# Security

DeFi security isn't a single feature — it's layers. AlphaFi takes a defense-in-depth approach.

Here's every layer, top to bottom.

### **1. Bounded Blast Radius**

The single most important security primitive at AlphaFi: **no single vault or market can exceed $250,000 in TVL.**

In DeFi, the biggest hacks happen when one contract holds tens or hundreds of millions of dollars and a single bug drains all of it. AlphaFi caps each vault and each lending market at $250K. Even in a worst-case exploit, the maximum exposure is bounded to that amount.

As integrations mature and become battle-tested, caps are raised gradually. They never start unbounded.

### **2. Vault Caps**

Each vault has its own TVL cap (within the $250K ceiling). Caps serve two jobs:

* **Limit concentration** — if a single vault held disproportionate TVL, a bug there would hurt more users.
* **Match underlying capacity** — some underlying pools can only absorb so much liquidity before yields decay. The cap reflects what the underlying pool can productively use.

Caps are reviewed and adjusted by the team based on integration age, audit status, and underlying TVL.

### **3. Flow Limiters**

Flow limiters are on-chain rate limits on how much value can leave a vault or market in any short time window.

If an exploit attempts to drain a vault, the flow limiter halts withdrawals once the threshold is hit. Funds remain in the contract while the team and monitoring systems respond. Normal user activity stays well below the limit and is unaffected.

This is the equivalent of a circuit breaker on a stock exchange — it doesn't stop trading, but it stops a runaway crash.

**Pause Mechanism**

Vaults can be paused by AlphaFi governance in case of an active exploit on an underlying protocol or a contract issue on AlphaFi's side.

When paused:

* **Deposits and harvests stop**
* **Withdrawals stay open** — users can always exit

The pause exists to halt new exposure, not to trap funds. Withdrawals are never disabled.
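The on-chain controls described in sections 1 to 3 (global ceiling, per-vault cap, flow limiter, pause) as a small Python model, added here as an illustration; it is not AlphaFi's Move code, and the cap, window and limit values are assumed:

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed model, not AlphaFi's Move code: it mirrors only the rules the page states
# (global ceiling, per-vault cap, outflow flow limiter, pause that never blocks exits).
GLOBAL_CEILING = 250_000  # USD, section 1

class VaultError(Exception):
    pass

@dataclass
class Vault:
    cap: int            # per-vault TVL cap (section 2), must sit within the ceiling
    window_secs: int    # flow-limiter window length (section 3)
    window_limit: int   # max value allowed to leave the vault inside one window
    tvl: int = 0
    paused: bool = False
    _outflows: deque = field(default_factory=deque)  # (timestamp, amount) records

    def __post_init__(self):
        if self.cap > GLOBAL_CEILING:
            raise ValueError("vault cap exceeds the global ceiling")

    def deposit(self, amount: int) -> int:
        if self.paused:  # pause halts new exposure (harvests would be blocked the same way)
            raise VaultError("paused: deposits stopped")
        if self.tvl + amount > self.cap:
            raise VaultError("deposit would exceed the vault cap")
        self.tvl += amount
        return self.tvl

    def _window_outflow(self, now: int) -> int:
        # Age out records that fell outside the sliding window
        while self._outflows and self._outflows[0][0] <= now - self.window_secs:
            self._outflows.popleft()
        return sum(amt for _, amt in self._outflows)

    def withdraw(self, amount: int, now: int) -> int:
        # A pause never blocks exits; only the flow limiter can halt a withdrawal
        if amount > self.tvl:
            raise VaultError("insufficient balance")
        if self._window_outflow(now) + amount > self.window_limit:
            raise VaultError("flow limiter: outflow threshold hit")
        self._outflows.append((now, amount))
        self.tvl -= amount
        return self.tvl
```

A drain attempt that pushes window outflow past the limit raises while funds stay in the vault; once the window rolls over, a user can still exit even while the vault is paused.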

### **4. Continuous Monitoring by Hypernative**

Hypernative is an institutional-grade Web3 security platform that monitors over $100B in digital assets across 75+ chains. AlphaFi uses Hypernative for real-time threat detection across both its own contracts and the external protocols where vaults deploy capital.

What Hypernative does for AlphaFi:

* **Detects threats in real time** — machine learning models, simulations, and graph-based analysis flag suspicious activity often **minutes before the first attack transaction**.
* **Monitors third-party risk** — if Cetus, Bluefin, Navi, or any other integrated protocol shows signs of an exploit, AlphaFi gets alerted immediately, in time to pause and protect funds.
* **Enables automated response** — alerts can trigger automatic actions like pausing a vault or initiating withdrawals from a compromised protocol.

Track record reference: Hypernative detected attacks on WOOFi and Olympus minutes before damage occurred, saving millions in user funds.

### **5. Ongoing Monitoring by zeroShadow**

zeroShadow handles a different layer: 24/7 on-chain forensics, founded by ex-Chainalysis investigators. Where Hypernative focuses on exploit detection, zeroShadow focuses on broader on-chain surveillance — flagging anomalous behavior, suspicious addresses, and patterns that suggest coordinated attacks.

Having two security firms watching at the same time gives AlphaFi overlapping coverage and reduces blind spots.

### **6. Continuous AI Auditing**

Traditional audits happen once before deployment. AI auditing happens continuously after deployment.

AlphaFi uses AI-powered tools that:

* Scan deployed contracts 24/7 for anomalies
* Compare on-chain behavior against expected patterns
* Flag deviations that human reviewers working at speed may miss

This catches the slow, subtle exploit attempts that traditional monitoring can miss — things like a malicious upgrade attempt, an unusual sequence of calls, or a state change that shouldn't be possible.
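An added example of the kind of post-deployment check this section describes, written as a rule-based Python detector over a constructed event log; it is not Hypernative's, zeroShadow's or AlphaFi's tooling, and the event schema and governance address are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int             # unix seconds
    kind: str           # deposit | withdraw | harvest | upgrade
    sender: str
    amount: int = 0     # USD value moved (0 for upgrade)
    tvl_after: int = 0  # vault TVL the chain reports after the event

AUTHORISED_UPGRADERS = {"0xgov"}  # assumed governance address

def audit_stream(events, window=3600, spike_factor=5):
    """Return (ts, reason) alerts for a chronological event stream."""
    alerts, expected_tvl = [], 0
    history, win_start, win_out = [], None, 0  # per-window outflow totals
    for e in events:
        # 1. Malicious upgrade attempt: upgrade not sent by governance
        if e.kind == "upgrade":
            if e.sender not in AUTHORISED_UPGRADERS:
                alerts.append((e.ts, f"unauthorised upgrade by {e.sender}"))
            continue
        # 2. State change that shouldn't be possible: reported TVL disagrees with accounting
        delta = {"deposit": e.amount, "harvest": e.amount, "withdraw": -e.amount}.get(e.kind, 0)
        expected_tvl += delta
        if e.tvl_after != expected_tvl:
            alerts.append((e.ts, f"tvl {e.tvl_after} != expected {expected_tvl}"))
            expected_tvl = e.tvl_after  # resync so one bad event does not cascade
        # 3. Outflow far above the average of earlier windows
        if win_start is None or e.ts - win_start >= window:
            if win_start is not None:
                history.append(win_out)
            win_start, win_out = e.ts, 0
        if e.kind == "withdraw":
            win_out += e.amount
            baseline = sum(history) / len(history) if history else 0
            if baseline and win_out > spike_factor * baseline:
                alerts.append((e.ts, f"outflow spike {win_out} vs baseline {baseline:.0f}"))
    return alerts

# Constructed sample stream: normal activity, then a hostile upgrade, a drain and a bad state
SAMPLE_EVENTS = [
    Event(0, "deposit", "0xalice", 100_000, 100_000),
    Event(600, "withdraw", "0xalice", 5_000, 95_000),
    Event(3600, "withdraw", "0xbob", 4_000, 91_000),
    Event(7200, "upgrade", "0xmallory"),
    Event(7300, "withdraw", "0xmallory", 60_000, 31_000),
    Event(7400, "harvest", "0xkeeper", 1_000, 40_000),
]
```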

### **7. Audited Contracts**

All AlphaFi vault and strategy contracts are audited by **MoveBit** — the leading security firm for the Move language ecosystem, with audits on Cetus, NAVI, Scallop, Bucket, Aftermath, and most major Sui protocols.

How AlphaFi handles audits:

* **Pre-launch** — every new vault and strategy gets audited before going live
* **Re-audit on changes** — material updates to existing contracts trigger a fresh audit
* **Public reports** — audit reports are published on the [AlphaFi docs](https://docs.alphafi.xyz)

Audits aren't a guarantee of perfection. They reduce the chance of bugs reaching production, and they create accountability.

### **8. Bug Bounty**

AlphaFi runs a bug bounty program for security researchers. If you find a vulnerability, you get paid — and AlphaFi gets to fix it before anyone exploits it.

Rewards scale with the severity and impact of the finding:

* **Critical** — bugs that could drain funds or compromise the protocol
* **High** — bugs that could cause significant loss but not full drain
* **Medium / Low** — smaller issues that still need fixing

For program details, scope, and submission instructions, see the [Bug Bounty page](https://docs.alphafi.xyz).

### **9. Selective Integration**

The most important security decision AlphaFi makes happens *before* a vault is deployed: choosing which underlying protocol to integrate with.

Every integration goes through internal due diligence:

* **Audit status** — has the underlying been audited, by whom, and how recently?
* **TVL & track record** — does it have meaningful capital and operational history?
* **Age** — how long has it been live and battle-tested?
* **Team reputation** — is the team known, doxxed where appropriate, and reachable?
* **Code quality** — does the codebase show good engineering practices?

Protocols that don't meet the bar don't get integrated. This is why AlphaFi has only a handful of integrations rather than every protocol on Sui.

### **10. Public & Verifiable**

All AlphaFi security artifacts are public:

* **Contract addresses** — published in the docs, verifiable on-chain
* **Audit reports** — full MoveBit reports available
* **Open repositories** — much of the AlphaFi codebase is open on [GitHub](https://github.com/AlphaFiTech)

This isn't security through obscurity. The contracts protecting your funds are something you can read and verify yourself.

***

#### **What no security program can do**

Every measure above reduces risk. None of them eliminates it.

A new class of exploit might evade Hypernative and zeroShadow. An audit can miss a bug. A flow limiter delays a drain but doesn't undo one. The $250K cap bounds the damage but doesn't prevent it.

The honest framing: AlphaFi is engineered to make exploits hard, catch them fast, and limit the damage when they happen. Treat any displayed APY as compensation for accepting that residual risk.

