The PoolTogether Protocol has undergone two formal, professional third-party audits conducted by OpenZeppelin. Those audits can be viewed here.
Notwithstanding this, portions of the PoolTogether Protocol codebase will continue to evolve, and it should never be expected that 100% of the deployed code has been formally audited.
We encourage responsible disclosure of any vulnerabilities in the smart contracts and will pay up to $25,000 for those. See the Bounties for more details.