Maker's core accounting contract—the vat—has remained immutable for six years while processing tens of billions in TVL. Centrifuge is proving this isn't legacy thinking; it's the only approach that survives institutional custody requirements where protocol upgrades introduce unacceptable counterparty risk.
Jeroen Offerijns, CTO of Centrifuge, explains why their $750M TVL RWA protocol runs 6-7 serial audits rather than parallel reviews on a final commit hash. The goal isn't redundant coverage—it's forcing architectural iteration between audits. Low-severity findings don't get dismissed; they trigger contract redesigns before issues compound. This matters when tokenizing Apollo's private credit or S&P 500 funds, where a single exploit permanently destroys institutional trust.
The technical implementation diverges from standard DeFi patterns at every layer. Centrifuge co-authored ERC-7540 with competitor Maple Finance because RWA settlement requires multi-day cycles for off-chain broker execution and NAV updates, so atomic swaps don't exist here. Their cross-chain security uses multiple bridge providers simultaneously, so an exploit requires compromising all providers. Invariant testing with Echidna and Medusa surfaces chained rounding manipulations that exceed human auditors' ability to reason through state permutations across multi-step transactions.
Topics discussed:
- Serial audit methodology: using findings to force architectural iteration rather than validating final code
- Maker's immutable core pattern: isolating accounting logic in never-upgraded contracts with modular extensions
- ERC-7540 co-authorship with Maple Finance: standardizing asynchronous operations for multi-day RWA settlement
- Multi-bridge redundancy: requiring simultaneous compromise of all interoperability providers
- Invariant testing with Echidna/Medusa via Recon: catching chained exploit patterns beyond human reasoning
- Low-severity findings as architectural signals: redesigning contracts before issues compound
- AI auditing integration: per-commit security validation reallocating human auditors to protocol-specific vectors
- DRWA architecture: separating regulated fund custody from permissionless yield token access
- Centrifuge V3.1 as freely immutable infrastructure: enabling third-party RWA protocols to avoid rebuilding primitives
- Rejecting upgradeable proxies: modular contract design for institutional custody requirements