The PoolTogether Protocol has undergone three formal professional third party audits. Two have been conducted by Open Zeppelin, and one by ditCraft.
Additionally the PoolTogether core team has a long term security relationship with ConsenSys Diligence including monthly code reviews.
Notwithstanding, portions of the PoolTogether Protocol codebase will continue to evolve and it should never be expected that 100% of the deployed code has been formally audited.
We encourage responsible disclosure of any vulnerabilities in the smart contracts and will pay up to $25,000 for those. See the Bounties for more details.