Security is Foundation, Not an Afterthought
Throughout Cliff White’s career as VP of Engineering at Re, security has been a central focus. He’s seen what happens when projects treat audits as an afterthought. They rush to market, skip the deep reviews, and hope for the best. Inevitably, vulnerabilities surface.
Re has taken the opposite approach from day one — by embedding security into decisions and proving it with independent verification. When allocators review Re’s security stance, they should be able to see evidence of rigorous engineering discipline, not just claims of it. Re is not another DeFi protocol recklessly chasing yield, it manages real capital for real counterparties.
Our Audit History
Re has conducted multiple audits with Hacken throughout the protocol’s development. These engagements laid a solid security foundation and validated the protocol’s root architecture. As the protocol matured and expanded its scope and sophistication, Re partnered with Certora to expand verification and security audits across a wider range.
Certora specializes in rigorous formal verification; the kind of mathematical proof systems that go beyond ordinary testing to verify contract behavior through all possible scenarios.
The 3.5-week partnership examined key protocol core contracts and capital-flow logic, with particular scrutiny of mechanisms that protect depositor funds. The results: 0 critical issues, 0 high-severity vulnerabilities, 13 total findings identified, and 100% remediated and verified. The audit focused on redemption rails, capital-flow controls, and access/upgrade paths, the critical infrastructure that guarantees funds move securely.
The report can be accessed here. This is Re’s third comprehensive protocol audit. Security is not a one-time deal, it’s a repeated program that scales with the protocol.
Why Every Line Matters To Us
“In my experience, every line of code matters and has to be audited,” says White. That’s where the vulnerabilities hide.Protocols bypass rigorous review. Edge cases are overlooked. State transitions that “should” be harmless prove to have unforeseen interactions. Access controls have nuances. Such vulnerabilities don’t emerge during fundamental testing — they need to be thoroughly reviewed by security specialists who know how to break them. These are the details that separate secure protocols from compromised ones. “Most hacks happen because someone didn’t look closely enough,” he says.
“In my experience, every line of code matters and has to be audited,” says White. That’s where the vulnerabilities hide.Protocols bypass rigorous review. Edge cases are overlooked. State transitions that “should” be harmless prove to have unforeseen interactions. Access controls have nuances. Such vulnerabilities don’t emerge during fundamental testing — they need to be thoroughly reviewed by security specialists who know how to break them. These are the details that separate secure protocols from compromised ones. “Most hacks happen because someone didn’t look closely enough,” he says.
“In my experience, every line of code matters and has to be audited,” says White. That’s where the vulnerabilities hide.Protocols bypass rigorous review. Edge cases are overlooked. State transitions that “should” be harmless prove to have unforeseen interactions. Access controls have nuances. Such vulnerabilities don’t emerge during fundamental testing — they need to be thoroughly reviewed by security specialists who know how to break them. These are the details that separate secure protocols from compromised ones. “Most hacks happen because someone didn’t look closely enough,” he says.
“In my experience, every line of code matters and has to be audited,” says White. That’s where the vulnerabilities hide.Protocols bypass rigorous review. Edge cases are overlooked. State transitions that “should” be harmless prove to have unforeseen interactions. Access controls have nuances. Such vulnerabilities don’t emerge during fundamental testing — they need to be thoroughly reviewed by security specialists who know how to break them. These are the details that separate secure protocols from compromised ones. “Most hacks happen because someone didn’t look closely enough,” he says.
At Re, we don’t cut corners. We make significant investment in security because we know the risks and what’s at stake. “Security isn’t optional. It’s the foundation for trust in the capital we manage,” says White. It’s not about being cautious for caution’s sake. This is about understanding where risk truly exists within dynamic, complex systems and addressing it systemically.
Re has a no-unaudited-core policy. Smart-contract vulnerabilities are the top cause of protocol exploits in DeFi, which is why Re never releases unaudited core logic. Every substantive change goes through review before deployment. Any vulnerabilities found during audits get triaged, resolved, and re-tested before being released, with better monitoring, and alerting to maintain solid coverage in production. Re issues a high-level audit summary and will provide security updates so that depositors can have protocol security posture over time.
Why This Matters for Re and What’s Ahead
works at the intersection between legacy reinsurance and decentralized finance. We deal with sensitive, sometimes confidential information. We control significant amounts of capital on behalf of institutional parties. Protection and trust can’t be negotiated because they’re the foundation of our entire business model.
This context makes our security posture even more critical. We’re not “just another protocol.” Our responsibilities mirror those of traditional financial institutions, with the added complexity of operating in a transparent, on-chain environment. We need security practices that match the rigor of legacy institutions while embracing the accountability standards of decentralized finance.
As we’re heading into reinsurance contract season and actively growing our TVL (Total Value Locked), high balance figures and multiple counterparties exponentially raise the stakes. That’s why Re is hardening our codebase now, before growth takes off, not after things go wrong and vulnerabilities emerge.This Certora audit positions us to scale safely. It proves our architecture at a significant inflection point and guarantees us that our infrastructure is primed to handle the demands headed its way.
What This Means for Allocators
If you’re considering depositing capital with Re, we want you to be comfortable doing that. Not because we’re the perfect protocol but we’re serious about our security enough to demonstrate through our deeds.
We submit to vigorous third-party review. We invest in formal verification. We integrate security into our development process by design. And we’re transparent about our methods and results.
Re is serious, reliable, and professional. We’re building infrastructure that respects the magnitude of the capital we manage. Security and trust aren’t marketing claims, they’re built into the foundation of everything we do. When you invest with Re, you’re entrusting us with your money. We don’t take that responsibility lightly, and our track record of audits demonstrates our commitment to maintaining that trust.