> For the complete documentation index, see [llms.txt](https://piggybank.gitbook.io/docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://piggybank.gitbook.io/docs/security/audit.md). # Audit ## Audit Report The PiggyBank program underwent security audit by Formal Land *(auditing company that managed the formal verification of Tezos with Nomadic Labs)*. [Audit report](https://cdn.prod.website-files.com/68e7628180c5b014e78a46cc/6900fa6f3a2659fab4c7b728_piggy_bank.pdf). ### Audit Scope The audit covered: * Program logic correctness * State transition safety * Access control mechanisms * Token handling security * Mathematical calculations * Edge case handling ### Key Findings #### Critical Issues None identified. #### High Severity None identified. #### Medium Severity 1. **Integer Overflow Protection** * Status: Resolved * Added checked math operations * Implemented overflow guards 2. **Reentrancy Guards** * Status: Resolved * Added state checks * Ordered operations correctly #### Low Severity 1. **Input Validation** * Enhanced parameter checks * Added bounds validation * Improved error messages 2. **PDA Derivation** * Standardized seed usage * Consistent bump handling * Clear derivation patterns ### Security Features #### Access Control Program implements strict access control: * Admin-only operations protected * User operations validated * PDA ownership verified #### State Integrity State transitions maintain invariants: * Balance consistency * Supply tracking * Redemption accounting #### Token Safety Token operations secured: * Authority validation * Amount verification * Decimal handling ### Recommendations Implemented #### Code Quality * Added comprehensive comments * Improved error handling * Enhanced logging #### Testing * Expanded test coverage * Added fuzzing tests * Stress testing scenarios #### Documentation * Clarified invariants * Documented assumptions * Added integration guides ### Ongoing Security #### Monitoring Continuous security monitoring: * Transaction monitoring * Anomaly detection * Performance tracking #### Updates Security maintenance plan: * Regular dependency updates * Patch management * Vulnerability scanning #### Future Audits Planned security reviews: * Second audit scheduled * Continuous assessment * Community review program ### Contact For security concerns: * GitHub Issues (public) * Security email (private) * Bug bounty program (planned) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://piggybank.gitbook.io/docs/security/audit.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.