OR-AUD-03 · Smart Contract Management

Smart Contract Management
OR Audit Work Program

Structured 10-section audit work program for the Smart Contract Management operational resilience domain. Covers SSDLC gate compliance, dual external audit evidence, proxy configuration verification, live emergency pause testing, timelocked governance confirmation, and post-deployment invariant monitoring effectiveness.

GENIUS Act §§ 9, 113OCC NPR § 15.14NIST SP 800-218 SSDFNIST CSF 2.09 Risks · 8 Controls
§ 1Audit Objective
Primary Audit Objective
Determine whether the Smart Contract Management operational resilience program is designed and operating effectively to ensure that all production contract deployments and upgrades complete the full nine-stage SSDLC gate sequence, that the Emergency Response Team can execute an emergency pause within the 30-minute impact tolerance ceiling, that a confirmed critical bug can be patched and redeployed within 8 hours, and that post-deployment invariant monitoring is continuously operational — meeting the requirements of GENIUS Act § 9, OCC NPR § 15.14, and NIST SP 800-218.

This audit has a distinctive live testing component: the auditor will observe a tabletop or testnet demonstration of the emergency pause, proxy upgrade, and resume sequence. Management's inability to demonstrate this sequence in a controlled setting is treated as a Critical finding — equivalent in significance to the on-chain threshold verification in the Key Management audit.

§ 2Scope & Regulatory Anchor
FrameworkProvisionRelevance to Smart Contract OR
GENIUS Act§ 9Technical controls — issuer must maintain technical safeguards sufficient to ensure operational integrity of the stablecoin protocol and the ability to halt operations in the event of a critical vulnerability
GENIUS Act§ 113Reportable incident notification — a critical smart contract bug, unauthorized upgrade, or L1 halt that disrupts stablecoin operations constitutes an assessable reportable incident requiring simultaneous multi-regulator notification
OCC NPR§ 15.14Technology risk management — robust procedures for development, testing, deployment, and change management of all systems material to stablecoin issuance operations
NIST SP 800-218SSDF (Secure Software Development Framework)Secure software development lifecycle framework — preparation, protection, production, and response functions applicable to smart contract development and deployment
NIST CSF 2.0GOVERN · IDENTIFY · PROTECT · DETECT · RESPOND · RECOVERCybersecurity framework — Detect and Respond functions applicable to on-chain monitoring, alert-to-pause escalation, and incident response procedures
§ 3Risk Assessment — Inherent Risk Rating

Smart Contract Management has the highest concentration of Critical inherent risks of any of the three OR domains. A single deployed bug can affect all token holders simultaneously and is publicly visible on-chain, creating both financial exposure and immediate reputational damage that compounds with each block that passes before the pause is executed.

Risk IDRisk StatementInherent LikelihoodInherent ImpactInherent Risk RatingTesting Priority
SC-R01Critical bug exploited in production before pause executesMEDIUMCRITICALCRITICALPRIORITY 1
SC-R02Unauthorized contract upgrade bypassing governance controlsLOWCRITICALHIGHPRIORITY 2
SC-R03ERT unable to execute pause within 30-minute ceilingLOWCRITICALHIGHPRIORITY 2
SC-R04L1 network halt exceeding 6-hour impact tolerance ceilingLOWHIGHHIGHPRIORITY 2
SC-R05Oracle price feed manipulationMEDIUMHIGHHIGHPRIORITY 2
SC-R06Contract state corruption during proxy upgradeLOWCRITICALHIGHPRIORITY 2
SC-R07Front-running attack during upgrade windowMEDIUMMEDIUMMEDIUMPRIORITY 3
SC-R08Production deployment without completing full SSDLC gate sequenceLOWHIGHHIGHPRIORITY 2
SC-R09Post-deploy invariant violation undetected due to monitoring gapMEDIUMHIGHHIGHPRIORITY 2
Critical risk concentration: SC-R01 (bug exploited before pause) carries a CRITICAL inherent rating — the only Priority 1 risk in this domain, but the one that drives the most consequential audit procedure: the live or testnet emergency pause demonstration. A 30-minute ceiling is unforgiving. An ERT that has never executed a real pause is not a functioning control — it is a documented intention.
§ 4Control Design Assessment

Smart contract controls are assessed against a higher design bar than typical IT controls: because smart contract exploits are irreversible on-chain, a control that is "mostly adequate" does not provide adequate protection. The design assessment questions below reflect this — each asks whether the control would work in the worst case, not merely the average case.

