How We Approach Smart Contract Security

SukukFi Team · security, audit, smart-contracts, erc-7540, erc-4626

Smart contract security is not a checkbox. A protocol that handles real capital has to treat it as a continuous discipline. This post covers how SukukFi approaches security, what the audit process looked at, and where the reports live.

What the Audit Covered

SukukFi runs two contract layers with distinct security requirements.

The settlement layer handles batch transfers between parties and manages liquidity reserves. The critical invariants are:

Attack vectors that auditors focused on here: manipulating batch netting calculations to extract value, withdrawing mid-settlement to force a batch failure, double-spending settlement obligations, and injecting false balance adjustments to fabricate profits.

The investment layer handles the vault itself, share accounting for duPRT, and the async deposit and redemption flow.

The critical invariants are:

Attack vectors that auditors focused on here: inflating the reserved-asset calculation to justify over-investment, exploiting the async flow to claim assets twice, front-running fulfillment transactions, and corrupting storage slots during contract upgrades.

Why These Specific Invariants Matter

ERC-7540 introduces async redemption requests, which means the vault holds redemption claims in a pending state before fulfilling them. This creates a window where the accounting between pending claims, claimable funds, and deployed capital has to be correct at every state transition.

An error in how the contract tracks pending claims could mean that a depositor's redemption request is double-counted, or that their claimable balance is inflated. Neither scenario fails loudly. Both scenarios require careful testing with adversarial state manipulation.

ERC-4626, the base vault standard, specifies share-to-asset conversion in a way that is vulnerable to inflation attacks when the vault is near-empty. Auditors confirmed the protocol's handling of this edge case, specifically at vault initialisation and after large redemptions that leave a near-zero share supply.
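As an added illustration (not SukukFi's contract code and not taken from the audit reports), the following Python model reproduces the near-empty edge case auditors check: the naive ERC-4626 conversion beside the virtual-shares mitigation, run through the same 1 wei deposit, unaccounted transfer, second deposit sequence. The `VaultModel` class, its `virtual_offset` parameter and `near_empty_check` are assumed names for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class VaultModel:
    """Minimal ERC-4626 share-accounting model (assumed stand-in, not SukukFi's contract).

    virtual_offset=None reproduces the naive conversion (1:1 mint when supply is zero).
    virtual_offset=d applies the virtual-shares mitigation: conversions behave as if
    10**d shares and 1 asset already existed, so a near-empty vault's exchange rate
    cannot be skewed cheaply by a direct asset transfer."""
    total_assets: int = 0
    total_shares: int = 0
    virtual_offset: Optional[int] = None

    def convert_to_shares(self, assets: int) -> int:
        if self.virtual_offset is None:
            if self.total_shares == 0:
                return assets  # naive 1:1 bootstrap
            return assets * self.total_shares // self.total_assets  # rounds down
        return assets * (self.total_shares + 10 ** self.virtual_offset) // (self.total_assets + 1)

    def convert_to_assets(self, shares: int) -> int:
        if self.virtual_offset is None:
            if self.total_shares == 0:
                return shares
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10 ** self.virtual_offset)

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def receive_unaccounted(self, assets: int) -> None:
        # Assets sent straight to the vault balance without minting shares; this is
        # the transfer that distorts the share price of a near-empty vault.
        self.total_assets += assets


def near_empty_check(virtual_offset: Optional[int], second_deposit: int = 10**18) -> dict:
    """Audit-style check: 1 wei first deposit, an unaccounted transfer equal to the
    next deposit, then the second deposit. Returns what each party can redeem."""
    v = VaultModel(virtual_offset=virtual_offset)
    first_shares = v.deposit(1)
    v.receive_unaccounted(second_deposit)
    second_shares = v.deposit(second_deposit)
    return {
        "second_shares": second_shares,
        "second_assets": v.convert_to_assets(second_shares),
        "first_assets": v.convert_to_assets(first_shares),
        "first_cost": 1 + second_deposit,
    }
```

With the naive conversion the second depositor is minted zero shares and the first party redeems more than it put in; with a virtual offset of 6 the second depositor's rounding loss is negligible and the first party's transfer is mostly a loss to itself.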

Where to Find the Reports

SukukFi publishes smart contract audit reports in its public security repository:

github.com/sukukfi/security-audits

Each report includes findings by severity, the remediation steps taken for each finding, and the final status. Findings labelled Critical or High were resolved before deployment. Medium and Informational findings are documented with the rationale for acceptance or remediation.

Reviewers needing architectural context should read the Security Considerations and Integration Notes for Auditors sections in the technical documentation before reading the audit reports.

What Audits Do Not Cover

An audit assesses a specific version of a contract against a specific scope. It does not cover:

Ongoing Security Posture

The audit is the starting point. After deployment, the security posture is maintained through:

Security for a live financial protocol is a continuous commitment. The audit reports document what was reviewed. The invariants above document what the protocol is built to guarantee.
To review the full technical architecture, start with the multi-tier system overview. For ERC-4626 and ERC-7540, read our vault standards explainer.