Security

Scope#

Security is analyzed across three layers: settlement contract, MCP gateway/services, and keeper operations.

Contract Controls#

  • Reentrancy protection on settlement and fee withdrawal paths
  • One-way state transitions for signal and purchase-leg statuses
  • Role separation for governance, resolver, and keeper functions
  • Pausable purchase entry points without freezing owed settlements

Commitment Integrity#

text
commitment_hash = keccak256(maker, asset, target_price, direction, expiry_time, salt)

Buyers can independently recompute this value after decrypting delivery and after reveal.

Delivery Trust Model#

  • Delivery is recognized only if receipt is finalized on-chain before deadline.
  • MVP challenge scope: mismatched commitment only (challengeMismatchedCommitment).
  • Deferred scope: generic decryptability disputes.

Economic Invariants#

text
For each purchase_ref exactly one terminal settlement outcome exists:
- SETTLED_PAYOUT or SETTLED_REFUND

Protocol fees accrue only on payout settlement outcomes.

Operational Security#

  • Idempotency keys on all mutating MCP calls
  • Rate limits and signature auth on gateway
  • Event replay + dead-letter handling in background workers
  • Chain reorg confirmation-depth policy before terminal projections
NOTE

Narrowing dispute scope in MVP reduces ambiguity and keeps settlement deterministic while preserving objective enforcement.