Security Overview
VIRTUS Protocol inherits its smart contract architecture from Aerodrome V2 — one of the most battle-tested ve(3,3) DEX implementations in production. Security is enforced through professional auditing, immutable contracts, multisignature custody, non-custodial design, and transparent on-chain operations.
For security reports: Discord or GitHub.
Smart Contract Audits
Velodrome V2 — Core Protocol
| Property | Detail |
|---|---|
| Auditor | Spearbit |
| Period | February–March 2023 |
| Scope | Velodrome V2 core — inherited by Aerodrome V2 and VIRTUS Protocol |
Findings: 119 issues across all severity levels — 1 critical (fixed), 8 high (all fixed), 19 medium (16 fixed, 3 acknowledged), 30 low (18 fixed, 12 acknowledged), 61 informational/gas items. All critical and high severity findings were resolved before deployment. Post-engagement reviews conducted May and June 2023 to verify fixes.
Aerodrome V2
VIRTUS Protocol directly inherits its contract architecture from Aerodrome V2, which maintains its own audit history and active bug bounty program. See Aerodrome Security Page for the current state of smart contracts and bounty details.
Pool Launcher
| Property | Detail |
|---|---|
| Auditor | MixBytes |
| Period | September 12 – October 3, 2025 |
| Scope | Pool Launcher module (separately audited from core protocol) |
Smart Contract Immutability
Core protocol contracts are deployed as immutable — once on-chain, the logic cannot be modified, upgraded, or replaced by any party, including the protocol team.
| Property | Status |
|---|---|
| Upgrade proxies | None |
| Admin functions modifying logic | None |
| Emission coefficients | Hardcoded at deployment — cannot be altered |
| Pool logic, voting, fee distribution | Autonomous — no intervention possible |
| Direct contract interaction | Fully permissionless — no reliance on VIRTUS interface required |
Emergency Council
The Emergency Council is a multisig with strictly limited, enumerated powers designed to protect the protocol under exceptional circumstances.
| Property | Detail |
|---|---|
| Contract | 0xC9C0608F551aDe53f911ceC50F565dB55c5bAFd1 |
| Type | Gnosis Safe multisig |
| Scope | Emergency actions only |
What the Emergency Council Can Do
| Action | Purpose |
|---|---|
| Set a new Emergency Council address | Council rotation |
| Kill a gauge | Disable a compromised or malicious gauge |
| Revive a gauge | Re-enable a previously killed gauge |
| Set custom pool name or symbol | Interface display corrections |
What the Emergency Council Cannot Do
- Modify emission parameters or coefficients
- Redirect or access user funds
- Override governance votes
- Modify fee distribution logic
- Change core contract logic
Emergency Council powers are intentionally constrained and subject to progressive decentralization as governance matures.
Multisig Controls
All protocol wallets use Gnosis Safe multisignature security — multiple independent signers must approve every transaction before execution.
| Wallet | Address | Role |
|---|---|---|
| Deployment Wallet | 0xC9C0608F551aDe53f911ceC50F565dB55c5bAFd1 | Executed genesis mint only — no ongoing custody or spending role |
| Operational Wallet | 0xDD0D8b5ED94201caB79A0e007c1818C7B7741f98 | Protocol operations, VeLock Portal proceeds |
| Team Wallet | 0xaB60D96A94128EaB2c3eE9Ef3756ef018Dcb8d1f | Team veVRT positions — locked, publicly verifiable |
Non-Custodial Architecture
VIRTUS Protocol is entirely non-custodial. At no point does the protocol, the interface, or any team member have access to user funds.
- The interface generates unsigned draft transactions — users sign and broadcast from their own wallets
- Private keys, seed phrases, and wallet passwords are never collected, stored, or transmitted
- All swaps, deposits, locks, and votes execute directly against on-chain contracts
- Cross-chain swaps via Multichain Swapper are handled by Rango and LiFi contracts — VIRTUS does not custody funds at any point
On-Chain Transparency
All protocol operations are fully verifiable on-chain in real time:
- Token minting, emission distribution, and fee collection recorded on Base blockchain
- Wallet balances, lock positions, voting weights, and reward claims publicly visible
- Smart contract source code verified and readable on BaseScan
- No off-chain databases or proprietary APIs involved in core protocol logic
Contract Addresses
All contracts are deployed on Base Mainnet (Chain ID: 8453).
