Audits
Merum's security audit program, including the Sherlock audit and how to access reports.
Security is foundational to a lending protocol that holds user collateral. Merum's smart contracts undergo independent review before mainnet.
Sherlock audit
Merum's contracts are audited by Sherlock, an audit and security-coverage platform. The audit covers the core lending, collateral, liquidation, and oracle-integration logic.
Audit reports are published here once finalized. A completed audit reduces but does not eliminate risk: no audit can prove the absence of all bugs, and changes made after an audit may not be covered by it. Read the risk disclosures before using the protocol.
Scope
The review covers, at a minimum:
- Collateral deposit, withdrawal, and accounting.
- Borrow and repay logic, including interest accrual.
- The liquidation engine and liquidation incentives.
- Oracle integration and the price-reconciliation logic.
Ongoing security
A point-in-time audit is one layer of defense. Merum also runs:
- A bug bounty program — see Bug bounty.
- An incident-response process — see Incident response.
Links to the finalized audit report(s) and any subsequent reviews are added to this page as they are completed.