Security Built In, Not Bolted On

Audited by Halborn. Guardian enforced. MPC signed. Fail-closed by design.

Security

Halborn Audited

The DeFi infrastructure was audited by Halborn. The audit covered cross-chain logic, smart contracts on EVM and non-EVM chains, Soroban on Stellar, and penetration testing of the execution stack.

Guardian Layer + MPC

The Guardian Layer is the core safety system between Surf and your funds. It defines what is allowed on-chain. Surf proposes actions; the Guardian Layer decides if they can execute.

Fail-Closed Architecture

The system is designed to fail closed. Any single rule violation rejects the action. No overrides. No backdoors. Every rejected action is logged.

Custody Model

Funds move across chains, but custody stays inside the user vault.

[Diagram: User, User Vault Contract, Approved Venue 1, Approved Venue 2, Approved Venue 3]

Operator can rebalance to approved venues only (12h cooldown)
Bridge recipient must equal vault contract address (SL-C01 invariant)
User can deposit and withdraw freely
No extraction to arbitrary external addresses
Strict permissions enforced on-chain
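
The fail-closed evaluation and custody rules described above, as an added sketch (not Surf's or Halborn's code). The `Action` fields, rule names, function names and sample addresses are assumptions made for illustration; only the 12h cooldown, the approved-venue rule and the bridge-recipient invariant come from the page.

```python
from dataclasses import dataclass

COOLDOWN_S = 12 * 3600  # 12h operator cooldown, as stated on the page

@dataclass(frozen=True)
class Action:  # hypothetical shape of an action proposed to the guardian
    kind: str            # "rebalance" or "bridge"
    vault: str           # user vault contract address
    target: str          # venue (rebalance) or bridge recipient (bridge)
    now: int             # proposal time, unix seconds
    last_rebalance: int  # time of the vault's previous rebalance

# Each rule returns True when satisfied or not applicable to this action kind.
def venue_approved(a, approved):
    return a.kind != "rebalance" or a.target in approved

def cooldown_elapsed(a, approved):
    return a.kind != "rebalance" or a.now - a.last_rebalance >= COOLDOWN_S

def bridge_recipient_is_vault(a, approved):  # the page's SL-C01 invariant
    return a.kind != "bridge" or a.target == a.vault

RULES = (venue_approved, cooldown_elapsed, bridge_recipient_is_vault)
KNOWN_KINDS = {"rebalance", "bridge"}

def evaluate(action, approved, audit_log):
    """Allow only if every rule passes; any violation or error rejects and logs."""
    failures = []
    if action.kind not in KNOWN_KINDS:  # unknown kinds are never default-allowed
        failures.append("unknown_action_kind")
    for rule in RULES:
        try:
            passed = rule(action, approved) is True  # only a literal True passes
        except Exception as exc:  # a rule that cannot be evaluated is a violation
            failures.append(f"{rule.__name__}:error:{type(exc).__name__}")
            continue
        if not passed:
            failures.append(rule.__name__)
    if failures:
        audit_log.append({"action": action, "rejected_by": failures})
        return False
    return True

def demo():  # constructed sample: bridge whose recipient is not the vault
    log = []
    action = Action("bridge", "vault-A", "other-address", 100_000, 0)
    return evaluate(action, {"venue-1"}, log), log
```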

Access Control Roles

No single role has full control. Permissions are scoped and enforced on-chain.

Role | Permissions
Owner (User) | Deposit, withdraw, close module, emergency token withdraw
Operator | Rebalance to whitelisted vaults (TLD reserved)
Admin | Bootstrapping, authorised emergency, accounting, disputes
Revenue | Claim protocol fees

Continuous monitoring with defined response paths

Monitoring and Crisis Response

Monitoring Triggers

Abnormal outflows or behaviour deviations
Third-party protocol incidents or confirmed hacks
Out-of-ordinary execution patterns
Oracle anomalies or utilisation spikes

Response Actions

Vault-level, strategy-level or system-level freeze
Highest-risk positions unwound first
User withdrawal rights preserved even during system freeze
Circuit breaker can be triggered by any MPC key holder

Non-negotiable system constraints

Invariant Categories

Custody

Funds never leave vault except via approved execution or user withdrawal

Exposure

Max per protocol, per asset class, per vault

Liquidity

Minimum exit depth. No stranding capital.

Execution

Atomic only. No partial states.

Risk

Health factor minimums. Oracle deviation tolerance.

Temporal

Cooldown periods. Emergency freeze conditions.

Trust is checkable

Security in Surf is inherited, not assumed