When evaluating vault infrastructure, it’s important to look at both the provider’s general security practices and the features available at the smart contract level.
Our infrastructure has been optimized for top enterprise implementations requiring the highest levels of security. Our smart contracts, opsec, and compliance controls combine onchain guardrails and offchain operations to ensure a secure environment for institutions and their end users to interact with onchain finance.
When pairing a Veda vault with a third-party risk manager or curator, assessing that curator’s approach to economic risk, collateral, and protocol evaluation is also essential to understand the full security picture.
At the infrastructure level, our vaults are designed to mitigate risk for enterprise clients using best practices in smart contract development. Providing resilient onchain infrastructure with robust protections is core to everything we do.
We have dedicated staff focused on best-in-class cybersecurity measures including secure automation, advanced key management, and full lifecycle monitoring across APIs, vaults, and contracts.
Every product at Veda is backed by rigorous threat modeling and development practices that identify and mitigate vulnerabilities before they can have an impact.
Vault Infrastructure
Our industry-leading vault architecture is fitted with operational safeguards at the smart contract level. These safeguards restrict permitted vault operations to pre-approved actions only.
Our framework for smart contract security involves:
Minimal Surface Area
Veda’s vaults use the BoringVault standard: the longest-standing smart contract vault architecture proven at enterprise scale. Made up of approximately 100 lines of code, these audited, time-tested smart contracts have handled over $32B in volume to date.
Each vault deployment exposes as few public functions as possible. The number of functions exposed can be as few as two, but will vary based on enterprise needs. This deliberately reduced surface area minimizes attack vectors.
Merkle Verification System
Every action a Veda vault can perform is cryptographically verified. Before executing any action, the vault must prove the action’s inclusion in a Merkle root that commits to the set of pre-approved actions, ensuring that only pre-approved actions are executed.
Actions that require Merkle verification include, but are not limited to, the following:
- Deploying liquidity
- Lending
- Borrowing
- Staking
This system precludes arbitrary transactions or unapproved strategy changes.
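The inclusion check described above, sketched as an added example; this is not Veda's or BoringVault's code. Assumptions: the leaf layout (target address plus function selector), SHA-256 in place of keccak256, sorted-pair hashing, and every address and selector shown are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the keccak256 an EVM contract would use.
    return hashlib.sha256(data).digest()

def leaf(target: str, selector: str) -> bytes:
    # Hypothetical leaf layout: 0x00 || 20-byte target || 4-byte selector.
    return h(b"\x00" + bytes.fromhex(target) + bytes.fromhex(selector))

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing (no left/right flags); 0x01 separates nodes from leaves.
    return h(b"\x01" + min(a, b) + max(a, b))

def build(leaves):
    # All tree levels, leaves first; an unpaired node is carried up unchanged.
    levels = [sorted(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, lf):
    # Sibling hashes from the leaf up to (not including) the root.
    proof, idx = [], levels[0].index(lf)
    for level in levels[:-1]:
        if idx ^ 1 < len(level):
            proof.append(level[idx ^ 1])
        idx //= 2
    return proof

def verify(root, lf, proof):
    for sib in proof:
        lf = pair(lf, sib)
    return lf == root

def execute(root, target, selector, proof):
    # Gate: refuse any call whose leaf is not proven against the approved root.
    if not verify(root, leaf(target, selector), proof):
        raise PermissionError("action not in approved set")
    return "executed"

# Constructed sample data: placeholder addresses and selectors, not real contracts.
LENDING, STAKING, UNKNOWN = "11" * 20, "22" * 20, "99" * 20
APPROVED = [(LENDING, "aaaaaaaa"), (LENDING, "bbbbbbbb"), (STAKING, "cccccccc")]
LEVELS = build([leaf(t, s) for t, s in APPROVED])
ROOT = LEVELS[-1][0]
```

A valid proof for one approved action does not authorize a different target or selector, because the recomputed root no longer matches.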

Delayed Transactions
Our vault infrastructure enables timelocks for vault receipt tokens and withdrawals to enhance protection around these functions.
Share Lock Period: Newly issued vault shares are locked for a brief period to neutralize flash loan manipulation risks.
Delayed Withdrawals: Withdrawals can be subject to a timelock, creating a monitoring window for identifying and addressing irregularities.
Onchain Monitoring
Our security team’s comprehensive monitoring system continuously tracks both internal positions and external market dynamics.
Veda’s tech stack is compatible with security services including Hypernative for real-time blockchain threat detection.
Smart Contract Audits
Security firms have tested our onchain infrastructure with:
- Formal verification: Rigorous security verification involving mathematically proving vault contract viability and features
- Fuzzing: Internal security teams and external contractors stress-test our code and look for edge cases via automated random data injection
We continuously work with auditors to ensure our vaults remain secure. In May, we announced an ongoing partnership with Certora to bolster our vault contract security with ongoing reviews.
Offchain Security
Our offchain production infrastructure uses industry-standard security controls designed to reduce operational risk and protect critical systems.
These processes include:
- Role-based access controls with least-privilege permissions
- Multi-factor authentication for privileged access
- Segregated production and non-production environments
- Continuous vulnerability scanning and patch management
- Secure secrets and key management practices
- Infrastructure-as-code workflows with peer review and change controls
Offchain Monitoring
Our offchain operational practices span:
- 24/7 monitoring and alerting
- Automated health checks and service validation
- Capacity planning and performance monitoring
- Documented incident response procedures
Governance Security
Core governance security practices include, but are not limited to:
- No reliance on external dependencies for signing vault configuration transactions.
- No transaction signing without direct confirmation from initiator through secure channels.
- Sensitive roles kept behind timelocks.
- Admin keys held in cryptographically secured devices.
External Verification
Veda’s onchain infrastructure has undergone over a dozen audits by third-party security firms including Certora, Sigma Prime, Spearbit, and 0xMacro.
Our vaults are also vetted by our partners and trusted by clients including Kraken, ether.fi, Plasma, Lombard, Whop, and many others, making Veda’s BoringVault one of the most audited contracts in production.
Our offchain infrastructure has also been audited by third-party security firms.
Additionally, we operate multiple ongoing bug bounty programs including one via ImmuneFi, with rewards of up to $1 million USD.
Enterprise-Grade Compliance
Veda’s infrastructure supports institutional compliance solutions, allowing enterprises to offer embedded yield products while remaining compliant with local and global regulatory frameworks.
Whitelisting & Access Controls
Granular access control systems allow precise management of permissions, ensuring compliance officers maintain complete oversight of all capital flows.
Know Your Customer (KYC) & Know Your Business (KYB)
Our tech stack is compatible with identity verification systems to implement access controls across depositor and curator onboarding.
Compliance Monitoring
Easily integrate third-party monitoring tools with Veda smart contracts to detect and report anomalies, ensuring proactive identification of potential compliance breaches.
Customizable Risk Parameters
Tailor capital exposure, counterparty verification, and DeFi yield strategies based on internal compliance requirements.
The Full Security Picture
Our approach includes rigorous procedures and policies at the smart contract level and at the broader cybersecurity and operational security levels. This is to ensure long-term safety, preventing both contract-level exploits and other forms of attacks that leverage human error or single points of failure to manipulate systems.
When it comes to security, the work is never done. Every day, we continue to enhance and elevate our approach to ensure enterprises can deploy with Veda with ease.

