We Audited Our Own Code

Why

BV-7X has been live for 18 days. In that time the codebase grew from a clean MVP to 89,184 lines across 31 services, 150+ API routes, and 30+ cron jobs. Features shipped fast. Signal model went from v3 to v5.3. Content pipeline expanded to six platforms. Arena, referrals, staking, prediction market integration — all bolted on in two weeks.

Speed creates debt. Before the codebase grew another inch, we stopped building features and ran a full-scope audit. Not a third-party rubber stamp. A line-by-line inventory of every file, every dependency, every hardcoded value. The goal was simple: find the things that could break the signal.

---

Scope

The audit covered three domains:

• Signal Model — the 4-signal engine, self-testing framework, monitoring, calibration, and all data sources
• Smart Contracts — MultiRewards staking (Synthetix pattern), token gate, FeeLocker integration, on-chain interaction surface
• Infrastructure — server architecture, content pipeline, credential security, configuration management, rate limiting, error handling

Every service file was inventoried. Every API endpoint catalogued. Every parameter traced from its source to every consumer. The full audit produced 48,000 words across four documents.

---

What We Found

Critical: The threshold mismatch

The most dangerous bug was invisible. The live signal engine and the backtester used different default thresholds for the same parameters:

Under normal operation, both systems load thresholds from a JSON file written by the daily grid search. The defaults only activate if that file fails to load — disk error, race condition during a backtest write, corrupted JSON. A silent fallback to wrong values. The trend threshold was 67% wider, the ROC threshold 29% narrower, and the drawdown threshold 3x wider than the grid-searched optimums. A low-probability failure with high-impact consequences.

Critical: The God Object

server.js was 11,035 lines. Every API route, every cron schedule, all authentication middleware, content generation logic, business rules, arena scoring, referral tracking, and revenue calculations — all in one file. It was impossible to audit in isolation, impossible to test, and a single point of failure for the entire platform.

Critical: The signal engine

The signal methodology file had grown to 4,425 lines. 14 category scorers, regime detection, three generations of decision logic (v3, v4, v5), correction overrides, and post-decision filters — all accumulated through five model versions without cleanup. Dead code paths. Commented-out experiments. Functions that were never called.

High: 9 divergences between live and backtest

The live signal and the backtester were completely separate implementations that shared no code. We identified 9 specific divergences:

• Bounce/drop detection used in backtest but absent from live
• MVRV Z-Score (VALUE signal) hardcoded to "FAIR" in backtest — never fires CHEAP or EXPENSIVE
• Kalshi prediction market filter applied live but absent from backtest
• VIX/macro modifier applied live but absent from backtest
• Fear & Greed thresholds differ between live and backtest capitulation detection
• Confidence calibration uses different methods in each

The implication: our 61% backtest accuracy was not a reliable estimate of live performance. The two systems were measuring different things.

High: Version chaos

The signal engine file header said v3.5.2. The parsimonious signal function returned v5.3.0. The arena service defaulted to v5.1.0. The monitoring system reported v4.4.0. Four different version strings. No single source of truth.

High: No rate limiting

The signal API — the most important public endpoint — had zero rate limiting. 80% of all endpoints were completely unprotected.

Medium: Configuration scatter

The BV7X contract address appeared in 15 locations across 8 files. CoinGecko was called from 9+ locations with different error handling. 12+ interval values and 30+ cron schedules hardcoded across multiple files. No centralized configuration.

---

The Smart Contracts

The good news. MultiRewards.sol — our staking contract — is a faithful port of the battle-tested Synthetix/Curve multi-rewards pattern. OpenZeppelin 5.x, proper access control, ReentrancyGuard on all state-changing functions, SafeERC20 for all transfers.

Three low-severity findings (no reward token removal function, defense-in-depth on exit(), no flash loan protection) and two informational notes. All within expected parameters for a Synthetix-pattern contract. The Solidity was clean. The operational risk was elsewhere.

---

What We Fixed

We didn't just document the problems. We fixed them.

The server: 11,035 → 385 lines

We extracted 150+ API routes into 20 dedicated route files. Authentication, cron scheduling, and page routing each got their own module. server.js is now what it should have been from day one: middleware, route mounting, and startup. Nothing else.

The signal engine: 4,425 → 1,407 lines

Dead code removed. Commented-out experiments deleted. Legacy v3 and v4 decision logic stripped. What remains is the v5.3 parsimonious signal: four macro inputs, simple thresholds, regime detection, and post-decision filters. The signal engine now contains only code that runs in production.

Centralized configuration

Four new config files replaced hundreds of scattered magic numbers:

• constants.js — all contract addresses, API URLs, BTC constants. One import, everywhere.
• version.js — single MODEL: '5.3.0'. Every service reads from here. No more four different version strings.
• timing.js — every interval, every dedup cache size. Change one number, change the whole system.
• signal-defaults.js — all 30+ signal thresholds in one file. Both the live engine and the backtester import from the same source. The threshold mismatch is structurally impossible now.

---

What Remains

Transparency means reporting what we haven't fixed yet.

• Live/backtest divergence — the two implementations still don't share code. Unifying them is the highest-impact remaining task, but also the highest-risk refactor. It touches every accuracy metric.
• Test suite — still zero automated tests for server routes, API responses, or frontend behavior. The self-testing framework validates the model, not the platform.
• Pre-ETF data contamination — 73% of backtest data predates ETF flows. The FLOW signal contributes nothing in that era, which inflates its apparent importance in the aggregate.

---

The Thought Process

Most projects in this space don't audit themselves. The incentive structure points the other way — ship features, grow the number, don't look too hard at the scaffolding. We chose to stop for a different reason: the signal is the product. If the signal infrastructure has bugs, the signal has bugs. Everything downstream — the accuracy claims, the backtest numbers, the confidence scores — is only as trustworthy as the code that produces it.

The threshold mismatch was the proof. It was a latent bug that would never appear in normal operation. It required a file read failure to trigger. But if it triggered, the live signal would silently diverge from its backtested behavior with no alert, no log, no indication that anything was wrong. You can't find bugs like this by watching dashboards. You find them by reading every line.

The 96.5% reduction in server.js wasn't about aesthetics. A monolithic server is a monolithic failure mode. When 150 routes share one file, a syntax error in a referral endpoint can crash the signal API. Extraction isn't refactoring for its own sake — it's fault isolation. Each route file can fail independently without taking down the system.

We published the full audit internally — 48,000 words across four documents covering every finding, every parameter census, every dependency chain. This blog post is the public summary. The detailed reports are available on request.

---

By the Numbers

---