Control IDControl NameDesign Assessment ProceduresDesign Adequacy Question
SC-C01 Upgradeable Proxy Architecture Obtain proof of proxy pattern implementation (Transparent or UUPS). Confirm upgrade authority is restricted to governance multisig — inspect the proxy admin contract. Verify there is no backdoor single-key upgrade path. Inspect storage layout compatibility enforcement in upgrade scripts. Confirm contract source code and deployment scripts are available for review. Is the proxy architecture designed so that no single actor can upgrade the contract logic unilaterally, and does it technically prevent storage corruption during a valid upgrade?
SC-C02 On-chain Governance Timelock (≥24 hr) Independently query the on-chain timelock contract to confirm the configured delay (minimum 24 hours for non-emergency upgrades). Verify the timelock is enforced at the contract level — not a procedural control. Inspect the emergency bypass procedure documentation. Confirm emergency timelock bypasses require documented CAB quorum approval and are logged and reported to the Board within 24 hours. Is the 24-hour timelock enforced on-chain such that a proposed upgrade cannot be executed by any party — including governance multisig holders — before the delay expires?
SC-C03 Emergency Pause Function with 30-Minute ERT Ceiling Verify pause function exists in deployed contract and is accessible to pre-authorized ERT wallet addresses. Confirm ERT addresses are distinct from the governance multisig. Inspect ERT on-call roster and confirm 24/7 coverage is documented. Review pre-provisioned pause credential hardware storage. Verify scope of pause function covers mint, burn, and transfer. Confirm view functions remain operational when paused (holder balance verification preserved). Is the pause function designed so that it can be executed by a single authorized ERT member within 15 minutes of an incident being confirmed, with no dependency on governance multisig quorum?
SC-C04 Mandatory Dual External Audit Gate Inspect the SSDLC gate enforcement procedure. Confirm deployment pipeline requires both Firm A and Firm B written sign-off before production credentials are released. Verify Firm A and Firm B are independent (different firms, no shared engagement history). Confirm there is no documented exception process by which a single firm's sign-off would be sufficient. Review any Board-level exceptions granted in the audit period — inspect evidence and rationale. Is the dual-audit requirement technically enforced as a pipeline gate — not a policy requirement that can be overridden under time pressure — and does the procedure confirm that Firm B reviews Firm A's findings and resolutions?
SC-C05 Pre-Upgrade State Snapshot & Post-Deploy Invariant Check Review state snapshot procedure documentation — confirm it is automated and runs immediately before each deployment. Verify snapshot covers: total supply, proxy implementation address, ERT pause address accessibility, and storage layout checkpoint. Confirm post-deploy invariant checks run automatically and are not dependent on a manual trigger. Verify any invariant check failure triggers immediate pause and escalation. Is the post-deploy invariant check designed to fire automatically with no human intervention required — such that a state corruption introduced during an upgrade would be detected within minutes of deployment, not hours?
SC-C06 Continuous Post-Deploy Invariant Monitoring Obtain monitoring system configuration documentation. Verify all five monitored invariants are configured: supply-reserve equality (0.01% threshold), unauthorized function calls, gas anomalies (>150% baseline), oracle deviations (>2% in 60s), and ERT address accessibility. Confirm alert routing to ERT on-call. Verify alert suppression or modification requires CAB approval. Review annual monitoring system security review documentation. Is the monitoring system designed to fire a critical alert within minutes of a supply-reserve deviation or unauthorized function call — without any human pre-filtering that could delay the alert?
SC-C07 L1 Network Halt Contingency Plan Obtain written L1 halt contingency plan. Confirm plan specifies holder communication within 1 hour of confirmed halt. Verify reserve and ledger state preservation procedures during L1 unavailability. Confirm escalation triggers at T+2hr and T+4hr are documented with named escalation contacts. Confirm plan was tested via tabletop exercise within the prior 12 months. Is the L1 contingency plan designed with specific enough procedures that it could be executed by a secondary team member without guidance from the primary author?
SC-C08 Immutable SSDLC Audit Trail & Gate Enforcement Inspect SSDLC gate artefact repository. Confirm it is immutable and tamper-evident. Verify it contains all nine stage artefacts for each production deployment in the audit period. Confirm deployment pipeline withholds production credentials until gate completion is recorded. Review any emergency gate exceptions in the audit period — verify Board notification was made within required timeframe. Is the SSDLC gate enforcement technically implemented such that bypassing a gate requires a deliberate, logged, Board-notified exception — not merely the absence of a check?
§ 5Control Effectiveness Testing

Smart Contract effectiveness testing includes two procedures that have no equivalent in traditional IT audit: (a) independent on-chain querying of the proxy and timelock contract state, and (b) live or testnet observation of the emergency pause → patch → upgrade → resume sequence. Both are required for regulatory readiness sign-off.

