# Security Overview

Fira treats security as a structural requirement. Before any user funds were accepted, Fira smart contracts underwent six independent external audits and an extended internal security review, and a live bug bounty program was established. Every deployed contract is verified on Etherscan.

## Audit Coverage

Six independent audits were conducted on Fira contracts between November 2025 and March 2026:

| Audit                | Auditor            | Date          | Type                    |
| -------------------- | ------------------ | ------------- | ----------------------- |
| Fira UZR Audit Nov25 | Sherlock           | November 2025 | Competitive audit       |
| Fira UZR Audit Nov25 | Spearbit / Cantina | November 2025 | Focused security review |
| Fira UZR Audit Dec25 | yAudit             | December 2025 | Independent assessment  |
| Fira V1 Audit Feb26  | Sherlock           | February 2026 | Competitive audit       |
| Fira V1 Audit Feb26  | Hexens             | February 2026 | Independent audit       |
| Fira V1 Audit Mar26  | yAudit             | March 2026    | Independent assessment  |

All findings were addressed before deployment. Full reports and methodology details are on the [Audits](/security-and-risk/audits.md) page.

In addition, the Steady Labs engineering team conducted an extended internal security review covering code quality, deployment procedures, parameter configurations, access controls, and operational security.

## Bug Bounty

Fira maintains a live bug bounty program through Sherlock with rewards up to **$500K** for critical vulnerabilities. The program covers all deployed Fira V1 contracts on Ethereum mainnet.

For the full scope, reward tiers, and submission process, see the [Bug Bounty](/security-and-risk/bug-bounty.md) page.

## Smart Contract Architecture

Fira's system is composed of three core modules:

* **Lending Market** — Core lending vault, collateral management, liquidations, interest accrual, and ERC-4626 curation vaults
* **Fixed-Rate AMM and Tokenization** — BT/CT/FW token system, fixed-rate price discovery AMM, and rehypothecation module
* **Router** — Diamond-style proxy dispatching to modular action contracts for single-transaction user flows

Access control is enforced through role-based permissions and multisig governance. For the full architecture, see [Architecture Overview](/protocol/architecture-overview.md).

## Risk Framework

Fira documents six primary risk categories:

1. [Interest Rate Risk](/security-and-risk/risk-framework/interest-rate-risk.md)
2. [Liquidation Risk](/security-and-risk/risk-framework/liquidation-risk.md)
3. [Bad Debt Risk](/security-and-risk/risk-framework/bad-debt-risk.md)
4. [Collateral Risk](/security-and-risk/risk-framework/collateral-risk.md)
5. [Liquidity Risk](/security-and-risk/risk-framework/liquidity-risk.md)
6. [Smart Contract Risk](/security-and-risk/risk-framework/smart-contract-risk.md)

For the full risk index, see [Risk Framework](/security-and-risk/risk-framework.md). For legal disclaimers, see [Risk Disclaimers](/security-and-risk/risk-disclaimers.md).

## Key Principle

Audits, reviews, and bounties reduce certain risks but do not eliminate them. Fira is experimental software. Users should understand all risk categories before interacting with the protocol.

