This repository exists in the spirit of full transparency. All audit reports are published in their entirety, with no redactions or summaries. Every finding, discussion, and resolution is open for public review.
Neverland contracts undergo continuous third-party and internal reviews to ensure that all deployed code meets the highest standards of safety, clarity, and maintainability.
Auditor: Composable Security
| Date | Description | Report | Announcement |
|---|---|---|---|
| August 22, 2025 | Initial comprehensive audit of Neverland’s core contracts including DustLock, DustRewardsController, RevenueReward, and core libraries. The assessment identified critical and high-risk issues related to withdrawal logic, voting power recalculation, and reward accounting. All findings were remediated and verified in the retest. | View Report | Tweet |
| October 10, 2025 | Follow-up audit expanding scope to self-repaying loans, vault system, and new reward mechanics. No critical or high-risk issues found. All medium and low findings were fixed and verified. Major improvements included dependency hardening, renounceOwnership protection, and gas-efficiency updates. | View Report | Tweet |
Between August and October 2025, Neverland completed a full second-round security review after introducing new lending and vault features. This process demonstrates Neverland’s commitment to transparency and verifiable remediation.
Key progress validated across both reports:
- All critical and high-risk vulnerabilities resolved and retested
- Self-repaying loan reward flow secured
- Governance and access control hardened with Ownable2Step
- Dust attack vector mitigated via enforced minimum lock amounts
- Fixed-point math adopted for precision in rewards and voting power
- Custom errors and consistent constants introduced for readability and gas optimization
- Multi-sig and timelock governance recommended for all admin-level actions
Neverland treats audits as living documents, not marketing material. Each issue, fix, and retest is preserved for anyone to verify.
Neverland's lending protocol builds on Aave V3, inheriting its audited base architecture and proven security guarantees. Aave’s full set of security reports can be found at aave.com/security.
Browse the audits directory to access reports.
Files follow this naming convention:
<date>_<project-name>_<auditor-name>.pdf
Security audits identify and reduce risk but cannot guarantee the absence of vulnerabilities. Neverland believes in continuous verification, open communication, and transparent disclosure. Users should always evaluate smart contract interactions independently.