Security

Security architecture and practices

Security is foundational to Sova Protocol. This document covers the security architecture, operational practices, and vulnerability reporting procedures.


Security Architecture

Sova implements defense-in-depth with multiple security layers:

Layer 1: Smart Contract Security

| Standard | Purpose |
| --- | --- |
| ERC-4626 | Battle-tested tokenized vault standard |
| OpenZeppelin | Audited base contracts for access control and proxies |
| ERC-20 | Standard token implementation for svBTC |

Layer 2: Access Control

  • Role-Based Permissions — Granular access via Role Manager contract

  • Multi-Signature — Critical operations require multiple approvals

  • Rate Limiting — Protection against rapid successive operations

Layer 3: Monitoring

  • On-Chain Watchers — Real-time transaction monitoring

  • Alert Systems — Automated notifications for anomalies

  • Balance Tracking — Continuous verification of contract states


Upgrade Pattern

Sova uses the transparent proxy pattern for contract upgrades:

Architecture

| Component | Function |
| --- | --- |
| Proxy Contract | Holds storage, delegates calls to logic |
| Logic Contract | Contains business logic, upgradeable |
| Storage | Preserved across upgrades |

Benefits

  • Security Patches — Deploy fixes without user migration

  • Feature Updates — Add functionality preserving state

  • Storage Safety — User balances persist through upgrades

Safeguards

  • All upgrades require multi-sig approval (2/3+ signers)

  • Time-locks for non-emergency upgrades

  • Upgrade events logged on-chain for transparency


Access Control

Role-Based Permissions

| Role | Permissions | Assignment |
| --- | --- | --- |
| ADMIN | Full control, upgrades, emergency pause | Multi-sig (2/3+) |
| REPORTER | Update NAV, price feeds | Oracle system |
| OPERATOR | Day-to-day operations, process withdrawals | Operational team |

Multi-Signature Requirements

| Operation | Requirement |
| --- | --- |
| Contract upgrade | 2/3 signers |
| Emergency pause | 1/3 signers (fast response) |
| Parameter changes | 2/3 signers |
| Fund recovery | 3/3 signers |


Transaction Safety

Slippage Protection

All swaps include a default 1% slippage tolerance:

  • Quote shows expected output

  • Transaction reverts if output falls below minimum

  • Adjustable in advanced settings

Quote Expiration

| Quote Type | Validity |
| --- | --- |
| Swap quotes | 5 minutes |
| Limit order quotes | At order creation |
| NAV data | 5 minute refresh |

Address Validation

All destination addresses are validated before execution:

Bitcoin:

  • P2WPKH (SegWit): bc1q...

  • P2TR (Taproot): bc1p...

  • P2PKH (Legacy): 1...

  • P2SH: 3...

Zcash:

  • Transparent: t1...

  • Shielded: Not supported (zs...)

Checksum validation is performed on all addresses before transaction submission.
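
One way to implement the format and checksum checks listed above, as an added example (not Sova's own code). The function names and kind labels are hypothetical. It accepts only the formats this page lists, so P2WSH and Zcash t3 addresses are rejected, and it assumes the Zcash mainnet t1 version bytes 0x1CB8.

```python
import hashlib
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Base58Check mainnet version prefixes for the formats the page lists (labels are hypothetical).
B58_KINDS = {b"\x00": "btc-p2pkh", b"\x05": "btc-p2sh", b"\x1c\xb8": "zec-t1"}

def base58check_kind(addr):
    """Kind of a Base58Check address, or None if charset, checksum or version fails."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != check:
        return None
    for prefix, kind in B58_KINDS.items():
        if body.startswith(prefix) and len(body) == len(prefix) + 20:
            return kind
    return None

def polymod(values):
    """BCH checksum over 5-bit symbols, as defined in BIP173."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            chk ^= g if (top >> i) & 1 else 0
    return chk

def segwit_kind(addr):
    """'btc-p2wpkh' or 'btc-p2tr' if the BIP173/BIP350 checks pass, else None."""
    if addr != addr.lower() and addr != addr.upper():  # mixed case is invalid
        return None
    addr = addr.lower()
    if not addr.startswith("bc1") or len(addr) < 10 or any(c not in B32 for c in addr[3:]):
        return None
    data = [B32.index(c) for c in addr[3:]]
    ver, prog, const = data[0], data[1:-6], polymod([3, 3, 0, 2, 3] + data)  # "bc" expanded
    if ver == 0 and const == 1 and len(prog) == 32:  # Bech32, 20-byte witness program
        return "btc-p2wpkh"
    if ver == 1 and const == 0x2BC830A3 and len(prog) == 52 and prog[-1] & 0xF == 0:
        return "btc-p2tr"  # Bech32m, 32-byte program, zero padding bits
    return None

def classify(addr):  # kind of destination address, or None if it must be rejected
    return segwit_kind(addr) or base58check_kind(addr)
```

Matching on the leading characters alone is not enough: a Taproot address encoded with the older Bech32 checksum, or a legacy address with one mistyped character, still starts with the right prefix and is only caught by the checksum step.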


Monitoring & Incident Response

Real-Time Monitoring

  • On-chain watchers for unusual activity

  • Balance tracking across all contracts

  • Transaction monitoring for failed operations

  • Price feed validation for oracle data

Incident Response

| Severity | Response Time | Actions |
| --- | --- | --- |
| Critical | < 15 minutes | Emergency pause, all hands response |
| High | < 1 hour | Assessment, patch deployment, user communication |
| Medium | < 24 hours | Scheduled fix, close monitoring |
| Low | Next release | Track in backlog |


Non-Custodial Design

Sova never has access to:

  • Private keys

  • Seed phrases

  • Wallet passwords

  • Personal information

  • KYC data

On-Chain Transparency

All operations are verifiable:

  • Deposits to vault contracts

  • Swaps via smart contracts

  • Limit order execution

  • All visible on BaseScan


Verified Contracts

All Sova contracts verified on BaseScan:


Reporting Vulnerabilities

Found a security issue? Report directly to our security team.

Contact

Email: [email protected]

Include

  • Description of the vulnerability

  • Steps to reproduce

  • Potential impact assessment

  • Your contact information (for follow-up)

Response Timeline

| Stage | Timeframe |
| --- | --- |
| Acknowledgment | Within 24 hours |
| Initial Assessment | Within 72 hours |
| Resolution Timeline | Provided after assessment |

Bug Bounty

Coming soon. Follow @sovabtc for announcements.


Best Practices

For Users

  1. Verify Contracts — Check addresses before interacting

  2. Start Small — Test with small amounts first

  3. Bookmark the App — Avoid phishing via direct navigation

  4. Check Approvals — Revoke unused token approvals periodically

  5. Secure Your Wallet — Use a hardware wallet for large amounts

  6. Double-Check Addresses — Especially for cross-chain destinations

Phishing Prevention

  • Official URL: app.sova.io

  • Never share private keys or seed phrases

  • Be cautious of unsolicited DMs claiming to be support

  • Official support only through documented channels
