# Security and Audits

Security is a core pillar of ZO. Every component of the protocol — from smart contracts to oracle flows to backend infrastructure — is designed with a “safety-first” approach to protect both traders and liquidity providers.

**Independent Audits**\
All ZO smart contracts undergo independent, third-party security audits before deployment. Audits focus on critical areas including:

* leverage and liquidation logic
* collateral accounting and asset safety
* oracle integration and price update validation
* pool accounting and fee distribution
* role permissions and upgrade rules
* invariant checks and failure-mode behavior

ZO follows an iterative audit process: major upgrades, new modules (e.g., oracle engine, reserving fee model), and risk-sensitive components are re-audited before release.

Audit Partners: Movebit, Asymptotic

Latest Audit with Asymptotic:

{% embed url="<https://info.asymptotic.tech/sudo-audit-report>" %}

Audit with Movebit:

{% file src="/files/1uYDQCyNJg9UWQC5kYVt" %}

**Formal Verification & Testing**\
Beyond audits, ZO uses extensive internal testing:

* unit tests for all critical price, fee, and accounting functions
* fuzz testing to detect unexpected edge cases under load
* simulation environments that replay market volatility, liquidations, and oracle delays
* continuous integration pipelines to test every update against known attack vectors

**Oracle Safety & Manipulation Resistance**\
ZO integrates Pyth’s low-latency feeds and wraps them with additional protections:

* multiple layers of validation before a price is accepted
* staleness and deviation checks
* rate-limits and sanity bounds
* fallback paths when market conditions diverge sharply

This ensures the protocol is resistant to oracle manipulation, delayed updates, or abnormal market swings.
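
An off-chain model of the staleness, deviation, rate-limit and sanity-bound checks listed above, added here as an illustration; it is not ZO's contract code. The class names, every threshold and the sample updates are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PriceUpdate:
    price: float        # quoted price
    publish_time: int   # unix seconds at which the oracle published it

@dataclass
class OracleGuard:
    # Every threshold here is an illustrative assumption, not a ZO parameter.
    max_age_s: int = 10            # staleness limit
    max_deviation: float = 0.05    # max relative move vs. last accepted price
    min_price: float = 0.01        # sanity bounds
    max_price: float = 1_000_000.0
    min_interval_s: int = 1        # rate limit between accepted updates
    last: Optional[PriceUpdate] = None
    last_accept_time: int = 0

    def submit(self, u: PriceUpdate, now: int) -> str:
        """Return 'accept' or a reject reason; state changes only on accept."""
        if not (self.min_price <= u.price <= self.max_price):  # also rejects NaN
            return "reject:bounds"
        if u.publish_time > now or now - u.publish_time > self.max_age_s:
            return "reject:stale"
        if self.last is not None:
            if u.publish_time <= self.last.publish_time:
                return "reject:not-newer"
            if now - self.last_accept_time < self.min_interval_s:
                return "reject:rate-limit"
            move = abs(u.price - self.last.price) / self.last.price
            if move > self.max_deviation:
                return "reject:deviation"
        self.last, self.last_accept_time = u, now
        return "accept"

def run_sample() -> list:
    t0 = 1_700_000_000
    guard = OracleGuard()
    sample = [  # constructed (price, publish_time, now) values, not market data
        (100.0, t0, t0 + 1),       # first price
        (101.0, t0 + 2, t0 + 3),   # 1% move, fresh
        (101.5, t0 + 3, t0 + 3),   # arrives in the same second as the last accept
        (120.0, t0 + 5, t0 + 6),   # ~19% jump
        (101.2, t0 + 5, t0 + 30),  # published 25 s ago
        (0.0, t0 + 31, t0 + 31),   # outside sanity bounds
    ]
    return [guard.submit(PriceUpdate(p, ts), now) for p, ts, now in sample]
```

A rejected update leaves the last accepted price in place; what the caller does next (pause trading, switch to a fallback path) is outside this sketch.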

**Permission Controls & Safe Upgrades**\
ZO employs strict on-chain role separation. Administrative actions, such as upgrading modules or adjusting parameters, require multi-sig approval. Upgrades follow a staged rollout process, allowing for on-chain monitoring and rollback if needed.

**Ongoing Monitoring**\
Post-deployment, the protocol uses continuous monitoring tools to detect abnormal behavior such as unusual open interest (OI) imbalances, rapid liquidation clusters, or irregular transaction patterns. When thresholds are met, circuit-breakers and automatic safeguards can slow or restrict actions on the protocol.

**Onchain Programs**

You can find the ZO contracts in the Move Registry:

{% embed url="<https://www.moveregistry.com/package/@zofai/sudo-perps-core>" %}

{% embed url="<https://www.moveregistry.com/package/@zofai/zo-perps-zlp>" %}

{% embed url="<https://www.moveregistry.com/package/@zofai/zo-perps-usdz>" %}

