# Smart Contract Security

To ensure the strict integrity of all token and vault operations, Midas enforces a comprehensive suite of on-chain security parameters. These mechanisms are hardcoded into the protocol to eliminate single points of failure and prevent unauthord access.

#### Multisig/MPC Controls&#x20;

No single individual or compromised key can unilaterally update prices, access funds, or modify critical vault parameters. All high-level protocol operations require approval from a multi-signature wallet and or MPC, typically requiring a minimum of three independent approvers. This strict consensus mechanism applies to Oracle price updates, modifications to fee recipients, and any adjustments to the underlying risk parameters of the vaults.

#### Midas Controller

**Overview**\
The Midas Controller ([address](https://etherscan.io/address/0x0312a9d1ff2372ddedcbb21e4b6389afc919ac4b)) is the core access control layer governing platform-level operations. It is designed with a multi-layered security architecture to ensure robust protection against single points of failure.

**Quorum Structure**\
The Midas Controller operates under a 1-of-3 quorum model:

* 1 Safe (multisig)
* 2 MPC-based signers:
  * 1 Fordefi
  * 1 Fireblocks

Each of these three entities represents one quorum participant.

\
**Underlying Security (Per Signer)**\
Each quorum participant is backed by an independent threshold signing mechanism:

* Safe (multisig): requires a quorum of at least 4 signers backed by cold wallet
* Fordefi MPC: requires at least 4 MPC participants
* Fireblocks MPC: requires at least 4 MPC participants

\
**Security Design Principles**

* Multi-provider setup: Reduces reliance on a single custody or signing provider
* Layered quorum: Combines wallet-level and MPC-level thresholds
* Fault tolerance: System remains operational even in case of partial signer failure
* Operational separation: Different entities and systems participate in signing flows

#### Role-Based Access Control&#x20;

Midas enforces a strict, cryptographic separation of powers across all smart contract functions. By isolating specific capabilities to dedicated contracts, the system ensures that a vulnerability in one area cannot be exploited to compromise the broader protocol.

* **Minter Role:** The Deposit Vault and cross-chain OFT bridge contracts hold the Minter Role. These contracts can strictly mint new mTokens upon successful deposit confirmations but have no ability to burn them.
* **Burner Role:** The Redemption Vault and OFT bridge contracts hold the Burner Role. They are authorised only to destroy mTokens when processing user withdrawals and have no minting capabilities.
* **Pauser Role:** This role holds dedicated emergency pause authority. It is separated from daily operational roles, is activated manually, and requires multi-sig authorisation to execute.
* **Token Management Role:** This specialised role handles manual minting or burning required for specific OTC transactions. System roles are tightly governed and can only be granted or revoked by the highest-level authorised administrative addresses.

#### Granular Pause Mechanisms & Smart Contract Controls

In the event of extreme market volatility or a security incident, Midas supports manual pause functionality. There are no automatic triggers for these specific actions. All manual pauses require multi-sig authorisation to activate, preventing malicious griefing attacks.

* **Vault-Level Pauses:** Operators can apply targeted restrictions directly to the vaults. They can choose to pause only deposits, only instant redemptions, only standard redemptions, or all vault operations simultaneously. This granularity allows the protocol to halt a specific liquidity flow without freezing the entire system.
* **Token-Level Pauses:** At the overarching token layer, a pause freezes all ERC-20 transfers, meaning mTokens cannot be moved between wallets or smart contracts. However, critical read-only functions, such as balance queries and block explorer viewing, remain fully operational.
* **Timelocked Upgrades:** As a broader protocol safeguard, all smart contracts are gated by a timelock controller that enforces a mandatory 48-hour delay for any contract upgrades, ensuring transparency and preventing abrupt structural changes.

During any pause event, background price updates and Oracle operations continue uninterrupted to ensure the NAV remains perfectly synced with the underlying assets once operations resume.

#### Transaction Atomicity&#x20;

All operations on Midas smart contracts are fully atomic, meaning they execute sequentially in a single block. A transaction must either execute completely from start to finish, or it will revert entirely.&#x20;

If any single step in a deposit or redemption flow fails, including a rejection by the Oracle's automated validation checks, the entire transaction is instantly reverted. No funds are transferred, no tokens are minted, and users are never left in an ambiguous, partially processed state.

#### On-Chain Transparency&#x20;

Every core Midas smart contract is verified and publicly readable on block explorers such as Etherscan and Basescan. This allows any user, auditor, or institutional partner to query the real-time state of the protocol directly from the blockchain.