Control IDTest ProcedureSample / ScopeEvidence Required
SC-C01 Independently query the proxy contract to confirm the current implementation address and verify it matches the CAB-approved deployment record. Confirm the proxy admin is the governance multisig address (not an individual EOA). Inspect upgrade transaction history on-chain — verify all implementation changes were executed from the governance multisig with the required quorum. Confirm no implementation changes occurred outside a CAB-approved deployment window. Live on-chain query · all upgrade transactions in audit period · CAB deployment records Auditor-obtained proxy state query · CAB deployment records · on-chain transaction history
SC-C02 Independently query the on-chain timelock contract to confirm the configured delay. Confirm delay is ≥ 24 hours. Inspect timelock bypass log — if any emergency bypasses occurred in the audit period, verify each has a documented CAB quorum record and Board notification was made within 24 hours of the bypass. Confirm timelock delay has not been reduced without a documented CAB change record. Live on-chain query · all timelock bypass records in period Auditor-obtained timelock state query · bypass records with CAB approvals · Board notification evidence
SC-C03 ⚠ LIVE Live / testnet demonstration (required): Request management to demonstrate the full emergency pause → patch deploy → resume sequence on testnet. Observe in real time: (1) ERT receives simulated critical alert; (2) pause function executed — auditor confirms on-chain pause state; (3) patched implementation deployed via proxy upgrade; (4) post-deploy invariants verified; (5) pause lifted — auditor confirms operations resumed. Record elapsed time at each stage against the 30-minute pause ceiling and 8-hour patch RTO. Any inability to demonstrate this sequence is a Critical finding. Single live or testnet demonstration (auditor-observed) Auditor observation notes with timestamps · on-chain transaction hashes from testnet · elapsed times vs. ceilings · ERT on-call roster confirmed active during demonstration
SC-C04 Identify all production deployments and upgrades during the audit period. For each, obtain the complete SSDLC gate artefact package from the immutable repository. Verify all nine stages are represented for each deployment. Confirm Firm A and Firm B are distinct firms and audit reports are dated prior to the CAB approval. Inspect finding severity classifications and verify all Critical/High findings were resolved before sign-off. Inspect CAB decision records with deployment window and authorized deployer address. All production deployments/upgrades in audit period · complete gate artefact packages SSDLC artefact packages · both audit firm reports per deployment · CAB decision records
SC-C05 For each production deployment/upgrade in the audit period, obtain the pre-upgrade state snapshot record and post-deploy invariant verification record. Confirm both exist and are dated immediately before and after the deployment transaction respectively. Verify post-deploy invariant check results show all invariants passed. If any invariant failed, inspect escalation records and verify immediate pause was executed. Confirm snapshot records are stored in the immutable SSDLC artefact repository. All production deployments/upgrades in audit period · corresponding snapshot and invariant check records Pre-upgrade snapshot records · post-deploy invariant results · any escalation records from failures
SC-C06 Inspect live monitoring system configuration — confirm all five invariant monitors are active. Review alert log for the audit period: (a) inspect all critical alerts for response time and escalation pathway; (b) confirm no critical alert was suppressed without documented CAB approval; (c) verify alert routing reaches ERT on-call addresses. Inspect quarterly alert-to-pause escalation drill records — confirm minimum one drill per quarter. Review monitoring system annual security review documentation. Live monitoring configuration inspection · full alert log for audit period · quarterly drill records Monitoring configuration evidence · alert log with response records · drill records · annual monitoring security review
SC-C07 Obtain most recent L1 halt tabletop exercise documentation. Confirm exercise was conducted within the prior 12 months. Verify exercise scenario covered L1 halt exceeding 6-hour impact tolerance. Inspect exercise results for identified gaps. Confirm holder communication timeline was modelled within 1 hour. If any actual L1 disruption occurred during the audit period, inspect incident records for actual elapsed time vs. 6-hour ceiling and GENIUS Act § 113 notification assessment. Most recent tabletop exercise report · actual L1 incident records (if any) Exercise report · scenario description · gap log · incident records (if applicable)
SC-C08 Inspect SSDLC artefact repository for tamper-evidence controls. Confirm write-access is restricted to the pipeline system, not to Protocol Engineers or individual staff members. Verify all nine stage artefacts exist for each deployment in the audit period. Inspect any emergency gate exceptions — confirm Board notification was made within the required timeframe. Obtain the most recent pipeline deployment log and trace one deployment end-to-end from requirements to post-deploy monitoring confirmation. Repository access controls · full artefact review for all deployments · one end-to-end deployment trace Repository access control settings · complete artefact packages · end-to-end deployment trace record
