CRXDocs

Audits & Security Reviews

Have the contracts been audited?

No formal third-party audit has been completed. CRX has not yet been reviewed by an external audit firm. Do not treat the current contracts as production-grade.

What has been done is an in-house adversarial review program and a large automated test suite, described below. That is the honest scope today.

Testnet only. CRX is live on Sonic Testnet (chain id 14601). No production funds are at risk.

What review has the code passed?

A multi-round in-house adversarial review against the canonical model, plus an automated test suite that runs unit, cascade, adversarial, fuzz, and invariant tests.

Layer                  What it checks
Unit                   core, margin model, oracle haircut, deadlines, role guards, multicall, settlement
Cascade                liquidation waterfall, multi-round resumability, cross-counterparty netting isolation, scale isolation
Adversarial / attacks  known attack patterns and the invariants in the canonical model
Fuzz                   cascade and margin paths under randomized inputs
Invariant              properties that must hold across any sequence of calls (e.g. no cross-counterparty netting)

The canonical model records the suite passing at every step of the contract-size split (147 tests at that checkpoint, HEAD 89e022d, 2026-05-31). The suite has grown since as new code paths landed.

What invariants does the review enforce?

The properties the contracts must never break, taken straight from the canonical model:

  1. No on-chain lists. Mappings only; sets are passed as calldata, validated by count and membership.
  2. No cross-counterparty netting. Each counterparty is paid from its own collateral, then the defaulter's own general balance — never from another counterparty's collateral.
  3. Variation margin (VM) clears P&L continuously. No surplus or deficit is stored in an SCA; the SCA holds only initial margin.
  4. Control is by on-chain proof. Collateral moves on validated proof, not on the debtor's consent.
  5. Bilateral by construction. An agreement is two parties, one MAKER and one TAKER; netting is structural, never across relationships.
  6. Initial margin (IM) is a percentage of notional, asymmetric, independent of the entry price, and re-trued daily.
  7. One price per asset, global; haircut bilateral.
  8. Whitelists bound the universe — role-gated firms × whitelisted pairs × collateral eligibility.
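As an added illustration of invariants 1 and 2 above, and of the kind of check the Unit and Cascade layers in the table run, here is a minimal Foundry test in Solidity. It is not CRX code: the contract, every name in it (Waterfall, open, postCollateral, liquidate, the error types) and the amounts are assumptions chosen for the example. It stores only mappings, takes the creditor set as sorted calldata validated by count and membership, and pays each creditor from the defaulter's collateral posted to that creditor and then the defaulter's general balance, reporting any shortfall rather than touching another creditor's collateral.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration written for this page; not CRX code. All names here are
// assumptions chosen for the example. Run with `forge test` in a project that
// has forge-std installed.
import {Test} from "forge-std/Test.sol";

contract Waterfall {
    // Invariant 1: mappings only. Collateral is keyed by (debtor, creditor);
    // a debtor's creditor set is never stored as a list on chain.
    mapping(bytes32 => uint256) public collateral;      // key(debtor, creditor) => posted amount
    mapping(address => uint256) public generalBalance;  // free balance per firm
    mapping(bytes32 => bool) public hasRelationship;
    mapping(address => uint256) public creditorCount;   // number of creditors per debtor

    error BadSetSize(uint256 expected, uint256 given);
    error NotCounterparty(address creditor);
    error NotSorted(uint256 index);

    function key(address debtor, address creditor) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(debtor, creditor));
    }

    function open(address debtor, address creditor) external {
        bytes32 k = key(debtor, creditor);
        if (!hasRelationship[k]) {
            hasRelationship[k] = true;
            creditorCount[debtor] += 1;
        }
    }

    function deposit(address firm) external payable {
        generalBalance[firm] += msg.value;
    }

    function postCollateral(address debtor, address creditor) external payable {
        require(hasRelationship[key(debtor, creditor)], "no relationship");
        collateral[key(debtor, creditor)] += msg.value;
    }

    // The creditor set arrives as calldata, sorted ascending. It is validated by
    // count (must equal creditorCount) and membership (each entry must have a
    // relationship); ascending order rules out duplicates (invariant 1).
    // Invariant 2: creditor i is paid from the debtor's collateral posted to
    // creditor i, then from the debtor's general balance. Any remainder is
    // returned as shortfall and is never taken from another creditor's collateral.
    function liquidate(address debtor, address[] calldata creditors, uint256[] calldata owed)
        external
        returns (uint256[] memory shortfall)
    {
        if (creditors.length != creditorCount[debtor] || owed.length != creditors.length) {
            revert BadSetSize(creditorCount[debtor], creditors.length);
        }
        shortfall = new uint256[](creditors.length);
        for (uint256 i = 0; i < creditors.length; i++) {
            if (i > 0 && creditors[i] <= creditors[i - 1]) revert NotSorted(i);
            bytes32 k = key(debtor, creditors[i]);
            if (!hasRelationship[k]) revert NotCounterparty(creditors[i]);

            uint256 due = owed[i];
            uint256 fromCollateral = due < collateral[k] ? due : collateral[k];
            collateral[k] -= fromCollateral;
            due -= fromCollateral;
            uint256 fromGeneral = due < generalBalance[debtor] ? due : generalBalance[debtor];
            generalBalance[debtor] -= fromGeneral;
            due -= fromGeneral;

            generalBalance[creditors[i]] += fromCollateral + fromGeneral;
            shortfall[i] = due;
        }
    }
}

contract WaterfallTest is Test {
    Waterfall w;
    address debtor = address(0xD1);
    address alice = address(0xA1);  // sorts before bob
    address bob = address(0xB1);

    function setUp() public {
        w = new Waterfall();
        vm.deal(address(this), 100 ether);
        w.open(debtor, alice);
        w.open(debtor, bob);
        w.postCollateral{value: 5 ether}(debtor, alice);
        w.postCollateral{value: 1 ether}(debtor, bob);
        w.deposit{value: 2 ether}(debtor);
    }

    // Bob is owed 4 ether: 1 from his collateral, 2 from the debtor's general
    // balance, 1 ether of shortfall. Alice's 5 ether of collateral is untouched.
    function testNoCrossCounterpartyNetting() public {
        address[] memory c = new address[](2);
        uint256[] memory o = new uint256[](2);
        c[0] = alice; o[0] = 0;
        c[1] = bob;   o[1] = 4 ether;
        uint256[] memory sf = w.liquidate(debtor, c, o);
        assertEq(w.collateral(w.key(debtor, alice)), 5 ether);
        assertEq(w.generalBalance(bob), 3 ether);
        assertEq(w.generalBalance(debtor), 0);
        assertEq(sf[1], 1 ether);
    }

    // A set that omits a creditor, or names a firm with no relationship, is rejected.
    function testSetValidation() public {
        address[] memory c = new address[](1);
        uint256[] memory o = new uint256[](1);
        c[0] = bob;
        vm.expectRevert(abi.encodeWithSelector(Waterfall.BadSetSize.selector, uint256(2), uint256(1)));
        w.liquidate(debtor, c, o);
    }
}
```

The membership check is what makes the calldata set trustworthy: the count check alone would accept a duplicated creditor in place of a missing one, so the contract also requires ascending order, which rejects duplicates without storing a list.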

What is the deployability bar?

forge build --sizes must pass. The Foundry test VM does not enforce the EIP-170 runtime-bytecode limit of 24,576 bytes (24 KB), so a passing test suite alone does not prove the contracts deploy; the size check is run as a separate step.

What is still open?

  • A formal third-party audit. Not yet scheduled; no date is recorded here.
  • The liquidation cascade entry-point signatures are finalized in a later phase: the invariant logic above is fixed, the exact function signatures are not.

Next: CRX Apps (~2 min) — the surfaces built on the contracts.