Audits

V2 contracts audited by Halborn (live since 2022). V3 audit by Halborn scheduled for Q2 2026 ahead of public launch.

Last updated May 08, 2026

Overview

Atomic publishes the full report for every audit it commissions. There is no partial-audit-but-marketed-as-audited situation here - when this page says a version is audited, it means the linked report covers the deployed code.

Two versions, two audits

V2 has been audited and live in production since 2022. V3 is in final development; its audit by Halborn is scheduled for Q2 2026 and will be linked here on completion.

V2 - Halborn (2022)

The V2 contracts (live on Arbitrum since 2022) were audited by Halborn, a security firm specialising in blockchain protocols.

| | |
|---|---|
| Auditor | Halborn |
| Date | 2022 |
| Scope | V2 trading contract, lending pool, position state |
| Status | Complete; V2 live since |
| Public reference | Halborn announcement on X |
| Full report | Published; link in repo (see Contract addresses) |

V2 has been live since 2022 with 99%+ uptime and zero critical security incidents to date.

V3 - Halborn (scheduled Q2 2026)

V3 is the current development target. It restructures the trading contract for clearer interfaces, adds the keeper network, and introduces the deeper 88% liquidation threshold.

| | |
|---|---|
| Auditor | Halborn |
| Date | Q2 2026 (scheduled) |
| Scope | Full V3 - trading, lending, registry, router |
| Status | Engagement booked; report due before V3 mainnet launch |
| Public report | Will be linked here on completion |

The audit will complete and the report will be published before V3 contracts are deployed to mainnet. Until then, V3 is on testnet only.

What an audit means

A few things worth being explicit about:

  • An audit reduces smart contract risk by surfacing known issue classes against the audited code. It does not eliminate it.
  • An audit is a snapshot of the code at a point in time. Any change post-audit (parameter tweaks, new aggregators) is not covered by the original report.
  • Multiple audits do not multiply security - they reduce single-auditor blind spots, which is why Atomic retains the same firm for continuity rather than rotating for the appearance of breadth.

The bug bounty exists exactly because audits are not exhaustive. See Bug bounty.

Past disclosures

No critical vulnerabilities have been disclosed against Atomic to date. Lower-severity findings from the V2 audit were addressed in pre-launch fixes; the audit report's "Status" column reflects this.

If you find an issue, report it via the bounty channels - never disclose publicly before the team has had a chance to assess and patch.

What gets re-audited

A non-exhaustive list of changes that will trigger a re-audit before going live:

  • Any modification to AtomicTrading, AtomicLendingPool, or AtomicPositionRegistry.
  • New aggregator integrations into AggregatorRouter (smaller scope, but not skipped).
  • New market types (e.g. stablecoin pairs, longer-tail mechanics).

Operational parameter changes (per-market leverage limits, min margin) do not require a new audit since they execute against already-audited code paths.