§ 6Impact Tolerance Verification
ServiceToleranceVerification ProcedureEvidence Required
Critical Bug Containment (Pause) 30 min CEILING Obtain written management acceptance of the 30-minute pause execution ceiling. Verify ERT on-call SLA specifies ≤15 minutes response-to-execution target. Inspect drill results confirming achieved pause execution time was within 30 minutes. If any actual critical security event occurred during the audit period, inspect timestamped incident records against the 30-minute ceiling. Signed tolerance acceptance · ERT SLA · drill results with elapsed times · actual incident records (if any)
Smart Contract Patch RTO 8 hr RTO Obtain written management acceptance of the 8-hour patch deployment RTO. Inspect the emergency SSDLC procedure — confirm expedited gate sequence is documented for emergency patches (compressed internal review, single-firm emergency audit sign-off, 2-member CAB quorum). Verify the live demonstration in SC-C03 testing (§ 5) achieved patch deployment within 8-hour simulated ceiling. Inspect expedited deployment credential pre-provisioning evidence. Signed RTO acceptance · emergency SSDLC procedure · SC-C03 demonstration results · pre-provisioned deployment credential evidence
Full Resume after L1 Halt 6 hr CEILING Obtain written management acceptance of the 6-hour L1 dependency ceiling. Verify the L1 contingency plan (SC-C07) documents escalation triggers at T+2hr and T+4hr that culminate in management declaring a breach of tolerance at T+6hr with corresponding regulatory notification. Confirm holder communication procedures can be executed without dependence on L1 infrastructure. Signed ceiling acceptance · L1 contingency plan with escalation triggers · holder communication procedure (L1-independent)
§ 7Scenario Stress Test Evidence Review
Scenario SC-S01: Critical production smart contract bug discovered during active trading hours — potential reentrancy exploit confirmed. Tests: pause within 30-minute ceiling, rapid triage and patch development, expedited SSDLC gate sequence, CAB emergency approval, proxy upgrade to patched implementation within 8-hour RTO, invariant verification, and GENIUS Act § 113 notification.
StepEvidence Review ProcedureEvidence Required
Documentation Review Obtain the SC-S01 scenario documentation. Verify the scenario description matches the OR Program (critical bug + active trading). Confirm the six-stage recovery protocol is documented with explicit time targets: pause ≤30 min, triage T+30 min–2hr, patch development T+2–5hr, emergency CAB approval T+3–5hr, patched deployment T+5–8hr, and post-incident review T+8hr–30 days. Confirm management has formally accepted this scenario as plausible. Written scenario document · management sign-off · six-stage protocol with time targets
Execution Evidence The SC-C03 live demonstration (§ 5) serves as the primary execution evidence for SC-S01. Additionally, confirm whether a full six-stage tabletop or testnet simulation was conducted within the prior 12 months covering all stages including the GENIUS Act § 113 notification assessment stage. Inspect execution log timestamps against time targets for each stage. Verify observer sign-off covers full scenario scope. SC-C03 demonstration records · full six-stage exercise records (if conducted separately) · observer sign-off
Results vs. Tolerances Review drill results: (a) was pause executed within 30-minute ceiling? (b) was patch deployed to testnet within simulated 8-hour RTO? (c) were all post-deploy invariants clean after patched upgrade? (d) was § 113 notification assessment completed and documented? (e) was the 24-hour timelock bypass procedure exercised and documented? Inspect identified gaps and confirm remediation status with evidence. Results report · elapsed time measurements · post-deploy invariant results · notification assessment record · timelock bypass record · gap/remediation log
§ 8Exception Escalation Thresholds
Finding SeverityThreshold DefinitionRequired ResponseBoard Notification
CRITICAL Any production deployment without completed dual external audit sign-off. ERT unable to execute pause during live demonstration. On-chain proxy admin is an individual wallet rather than governance multisig. Timelock configured below 24 hours without documented emergency exception. Any unauthorized upgrade transaction identified on-chain during the audit period. Live demonstration elapsed time for pause exceeds 30-minute ceiling. Immediate written response within 5 business days. Interim controls within 10 business days. Permanent remediation within 30 business days. Board notification within 5 business days. Regulator notification assessed under GENIUS Act § 113.
HIGH Missing SSDLC gate artefact for any production deployment. Monitoring invariant configuration missing one or more of the five required monitors. Post-deploy invariant check not executed for a deployment. L1 contingency plan not tested within 12 months. Annual monitoring security review overdue. Written response within 10 business days. Remediation within 45 business days. Board informed at next scheduled meeting.
MEDIUM Documentation gaps in SSDLC artefact completeness. Quarterly monitoring drill not conducted. Minor alert configuration improvements identified. Emergency SSDLC procedure not reviewed within 12 months. Written response within 20 business days. Remediation within 90 days. Included in periodic management report.
§ 9Regulatory Readiness Sign-off Criteria

