# Smart Contract Security

This layer governs the core vault architecture and operational safeguards, defining how the vault functions at a technical level and constraining its capabilities to pre-approved actions. Veda's framework for smart contract security involves:

### Minimal Surface Area

Veda vaults expose only two public functions:

* **Deposit** to supply assets
* **Withdraw** to redeem assets

This deliberately reduced surface area minimizes potential attack vectors and clearly defines the user interaction model, making it possible to build robust safeguards.

### Merkle Verification System

The Merkle Verification System is the core access control mechanism that governs what actions a vault's strategist can execute with deposited funds. Rather than relying on broad role-based permissions, it uses a cryptographic data structure called a Merkle tree to enforce a precise, pre-approved set of allowed operations on-chain.

Every action a vault can perform, whether deploying liquidity, staking, or rebalancing, is pre-registered as a specific combination of protocol, function, and counterparty. These approved actions are hashed and embedded in a Merkle tree, with the resulting Merkle root stored on-chain.

Before executing any action, the vault must cryptographically prove its inclusion in this Merkle root. This means strategists can operate flexibly within their defined guardrails but can never interact with unapproved protocols, functions, or addresses. Arbitrary transactions or unauthorized strategy changes are not possible. Because the Merkle root and its verification logic live on-chain, the full set of approved actions is transparent and independently verifiable by anyone.

Role permissions for updating the approved action set are also configurable. Depending on the vault's governance design, a curator may be granted authority to update the whitelist unilaterally, require changes to pass through a pending review period before taking effect, or be restricted from making changes entirely.
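
The inclusion check described in this section, as an added Python example that is not Veda's contract code: it builds a Merkle root over approved (protocol, function, counterparty) tuples and verifies a proof for one action. SHA-256 stands in for keccak256, and the leaf encoding, helper names, and whitelist entries are assumptions constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the keccak256 an EVM contract would use.
    return hashlib.sha256(data).digest()

def leaf(protocol: str, function: str, counterparty: str) -> bytes:
    # Hypothetical encoding: length-prefixed fields, so bytes cannot slide
    # between fields to make two different actions hash to the same leaf.
    parts = [p.encode() for p in (protocol, function, counterparty)]
    return h(b"\x00" + b"".join(len(p).to_bytes(2, "big") + p for p in parts))

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing needs no left/right flags in the proof; the 0x01
    # prefix keeps inner nodes from being presented as leaves.
    return h(b"\x01" + min(a, b) + max(a, b))

def build_levels(leaves):
    levels = [sorted(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, target):
    idx = levels[0].index(target)  # raises ValueError for an unapproved action
    proof = []
    for level in levels[:-1]:
        if (idx ^ 1) < len(level):  # an unpaired last node is promoted as-is
            proof.append(level[idx ^ 1])
        idx //= 2
    return proof

def verify(root, candidate, proof):
    for sibling in proof:
        candidate = pair(candidate, sibling)
    return candidate == root

# Constructed sample whitelist (placeholder names, not real deployments).
APPROVED = [
    ("lending-pool-A", "supply(address,uint256)", "vault"),
    ("lending-pool-A", "withdraw(address,uint256)", "vault"),
    ("staking-B", "stake(uint256)", "validator-set-1"),
]
LEVELS = build_levels([leaf(*a) for a in APPROVED])
ROOT = LEVELS[-1][0]  # the only value that would need to be stored on-chain
```

Changing any field of an approved tuple, such as the counterparty, produces a different leaf, so a proof issued for the approved action no longer reconstructs the stored root.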

### Transaction Safeguards

* **Share Lock Period:** Newly issued vault shares are locked for a brief period to neutralize flash loan manipulation risks
* **Delayed Withdrawals:** Withdrawals are subject to a time delay, creating a monitoring window for identifying and responding to irregularities

### Onchain Monitoring

* Veda tracks both internal positions and external market dynamics.
* Additionally, Veda utilizes third-party monitoring systems to detect malicious behaviour targeting Veda contracts as well as the underlying protocols that Veda vaults take exposure to.
* Veda vaults are also part of multiple ongoing bug bounty programs operated by our integration partners.

### Audits

Veda contracts are leveraged by many of the top protocols in DeFi, including ether.fi, Plasma, Lombard, TAC, Rings, and TurtleClub, making the BoringVault one of the most audited DeFi contracts in production.

Audit firms commissioned to evaluate the BoringVault include Spearbit, Macro, Secure3, and Hexens.

