Security Audit Report

Bondi Finance has undergone comprehensive security audits to ensure the integrity and safety of our smart contract infrastructure. These audits are conducted by independent third-party security firms to provide an objective assessment of our platform's security posture.

Audit Overview

Audit Firm: Sherlock collaborative audit led by iamnmt and jennifer37
Audit Date: September 8 – September 15, 2025
Scope: Smart Contract Security Assessment (Bondi v2 contracts)
Status: Completed
Final Commit: 1508e56108c826c44be0ffb2b40261ada7be610f

Download Full Report

Download Bondi Audit Report (PDF)

Key Findings Summary

Severity   | Count | Status                                                  | Description
-----------|-------|---------------------------------------------------------|-----------------------------------------------------------
High       | 1     | ✅ Fixed                                                | Funding sync may be blocked (resolved)
Medium     | 6     | ✅ All fixed (M-3 resolved via backend implementation)  | DoS, refund flow, unclaimed coupons, cross-chain sync, etc.
Low / Info | 3     | ✅ Best-practice adjustments implemented                | Gas optimization, KYC enforcement, initialization fix

Summary

  • High Priority Issues: 1 (fixed)
  • Medium Priority Issues: 6 (all resolved, including M-3 via backend implementation)
  • Low Priority Issues: 3 (recommendations implemented)

Core Security Strengths

The audit highlighted several key security strengths of the Bondi v2 platform:

  • Zero Bridge Risk Multichain Design: Funds never leave their origin chain. Cross-chain coordination is handled via mirrored AccountingTokens and an off-chain watcher, ensuring global target tracking without exposing assets to bridge exploits

  • Battle-Tested Financial Flows: The same funding, extraction, bond purchase, and coupon/principal repayment logic proven in production is preserved in v2, now enhanced with FpUSD receipts and Merkle-based distributions

  • Defense-in-Depth Role Architecture: Access control follows the principle of least privilege with strict separation between multisig admin powers and backend service roles

  • Verifiable Merkle Distributions: Incentives and coupons are consolidated into a single Merkle root, which anyone can independently reconstruct to verify accuracy
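As an added illustration of the "independently reconstruct" property above (example code written for this page, not Bondi's own contracts or tooling), the script below rebuilds a Merkle root from a constructed distribution list, produces a proof for one entry and verifies it against the root. The leaf encoding (address || amount) and the SHA-256 hash are assumptions, since the page does not specify the contract's actual encoding; on-chain distributions typically use keccak256.

```python
import hashlib
from typing import List, Tuple

# Constructed sample distribution: (account, amount). Not real Bondi data.
DISTRIBUTION: List[Tuple[str, int]] = [
    ("0x1111111111111111111111111111111111111111", 1_000_000),
    ("0x2222222222222222222222222222222222222222", 250_000),
    ("0x3333333333333333333333333333333333333333", 42),
]

def leaf_hash(account: str, amount: int) -> bytes:
    # Assumed leaf encoding: 20-byte address || 32-byte big-endian amount,
    # hashed with SHA-256 (the contract's real encoding is not on this page).
    data = bytes.fromhex(account[2:]) + amount.to_bytes(32, "big")
    return hashlib.sha256(data).digest()

def pair_hash(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing: a proof then needs no left/right position flags.
    lo, hi = (a, b) if a <= b else (b, a)
    return hashlib.sha256(lo + hi).digest()

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    # Leaves are sorted so any party gets the same root regardless of list order.
    levels = [sorted(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # An odd node at the end is promoted unchanged to the next level.
        levels.append([pair_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def merkle_root(dist: List[Tuple[str, int]]) -> bytes:
    return build_tree([leaf_hash(a, n) for a, n in dist])[-1][0]

def merkle_proof(dist: List[Tuple[str, int]], account: str, amount: int) -> List[bytes]:
    # Sibling hashes from leaf to root; a promoted odd node contributes nothing.
    levels = build_tree([leaf_hash(a, n) for a, n in dist])
    idx = levels[0].index(leaf_hash(account, amount))
    proof = []
    for level in levels[:-1]:
        sibling = idx ^ 1
        if sibling < len(level):
            proof.append(level[sibling])
        idx //= 2
    return proof

def verify(root: bytes, account: str, amount: int, proof: List[bytes]) -> bool:
    # Recompute the path; any change to account, amount or proof breaks the match.
    node = leaf_hash(account, amount)
    for sibling in proof:
        node = pair_hash(node, sibling)
    return node == root
```

Publishing only the root on-chain and the full list off-chain lets any holder rerun merkle_root over the list and compare before trusting a claim.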

Audit Scope

The security audit covered the following core smart contracts:

Smart Contracts Audited

Primary Market Contracts (Funding Phase):

  • Funding.sol – Handles investment deposits and FpUSD minting in the primary market
  • InvestorNFT.sol – Loyalty NFTs for early adopters who participate in the primary market
  • FpUSD.sol – Receipt token for proof of participation in funding rounds
  • AccountingToken.sol – Cross-chain deposit mirroring system for multichain coordination

Core Platform Contracts:

  • Handler.sol – Orchestrates the entire bond lifecycle from crowdfunding start (Funding Phase) to maturity
  • Distribution.sol – Manages bond token distribution and coupon payments
  • BondToken.sol – ERC20 bond implementation with compliance & pausable logic
  • KYCRegister.sol – Onchain KYC registry after third-party KYC provider approval
  • ERC1643Upgradeable.sol – Document management system inherited by BondToken.sol for attaching bond purchase statements, prospectuses, and other relevant documents
  • Proxies.sol – BondToken.sol upgrade mechanism management

Key Security Areas Assessed

  • Access Control: Multisig admin structure with least-privilege role separation
  • Input Validation: Parameter constraints and reentrancy protection
  • State Management: Consistency in funding, mirroring, and distribution states
  • External Dependencies: Building the Merkle tree for distributions, cross-chain sync mechanisms
  • Economic Logic: Target amount enforcement, refund validity, coupon accruals
  • Upgrade Mechanisms: Proxy safety, admin boundaries, initialization logic

Implementation Status

All issues were fixed. The final version was deemed production-ready by Sherlock.

Ongoing Security Measures

Bondi Finance maintains continuous security assurance through:

  • Regular Code Reviews: Every major code change is further audited
  • Automated Testing: 100% test coverage across all modules and key invariants
  • Monitoring Systems: Real-time onchain transaction monitoring
  • Incident Response: Procedures for anomaly detection and mitigation

Contact Information

For questions about this audit report or security concerns, please contact:

Disclaimer

This audit report represents a point-in-time assessment of the Bondi Finance platform security. The blockchain and DeFi landscape continues to evolve, and new attack vectors may emerge. Users should always exercise caution and conduct their own due diligence when interacting with any protocol.

For additional security information, see our Cybersecurity Guide and Risk Disclosures.