# Audits

Security is foundational to ETH Strategy. Smart contract audits are conducted before any contract goes live in a permissionless capacity.

## Completed Audits

### ESPN (Perpetual Note)

ESPN's smart contracts have been fully audited by **Nethermind**.

|             |                                                                                                                          |
| ----------- | ------------------------------------------------------------------------------------------------------------------------ |
| **Auditor** | [Nethermind](https://nethermind.io/)                                                                                     |
| **Scope**   | EthStrategyPerpetualNote (ESPN vault), ESPNRedemptionQueue                                                               |
| **Report**  | [NM0599-FINAL\_ETH\_STRAT.pdf](https://github.com/NethermindEth/PublicAuditReports/blob/main/NM0599-FINAL_ETH_STRAT.pdf) |
| **Status**  | Complete — findings addressed                                                                                            |

## In Progress

### Core Protocol

The core protocol contracts — covering convertible notes, esETH, CDT, StakedStrat, and supporting infrastructure — have completed **2 full audits**. Reports will be published alongside the contract code as the protocol approaches permissionless launch.

|                      |                                                          |
| -------------------- | -------------------------------------------------------- |
| **Scope**            | EthStrategyConvertibleNote, esETH, CdtToken, StakedStrat |
| **Audits completed** | 2                                                        |
| **Reports**          | To be published before permissionless launch             |

### Treasury Lending

Treasury Lending (StratETHTreasuryLend) is on the [roadmap](/introduction/roadmap.md) for Q2 2026. Audits for this contract will be conducted and published before it goes live.

## Security Practices

* All contracts use `Ownable2Step` for ownership management — transfers require explicit acceptance
* `ReentrancyGuard` is applied to state-changing functions
* ERC-2612 permit support enables gasless approvals where applicable
* Protocol invariants are enforced at the contract level and covered by comprehensive integration tests
* Governance operations are managed through [Safe multisigs](/references/contracts.md) with a nested hierarchy

## Reporting Vulnerabilities

If you discover a potential vulnerability, please report it responsibly. Contact the team via the [ETH Strategy Telegram](https://t.me/ethstrat) or reach out to [@eth\_strategy](https://twitter.com/eth_strategy) on Twitter.

For a comprehensive view of protocol risks and mitigations, see [Risks](/security-and-risk/risks.md).