Core Tokens
| Contract | Address |
|---|---|
| VRT Token (ERC-20) | 0x1CEFF1D2e0F0f0E27417C5600758EEc1606575CA |
| VotingEscrow / veVRT (ERC-721) | 0x6Be687DF2ab94fBD7Eeb4dAc32118110967FF0ef |
Core Infrastructure
| Contract | Address |
|---|---|
| Voter | 0x83eAb12357860e8be00D4b8a65928D6caB4c0e0c |
| Minter | 0xDc1dE416DdaD4c9e8328F30aE88E2392d5b551f7 |
| Rewards Distributor | 0x3DD3A0751E79b592a5E1Cea15b782cC09DC6a907 |
| Router | 0xd08270B8149DbdE478dA8aDad979246E957bE866 |
| Universal Router | 0xe3f74ca5dd4918232600ccc0e0284f3d100ec281 |
| Forwarder | 0xE4Dac2c4888C632Af18AE1d6AD5e59e1dea00a3c |
| VeArt Proxy | 0x185fEEFe859F2d6791D88aA3ceB1F67dDF6955A6 |
| Airdrop Distributor | 0xAB9A5F57e7cE980643cE390E3Fe4029753202748 |
| Emergency Council | 0xC9C0608F551aDe53f911ceC50F565dB55c5bAFd1 |
Basic Pool Factories
| Contract | Address |
|---|---|
| Pool Factory | 0x7F03ae4452192b0E280fB0d4f9c225DDa88C7623 |
| Gauge Factory | 0x5B49187553381ABD46EF0100B26134B305c2d5d0 |
| Voting Rewards Factory | 0xe0E8e12d0f48bde79D8eb17c50137e0BB6a76289 |
| Managed Rewards Factory | 0x42657E442508a1a9663a6826Cd6932Fd951d2e0a |
| Factory Registry | 0x8a66E17DC6fa9C963E891391C92d451202B6Fa28 |
Concentrated Liquidity (CL)
| Contract | Address |
|---|---|
| CL Pool Factory | 0x0e5Ab24beBdA7e5Bb3961f7E9b3532a83aE86B48 |
| CL Pool Implementation | 0xcD3d85d82137d3094E6F4f7A507D309A2c2639F8 |
| CL Position Manager | 0x0357EaF652227B6D31ED7A72852018B87Cd0940d |
| CL Position Descriptor | 0xF5de0a90AC4076d85c78856816af46d4Bd90ae62 |
| CL Gauge Factory | 0x0291573A4a0398D2Cf7588cBf5AB288cc11eb677 |
| CL Gauge Implementation | 0xe920D5Ff8810B1E98c4d2F2a0A154F350898C22E |
| CL Swap Fee Module | 0xd9f77f8b00D42E2A49D82F8115cD5db380550750 |
| CL Unstaked Fee Module | 0x8Db72Ca3b57761f7E5417D5A59183c0658Ca297a |
| CL Swap Router | 0xab08EE1f3DC8cbBDb1b781484eCaE8d87eCB6ee7 |
| CL Mixed Quoter | 0x56Fab75F0E365ba7380Bb49F11a7783D263d4F0D |
| CL Quoter | 0x390F37392923Dc61Af96d332cf61611D2E5bD997 |
| CL QuoterV1 | 0xd05b1cA9Dd077c75145C972809EB331ad705E4a0 |
| CL Sugar Helper | 0xa18afA056f3e54A52CEc5c123DE0049B60c45D39 |
| CL TickLens | 0x9D797C6F2C27447572910925bB249Dbc864a9B2d |
| CL Interface Multicall | 0x937123F5482bA40059D140b61fc20bD3A89947E8 |
Other
| Contract | Address |
|---|---|
| VeLock Sale | 0x0FfC5F1DC2524EB9b1eE684DE530dd1a560Aeec9 |
All contracts are verified and readable on BaseScan. VIRTUS inherits its contract architecture from Velodrome V2 — source code and ABIs are available at github.com/velodrome-finance/contracts.
Last updated: May 2026 — Version 1.1
© 2026 VIRTUS Protocol. All rights reserved.