Security

Security is foundational to Sova Protocol. This document covers the security architecture, operational practices, and vulnerability reporting procedures.

Security Architecture

Sova implements defense-in-depth with multiple security layers:

Layer 1: Smart Contract Security

Layer 2: Access Control

• Role-Based Permissions — Granular access via Role Manager contract

• Multi-Signature — Critical operations require multiple approvals

• Rate Limiting — Protection against rapid successive operations

Layer 3: Monitoring

• On-Chain Watchers — Real-time transaction monitoring

• Alert Systems — Automated notifications for anomalies

• Balance Tracking — Continuous verification of contract states

Upgrade Pattern

Sova uses the transparent proxy pattern for contract upgrades:

Architecture

Benefits

• Security Patches — Deploy fixes without user migration

• Feature Updates — Add functionality preserving state

• Storage Safety — User balances persist through upgrades

Safeguards

• All upgrades require multi-sig approval (2/3+ signers)

• Time-locks for non-emergency upgrades

• Upgrade events logged on-chain for transparency

Access Control

Role-Based Permissions

Multi-Signature Requirements

Transaction Safety

Slippage Protection

All swaps include default 1% slippage tolerance:

• Quote shows expected output

• Transaction reverts if output falls below minimum

• Adjustable in advanced settings

Quote Expiration

Address Validation

All destination addresses validated before execution:

Bitcoin:

• P2WPKH (SegWit): bc1q...

• P2TR (Taproot): bc1p...

• P2PKH (Legacy): 1...

• P2SH: 3...

Zcash:

• Transparent: t1...

• Shielded: Not supported (zs...)

Checksum validation performed on all addresses before transaction submission.

Monitoring & Incident Response

Real-Time Monitoring

• On-chain watchers for unusual activity

• Balance tracking across all contracts

• Transaction monitoring for failed operations

• Price feed validation for oracle data

Incident Response

Non-Custodial Design

Sova never has access to:

• Private keys

• Seed phrases

• Wallet passwords

• Personal information

• KYC data

On-Chain Transparency

All operations verifiable:

• Deposits to vault contracts

• Swaps via smart contracts

• Limit order execution

• All visible on BaseScan

Verified Contracts

All Sova contracts verified on BaseScan:

Reporting Vulnerabilities

Found a security issue? Report directly to our security team.

Contact

Email: [email protected]

Include

• Description of the vulnerability

• Steps to reproduce

• Potential impact assessment

• Your contact information (for follow-up)

Response Timeline

Bug Bounty

Coming soon. Follow @sovabtc for announcements.

Best Practices

For Users

1. Verify Contracts — Check addresses before interacting

2. Start Small — Test with small amounts first

3. Bookmark the App — Avoid phishing via direct navigation

4. Check Approvals — Revoke unused token approvals periodically

5. Secure Your Wallet — Use hardware wallet for large amounts

6. Double-Check Addresses — Especially for cross-chain destinations

Phishing Prevention

• Official URL: app.sova.io

• Never share private keys or seed phrases

• Be cautious of unsolicited DMs claiming to be support

• Official support only through documented channels