-call security team at security@flo.finance (monitored 24/7, PGP available). Critical issues receive a response within 24 hours.