VIRTUS Protocol — Security
Effective Date: March 6, 2026
Version: 1.0
Security Architecture
VIRTUS Protocol inherits its smart contract architecture and full security maintenance from Aerodrome V2, one of the most battle-tested ve(3,3) DEX implementations in production. Security is enforced through professional auditing, immutable contracts, multisignature custody, non-custodial design, and transparent on-chain operations.
For security reports, please reach out on Discord or to the contacts provided on our GitHub.
Smart Contract Audits
Velodrome V2 (Core Protocol)
The core codebase was audited by Spearbit during February–March 2023. All critical and high severity issues were fully resolved prior to deployment. Acknowledged findings were reviewed and determined to present acceptable risk within the protocol's design parameters.
Aerodrome V2
Additional audits were completed for the Aerodrome V2 codebase, from which VIRTUS Protocol directly inherits its contract architecture. Aerodrome V2 also runs an active bug bounty program. To review the current state of the smart contracts and the bug bounty program, refer to the Aerodrome Security Page.
Pool Launcher
The Pool Launcher module was audited by MixBytes between 12th September and 3rd October 2025.
Smart Contract Immutability
Core protocol smart contracts are deployed as immutable — once on-chain, the contract logic cannot be modified, upgraded, or replaced by any party, including the protocol team.
- No backdoors or upgrade proxies in core contracts.
- Emission coefficients (1.03 → 1.0 → 0.99) are hardcoded and cannot be altered after deployment.
- Pool logic, voting mechanics, and fee distribution operate autonomously without any intervention.
- Users interact directly with verified, immutable code — not with changeable proxy contracts.
The protocol is fully permissionless. Anyone can interact with the deployed smart contracts directly, without relying on the VIRTUS interface.
Emergency Council
The Emergency Council is a multisig contract with strictly limited powers, designed to protect the protocol under exceptional circumstances.
| Property | Detail |
|---|---|
| Type | Multisig |
| Scope | Emergency actions only |
The Emergency Council:
- Can set a new emergencyCouncil address
- Can kill a gauge
- Can revive a gauge
- Can set a custom name or symbol for a pool
- Can activate or deactivate (m)veNFTs (superseded by governance once enabled)
The Emergency Council cannot modify core protocol parameters, emission schedules, or user funds. Its powers are intentionally constrained and subject to progressive decentralization as governance matures.
Multisig Controls
All protocol wallets holding VRT or revenue use multisignature security to prevent single points of failure.
Multisig wallets are operated via Gnosis Safe, requiring multiple independent signers to approve any transaction before execution. This protects against unauthorized access, compromised keys, and unilateral fund movements.
The Deployment Wallet executed the genesis mint only and retains no long-term custody or spending role.
Non-Custodial Architecture
VIRTUS Protocol is entirely non-custodial. At no point does the protocol, the interface, or any team member have access to user funds.
- The interface generates draft transaction messages — users sign and broadcast them from their own wallets.
- Private keys, seed phrases, and wallet passwords are never collected, stored, or transmitted.
- All swaps, deposits, locks, and votes are executed by the user directly against on-chain smart contracts.
- Cross-chain swaps via the Multichain Swapper are handled by external provider contracts (Rango, LiFi) — VIRTUS does not custody funds during cross-chain execution.
On-Chain Transparency
All protocol operations are fully verifiable on-chain:
- Token minting, emission distribution, and fee collection are recorded on the Base blockchain.
- Wallet balances, lock positions, voting weights, and reward claims are publicly visible.
- Smart contract source code is verified and readable on block explorers.
- No off-chain databases or proprietary APIs are involved in core protocol logic.
Contract Addresses
All contracts are deployed on Base Mainnet (Chain ID: 8453) and are publicly verifiable.
Core Token
| Contract | Address |
|---|---|
| VRT Token | 0x1CEFF1D2e0F0f0E27417C5600758EEc1606575CA |
Core Infrastructure
| Contract | Address |
|---|---|
| Voting Escrow | 0x6Be687DF2ab94fBD7Eeb4dAc32118110967FF0ef |
| Voter | 0x83eAb12357860e8be00D4b8a65928D6caB4c0e0c |
| Minter | 0xDc1dE416DdaD4c9e8328F30aE88E2392d5b551f7 |
| Router | 0xd08270B8149DbdE478dA8aDad979246E957bE866 |
| Rewards Distributor | 0x3DD3A0751E79b592a5E1Cea15b782cC09DC6a907 |
| Forwarder | 0xE4Dac2c4888C632Af18AE1d6AD5e59e1dea00a3c |
| VeArt Proxy | 0x185fEEFe859F2d6791D88aA3ceB1F67dDF6955A6 |
| Airdrop Distributor | 0xAB9A5F57e7cE980643cE390E3Fe4029753202748 |
Basic Pool Factories
| Contract | Address |
|---|---|
| Pool Factory | 0x7F03ae4452192b0E280fB0d4f9c225DDa88C7623 |
| Gauge Factory | 0x5B49187553381ABD46EF0100B26134B305c2d5d0 |
| Voting Rewards Factory | 0xe0E8e12d0f48bde79D8eb17c50137e0BB6a76289 |
| Managed Rewards Factory | 0x42657E442508a1a9663a6826Cd6932Fd951d2e0a |
| Factory Registry | 0x8a66E17DC6fa9C963E891391C92d451202B6Fa28 |
Concentrated Liquidity (CL)
| Contract | Address |
|---|---|
| CL Pool Factory | 0x0e5Ab24beBdA7e5Bb3961f7E9b3532a83aE86B48 |
| CL Pool Implementation | 0xcD3d85d82137d3094E6F4f7A507D309A2c2639F8 |
| CL Position Manager | 0x0357EaF652227B6D31ED7A72852018B87Cd0940d |
| CL Position Descriptor | 0xF5de0a90AC4076d85c78856816af46d4Bd90ae62 |
| CL Gauge Factory | 0x0291573A4a0398D2Cf7588cBf5AB288cc11eb677 |
| CL Gauge Impl | 0xe920D5Ff8810B1E98c4d2F2a0A154F350898C22E |
| CL Swap Fee Module | 0xd9f77f8b00D42E2A49D82F8115cD5db380550750 |
| CL Unstaked Fee Module | 0x8Db72Ca3b57761f7E5417D5A59183c0658Ca297a |
| CL Swap Router | 0xab08EE1f3DC8cbBDb1b781484eCaE8d87eCB6ee7 |
| CL Mixed Quoter | 0x56Fab75F0E365ba7380Bb49F11a7783D263d4F0D |
| CL Quoter | 0x390F37392923Dc61Af96d332cf61611D2E5bD997 |
| CL QuoterV1 | 0xd05b1cA9Dd077c75145C972809EB331ad705E4a0 |
| CL Sugar Helper | 0xa18afA056f3e54A52CEc5c123DE0049B60c45D39 |
| CL TickLens | 0x9D797C6F2C27447572910925bB249Dbc864a9B2d |
| CL Interface Multicall | 0x937123F5482bA40059D140b61fc20bD3A89947E8 |
Other
| Contract | Address |
|---|---|
| VeLock Sale | 0x0FfC5F1DC2524EB9b1eE684DE530dd1a560Aeec9 |
| Universal Router | 0xe3f74ca5dd4918232600ccc0e0284f3d100ec281 |
| Emergency Council | 0xC9C0608F551aDe53f911ceC50F565dB55c5bAFd1 |