> ## Documentation Index
> Fetch the complete documentation index at: https://docs.aarc.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Audits

> Smart contract security and audit status

BTCY smart contracts undergo rigorous security review before deployment.

## Smart Contract Audit

| Parameter | Value                                                 |
| --------- | ----------------------------------------------------- |
| Auditor   | Cyfrin                                                |
| Completed | February 2026                                         |
| Scope     | iBTCY (ERC-20), BTCY (ERC-4626), governance contracts |
| Status    | All identified issues resolved prior to deployment    |

### Audit Report

[Cyfrin Aarc BTCY v2.0 (PDF, February 2026)](https://github.com/Cyfrin/cyfrin-audit-reports/blob/main/reports/2026-02-20-cyfrin-aarc-btcy-v2.0.pdf)

### Scope

The audit covered:

* iBTCY token contract (ERC-20 with restrictions)
* BTCY vault contract (ERC-4626)
* Whitelist and access control mechanisms
* Pause functionality
* Upgrade mechanisms
* Integration with external oracles

### Findings Resolution

| Severity      | Count    | Status                                       |
| ------------- | -------- | -------------------------------------------- |
| Critical      | 0        | None                                         |
| High          | 0        | None                                         |
| Medium        | 1        | Resolved prior to deployment                 |
| Low           | 12       | Resolved or acknowledged prior to deployment |
| Informational | Multiple | Addressed or acknowledged                    |

## Security Measures

### Multi-Party Authorization

All critical operations require multi-party authorization from independent signers. No single party can unilaterally mint, burn, or upgrade contracts.

### Timelocks

Material changes require advance notice to investors.

### Monitoring

* Real-time balance monitoring
* Oracle staleness detection
* Anomaly alerts

## Phishing and Impersonation

Attackers may impersonate Aarc or related brands. Always verify you are on **[www.aarc.xyz](http://www.aarc.xyz)** or **app.aarc.xyz**, never share seed phrases or private keys, and treat unsolicited links as suspicious. Report concerns to [contact@aarc.xyz](mailto:contact@aarc.xyz) with `SECURITY` in the subject line.

## Known Limitations

<Warning>
  **Audits reduce risk but do not eliminate it.**

  Smart contracts may contain undiscovered vulnerabilities. An exploit could result in loss of funds.
</Warning>

### Upgradeability Risk

Contracts may be upgradeable via multisig. While this enables bug fixes, it introduces centralization risk. Mitigations:

* Multi-party authorization
* Timelock on upgrades
* Advance notice to investors

### Oracle Dependency

The system depends on Chainlink for the daily NAV feed and on Accountable for NAV methodology and proof-of-reserves attestation (dashboard today; separate on-chain PoR feed planned). Oracle failure, stale data, or manipulation could affect:

* Subscription/redemption pricing
* Proof of Reserves attestation

Mitigations:

* Staleness checks
* Manual verification capability
* Pause functionality

### External Dependencies

BTCY interacts with external protocols when used in DeFi. Vulnerabilities in integrated protocols (lending markets, DEXs) could result in losses. The issuer is not responsible for third-party protocol risks.

## Security Contact

To report security vulnerabilities:

**Email:** [contact@aarc.xyz](mailto:contact@aarc.xyz)

Please include "SECURITY" in the subject line.

<Info>
  Responsible disclosure is appreciated. Please allow time for investigation and remediation before public disclosure.
</Info>

## Bug Bounty

There is no public bug bounty program at this time. Report vulnerabilities via the security contact above.

<Card title="Governance & Controls" icon="shield" href="/security/governance">
  Multi-party authorization and controls
</Card>

***

<Note>
  Available only to eligible professional/qualified investors on an invite-only basis, subject to onboarding and compliance approval. For informational purposes only and not investment advice. Not an offer to the public or a solicitation where unlawful. No retail distribution. Not available to US Persons.

  [Disclaimers](/legal/disclaimers) · [Platform and issuer](/legal/platform-legal)
</Note>
