# 5. Security (Security and Risk Management) {% hint style="info" %} This chapter describes DOR's security framework across smart-contract audits, infrastructure and operations controls, and periodic transparency and risk governance. {% endhint %} DOR is designed to minimize single points of failure. Since the protocol aggregates meme liquidity at scale, security is treated as a design variable, not an afterthought. ### 5.1 Smart Contract Audit Core protocol logic is implemented on EVM-compatible smart contracts. Vulnerabilities at this layer can directly cause liquidity loss, price manipulation, and accounting distortion. #### 5.1.1 Audit Scope Audit targets include module interactions, not only isolated functions: * HLP and HLA modules * MSP, RP, MOP/SOP/IRP transfer logic. * Rebalancing and auto-backstopping rules. * Swap and routing kernel * Downside-driven inflow logic. * Dynamic slippage and contribution controls. * External DEX integration paths. * Oracle and pricing layer * Multi-oracle and TWAP composite logic. * Volatility pause, circuit breaker, and execution validation gates. * Staking and vesting modules * DS allocation and lock/unlock logic. * Performance-linked emission and reward distribution. * Accounting and transparency layer * Off-chain aggregation and on-chain hash commitment pipeline. * IPFS/Arweave linkage and proof verification. * Governance and treasury modules * Parameter governance, treasury flows, and reserve logic. The effective audit target is the full protocol state machine. #### 5.1.2 Audit Lifecycle DOR uses a three-stage audit lifecycle: 1. Pre-launch audit * Static analysis, dynamic testing, and fuzzing before mainnet deployment. * Baseline reports and patches are publicly archived. 2. Post-launch delta audit * Targeted audits for upgrades, patches, parameter-sensitive transitions, and new modules. 3. Continuous audit and bug bounty * Public code transparency and ongoing review with clear boundaries between upgradable and immutable components. #### 5.1.3 Least Privilege and Multisig Security controls also depend on authority design: * Least privilege * No single EOA may unilaterally execute high-risk actions. * Function-specific roles and cross-approval constraints are enforced. * Multisig and distributed keys * Treasury movement, emergency pause, and key parameter actions require M-of-N signatures. * Authority progressively shifts from foundation keys to DAO and emergency council structures. ### 5.2 Periodic Audit and Operational Risk Framework Code-level security alone is not sufficient for live protocol safety. DOR combines accounting transparency with operation-level controls. #### 5.2.1 On-chain Accounting and Integrity DOR uses real-time execution and daily on-chain commitment: * Off-chain indexer records all operational events in real time. * Daily UTC summary files are generated in structured JSON. * Hashes (SHA-256 or Keccak) plus decentralized storage links are committed on-chain with DAO signatures. This enables reproducible external verification for any date and state snapshot. #### 5.2.2 Custody and Deployment Risk Controls Asset custody follows segmentation and diversification rules: * Multi-wallet segmentation * MSP, RP, operation pools, treasury, and SAFU reserves are separated. * External strategy diversification * No excessive concentration in one external protocol. * Insurance and SAFU policy * Dedicated reserve for exploit and operation-loss mitigation, with governance-adjustable minimum ratios. #### 5.2.3 Auto-Freeze and Emergency Protocol Anomaly response is proactive: * Auto-freeze * Suspicious addresses or abnormal route patterns can trigger automatic path-level freezes. * Emergency process * In severe events (oracle outage, abnormal balance drain, oversized transfers), selected operations are paused. * Emergency council executes predefined response windows, and all actions are publicly logged. #### 5.2.4 Periodic Transparency and External Review DOR supports periodic third-party validation: * External accounting and security review cycles. * Public DAO dashboards for key metrics, including CRR, LR, and stabilization indicators. * Open-source verified contracts for independent code and state validation. The combined framework delivers technical security, operational resilience, and auditable transparency. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dormanagement.gitbook.io/dormanagement-docs/5-security-risk-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.