Overview
Atomic publishes the full report for every audit it commissions. When this page lists an audit, the linked report covers the deployed code - no half-audits dressed up as full ones.
The current deployment has been audited by Halborn, a security firm specialising in blockchain protocols. Contracts have been live on Arbitrum since 2022.
Halborn audit (2022)
| Field | Detail |
|---|---|
| Auditor | Halborn |
| Date | 2022 |
| Scope | Trading contract, lending pool, position state |
| Status | Complete; live in production since |
| Public reference | Halborn announcement on X |
| Full report | Published; link in repo (see Contracts) |
The audited contracts have been live since 2022, with 99%+ uptime and no critical security incidents.
What an audit actually does
A few things to be clear on:
- An audit reduces smart contract risk by catching known issue classes in the audited code. It doesn't eliminate the risk.
- An audit is a snapshot of the code at a moment in time. Anything that changes after the report - parameter tweaks, new aggregator integrations - isn't covered by it.
- Two audits don't make a contract twice as safe. They reduce a single auditor's blind spots. Atomic stays with one firm for continuity, instead of rotating for the appearance of breadth.
The bug bounty exists precisely because audits aren't exhaustive. See Bug bounty.
Past disclosures
No critical vulnerabilities have been disclosed against Atomic. Lower-severity findings from the Halborn engagement were fixed before launch; the audit report's "Status" column reflects that.
If you find something, report it through the bounty channels - don't disclose publicly before the team has had a chance to assess and patch.
What triggers a re-audit
Not exhaustive, but these all trigger a re-audit before going live:
- Any change to `AtomicTrading`, `AtomicLendingPool` or `AtomicPositionRegistry`.
- New aggregator integrations into `AggregatorRouter`. Smaller scope, but not skipped.
- New market types - for example stablecoin pairs or longer-tail mechanics.