Security
Security architecture and practices
Security is foundational to Sova Protocol. This document covers the security architecture, operational practices, and vulnerability reporting procedures.
Security Architecture
Sova implements defense-in-depth with multiple security layers:
Layer 1: Smart Contract Security
Battle-tested tokenized vault standard
Audited base contracts for access control and proxies
Standard token implementation for svBTC
Layer 2: Access Control
Role-Based Permissions — Granular access via Role Manager contract
Multi-Signature — Critical operations require multiple approvals
Rate Limiting — Protection against rapid successive operations
Layer 3: Monitoring
On-Chain Watchers — Real-time transaction monitoring
Alert Systems — Automated notifications for anomalies
Balance Tracking — Continuous verification of contract states
Upgrade Pattern
Sova uses the transparent proxy pattern for contract upgrades:
Holds storage, delegates calls to logic
Contains business logic, upgradeable
Preserved across upgrades
Security Patches — Deploy fixes without user migration
Feature Updates — Add functionality preserving state
Storage Safety — User balances persist through upgrades
All upgrades require multi-sig approval (2/3+ signers)
Time-locks for non-emergency upgrades
Upgrade events logged on-chain for transparency
Role-Based Permissions
Role
Permissions
Assignment
Full control, upgrades, emergency pause
Day-to-day operations, process withdrawals
Multi-Signature Requirements
1/3 signers (fast response)
Transaction Safety
Slippage Protection
All swaps include a default 1% slippage tolerance:
Quote shows expected output
Transaction reverts if output falls below minimum
Adjustable in advanced settings
Quote Expiration
Address Validation
All destination addresses are validated before execution:
Bitcoin:
Zcash:
Shielded: Not supported (zs...)
Checksum validation is performed on all addresses before transaction submission.
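The kind of pre-submission check described above, as an added example (not Sova's own code). It covers only Base58Check addresses and rejects `zs` shielded addresses; the `PREFIXES` accept-list and all function names are assumptions, since the page does not list the accepted formats, and bech32 (`bc1...`) is left out.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Assumed accept-list of version prefixes; the page does not list Sova's formats.
PREFIXES = {
    "bitcoin": (b"\x00", b"\x05"),        # P2PKH, P2SH
    "zcash": (b"\x1c\xb8", b"\x1c\xbd"),  # transparent t1, t3
}

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("character outside Base58 alphabet")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58check_encode(payload: bytes) -> str:
    """Used only to build constructed sample addresses."""
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def validate(chain: str, addr: str) -> tuple[bool, str]:
    if addr.startswith("zs"):
        return False, "shielded address not supported"
    if addr.lower().startswith("bc1"):
        return False, "bech32 not covered by this example"
    try:
        raw = b58decode(addr)
    except ValueError:
        return False, "invalid character"
    payload, check = raw[:-4], raw[-4:]
    if checksum(payload) != check:
        return False, "checksum mismatch"
    # Checksum passed; now require a version prefix that belongs to this chain.
    if any(payload.startswith(p) and len(payload) == len(p) + 20 for p in PREFIXES[chain]):
        return True, "ok"
    return False, "wrong chain or unknown version"
```

A valid checksum alone is not enough: the version-prefix check is what stops a well-formed address for one chain from being accepted as a destination on another.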
Monitoring & Incident Response
Real-Time Monitoring
On-chain watchers for unusual activity
Balance tracking across all contracts
Transaction monitoring for failed operations
Price feed validation for oracle data
Incident Response
Severity
Response Time
Actions
Emergency pause, all hands response
Assessment, patch deployment, user communication
Scheduled fix, close monitoring
Non-Custodial Design
Sova never has access to:
On-Chain Transparency
All operations verifiable:
Deposits to vault contracts
Swaps via smart contracts
Verified Contracts
All Sova contracts verified on BaseScan:
Reporting Vulnerabilities
Found a security issue? Report directly to our security team.
Do NOT disclose publicly. Report directly via the channels below.
Email: [email protected]
Description of the vulnerability
Potential impact assessment
Your contact information (for follow-up)
Response Timeline
Provided after assessment
Coming soon. Follow @sovabtc for announcements.
Verify Contracts — Check addresses before interacting
Start Small — Test with small amounts first
Bookmark the App — Avoid phishing via direct navigation
Check Approvals — Revoke unused token approvals periodically
Secure Your Wallet — Use a hardware wallet for large amounts
Double-Check Addresses — Especially for cross-chain destinations
Phishing Prevention
Official URL: app.sova.io
Never share private keys or seed phrases
Be cautious of unsolicited DMs claiming to be support
Official support only through documented channels