Security
IndexPad is testnet software. It has been through intensive internal multi-agent review (below), but no professional third-party audit. Do not use it with real funds until the mainnet gates are met.
Design-level guarantees
The most important security properties are structural, not patched-in:
- No trusted operator. Fee conversion is permissionless; dividend distribution is embedded in the token; claims and RFV redemptions are direct holder actions. There is no keeper whose honesty or liveness holders depend on.
- Immutable token economics. Fees (≤ 10% hard cap), the basket, and the RFV split are fixed at launch — the creator cannot rug via parameter changes. There is no blacklist and no arbitrary fee-exemption list.
- Unpausable exits. The guardian pause stops new launches and conversions only.
claim()andIndexTreasury.redeem()can never be paused or gated. - Oracle-free floor. RFV redemption is pure pro-rata arithmetic — it works even if every price feed is down, and rounding always favors the remaining holders.
- Standard ERC-20 semantics. No reflections or rebasing; dividend accounting is separate accumulator state, so integrations see a normal token.
- Vault-style hygiene throughout: checks-effects-interactions (state updates before transfers),
nonReentrantonclaim/distribute/redeem/convert, received-amount measurement on swaps, and hard caps (basket ≤ 16) bounding all loops.
Internal audit (v3, 2026-07)
The v3 keeper-free rewrite went through a multi-agent audit (9 specialized finders + adversarial verification across 3 rounds, ~30 agents) over the full delta. 3 findings were confirmed High — all fixed, regression-tested, and re-verified; the fix round itself was adversarially attacked twice more until a clean GO:
| # | Finding | Fix |
|---|---|---|
| V1 | Registered AMM pairs were never dividend-excluded — pool LP balances would accrue unclaimable dividends and dilute holders on every distribution | setAmmPair validates a genuine v2 pool for this token, excludes it from dividends, and reconciles reserves |
| V2 | One bad/delisted basket stock (or a reserve-equal member) could permanently brick the whole fee pipeline | Reserve/self rejected as basket members at initialize; per-stock try/catch isolation with min-outs capped at the router quote (so skips can't be forced); revert if nothing distributes |
| V3 | A single paused equity could block a holder's entire claim | Per-stock claim(address) escape hatch (effects already precede transfers) |
Plus hardening surfaced during the adversarial rounds: reentrancy guards on claim/distribute (proven by test), zero-quote skips, and dust-burn rejection in redeem. The earlier v2 audit's fixes carry over (immutable reserve, no setFeeExempt, one-way contract-only pair registration, zero-min-out reverts) — and the v3 architecture eliminated v2's worst findings by construction (no shared distributor pool to drain, no keeper to trust).
Full details in AUDIT.md.
Known limitations & accepted residuals
- Testnet router is a 1:1 mock — real price impact and sandwich dynamics are only exercised on mainnet. Permissionless
convertneeds oracle/TWAP-floored min-outs there (Chainlink feeds exist for every official tokenized equity). - Basket assets must be vanilla ERC-20s (no fee-on-transfer/rebasing) — enforced socially via the governance allow-list; the official Robinhood tokenized equities qualify (standard ERC-20, no pause/freeze/blocklist per Robinhood's docs).
- Pair registration trusts the creator to register the canonical pool (the contract verifies it is a genuine pool for the token; a canonical
factory.getPaircheck is queued for mainnet). distributionModeis reserved/inert; unusedmodules/code is slated for deletion before mainnet.
Mainnet gates
All of the following before any 4663 deployment:
- Tokenized-equity custody spike (verify an arbitrary contract can hold/transfer the real stock tokens).
- Professional audit of the high-severity areas.
- US-person geo-gating + legal review for stock baskets.
- Oracle/TWAP-derived slippage floors for conversion; confirm mainnet stock-buy routing (RFQ/0x vs AMM).
Reporting
Found something? Open a private security advisory on GitHub or contact the team — please don't open public issues for vulnerabilities.