Every line of code. Reviewed.
Two independent smart-contract audits. A $500K bug bounty. Formal verification on the hot path. And the application, infrastructure, and operational controls that your compliance team will ask about after the smart contracts.
Program at a glance
The shape of the program in one view — the full detail follows below.
| Area | Figure | Detail |
|---|---|---|
| Smart contract audits | 3 firms | Sherlock · Hellborn · Cantina |
| Bug bounty max | $500K | Flo-operated · critical tier |
| SOC 2 Type II | In progress | Year-1 report target Q4 2026 |
| Incident RTO | 4 hours | Issuance pipeline |
Audit History
Triple audit
Every smart contract has been independently audited by three of the most respected security firms in the industry — Sherlock, Hellborn, and Cantina. We do not consider a single audit sufficient for an issuance contract.
| Contract | Chain | Date | Auditor | Findings | Report |
|---|---|---|---|---|---|
| Mint Controller | Ethereum | January 2026 | Sherlock | 0 Critical, 2 Medium, 5 Low | View PDF |
| Redeem Controller | Base | February 2026 | Hellborn | 0 Critical, 1 Medium, 3 Low | View PDF |
| Flo Token (ERC-20) | Ethereum | November 2025 | Hellborn | 0 Critical, 0 Medium, 4 Low | View PDF |
| Position Ledger | Arbitrum | December 2025 | Cantina | 0 Critical, 1 Medium, 2 Low | View PDF |
| LayerZero Bridge Adapter | Ethereum ↔ Base | March 2026 | Cantina | 0 Critical, 3 Medium, 6 Low | View PDF |
Zero critical findings across all audits. All medium and low findings have been addressed and verified in follow-up reviews. Remediation status is tracked publicly on each report.
Bug Bounty
Flo-operated
We run an active bug bounty program in-house, with direct researcher relationships and rapid triage. Submissions go to our security team and are reviewed within hours, not days.
Bounty Tiers
Critical
Response SLA: 24 hours
Up to $500,000
High
Response SLA: 72 hours
Up to $50,000
Medium
Response SLA: 7 days
Up to $10,000
Low
Response SLA: 14 days
Up to $1,000
Max bounty: $500,000 for critical smart contract vulnerabilities
In Scope
- ✓ All smart contracts on Ethereum, Base, and Arbitrum
- ✓ Cross-chain bridge and messaging contracts
- ✓ Oracle and price feed integrations
- ✓ Governance and timelock contracts
- ✓ Mint / redeem REST API and its authentication surface
Out of Scope
- ✗ Known issues already documented in audit reports
- ✗ UI/UX bugs and frontend-only issues with no security impact
- ✗ Theoretical attacks requiring $1B+ in capital
- ✗ Issues in third-party dependencies (report upstream)
How to Report
Submit vulnerabilities directly to security@flo.finance with a detailed description, reproduction steps, and potential impact assessment. We use PGP-encrypted email for sensitive disclosures and respond within hours.
On-chain Security Practices
Defense in depth at the contract layer — multiple independent controls so that no single point of failure can compromise the protocol.
72-Hour Timelock
All parameter changes to smart contracts are subject to a mandatory 72-hour timelock. This gives the community and security council time to review and, if necessary, veto any governance action before it takes effect.
Formal Verification
Mint, redeem, and bridge logic is formally verified using mathematical proofs. This goes beyond testing — a proof establishes that the verified properties hold for all possible inputs, not just the ones covered by test cases.
Multi-Sig Governance
Protocol governance operates through a 3-of-5 multi-signature wallet. Signers are geographically distributed across three jurisdictions, and no single entity controls more than one key. Key rotation occurs quarterly.
Incident Response
A documented incident response plan is maintained and tested quarterly. Any member of the independent security council can trigger an emergency pause on all contracts within seconds; unpause requires a 4/7 multi-sig threshold. Post-incident reports are published within 72 hours of resolution.
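To make the three contract-layer controls above concrete, here is an added illustrative Solidity contract (not Flo's production code, and not taken from any of the audited contracts) that wires them together: a 72-hour timelock on parameter changes that any security council member can veto, an emergency pause that any single council member can trigger, and an unpause that only completes once 4 of 7 council members have approved it. The 72-hour delay, single-member pause and 4/7 unpause threshold come from this page; the contract name, the function names, the separate `governance` address that queues changes, and the approval-round bookkeeping are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: a minimal parameter timelock plus emergency pause.
/// The 72-hour delay, any-member pause and 4-of-7 unpause are taken from
/// the page; every name and the surrounding design is an assumption.
contract TimelockedPausable {
    uint256 public constant DELAY = 72 hours;
    uint256 public constant UNPAUSE_THRESHOLD = 4;

    address public governance;            // assumed: the governance multi-sig that queues changes
    mapping(address => bool) public isCouncil;
    uint256 public councilSize;

    bool public paused;
    uint256 public unpauseRound;          // bumps on every pause so stale approvals cannot be reused
    mapping(uint256 => mapping(address => bool)) public unpauseApproved;
    uint256 public unpauseApprovals;

    struct Change { bytes32 key; uint256 value; uint256 eta; bool vetoed; }
    mapping(bytes32 => Change) public queued;
    mapping(bytes32 => uint256) public params;

    event Queued(bytes32 indexed id, bytes32 key, uint256 value, uint256 eta);
    event Vetoed(bytes32 indexed id, address by);
    event Executed(bytes32 indexed id, bytes32 key, uint256 value);
    event Paused(address by);
    event UnpauseApproved(address by, uint256 approvals);
    event Unpaused();

    modifier onlyGovernance() { require(msg.sender == governance, "not governance"); _; }
    modifier onlyCouncil() { require(isCouncil[msg.sender], "not council"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address _governance, address[] memory council) {
        governance = _governance;
        for (uint256 i = 0; i < council.length; i++) {
            require(!isCouncil[council[i]], "duplicate council member");
            isCouncil[council[i]] = true;
        }
        councilSize = council.length;
        require(councilSize >= UNPAUSE_THRESHOLD, "council too small for threshold");
    }

    // --- Timelocked parameter changes: queue, optional veto, execute after DELAY ---

    function queue(bytes32 key, uint256 value) external onlyGovernance returns (bytes32 id) {
        uint256 eta = block.timestamp + DELAY;     // earliest execution time
        id = keccak256(abi.encode(key, value, eta));
        require(queued[id].eta == 0, "already queued");
        queued[id] = Change(key, value, eta, false);
        emit Queued(id, key, value, eta);
    }

    /// Any single council member can stop a queued change during the review window.
    function veto(bytes32 id) external onlyCouncil {
        Change storage c = queued[id];
        require(c.eta != 0 && !c.vetoed, "nothing to veto");
        c.vetoed = true;
        emit Vetoed(id, msg.sender);
    }

    /// Anyone may execute once the delay has elapsed and the change was not vetoed.
    function execute(bytes32 id) external whenNotPaused {
        Change memory c = queued[id];
        require(c.eta != 0, "unknown change");
        require(!c.vetoed, "vetoed");
        require(block.timestamp >= c.eta, "timelock not elapsed");
        delete queued[id];
        params[c.key] = c.value;
        emit Executed(id, c.key, c.value);
    }

    // --- Emergency pause: one member to pause, UNPAUSE_THRESHOLD members to resume ---

    function pause() external onlyCouncil {
        require(!paused, "already paused");
        paused = true;
        unpauseRound++;                    // invalidate approvals from any earlier pause
        unpauseApprovals = 0;
        emit Paused(msg.sender);
    }

    function approveUnpause() external onlyCouncil {
        require(paused, "not paused");
        require(!unpauseApproved[unpauseRound][msg.sender], "already approved");
        unpauseApproved[unpauseRound][msg.sender] = true;
        unpauseApprovals++;
        emit UnpauseApproved(msg.sender, unpauseApprovals);
        if (unpauseApprovals >= UNPAUSE_THRESHOLD) {
            paused = false;
            emit Unpaused();
        }
    }
}
```

The asymmetry is the point: stopping the system is cheap (one honest council member suffices), while restarting it or changing parameters is slow and needs broad agreement. Keying approvals by `unpauseRound` ensures that votes cast before an earlier unpause cannot be replayed to lift a later pause, and `execute` being blocked while paused means an in-flight parameter change cannot land during an incident.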
On-chain Custody
ForDefi MPC
Any on-chain asset held operationally — gas wallets, bridge liquidity, treasury operations — is custodied via ForDefi MPC. No hot-wallet private key exists in full form, ever.
MPC Custody Solution
Threshold signatures with hardware-secured shards. No single device can sign alone.
SOC 2 · ISO 27001
ForDefi is SOC 2 Type II and ISO 27001 certified. Independent attestation of custody controls.
Policy engine
Allowlists, co-signing thresholds, and mandatory time delays on high-value operations.
Device diversity
Key shards held across different hardware and jurisdictional custody paths to resist single-vendor failure.
Audit trail
Every signing operation logged with approver identity and policy evaluation. Immutable retention.
Revocation
Individual shard holders can be revoked and rotated without downtime, preserving signing capability.
Application & Infrastructure
SOC 2 in progress
The controls behind the smart contracts. The part of the program a prospect's CISO will ask about after their engineers have finished reviewing the contract audits.
SSO + hardware MFA
All production access gated by SSO with WebAuthn-only MFA. No password-based access. No TOTP. Hardware keys or nothing.
Scoped IAM
Least-privilege IAM roles per service. No long-lived access keys. Break-glass credentials held in a separate custody path with audit logging.
Change management
Every production change via pull request. Two-reviewer approval required; at least one reviewer must be from a different function than the author. CI/CD with signed releases and artifact provenance.
Secrets management
AWS Secrets Manager and Vault. Zero secrets in code, environment files, or developer machines. Rotation enforced on schedule and on personnel departure.
Dependency hygiene
SCA scanning on every PR. Renovate for routine updates. CVE triage SLA: critical within 24h, high within 7d, medium within 30d.
SAST / DAST
Static analysis gates on every PR. Dynamic scans against staging environments on a nightly cadence. Findings triaged into the security backlog with assigned severity.
Network segmentation
Production workloads in isolated VPCs. Inter-service traffic mTLS-authenticated. Ingress limited to a hardened edge layer with WAF and rate limits.
Data at rest & in transit
All storage encrypted with KMS-managed keys. All network traffic TLS 1.3. Application-layer field encryption for sensitive attributes.
Logging & SIEM
Centralised log aggregation with immutable retention. Security alerting pipeline independent from application alerting. 24/7 on-call.
Penetration Testing
Annual + on major change
Independent third-party pen tests on a fixed cadence and after any material architectural change. Executive summaries shareable under NDA.
| Scope | Last test | Firm | Critical findings |
|---|---|---|---|
| Application — mint / redeem API | 2026-02 | NCC Group | 0 (remediated) |
| Application — partner dashboard | 2026-02 | NCC Group | 0 |
| Infrastructure — VPC + edge | 2025-11 | NCC Group | 0 |
| Authentication surface | 2026-01 | Hellborn | 0 |
Incident Response
24/7 on-call
The six phases. Every one is documented, drilled, and measured.
Detection
Multi-source alerting: application SLOs, SIEM correlation, on-chain monitoring, and partner reports. Mean time to detect: < 5 minutes for critical categories.
Triage
On-call lead classifies severity within 15 minutes. Sev1/Sev2 pages the full incident commander rotation plus the security council.
Containment
Any security council member can trigger an emergency pause on smart contracts (sub-second execution). Unpause requires a 4/7 multi-sig so recovery is deliberate. Service-level kill switches for API surfaces.
Disclosure
Material-incident notice to partners and regulators within 24 hours of confirmation. User-facing status at status.flo.finance.
Post-mortem
Full post-mortem published within 5 business days of resolution. Root cause, timeline, remediation, and systemic changes.
Drill cadence
Tabletop exercises quarterly; live failover drill semi-annually. Every drill produces action items tracked to completion.
Business Continuity & Disaster Recovery
RTO, RPO, and the cadence at which we prove those numbers are real — not aspirational.
| Metric | Value |
|---|---|
| RTO — issuance & redemption | 4 hours |
| RPO — issuance & redemption | 5 minutes |
| RTO — read-only status | 30 minutes |
| Regions | Active-passive, multi-AZ |
| Failover test cadence | Quarterly |
| Last tested | 2026-03-14 |
Vendor Risk Management
A dependency is a trust relationship. We treat it like one.
- ✓ SOC 2 Type II or ISO 27001 required for any vendor with production-data access
- ✓ Annual re-review of controls, sub-processors, and sub-processor changes
- ✓ DPA and SCCs in place for any processing of EU or UK personal data
- ✓ Continuous monitoring of security advisories for critical vendors
- ✓ Exit planning documented for single-vendor dependencies
Emergency contact: For urgent security matters, reach our on-call security team at security@flo.finance (monitored 24/7, PGP available). Critical issues receive a response within 24 hours.