# Audits

Security is foundational to ETH Strategy. Smart contract audits are conducted before any contract goes live in a permissionless capacity.

## Completed Audits

### ESPN (Perpetual Note)

ESPN's smart contracts have been fully audited by **Nethermind**.

|             |                                                                                                                          |
| ----------- | ------------------------------------------------------------------------------------------------------------------------ |
| **Auditor** | [Nethermind](https://nethermind.io/)                                                                                     |
| **Scope**   | EthStrategyPerpetualNote (ESPN vault), ESPNRedemptionQueue                                                               |
| **Report**  | [NM0599-FINAL\_ETH\_STRAT.pdf](https://github.com/NethermindEth/PublicAuditReports/blob/main/NM0599-FINAL_ETH_STRAT.pdf) |
| **Status**  | Complete — findings addressed                                                                                            |

## In Progress

### Core Protocol

The core protocol contracts — covering convertible notes, esETH, CDT, StakedStrat, and supporting infrastructure — have completed **2 full audits**. Reports will be published alongside the contract code as the protocol approaches permissionless launch.

|                      |                                                          |
| -------------------- | -------------------------------------------------------- |
| **Scope**            | EthStrategyConvertibleNote, esETH, CdtToken, StakedStrat |
| **Audits completed** | 2                                                        |
| **Reports**          | To be published before permissionless launch             |

### Treasury Lending

Treasury Lending (StratETHTreasuryLend) is on the [roadmap](https://docs.ethstrat.xyz/introduction/roadmap) for Q2 2026. Audits for this contract will be conducted and published before it goes live.

## Security Practices

* All contracts use `Ownable2Step` for ownership management: an ownership transfer takes effect only after the pending owner explicitly accepts it
* `ReentrancyGuard` is applied to state-changing functions
* ERC-2612 permit support enables gasless approvals where applicable
* Protocol invariants are enforced at the contract level and covered by comprehensive integration tests
* Governance operations are managed through [Safe multisigs](https://docs.ethstrat.xyz/references/contracts) with a nested hierarchy

## Reporting Vulnerabilities

If you discover a potential vulnerability, please report it responsibly. Contact the team via the [ETH Strategy Telegram](https://t.me/ethstrat) or reach out to [@eth\_strategy](https://twitter.com/eth_strategy) on Twitter.

For a comprehensive view of protocol risks and mitigations, see [Risks](https://docs.ethstrat.xyz/security-and-risk/risks).
