Internal Security Audit

PSUSD Final Security Audit Report

BSC and Base contract review, live-state verification, and post-hardening assessment

Date: 2026-07-04

Audit execution: Internal AI-assisted security review executed by GitHub Copilot using GPT-5.4, based on repository source inspection, live chain-state verification, operational hardening evidence, and backend validation performed on the current PSUSD deployment.

Scope: BSC and Base PSUSD contracts. Live result: hardened in place. Residual risk: moderate.

Outcome: The PSUSD live deployment was hardened in place without redeploying the core contracts. Security posture improved materially, but the final target state has not yet been fully reached.

Before: high operational centralization risk. After: moderate residual operational risk.

Executive Summary

This report covers the PSUSD BSC and Base contract stack, the live production deployment state, and the security hardening actions completed during this audit cycle.

Scope

Live Deployment Covered

Contract-by-Contract Coverage

PSUSDCanonicalBridgeMintBurnAttested.sol
Network / role: core strict bridge token logic for the live BSC and Base strict token family

Coverage: Source reviewed and live ownership / role state checked.

Main notes: Source review identified surplus-attribution risk in the strict attested path. Repository hardening exists; live conclusions remain tied only to explicitly verified deployment state.

PSUSDCanonicalBridgeMintBurnAttestedRedeemable.sol
Network / role: redeemable strict-token extension

Coverage: Source reviewed.

Main notes: No separate standalone critical issue was isolated in this pass beyond inherited owner / operator concentration risk.

PSUSDCanonicalBridgeMintBurnAttestedMirroredReserve.sol
Network / role: reserve mirroring and reserve-release logic

Coverage: Source reviewed.

Main notes: Repository review identified the need to bind reserve release to real bridge demand and approved recipients.

PSUSDCanonicalBridgeMintBurnAttestedMirroredReserveStrict.sol
Network / role: strict mirrored reserve configuration on the live strict deployment family

Coverage: Source reviewed and live role state verified.

Main notes: Operationally important because it sits on the live BSC/Base strict token path. Residual live risk is mainly role concentration.

PSUSDSatelliteRedemptionVault.sol
Network / role: live Base vault

Coverage: Source reviewed and live ownership / fee recipient / rebalancer state verified.

Main notes: Owner and fee-recipient posture improved. Rebalancer concentration remains an open residual risk.

PSUSDBaseAsyncRedeemCoordinator.sol
Network / role: documented live Base async redeem coordinator

Coverage: Source reviewed and live deployment status partially checked.

Main notes: Repository source includes stronger pause / cancel behavior. Live bytecode / source parity remains a follow-up item.

PSUSDReserveRebalancerCoordinator.sol
Network / role: off-chain-assisted reserve rebalancer support contract

Coverage: Source reviewed.

Main notes: Repository hardening added duplicate active-request blocking. Residual live concern is operational key concentration.

PSUSDAutoMintRouter.sol
Network / role: supporting mint / route coordination component

Coverage: Source reviewed.

Main notes: Included in code-review scope. No standalone live critical issue was elevated above the broader PSUSD admin and operator control risks in this pass.

Completed Live Hardening

Methodology

  1. Manual source review of bridge, reserve, redeem, coordinator, and privilege surfaces.
  2. Repository build and regression validation.
  3. Live chain state verification on BSC and Base.
  4. In-place role hardening on the live deployment.
  5. VPS relayer rotation and service verification.
  6. Async redeem doctor, dry-run checks, and shadow smoke testing.

Findings

Medium - Contract-level issues were identified in the PSUSD Solidity codebase and addressed in repository hardening work

The contract review portion of this audit covered the PSUSD Solidity code itself, not only the live operational setup. That review identified important code-level areas around surplus attribution, reserve release controls, and operator-assisted guardrails in async / rebalancer support contracts.

Impact: these were real contract-level security and correctness concerns in the reviewed codebase, especially for future deployments or parity-sensitive live components.

Recommendation: keep the hardened repository implementations as the source of truth for future deployments and verify live bytecode parity where operationally relevant.

Medium - Owner role is improved but still EOA-based

The live owner is no longer the original concentrated operational wallet, but it is still a single EOA rather than a multisig.

Impact: compromise of the new owner EOA would still allow owner-level reconfiguration.

Recommendation: migrate owner to a multisig.

Medium - Reserve operator and Base rebalancer remain concentrated

The reserve-moving role and the Base vault rebalancer are still on the legacy hot wallet.

Impact: reserve and liquidity operations still have a larger-than-ideal blast radius.

Recommendation: split these hot roles when operations are ready.

Medium - Live async redeem coordinator may lag hardened local source

The local repository contains stronger async control logic than what was earlier observed on the documented live coordinator deployment.

Impact: emergency assumptions for the async redeem coordinator should be treated cautiously until bytecode parity is confirmed.

Recommendation: perform explicit live bytecode/source parity verification for the coordinator.

Informational - Core PSUSD contracts were not redeployed

This hardening cycle intentionally preserved live contract addresses and existing integrations.

Repository Hardening vs Live State

The repository source tree contains additional hardening work beyond the live in-place role rotation.

Important distinction: this audit explicitly separates contract-level source hardening from what was directly verified on live deployed contracts. The PSUSD BSC and Base contracts were part of the audit scope, but live conclusions are intentionally limited to state and behavior that were directly validated.

Validation Summary

Conclusion

This audit cycle produced a real live security improvement. The deployment is safer than before, but not yet at its ideal end state.

Priority next steps are: multisig owner migration, reserve operator / rebalancer split, and explicit live coordinator parity verification.