Smart Contract Audit
| Parameter | Value |
|---|---|
| Auditor | Cyfrin |
| Completed | February 2026 |
| Scope | iBTCY (ERC-20), BTCY (ERC-4626), governance contracts |
| Status | All identified issues resolved prior to deployment |
Audit Report
Cyfrin Aarc BTCY v2.0 (PDF, February 2026)
Scope
The audit covered:
- iBTCY token contract (ERC-20 with restrictions)
- BTCY vault contract (ERC-4626)
- Whitelist and access control mechanisms
- Pause functionality
- Upgrade mechanisms
- Integration with external oracles
Findings Resolution
| Severity | Count | Status |
|---|---|---|
| Critical | 0 | None |
| High | 0 | None |
| Medium | 1 | Resolved prior to deployment |
| Low | 12 | Resolved or acknowledged prior to deployment |
| Informational | Multiple | Addressed or acknowledged |
Security Measures
Multi-Party Authorization
All critical operations require multi-party authorization from independent signers. No single party can unilaterally mint, burn, or upgrade contracts.
Timelocks
Material changes require advance notice to investors.
Monitoring
- Real-time balance monitoring
- Oracle staleness detection
- Anomaly alerts
Phishing and Impersonation
Attackers may impersonate Aarc or related brands. Always verify you are on www.aarc.xyz or app.aarc.xyz, never share seed phrases or private keys, and treat unsolicited links as suspicious. Report concerns to [email protected] with SECURITY in the subject line.
Known Limitations
Upgradeability Risk
Contracts may be upgradeable via multisig. While this enables bug fixes, it introduces centralization risk. Mitigations:
- Multi-party authorization
- Timelock on upgrades
- Advance notice to investors
Oracle Dependency
The system depends on Chainlink for the daily NAV feed and on Accountable for NAV methodology and proof-of-reserves attestation (dashboard today; separate on-chain PoR feed planned). Oracle failure, stale data, or manipulation could affect:
- Subscription/redemption pricing
- Proof of Reserves attestation
- Staleness checks
- Manual verification capability
- Pause functionality
External Dependencies
BTCY interacts with external protocols when used in DeFi. Vulnerabilities in integrated protocols (lending markets, DEXs) could result in losses. The issuer is not responsible for third-party protocol risks.
Security Contact
To report security vulnerabilities:
Email: [email protected]
Please include “SECURITY” in the subject line.
Responsible disclosure is appreciated. Please allow time for investigation and remediation before public disclosure.
Bug Bounty
There is no public bug bounty program at this time. Report vulnerabilities via the security contact above.
Governance & Controls
Multi-party authorization and controls
Available only to eligible professional/qualified investors on an invite-only basis, subject to onboarding and compliance approval. For informational purposes only and not investment advice. Not an offer to the public or a solicitation where unlawful. No retail distribution. Not available to US Persons.