The Smart Contract OR audit has the most demanding sign-off criteria of the three domains because the consequences of a control failure are immediate, public, and difficult to contain. Two criteria above all others gate sign-off: (1) the live or testnet pause demonstration must have been observed by the auditor, and (2) dual external audit evidence must exist for every production deployment in the audit period.

Mandatory — Design
  • All 8 controls assessed as adequately designed
  • Proxy admin independently verified as governance multisig (not individual EOA)
  • On-chain timelock independently verified at ≥24 hours
  • Pause function confirmed callable by ERT addresses independent of governance multisig
  • SSDLC gate enforcement confirmed as a pipeline-enforced technical control
Mandatory — Effectiveness
  • Zero Critical findings from effectiveness testing
  • Live or testnet pause demonstration observed by auditor — pause executed within 30-minute ceiling
  • Dual external audit sign-off confirmed for every production deployment in audit period
  • No unauthorized upgrade transactions identified on-chain in audit period
  • All five monitoring invariants confirmed active and alerting to ERT
Mandatory — Impact Tolerance
  • Written management acceptance of all three impact tolerances (30 min, 8 hr RTO, 6 hr L1 ceiling)
  • Demonstration elapsed time for pause within 30-minute ceiling
  • Emergency SSDLC procedure documented with 8-hour deployment RTO pathway
Mandatory — Scenario & Regulatory
  • SC-S01 scenario coverage completed — live demonstration (SC-C03) observed by auditor
  • GENIUS Act § 9 technical control requirements confirmed met in writing
  • § 113 notification assessment procedure confirmed documented and tested
  • No open Critical or High findings from this audit at time of sign-off
  • L1 contingency plan tabletop exercise completed within prior 12 months
The governing sign-off question for all three OR domains: If a systemic market shock occurs tomorrow, can the issuer transparently prove reserve integrity, maintain absolute holder confidence, and fulfill redemptions within established tolerances? For Smart Contract Management specifically: if an exploit is discovered tomorrow at 2 AM, can the ERT pause within 30 minutes, the team patch within 8 hours, and the auditor verify both with timestamped evidence? That question must be answerable with verifiable certainty before sign-off is granted.
§ 10Finding Log Template

All findings, including the auditor-observed live demonstration result and the on-chain proxy/timelock query results, are recorded below. The SC-F-001 live demonstration record is mandatory in every Smart Contract OR audit regardless of outcome.

Finding IDAudit SectionControl / Risk RefFinding DescriptionSeverityMgmt ResponseRemediation DateStatus
SC-F-001§ 5 / SC-C03SC-C03 / SC-R01, SC-R03 Live Demonstration Record: [Record auditor-observed pause execution time, patch deployment time, proxy upgrade confirmation, post-deploy invariant result, and resume confirmation from testnet demonstration. Note any stage that exceeded time targets.] RECORD [N/A if all stages within ceilings — remediation required if any ceiling exceeded] OBSERVED
SC-F-002§ 5 / SC-C01, C02SC-C01 / SC-R02 On-chain State Query Result: [Record auditor-queried proxy admin address vs. governance multisig, timelock delay vs. 24hr minimum — confirmed match or discrepancy] RECORD [N/A if clean — remediation required if discrepancy] VERIFIED
SC-F-003§ [X]SC-C[X] / SC-R[X] [Describe finding] OPEN [Management response] [DD/MM/YYYY] NOT STARTED
Finding closure: SC-F-001 (live demonstration record) and SC-F-002 (on-chain state query) are mandatory records in every Smart Contract OR audit. They cannot be marked N/A or omitted. A Critical finding on SC-F-001 (pause ceiling exceeded) requires re-demonstration after remediation before the finding is closed. The auditor must witness the re-demonstration — management self-certification is not sufficient.