Threat Model
Assets To Protect
- validator principal and the protection outcomes promised on it
- reward accounting correctness
- governance integrity
- admission and vault-binding integrity
- availability of claim and settlement operations
Trust Boundaries
- governance multisig and role custody
- oracle/backend submission authority
- deployment and release artifact integrity
- reserve proof integrity and freshness
Major Threat Classes
- governance key compromise
- malicious or mistaken implementation approval
- deposit baseline misconfiguration
- oracle replay/stale/conflict manipulation
- receipt source replay or misclassification
- operator runbook execution error
Expected Defensive Behaviors
- fail-closed when state evidence is stale or conflicting
- strict role checks on privileged actions
- idempotency checks for receipts and economic sources
- deterministic claim caps and pending-claim lifecycle controls
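The threat classes in the previous section and the defensive behaviours listed here, modelled as a small Python state machine. This is an added example, not the project's code or a description of its implementation; the parameter values (MAX_AGE, QUORUM, CLAIM_CAP), the oracle and receipt-source sets, the role names, the status strings and the scenario inputs in demo() are all constructed assumptions for illustration. It shows oracle intake rejecting replayed, stale and unauthorized submissions and freezing (failing closed) on a conflict between authorized submitters; receipts credited exactly once and only from a known source; claims that pay only against a fresh, unconflicted snapshot and never beyond a deterministic per-epoch cap; and the unfreeze gated on a governance role.

```python
from dataclasses import dataclass

# Parameters and principal sets are assumptions for this example, not the project's values.
MAX_AGE = 600                      # seconds before a snapshot counts as stale
QUORUM = 2                         # matching oracle submissions needed to finalize an epoch
CLAIM_CAP = 600                    # units claimable per finalized epoch
ORACLES = {"oracle-a", "oracle-b", "oracle-c"}
RECEIPT_SOURCES = {"bridge", "validator-payout"}


@dataclass(frozen=True)
class OracleSnapshot:
    epoch: int
    submitter: str
    total_rewards: int
    observed_at: int               # unix seconds


class Settlement:
    def __init__(self):
        self.pending = {}          # epoch -> {submitter: total_rewards}
        self.final = None          # last finalized OracleSnapshot
        self.frozen = None         # reason string while fail-closed on a conflict
        self.frozen_epoch = None
        self.seen_receipts = set() # receipt ids already credited (idempotency)
        self.credited = 0          # units available for claims
        self.claimed_in_epoch = 0

    def submit(self, snap, now):
        """Oracle intake: reject replay, stale and unauthorized input; freeze on conflict."""
        if self.frozen:
            return "frozen:" + self.frozen
        if snap.submitter not in ORACLES:
            return "rejected:unauthorized-submitter"
        if self.final is not None and snap.epoch <= self.final.epoch:
            return "rejected:replay"
        if now - snap.observed_at > MAX_AGE:
            return "rejected:stale"
        bucket = self.pending.setdefault(snap.epoch, {})
        if snap.submitter in bucket:
            return "rejected:duplicate-submitter"
        if any(v != snap.total_rewards for v in bucket.values()):
            # Two authorized oracles disagree: fail closed rather than pick a winner.
            self.frozen, self.frozen_epoch = f"conflict@epoch{snap.epoch}", snap.epoch
            return "frozen:" + self.frozen
        bucket[snap.submitter] = snap.total_rewards
        if len(bucket) >= QUORUM:
            self.final, self.claimed_in_epoch = snap, 0
            self.pending = {e: b for e, b in self.pending.items() if e > snap.epoch}
            return "finalized"
        return "accepted"

    def resolve_conflict(self, caller, roles):
        """Privileged action: only GOVERNANCE may clear a freeze; the disputed epoch is discarded."""
        if "GOVERNANCE" not in roles.get(caller, set()):
            return "rejected:role"
        if self.frozen is None:
            return "rejected:not-frozen"
        self.pending.pop(self.frozen_epoch, None)
        self.frozen = self.frozen_epoch = None
        return "resolved"

    def ingest_receipt(self, receipt_id, source, amount):
        """Receipts are credited once; an unknown source is rejected, never reclassified."""
        if source not in RECEIPT_SOURCES:
            return "rejected:unknown-source"
        if receipt_id in self.seen_receipts:
            return "rejected:replay"
        self.seen_receipts.add(receipt_id)
        self.credited += amount
        return "credited"

    def claim(self, requested, now, caller, roles):
        """Returns (paid, status). Pays nothing unless a fresh, unconflicted snapshot exists."""
        if "CLAIMER" not in roles.get(caller, set()):
            return 0, "rejected:role"
        if self.frozen:
            return 0, "frozen:" + self.frozen
        if self.final is None or now - self.final.observed_at > MAX_AGE:
            return 0, "rejected:no-fresh-snapshot"
        paid = min(requested, CLAIM_CAP - self.claimed_in_epoch, self.credited)
        if paid <= 0:
            return 0, ("rejected:cap-exhausted" if self.claimed_in_epoch >= CLAIM_CAP
                       else "rejected:nothing-claimable")
        self.claimed_in_epoch += paid
        self.credited -= paid
        return paid, "paid"


def demo():
    """Constructed scenario (not real data); returns the outcome of each step in order."""
    s, now = Settlement(), 10_000
    roles = {"gov": {"GOVERNANCE"}, "alice": {"CLAIMER"}}
    return [
        s.submit(OracleSnapshot(1, "oracle-a", 500, now - 10), now),    # accepted
        s.submit(OracleSnapshot(1, "oracle-a", 500, now - 10), now),    # rejected:duplicate-submitter
        s.submit(OracleSnapshot(1, "oracle-b", 500, now - 5000), now),  # rejected:stale
        s.submit(OracleSnapshot(1, "mallory", 500, now - 5), now),      # rejected:unauthorized-submitter
        s.submit(OracleSnapshot(1, "oracle-b", 500, now - 5), now),     # finalized
        s.submit(OracleSnapshot(1, "oracle-c", 500, now - 5), now),     # rejected:replay
        s.ingest_receipt("r-1", "bridge", 700),                         # credited
        s.ingest_receipt("r-1", "bridge", 700),                         # rejected:replay
        s.ingest_receipt("r-2", "airdrop", 700),                        # rejected:unknown-source
        s.claim(900, now, "alice", roles),                              # (600, 'paid')
        s.claim(50, now, "alice", roles),                               # (0, 'rejected:cap-exhausted')
        s.submit(OracleSnapshot(2, "oracle-a", 800, now - 1), now),     # accepted
        s.submit(OracleSnapshot(2, "oracle-b", 900, now - 1), now),     # frozen:conflict@epoch2
        s.claim(50, now, "alice", roles),                               # (0, 'frozen:conflict@epoch2')
        s.resolve_conflict("alice", roles),                             # rejected:role
        s.resolve_conflict("gov", roles),                               # resolved
        s.claim(50, now + MAX_AGE + 1, "alice", roles),                 # (0, 'rejected:no-fresh-snapshot')
    ]
```

The design point is that every failure path returns nothing rather than a best guess: a conflict does not pick the larger or later value, a stale finalized snapshot disables claims even though funds are credited, and the only way out of a freeze is an explicitly role-gated governance action.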
Residual Assumptions
- signers are not compromised
- offchain observation and receipt pipelines are honest enough that the inputs fed to the fail-closed checks can be relied on
- the governance process can detect malicious queued operations within the timelock window