# Security Overview

Fira treats security as a structural requirement. Before any user funds were accepted, Fira smart contracts underwent six independent external audits and an extended internal security review, and a live bug bounty program was established. Every deployed contract is verified on Etherscan.

## Audit Coverage

Six independent audits were conducted on Fira contracts between November 2025 and March 2026:

| Audit                | Auditor            | Date          | Type                    |
| -------------------- | ------------------ | ------------- | ----------------------- |
| Fira UZR Audit Nov25 | Sherlock           | November 2025 | Competitive audit       |
| Fira UZR Audit Nov25 | Spearbit / Cantina | November 2025 | Focused security review |
| Fira UZR Audit Dec25 | yAudit             | December 2025 | Independent assessment  |
| Fira V1 Audit Feb26  | Sherlock           | February 2026 | Competitive audit       |
| Fira V1 Audit Feb26  | Hexens             | February 2026 | Independent audit       |
| Fira V1 Audit Mar26  | yAudit             | March 2026    | Independent assessment  |

All findings were addressed before deployment. Full reports and methodology details are on the [Audits](https://docs.fira.money/security-and-risk/audits) page.

In addition, the Steady Labs engineering team conducted an extended internal security review covering code quality, deployment procedures, parameter configurations, access controls, and operational security.

## Bug Bounty

Fira maintains a live bug bounty program through Sherlock with rewards up to **$500K** for critical vulnerabilities. The program covers all deployed Fira V1 contracts on Ethereum mainnet.

For the full scope, reward tiers, and submission process, see the [Bug Bounty](https://docs.fira.money/security-and-risk/bug-bounty) page.

## Smart Contract Architecture

Fira's system is composed of three core modules:

* **Lending Market** — Core lending vault, collateral management, liquidations, interest accrual, and ERC-4626 curation vaults
* **Fixed-Rate AMM and Tokenization** — BT/CT/FW token system, fixed-rate price discovery AMM, and rehypothecation module
* **Router** — Diamond-style proxy dispatching to modular action contracts for single-transaction user flows

Access control is enforced through role-based permissions and multisig governance. For the full architecture, see [Architecture Overview](https://docs.fira.money/protocol/architecture-overview).

## Risk Framework

Fira documents six primary risk categories:

1. [Interest Rate Risk](https://docs.fira.money/security-and-risk/risk-framework/interest-rate-risk)
2. [Liquidation Risk](https://docs.fira.money/security-and-risk/risk-framework/liquidation-risk)
3. [Bad Debt Risk](https://docs.fira.money/security-and-risk/risk-framework/bad-debt-risk)
4. [Collateral Risk](https://docs.fira.money/security-and-risk/risk-framework/collateral-risk)
5. [Liquidity Risk](https://docs.fira.money/security-and-risk/risk-framework/liquidity-risk)
6. [Smart Contract Risk](https://docs.fira.money/security-and-risk/risk-framework/smart-contract-risk)

For the full risk index, see [Risk Framework](https://docs.fira.money/security-and-risk/risk-framework). For legal disclaimers, see [Risk Disclaimers](https://docs.fira.money/security-and-risk/risk-disclaimers).

## Key Principle

Audits, reviews, and bounties reduce certain risks but do not eliminate them. Fira is experimental software. Users should understand all risk categories before interacting with the protocol.
