# Technical Reference

## Core Architecture

Paravel is built on an extended **Boring Vault framework**, designed for modular, multi-strategy capital deployment.

The system includes:

* Multi-agent execution layer
* Cross-protocol strategy execution (including Uniswap V3)
* Cross-vault capital movement
* Off-chain strategy composition with on-chain enforcement

Leverage and complex execution paths are composed off-chain and executed via:

> `manageVaultWithMerkleVerification`

This ensures that all executed actions are validated against a predefined allowlist before execution.

There is no general-purpose on-chain execution layer in production.

***

## Smart Contracts

### Vault Contracts

* **iPrvlUSDC**\
  `0xA9dA417025B427cE8519F989BBD5d89F3E322a20`
* **iPrvlETH**\
  `0x5C1c20F7ae77f7cD80Fa4D08e053124b946f6C47`

These contracts represent the primary vault accounting layers for user deposits and withdrawals.

***

## Security Model

Paravel’s security architecture is based on **constraint enforcement rather than discretionary control**.

### Permission System

All on-chain execution is restricted using a **Merkle Tree–based allowlist system**.

This ensures that:

* Only pre-approved contracts can be interacted with
* Only validated execution paths can be used
* Agents cannot generate arbitrary transactions
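
As an added example (not Paravel's or the Boring Vault framework's own code), the Python below shows how a Merkle allowlist of this kind rejects any call that was not committed to in the root. The leaf layout, the addresses and the third selector are constructed for illustration, and SHA3-256 from the standard library stands in for the keccak256 used on-chain.

```python
import hashlib

def h(data):
    # Stand-in hash (assumption): on-chain code uses keccak256, not NIST SHA3-256.
    return hashlib.sha3_256(data).digest()

def leaf(target, selector, addr_args):
    # Assumed leaf layout: target address || 4-byte selector || pinned address arguments.
    return h(bytes.fromhex("".join(x[2:] for x in [target, selector, *addr_args])))

def hash_pair(a, b):
    # Sorted-pair hashing, so a proof carries no left/right position flags.
    return h(a + b) if a <= b else h(b + a)

def build_levels(leaves):
    # levels[0] holds the leaves, levels[-1] holds the root; an unpaired node is promoted.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([hash_pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels, index):
    # Collect the sibling at each level on the path from leaf to root.
    proof = []
    for level in levels[:-1]:
        if (index ^ 1) < len(level):
            proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify(root, proof, candidate):
    node = candidate
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

# Constructed sample policy (not real Paravel addresses or rules).
TOKEN, ROUTER, VAULT, OTHER = ("0x" + b * 20 for b in ("11", "22", "33", "99"))
ALLOWED = [
    (TOKEN, "0x095ea7b3", [ROUTER]),  # approve(address,uint256), spender pinned
    (TOKEN, "0xa9059cbb", [VAULT]),   # transfer(address,uint256), recipient pinned
    (ROUTER, "0x12345678", [VAULT]),  # made-up selector, recipient pinned
]
LEVELS = build_levels([leaf(*c) for c in ALLOWED])
ROOT = LEVELS[-1][0]

def is_allowed(call, proof):
    # The leaf is recomputed from the call actually being made, never supplied by the caller.
    return verify(ROOT, proof, leaf(*call))
```

Because the verifier derives the leaf from the live call, changing the target, the selector or a pinned address argument yields a leaf that no valid proof can connect to the stored root.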

***

### Agent Safety Controls

Before deployment, all agents undergo:

* Sandbox simulation testing
* Strategy validation against risk constraints
* Execution boundary verification

Only agents that pass all constraints are deployed to production.

***

### Monitoring and Auditing

The system includes continuous monitoring for:

* Execution anomalies
* Contract-level behavior changes
* Strategy-level risk deviations

This is complemented by ongoing external audit review cycles.

***

## Audit Summary

**Audit Firm:** iosiro\
**Date:** 13 February 2026

### Findings Summary

* 11 total findings
  * 1 medium severity
  * 4 low severity
  * 6 informational

### Resolution Status

* All medium and low severity findings have been resolved
  * Addressed through architectural changes, including removal of the on-chain adaptor
* 1 informational finding remains open
  * Related to permission scripting
  * Assessed as low impact

***

## Security Design Principle

Paravel is designed around a single principle:

> Minimize trust in execution by constraining what is possible at the protocol level.

Rather than relying on post-hoc enforcement, the system ensures:

* Invalid actions cannot be executed
* Risk boundaries are enforced at runtime
* Strategy behavior is strictly bounded by predefined rules

***

## Key Idea

Paravel does not rely on unrestricted smart contract execution.

Instead, it enforces a **pre-approved execution space** in which all agent activity must occur.

> If an action is not explicitly allowed, it cannot happen.

***

## Independent Security Audit

Paravel has undergone an independent smart contract audit conducted by iosiro.

* Date: 13 February 2026
* Scope: Core contracts, execution layer, permission system

👉 [View full audit report](https://iosiro.com/audits/paravel-citadel-dao-aave-adaptor-and-permission-script-smart-contract-audit)


