Security & Audits

Security at BasePerp is layered: rigorous code review, conservative operations, and on-chain safeguards that make failures rare—and contained when they happen.
10.1 Audit Plan & Bug Bounty
Before mainnet v1, the codebase undergoes multiple independent audits. Reviews focus on vault math, margin/liquidation logic, oracle guards, upgrade paths, and emergency controls. For any material change post-launch, a targeted re-audit is scheduled.
An always-on bug bounty invites external researchers under safe-harbor rules. Rewards scale with severity, and disclosure guidelines ensure fixes ship before public write-ups. Audit reports, issue trackers, and remediation notes are published for transparency.
10.2 Upgradeability & Timelocks
Upgrades are controlled and observable. Critical parameter and code updates pass through public timelocks with notice windows; where feasible, we prefer canary releases and minimal upgradeable surfaces to reduce blast radius. Emergency pausers are narrowly scoped and time-boxed, with mandatory post-mortems and diff links so the community can review actions.
A public parameter registry exposes current settings—including profitFeeRate, counterSkewCap, liquidatorBounty, deviationGuard, CHR thresholds, buffer tiers, and fee schedules—so integrators and users can verify live risk knobs on-chain.
10.3 Key Risks & Mitigations
Some failures are endemic to on-chain trading. We address them with explicit controls:
Oracle failure/latency. Dual-feed validation: each feed must pass a heartbeat check (its last update is no older than the configured interval), and the two feeds must agree within deviationGuard. If either check fails, pricing halts automatically rather than trading on a stale or out-of-band price.
Jump risk & cascades. Partial liquidations, short volatility halts, and buffer-tier withdrawals to slow feedback loops and preserve solvency.
Smart-contract bugs. Multi-audits, formal/edge-case checks on critical math, heavy fuzzing, invariant tests, and bounty incentives.
Keeper centralization. A permissionless keeper set with transparent rewards to promote diversity and reduce single-operator dependence.
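The following is a reference model of the oracle checks in the first item above (heartbeat staleness, feed-to-feed deviation, automatic halt). It is an added illustration, not BasePerp's contract code. The fixed-point price scale, the parameter names heartbeat and deviation_guard_bps, the use of the mid-price as the reference price, the rejection of future-dated readings, and the latching MarketGuard that requires an explicit resume are all assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

BPS = 10_000          # basis-point denominator
PRICE_SCALE = 10**8   # assumed fixed-point scale for feed prices (not from the page)


class OracleStatus(Enum):
    OK = "ok"
    INVALID = "invalid"      # non-positive price or timestamp in the future
    STALE = "stale"          # a feed missed its heartbeat
    DEVIATION = "deviation"  # feeds disagree by more than deviationGuard


@dataclass(frozen=True)
class FeedReading:
    price: int        # fixed-point price in PRICE_SCALE units
    updated_at: int   # unix seconds of the feed's last update


@dataclass(frozen=True)
class OracleGuardConfig:
    heartbeat: int            # max age in seconds before a feed counts as stale
    deviation_guard_bps: int  # max allowed feed-to-feed disagreement, in bps


@dataclass(frozen=True)
class GuardResult:
    status: OracleStatus
    price: Optional[int]          # reference price when status is OK, else None
    deviation_bps: Optional[int]  # measured disagreement, None if not computed


def deviation_bps(a: int, b: int) -> int:
    """Relative gap between two prices in basis points, measured against the
    smaller one so the check is symmetric and slightly conservative.
    Integer math mirrors what an on-chain implementation would do."""
    return abs(a - b) * BPS // min(a, b)


def validate_feeds(primary: FeedReading, secondary: FeedReading,
                   cfg: OracleGuardConfig, now: int) -> GuardResult:
    """Run the sanity, heartbeat and deviation checks in that order."""
    for reading in (primary, secondary):
        if reading.price <= 0 or reading.updated_at > now:
            return GuardResult(OracleStatus.INVALID, None, None)
        # Age exactly equal to the heartbeat is still accepted; older is stale.
        if now - reading.updated_at > cfg.heartbeat:
            return GuardResult(OracleStatus.STALE, None, None)
    dev = deviation_bps(primary.price, secondary.price)
    if dev > cfg.deviation_guard_bps:
        return GuardResult(OracleStatus.DEVIATION, None, dev)
    mid = (primary.price + secondary.price) // 2  # assumption: mid-price is the reference
    return GuardResult(OracleStatus.OK, mid, dev)


class MarketGuard:
    """Latches a halt on the first bad reading; only an explicit resume clears it,
    so a single healthy tick after a glitch cannot silently reopen trading."""

    def __init__(self, cfg: OracleGuardConfig):
        self.cfg = cfg
        self.halted = False
        self.halt_reason: Optional[OracleStatus] = None

    def price_for_trade(self, primary: FeedReading, secondary: FeedReading,
                        now: int) -> Optional[int]:
        """Return a usable price, or None if the market is (or just became) halted."""
        if self.halted:
            return None
        result = validate_feeds(primary, secondary, self.cfg, now)
        if result.status is not OracleStatus.OK:
            self.halted = True
            self.halt_reason = result.status
            return None
        return result.price

    def resume(self, primary: FeedReading, secondary: FeedReading, now: int) -> bool:
        """Pauser/governance path: clear the halt only if the feeds are healthy now."""
        result = validate_feeds(primary, secondary, self.cfg, now)
        if result.status is OracleStatus.OK:
            self.halted = False
            self.halt_reason = None
            return True
        return False


if __name__ == "__main__":
    # Constructed sample readings: a 0.5% guard and a 60 s heartbeat.
    cfg = OracleGuardConfig(heartbeat=60, deviation_guard_bps=50)
    now = 1_700_000_000
    primary = FeedReading(2000 * PRICE_SCALE, now - 10)
    guard = MarketGuard(cfg)
    print(guard.price_for_trade(primary, FeedReading(2004 * PRICE_SCALE, now - 5), now))
    print(guard.price_for_trade(primary, FeedReading(2020 * PRICE_SCALE, now - 5), now),
          guard.halt_reason)
```

The order of checks matters: a future-dated or zero price is rejected before the deviation math runs, so a broken feed cannot produce a division by zero or a misleading "agreement" with a healthy one. Measuring deviation against the smaller price makes the guard slightly stricter than measuring against the larger one, which is the safer side for a halt condition.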