Agent Security

Secure and guarded for your peace of mind


Security is paramount in SurfLiquid’s design. We know users are entrusting significant funds to our agents’ logic, so we’ve built multiple layers of protection to keep those funds safe and give you peace of mind.

Smart Contract Audits & Proven Models

All SurfLiquid smart contracts—strategy and vault contracts that interact with DeFi protocols—are based on pre-audited, industry-standard designs. We exclusively deploy contracts with a proven track record in the DeFi space, following rigorous security practices to minimise risk and potential vulnerabilities. Our team is committed to transparency and open-source principles: we will publish all critical contracts and invite community review and scrutiny at every stage. By building on established, battle-tested frameworks and prioritising safety, SurfLiquid puts user security first.

Additionally, our integrated DeFi protocols are reputable and carefully selected. We don’t ape into unaudited contracts or shady platforms just because they promise sky-high APYs. The agent’s universe of allowed protocols is intentionally limited to those with strong track records (e.g. well-known lending pools, DEXes, and yield farms with large TVL and community trust). This limits exposure to buggy or malicious contracts. In short, if we wouldn’t trust a protocol with our own money, SurfLiquid won’t either.

Self-Custody and Access Control

SurfLiquid’s self-custodial architecture means there is no central honeypot and no single point of custodial failure. Even if our front-end is compromised or our servers go down, your funds remain in your own smart contract wallet, which nobody on our side can access. Only you hold the keys needed to initiate a withdrawal from it. This non-custodial model removes the risk of the platform misusing or losing your assets – a crucial safety feature.

On top of that, the session key permission system ensures that the agent automations operate with minimal authority. Session keys are restricted to specific actions, protocols, and time windows. They cannot drain your wallet or arbitrarily transfer assets. You can revoke permissions at any moment by deactivating the agent or via emergency revoke functions. Because admin control of your smart account stays with your main wallet, you’re always one transaction away from cutting off the agent’s access if needed.

We also implement wallet-to-wallet authentication, where certain critical actions (such as changing settings or initiating a withdrawal) must be confirmed by your wallet, preventing unauthorised changes. Essentially, SurfLiquid’s security philosophy is: automate what can be automated, but never at the expense of user control.
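As an added illustration of the scoping described above (this is a model, not SurfLiquid's own contract code), the following Python checks an agent call against a session key's allowed targets, function selectors and validity window, and shows revocation cutting off access; the addresses, selectors and timestamps are constructed placeholders:

```python
# Model of scoped session-key authorization. Added illustration only; not the
# SurfLiquid contract. Addresses, selectors and timestamps are constructed.
from dataclasses import dataclass

@dataclass
class SessionKey:
    key_id: str
    allowed_targets: frozenset    # contracts the agent may call
    allowed_selectors: frozenset  # function selectors it may invoke on them
    valid_from: int               # unix-time window in which the key is live
    valid_until: int
    revoked: bool = False

@dataclass(frozen=True)
class Call:
    target: str
    selector: str
    value: int = 0                # native value attached; must stay zero

def authorize(session: SessionKey, call: Call, now: int) -> tuple:
    """Return (allowed, reason). Rules are checked in order and the first
    failure is reported, so a monitor can log exactly why a call was refused."""
    if session.revoked:
        return False, "session revoked by owner"
    if not session.valid_from <= now < session.valid_until:
        return False, "outside validity window"
    if call.value != 0:
        return False, "session keys may not move native value"
    if call.target not in session.allowed_targets:
        return False, "target not in allow-list: " + call.target
    if call.selector not in session.allowed_selectors:
        return False, "selector not permitted: " + call.selector
    return True, "ok"

def revoke(session: SessionKey) -> None:
    """In the real account only the owner wallet may do this; here it just
    flips the flag, after which every call is refused."""
    session.revoked = True

# Constructed sample: a key scoped to deposit/withdraw on one lending pool.
POOL, UNKNOWN = "0xPOOL", "0xUNKNOWN"
DEPOSIT, WITHDRAW, TRANSFER = "0xaaaa0001", "0xaaaa0002", "0xbbbb0001"
SESSION = SessionKey("agent-1", frozenset({POOL}),
                     frozenset({DEPOSIT, WITHDRAW}), 1_000, 2_000)

if __name__ == "__main__":
    for call, now in [(Call(POOL, DEPOSIT), 1_500),        # in scope
                      (Call(UNKNOWN, TRANSFER), 1_500),     # arbitrary transfer
                      (Call(POOL, DEPOSIT), 2_500)]:        # expired
        print(call.target, call.selector, authorize(SESSION, call, now))
    revoke(SESSION)
    print("after revoke:", authorize(SESSION, Call(POOL, DEPOSIT), 1_500))
```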

Operational Security & Monitoring

Behind the scenes, SurfLiquid’s infrastructure is designed around robust security practices. The off-chain AI and executors run in secure, hardened environments. We do not keep any sensitive user information, and the agent can only do what the smart contracts allow it to do. We also monitor for abnormal patterns – e.g., if an agent starts performing an unusual sequence of transactions outside its typical strategy pattern, or if any integrated protocol shows signs of an exploit, we can alert users or even auto-pause agents if needed.

For risk management, SurfLiquid limits exposure to any single protocol – for instance, the agent won’t put all your funds into a very new or unproven pool, and it may cap the share allocated to any one protocol at a set percentage. This way, even in worst-case events like a protocol hack, not all of your capital is at risk. We also ensure that you can always withdraw to your original asset – the agent keeps track of your initial deposit basis, so complex operations don’t leave you stuck holding some obscure token. When you exit, you get your stablecoin or main asset back, simplifying the risk profile.
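To make the per-protocol cap and the base-asset fallback concrete, here is an added Python illustration (not SurfLiquid's code) that clamps an agent's proposed allocation to an assumed 40% cap, skips pools younger than an assumed 90 days, and leaves whatever cannot be placed in the base asset; the protocol names and ages are constructed:

```python
# Per-protocol exposure cap applied to an agent's proposed allocation. Added
# illustration only, not SurfLiquid's code; the protocols, ages, cap fraction
# and minimum age are constructed/assumed values, not the platform's own.
from dataclasses import dataclass

@dataclass(frozen=True)
class Protocol:
    name: str
    age_days: int          # how long the pool has been live

def enforce_caps(total: float, proposal: dict, protocols: dict,
                 cap: float = 0.40, min_age_days: int = 90) -> dict:
    """Clamp each protocol's share of `total` to `cap` and drop pools that are
    unknown or too new; capital that cannot be placed stays in the base asset
    under the key 'base'. `proposal` maps protocol name -> requested amount."""
    if not 0 < cap <= 1:
        raise ValueError("cap must be in (0, 1]")
    if any(amount < 0 for amount in proposal.values()):
        raise ValueError("negative allocation")
    limit = total * cap
    placed = {}
    for name, amount in proposal.items():
        proto = protocols.get(name)
        if proto is None or proto.age_days < min_age_days:
            continue       # not on the vetted list, or unproven: skipped
        placed[name] = min(amount, limit)
    spent = sum(placed.values())
    if spent > total:
        raise ValueError("proposal exceeds available capital")
    placed["base"] = total - spent
    return placed

def max_loss_if_hacked(placed: dict, name: str) -> float:
    """Worst case if `name` is drained: only that slice of capital is at risk."""
    return placed.get(name, 0.0)

# Constructed sample: vetted pools and an over-concentrated agent proposal.
VETTED = {p.name: p for p in (Protocol("LendA", 400), Protocol("DexB", 200),
                               Protocol("FreshPool", 10))}
PROPOSAL = {"LendA": 700.0, "DexB": 200.0, "FreshPool": 100.0}

if __name__ == "__main__":
    result = enforce_caps(1_000.0, PROPOSAL, VETTED)
    print(result)                      # LendA capped, FreshPool skipped
    print("at risk if LendA is hacked:", max_loss_if_hacked(result, "LendA"))
```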

Finally, regular security audits and system updates will be part of SurfLiquid’s ongoing development. DeFi is an ever-evolving space, and we will continuously test and formally verify our systems against new threats. Combined with the transparency of on-chain records (so any user or researcher can inspect what the agent is doing), we aim to maintain the highest level of trust through verifiable security.

User Best Practices

While SurfLiquid handles the heavy lifting, users should still follow standard security best practices. Keep your wallet secure (use hardware wallets for large amounts), be cautious of phishing (only use official SurfLiquid app links), and double-check transactions you approve – for example, when setting up, ensure you’re only approving the intended smart account and not some fake contract. We will never ask for your private keys or seed phrase – stay safe and guard those secrets. If anything seems suspicious or you have security concerns, reach out to the team and community immediately. We’re in this together to create a safe, profitable DeFi experience.
