⚠ Public self-audit by the ASPE Labs team. NOT a third-party formal audit. No external auditor has reviewed this codebase. External audit committed at Q3 2026 trigger (§9 of report).

Self-Audit v3.0

Public consolidated. Vault v5.1 production candidate.

Tier-1 methodology applied to the v5.1 vault + TimelockV2. Function-by-function threat model, 31-hack crosswalk, three per-surface attack trees, honest limitations and Q3 2026 external audit commitment. Self-audit by the ASPE Labs team following Trail of Bits / OpenZeppelin / Spearbit / Cantina report structure.


Report at a glance

Version: 3.0 (supersedes v2.0 / v2.1 / v2.2)
Target: AspeLabsVault v5.1 + AspeTimelockControllerV2 + AspeLabsRouter + IAspeRedemption
Vault bytecode hash: 825c42686adba26bbf3eaf4ca39d2fe7d96304b5810ce03943921343714ceb4d
Timelock bytecode hash: 8f4762d9fbb7085411287cc5fe5cc32825f84175740cbbaacc86f3b119b9e93a
Audit commit: 3ce24f1 (merged to main 2026-05-11, PR #2)
Chain: HyperEVM (chain ID 999)
Report date: 2026-05-11
Methodology: Slither 0.11.5 · Aderyn 0.6.8 · Halmos 0.3.3 (27 symbolic properties) · Foundry 1.5.1 (448 forge tests, 5 fork-mainnet drills with Safe v1.4.1) · Manual review (SEC-002, function-by-function) · STRIDE threat model · OPS-014 cross-protocol hack crosswalk (31 incidents)
Reproducibility: ./scripts/reproduce-audit.sh
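One check a reader of this table can run without trusting the report: confirm that the contracts actually deployed on HyperEVM carry the runtime bytecode whose hashes are pinned above, since an audit of commit 3ce24f1 says nothing about a deployment whose bytes differ. The script below is an added example, not the report's own tooling and not part of ./scripts/reproduce-audit.sh. It assumes the "bytecode" values are keccak256 digests of the runtime bytecode (the EXTCODEHASH convention; the page does not state the hash function) and that the deployed code is fetched separately with eth_getCode on chain 999, for which a constructed sample stands in here so the script runs offline. keccak256 is implemented in pure Python to avoid a dependency, and strip_cbor_metadata is a helper added to tell a metadata-only build difference apart from real code drift.

```python
"""Check deployed EVM runtime bytecode against an audit report's pinned hash.

Added example; assumptions: the report's hash is keccak256 of the runtime
bytecode (not stated on the page), and the deployed code comes from eth_getCode
(a constructed sample stands in below).
"""

MASK64 = (1 << 64) - 1

# keccak-f[1600] round constants and rho rotation offsets (lane index = x + 5*y)
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]


def _rol(v: int, n: int) -> int:
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f1600(a: list) -> list:
    for rc in _RC:
        # theta: fold column parities into every lane
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: rotate lane (x, y) and move it to (y, 2x + 3y)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x + 5 * y])
        # chi: non-linear mixing within each row
        a = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)]) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        # iota: break symmetry with the round constant
        a[0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    rate = 136  # (1600 - 2*256) / 8 bytes absorbed per block
    buf = bytearray(data) + b"\x01" + b"\x00" * ((-len(data) - 1) % rate)
    buf[-1] |= 0x80  # original keccak pad10*1, not the SHA-3 0x06 domain byte
    st = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        st = _keccak_f1600(st)
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))


def strip_cbor_metadata(code: bytes) -> bytes:
    """Drop the Solidity CBOR metadata trailer; its last two bytes hold its length."""
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    return code[: -(n + 2)] if n + 2 <= len(code) else code


def verify_bytecode(deployed_hex: str, expected_hash_hex: str) -> dict:
    """Compare eth_getCode output (hex) against the report's pinned keccak256 digest."""
    code = bytes.fromhex(deployed_hex.removeprefix("0x"))
    expected = expected_hash_hex.removeprefix("0x").lower()
    if not code:
        return {"ok": False, "reason": "no code at address (EOA, undeployed or self-destructed)"}
    full = keccak256(code).hex()
    if full == expected:
        return {"ok": True, "reason": "exact runtime bytecode match"}
    return {"ok": False, "reason": "runtime bytecode differs from pinned hash",
            "deployed_hash": full,
            "stripped_hash": keccak256(strip_cbor_metadata(code)).hex()}


# Constructed sample: a tiny runtime body plus a fake 10-byte CBOR trailer
# and its 2-byte length; not real vault bytecode.
SAMPLE_BODY = bytes.fromhex("6080604052600080fdfe")
SAMPLE_META = b"\xa1\x64solc\x43\x00\x08\x1a" + b"\x00\x0a"
SAMPLE_RUNTIME = SAMPLE_BODY + SAMPLE_META
SAMPLE_PINNED = keccak256(SAMPLE_RUNTIME).hex()  # what a report would publish

if __name__ == "__main__":
    print(verify_bytecode("0x" + SAMPLE_RUNTIME.hex(), SAMPLE_PINNED))
    print(verify_bytecode("0x" + (SAMPLE_BODY + b"\x00" + SAMPLE_META).hex(), SAMPLE_PINNED))
```

Run it against real output by substituting the eth_getCode result for the vault and timelock addresses (not listed on this page) and the two digests from the table. An exact match is the only result that ties the deployment to the audited commit; if only the stripped hashes agree, the code body is the same but the metadata trailer differs, which means a different build and still warrants reproducing the build before relying on the audit commit.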

Findings triage (42 raw findings)

Critical: 0
High: 0
Medium: 0
Low: 0
Info: 0
FP / informational: 42

Zero P0 / P1 findings on smart contracts. 24 Slither + 18 Aderyn findings triaged as false positive or informational with documented justification. Test coverage matrix: 448 forge tests · 27 Halmos symbolic properties · 5 fork-mainnet drills against Safe v1.4.1 (deployed in-test via canonical factory). See §4 of the report for full triage and §6 for the coverage matrix.


Version history

Version      Published    Audited target                                                      Status
v3.0         2026-05-11   v5.1 production candidate (vault 825c4268… · timelock 8f4762d9…)    Current · public release · consolidated
v2.0         2026-04-24   v5.0 redeploy (commit e923006)                                      Archived · superseded by v3.0
v2.1 / v2.2  n/a          v5-final + v5.1 delta drafts                                        Internal drafts merged into v3.0; archived in repo (docs/security/archive/)
v1.0         2026-04-21   v4.1 (commit fd06ce1)                                               Not published externally (v5.0 superseded v4.1 pre-external-capital)

Why this isn't enough on its own

A self-audit is a transparency artifact, not a substitute for a third-party engagement. The ASPE Labs team wrote the code and wrote this report. An independent auditor has not reviewed either. The tier-1 methodology (Trail of Bits / OpenZeppelin / Spearbit / Cantina format) is applied to close the honesty gap: explicit severity rubric, function-by-function adversarial threat model, full findings matrix, 31-hack cross-protocol crosswalk, three per-surface attack trees, reproducibility script, and machine-readable outputs. But the author is the protocol team.

A formal external audit (Spearbit / Cantina / Trail of Bits / OpenZeppelin tier) is committed and will be contracted when any of three triggers is satisfied (§9 of the report): (a) TVL ≥ $200K AUM sustained for 30 days, (b) protocol revenue covers the audit cost ($16-27K), or (c) six months post Phase 1 launch without incident. ETA Q3 2026. Until then the blast radius is limited by a $500K launch TVL cap, a 2/3 multisig and an on-chain cap. The self-audit is a floor, not a ceiling.

See the roadmap for the Phase 1 gate (which now relaxes to L1-clean + multisig + entity + cap + disclaimer; external audit is a phase-internal milestone, not a phase-entry gate) and the changelog for the full version history.