Users can directly call view functions on key Midas smart contracts, including:

{% tabs %}
{% tab title="mToken Contract" %}

* totalSupply()
* balanceOf(address)
* name()
* symbol()
  {% endtab %}

{% tab title="Custom Feed" %}

* lastAnswer()
* decimals()
  {% endtab %}

{% tab title="Deposit Vault" %}

* minAmount()
* instantDailyLimit()
* instantFee()
* greenlistEnabled()
* paused()
  {% endtab %}

{% tab title="Redemption Vault" %}

* minAmount()
* instantFee()
* minFiatRedeemAmount()
* paused()
  {% endtab %}
  {% endtabs %}

To verify any contract, users can visit the relevant block explorer, search for the contract address, navigate to the "Contract" tab, and use the "Read Contract" interface. For a comprehensive list of supported networks and deployed contract addresses, please refer to the Smart Contracts Addresses page in the Midas documentation.

#### Third party audits

All smart contracts undergo regular third party audits to ensure top-tier security standards and continuous assurance of protocol integrity. You can see full details here: [Audits](/resources/audits.md).

#### Bug Bounty Program

Midas operates a continuous bug bounty program to identify and resolve vulnerabilities within our smart contracts and infrastructure. While traditional audits provide a point-in-time security review before deployment, a bug bounty offers ongoing protection by incentivising a global network of independent security researchers to test our code in live environments.

For users and integration partners, this program functions as a proactive risk mitigation layer. By offering substantial financial rewards for the responsible disclosure of vulnerabilities, specifically those that could cause protocol insolvency or asset freezing, Midas actively reduces the risk of zero-day exploits. This ongoing external scrutiny is designed to ensure that mTokens maintain their structural integrity when utilised across the decentralised finance ecosystem.

The program is hosted on the Web3 security platforms Sherlock and Cantina, providing a structured and transparent framework for vulnerability reporting and triage.

{% tabs %}
{% tab title="Reward Pool" %}
$1,000,000 USD allocated for valid disclosures.
{% endtab %}

{% tab title="Max Payout" %}
Up to $500,000 USD for a critical vulnerability.
{% endtab %}

{% tab title="Scope" %}
The program encompasses the core Ethereum and Solana smart contracts, production contract configurations, and the Midas web interface.
{% endtab %}

{% tab title="Severity" %}
Payouts are strictly tied to impact, prioritizing findings that pose a direct financial threat to the protocol or its users.
{% endtab %}
{% endtabs %}

This crowdsourced testing operates alongside our formal audits and live off-chain portfolio monitoring, forming a critical component of our multi-layered security framework.

{% hint style="info" %}
*For complete details on scope, severity classifications, and reporting instructions, please click* [*here*](/resources/official-links.md)*.*
{% endhint %}

#### Smart Contract Integrity Verification

Every day at 00:00 UTC, the Midas system performs an automated "state-check" by reading the configuration of all Midas smart contracts directly from the blockchain (including deposit/redemption vaults, price feeds, and security parameters). The system verifies that all critical variables, such as deposit/withdrawal limits, fee structures, emergency pause status, and price oracle aggregators, match their expected, governance-approved values.

<details>

<summary><strong>The IPFS &#x26; On-Chain Audit Trail</strong> </summary>

<sup>*The resulting status report is published to IPFS via Pinata. IPFS automatically generates a Content Identifier (CID), which is a unique cryptographic hash of the file’s contents. This CID is then pushed onchain into a dedicated Midas registry contract, creating a public, timestamped proof of the protocol's state.*</sup>

<sup>*The security of this system lies in the CID itself: because the CID is a direct product of the file's data, any attempt to alter the report would result in a completely different CID, making any discrepancy or fraud immediately detectable.*</sup>

</details>

<details>

<summary><strong>Independent Verification by LlamaRisk and Canary</strong> </summary>

<sup>*To ensure Midas is not "self-reporting" without oversight, LlamaRisk and Canary act as independent third-party sentinels. Because the protocol's smart contract parameters are publicly accessible on the blockchain, the verification logic can be executed by anyone in read-only mode to independently recalculate the expected hash.*</sup>

<sup>*LlamaRisk and Canary perform this check continuously. They compare their independently calculated hash against the hash published onchain. If any critical parameter (such as a fee, a daily limit, or an oracle address) were modified without authorisation, their systems would immediately flag the divergence, providing a 24/7 external audit of the protocol's operational integrity.*</sup>

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.midas.app/security/smart-contract-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.