# Security Practices

## Security approach

### Multi-layered security strategy

1. **Secure development practices** — All Fira contracts follow battle-tested Solidity patterns from OpenZeppelin, with strict adherence to the checks-effects-interactions pattern and consistent use of custom errors for gas-efficient revert reasons.
2. **Access control** — Sensitive state changes are gated behind `BoringOwnableUpgradeable` ownership checks at the contract level and role-based function selectors in the Router facet architecture.
3. **Reentrancy protection** — State-mutating entry points in FWBase, FiraMarket, CouponToken, and the LiquidityInjector are protected by OpenZeppelin's `ReentrancyGuard` (`nonReentrant` modifier).
4. **Pause controls** — FW token contracts implement `whenNotPaused` guards, allowing the owner to freeze deposits and redemptions during incidents without requiring a contract upgrade.
5. **Upgrade mechanisms** — Contracts use the `Initializable` pattern with upgradeable proxies, enabling hotfixes while preserving storage layout. The Router uses a diamond-like facet system with versioned selectors.
6. **Oracle safety** — A multi-layer oracle pipeline (Aave → Chainlink adapter → Fira solvency oracle → BC/LP oracle) provides defence-in-depth for price feeds, with staleness checks at every layer.
7. **Continuous monitoring** — On-chain events are designed for real-time indexing, supporting anomaly detection across all role buckets (see [Events & Indexing](https://docs.fira.money/developers/events-and-indexing)).

{% hint style="info" %}
For detailed information on each security mechanism and how it applies across the contract stack, see [Security Design](https://docs.fira.money/developers/security-and-audits/security-practices).
{% endhint %}
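The sketch below is an added example, not Fira's code. It shows how several of the layers listed above combine in a single entry point: custom errors, `nonReentrant`, `whenNotPaused`, an oracle staleness check, checks-effects-interactions ordering, and an indexable event. The `ExampleVault` contract, its error and event names, the one-hour `MAX_PRICE_AGE`, and the use of plain `Ownable` in place of `BoringOwnableUpgradeable` are assumptions; import paths assume OpenZeppelin Contracts v5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Import paths assume OpenZeppelin Contracts v5.x (non-upgradeable variants, for brevity).
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Chainlink-style feed interface, declared inline so the example needs no further imports.
interface IPriceFeed {
    function latestRoundData() external view
        returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80);
}

/// Hypothetical ETH vault used only to illustrate the patterns; not a Fira contract.
contract ExampleVault is ReentrancyGuard, Pausable, Ownable {
    error ZeroAmount();
    error InsufficientBalance(uint256 requested, uint256 available);
    error BadPrice(int256 answer, uint256 updatedAt);
    error TransferFailed();
    event Redeemed(address indexed user, uint256 amount, uint256 price);

    uint256 public constant MAX_PRICE_AGE = 1 hours; // assumed staleness threshold
    IPriceFeed public immutable feed;
    mapping(address => uint256) public balanceOf;

    constructor(IPriceFeed feed_) Ownable(msg.sender) { feed = feed_; }

    // Owner can freeze deposits and redemptions without an upgrade.
    function setPaused(bool p) external onlyOwner { if (p) _pause(); else _unpause(); }

    function deposit() external payable nonReentrant whenNotPaused {
        if (msg.value == 0) revert ZeroAmount();
        balanceOf[msg.sender] += msg.value;
    }

    function redeem(uint256 amount) external nonReentrant whenNotPaused {
        if (amount == 0) revert ZeroAmount();                        // checks
        uint256 bal = balanceOf[msg.sender];
        if (amount > bal) revert InsufficientBalance(amount, bal);
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // Fail closed on a non-positive or stale answer; a future updatedAt underflows and reverts.
        if (answer <= 0 || block.timestamp - updatedAt > MAX_PRICE_AGE)
            revert BadPrice(answer, updatedAt);
        balanceOf[msg.sender] = bal - amount;                        // effects
        (bool ok, ) = msg.sender.call{value: amount}("");            // interactions
        if (!ok) revert TransferFailed();
        emit Redeemed(msg.sender, amount, uint256(answer));
    }
}
```

The balance is written before the external call, so a reentrant call would see the reduced balance even if the `nonReentrant` guard were absent; the guard is the second layer, not the only one.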

## Pages

* [Security Design](https://docs.fira.money/developers/security-and-audits/security-practices) — In-depth coverage of access control, reentrancy, pause, and upgrade patterns
* [Audits](https://docs.fira.money/developers/security-and-audits/audits) — Chronological overview of completed security audits


