The Security Model for Institutional Onchain Capital

Trillions of dollars in financial assets are moving onchain. Most of the infrastructure securing those assets isn't ready for that scale.

The AI acceleration problem

AI is transforming how software gets built. More code is being written faster by more people with less manual review. This is broadly productive. For onchain systems that hold real capital, it also introduces a new category of risk.

Smart contract exploits already cost the industry billions annually. As AI-generated code becomes more prevalent, the attack surface grows. Not because AI writes worse code, but because velocity increases and review doesn't scale at the same rate. More contracts deployed faster means more opportunities for vulnerabilities to reach production. The same AI capabilities that accelerate development also accelerate exploit discovery.

This is a reason to build differently, not to slow down.

Trusted base layers with high Lindy

Auditing every new contract from scratch is not the answer. The security-critical layer should be shared, immutable, and battle-tested, with innovation happening on top of it within constrained boundaries.

This is the Lindy effect (the longer something has survived, the longer it's expected to survive) applied to smart contract security. Centrifuge's core contracts have been live for years, secure over $1B in onchain capital, have been through 24 independent security reviews, and are continuously verified through invariant suites and audit competitions. That track record produces a fundamentally different risk profile than a newly deployed contract with a single audit report. 

Centrifuge's core protocol is designed around this principle. The accounting engine, settlement logic, cross-chain messaging, and share token mechanics are immutable. They don't change between deployments. They accumulate Lindy. When a builder deploys a new vault, they inherit the security posture of infrastructure that has been hardened over years.

What Centrifuge has invested in security

Security at this level is not a checkbox. It's a continuous engineering discipline.

24 independent security reviews. The protocol has been audited by leading security firms across multiple major releases. Each review covers different aspects of the system: core accounting, cross-chain messaging, vault lifecycle, access controls, and the Onchain PM.

Invariant verification. Centrifuge maintains extensive invariant suites that continuously verify system properties across randomized execution paths. These catch classes of bugs that manual review misses: edge cases in accounting, reentrancy in complex cross-chain flows, and state inconsistencies across epoch boundaries.

Architectural simplification. Each protocol iteration reduces complexity. Fewer code paths means fewer places for bugs to hide. Simpler systems are more auditable, more testable, and more secure.

Audit competitions. Multiple public audit competitions have invited the broader security community to find vulnerabilities, supplementing private audits with open adversarial review.

Bug bounty program. A standing bounty program incentivizes ongoing vulnerability discovery by independent researchers.

Deep security researcher partnerships. Rather than one-off audit engagements, Centrifuge maintains ongoing relationships with top security researchers who understand the protocol deeply and review changes with full architectural context. This continuity produces better results than rotating between auditors who each start from scratch.

What immutability means in practice

The core protocol is immutable. Once deployed, the accounting logic, settlement rules, and message verification cannot be changed by any admin key. This removes rug pulls, admin key compromises, and unauthorized upgrades by design. Over time, it compounds into a verifiable production track record.

For builders launching new vault products, shared immutable infrastructure directly affects time to market and launch cost:

Less bespoke contract work. The security-critical code (accounting, settlement, cross-chain messaging, share token mechanics) is already built, audited, and deployed. Builders write configuration and product logic, not infrastructure. What would otherwise require a year of smart contract development becomes weeks of integration.

Smaller audit scope. When the core is immutable and already covered by 24 security reviews, a new deployment only needs to audit its custom modules: which transfer hook it uses, its fee model, its pricing logic. The audit surface shrinks from "the entire vault implementation" to "the specific configuration this pool uses."

Faster due diligence. The question risk teams ask is not just "has it been audited?" but "how long has it been in production, how much capital does it secure, and can the rules change after I deploy?" Immutable infrastructure with years of production history and $1B+ secured is a simpler review than a bespoke deployment that needs its own security assessment from scratch.

Immutable core. When builders deploy on infrastructure they don't control, the rules can change, fees can increase, access can be revoked. Immutable core contracts eliminate that. A builder who deploys a vault on Centrifuge owns that deployment. The contracts they depend on cannot be changed out from under them.

Ownership for builders, growth for the platform

Builders commit to infrastructure that won't shift under them. Institutions commit capital to contracts they can audit once and trust to stay fixed. Each deployment adds to the ecosystem without requiring permission or creating dependency on a central operator.

Secure infrastructure attracts builders. Builders create products that attract capital. Capital validates the security track record. That track record attracts more builders.

This is what it takes to bring trillions onchain. Trusted, immutable, battle-tested infrastructure that gets more secure with time, with innovation happening safely on top.