# Security

Security is foundational to Sova Protocol. This document covers the security architecture, operational practices, and vulnerability reporting procedures.

***

## Security Architecture

Sova implements defense-in-depth with multiple security layers:

### Layer 1: Smart Contract Security

| Standard         | Purpose                                               |
| ---------------- | ----------------------------------------------------- |
| **ERC-4626**     | Battle-tested tokenized vault standard                |
| **OpenZeppelin** | Audited base contracts for access control and proxies |
| **ERC-20**       | Standard token implementation for svBTC               |

### Layer 2: Access Control

* **Role-Based Permissions** — Granular access via Role Manager contract
* **Multi-Signature** — Critical operations require multiple approvals
* **Rate Limiting** — Protection against rapid successive operations

### Layer 3: Monitoring

* **On-Chain Watchers** — Real-time transaction monitoring
* **Alert Systems** — Automated notifications for anomalies
* **Balance Tracking** — Continuous verification of contract states

***

## Upgrade Pattern

Sova uses the transparent proxy pattern for contract upgrades:

### Architecture

| Component          | Function                                |
| ------------------ | --------------------------------------- |
| **Proxy Contract** | Holds storage, delegates calls to logic |
| **Logic Contract** | Contains business logic, upgradeable    |
| **Storage**        | Preserved across upgrades               |

### Benefits

* **Security Patches** — Deploy fixes without user migration
* **Feature Updates** — Add functionality preserving state
* **Storage Safety** — User balances persist through upgrades

### Safeguards

* All upgrades require multi-sig approval (2/3+ signers)
* Time-locks for non-emergency upgrades
* Upgrade events logged on-chain for transparency

***

## Access Control

### Role-Based Permissions

| Role         | Permissions                                | Assignment       |
| ------------ | ------------------------------------------ | ---------------- |
| **ADMIN**    | Full control, upgrades, emergency pause    | Multi-sig (2/3+) |
| **REPORTER** | Update NAV, price feeds                    | Oracle system    |
| **OPERATOR** | Day-to-day operations, process withdrawals | Operational team |

### Multi-Signature Requirements

| Operation         | Requirement                 |
| ----------------- | --------------------------- |
| Contract upgrade  | 2/3 signers                 |
| Emergency pause   | 1/3 signers (fast response) |
| Parameter changes | 2/3 signers                 |
| Fund recovery     | 3/3 signers                 |

***

## Transaction Safety

### Slippage Protection

All swaps include a default 1% slippage tolerance:

* Quote shows expected output
* Transaction reverts if output falls below minimum
* Adjustable in advanced settings

### Quote Expiration

| Quote Type         | Validity          |
| ------------------ | ----------------- |
| Swap quotes        | 5 minutes         |
| Limit order quotes | At order creation |
| NAV data           | 5 minute refresh  |

### Address Validation

All destination addresses are validated before execution:

**Bitcoin:**

* P2WPKH (SegWit): `bc1q...`
* P2TR (Taproot): `bc1p...`
* P2PKH (Legacy): `1...`
* P2SH: `3...`

**Zcash:**

* Transparent: `t1...`
* Shielded: Not supported (`zs...`)

Checksum validation is performed on all addresses before transaction submission.
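One way to implement the checks listed above, as an added example rather than Sova's own code: it verifies the Base58Check checksum for `1...`, `3...` and `t1...` addresses and the Bech32 / Bech32m checksum for `bc1q...` / `bc1p...`, and returns `None` for anything else, including shielded `zs...` addresses. The function names and type labels are assumptions of this example; the version prefixes are the standard mainnet values.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
# Mainnet Base58Check version prefixes; the labels are this example's own names.
PREFIXES = {b"\x00": "P2PKH", b"\x05": "P2SH", b"\x1c\xb8": "ZEC-transparent"}

def b58check(addr):
    """Return version+payload bytes if the 4-byte double-SHA256 checksum verifies."""
    if any(c not in B58 for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    good = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[:-4] if len(raw) > 4 and raw[-4:] == good else None

def polymod(values):
    chk = 1
    for v in values:
        top, chk = chk >> 25, (chk & 0x1FFFFFF) << 5 ^ v
        for i, g in enumerate(GEN):
            chk ^= g if (top >> i) & 1 else 0
    return chk

def segwit(addr):
    """Classify a bc1 address after verifying Bech32 (v0) or Bech32m (v1)."""
    body = addr.lower()[3:]
    if addr not in (addr.lower(), addr.upper()) or any(c not in B32 for c in body):
        return None  # mixed case, or a character outside the Bech32 alphabet
    data = [B32.index(c) for c in body]
    const = polymod([3, 3, 0, 2, 3] + data)  # expanded human-readable part "bc"
    if len(data) == 39 and data[0] == 0 and const == 1:
        return "P2WPKH"  # witness v0, 20-byte program
    if len(data) == 59 and data[0] == 1 and const == 0x2BC830A3 and (data[-7] & 15) == 0:
        return "P2TR"  # witness v1, 32-byte program, zero padding bits
    return None

def classify(addr):
    """Return the address type, or None if unsupported or the checksum fails."""
    if addr.lower().startswith("bc1"):
        return segwit(addr)
    body = b58check(addr)  # shielded zs... input fails the prefix/length test below
    for prefix, label in PREFIXES.items():
        if body and body[:len(prefix)] == prefix and len(body) == len(prefix) + 20:
            return label
    return None
```

A single mistyped character changes the checksum, so `classify` returns `None` instead of a type label and the destination can be rejected before anything is submitted.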

***

## Monitoring & Incident Response

### Real-Time Monitoring

* On-chain watchers for unusual activity
* Balance tracking across all contracts
* Transaction monitoring for failed operations
* Price feed validation for oracle data

### Incident Response

| Severity     | Response Time | Actions                                          |
| ------------ | ------------- | ------------------------------------------------ |
| **Critical** | < 15 minutes  | Emergency pause, all hands response              |
| **High**     | < 1 hour      | Assessment, patch deployment, user communication |
| **Medium**   | < 24 hours    | Scheduled fix, close monitoring                  |
| **Low**      | Next release  | Track in backlog                                 |

***

## Non-Custodial Design

Sova never has access to:

* Private keys
* Seed phrases
* Wallet passwords
* Personal information
* KYC data

### On-Chain Transparency

All operations are verifiable:

* Deposits to vault contracts
* Swaps via smart contracts
* Limit order execution
* All visible on BaseScan

***

## Verified Contracts

All Sova contracts are verified on BaseScan:

| Contract       | Verification                                                                                |
| -------------- | ------------------------------------------------------------------------------------------- |
| svBTC Token    | [View Source](https://basescan.org/address/0xdFc4047620bd71F3dd781f1048f6890b76281D36#code) |
| Vault Strategy | [View Source](https://basescan.org/address/0xc23AE9352739E0AC242Bf0263980769C06a8F52B#code) |
| Conduit        | [View Source](https://basescan.org/address/0x1894fF3B7d07151b0b8aaBF059Ab4aD28EB6770f#code) |
| Role Manager   | [View Source](https://basescan.org/address/0xf97fC42e1B3c4c570cD0Ebc9f0967fF7C49B4360#code) |

***

## Reporting Vulnerabilities

Found a security issue? Report directly to our security team.

{% hint style="danger" %}
**Do NOT disclose publicly.** Report directly via the channels below.
{% endhint %}

### Contact

**Email:** <security@sova.io>

### Include

* Description of the vulnerability
* Steps to reproduce
* Potential impact assessment
* Your contact information (for follow-up)

### Response Timeline

| Stage               | Timeframe                 |
| ------------------- | ------------------------- |
| Acknowledgment      | Within 24 hours           |
| Initial Assessment  | Within 72 hours           |
| Resolution Timeline | Provided after assessment |

### Bug Bounty

Coming soon. Follow [@sovabtc](https://twitter.com/sovabtc) for announcements.

***

## Best Practices

### For Users

1. **Verify Contracts** — Check addresses before interacting
2. **Start Small** — Test with small amounts first
3. **Bookmark the App** — Avoid phishing via direct navigation
4. **Check Approvals** — Revoke unused token approvals periodically
5. **Secure Your Wallet** — Use a hardware wallet for large amounts
6. **Double-Check Addresses** — Especially for cross-chain destinations

### Phishing Prevention

* Official URL: **app.sova.io**
* Never share private keys or seed phrases
* Be cautious of unsolicited DMs claiming to be support
* Official support is provided only through documented channels

