• TShareValuation — EV calculation correctness
• HexPriceOracle — TWAP manipulation resistance
• VaultManager — mint/repay/liquidate/early unstake
• StabilityPool — deposit/withdraw/reward accounting
• RedemptionHandler — debt reduction ordering
• PenaltyRouter — 80/20 split integrity
• BuybackBurn — swap slippage + burn authorization
• RecoveryModule — system CR thresholds
• DTSC — minter lock irreversibility (tested; verify on deploy)

• dtsc.lockWiring() called post-deploy
• All one-time setters renounced
• No remaining deployer addresses
• Only authorized minters can mint/burn (unit tests)

• Total debt ≤ sum of max borrowable per vault
• System CR triggers recovery mode correctly
• Penalty mint bounded by vault debt (removed; SP offset only)
• SP offset cannot exceed totalDeposits
• Redemption cannot create negative debt

• Pair address verified on-chain
• min(TWAP, spot) for liquidations; TWAP-only for borrow
• Stale TWAP fallback documented
• EV hard cap enforced

• stakeLists/stakeCount ABI matches PulseChain HEX
• globalInfo()[4] day index verified
• calcPayoutRewards range correct
• Custodial startStake minimum 2000 days

1. Registered stakes cannot be physically locked — reliance on monitoring + penalties
2. Early unstake penalties route to Stability Pool offset (no penalty mint)
3. USD pricing via WPLS requires external WPLS/USD reference for true dollar peg
4. BuybackBurn requires DTSC liquidity on PulseX post-launch

forge test
FOUNDRY_PROFILE=ci forge test
forge test --gas-report

Current: 156 tests across 23 suites (see GitHub Actions).

1. Pause frontend (contracts are immutable — cannot pause on-chain)
2. Communicate via official channels
3. Stability Pool depositors absorb losses per design
4. Post-mortem + audit remediation for v2 if needed