Security
Security boundaries are explicit by design.
External operators hold validator signing keys. Foundation systems validate and fund seats. Vault contracts define settlement separately from off-chain policy.
Actor matrix
Four control planes. One holder each.
Validator signing key
OperatorBLS keypair generated and stored entirely in the operator's environment.
Principal funding
FoundationFoundation allowlists and submits the 32 CTN deposit after validation.
Reward claims
VaultBeneficiary wallet claims rewards under vault rules and delay safeguards.
Exit request path
NetworkTreasury/vault/EIP-7002 path can initiate; consensus layer governs completion.
Key custody
Validator BLS keys are generated and stored entirely in the operator's environment. Onboarding only moves the public key and deposit data.
Funding & allowlisting
The Foundation funds the 32 CTN principal only after validating submitted data against one-use, pubkey-bound allowlist intents.
Exit control & fault domains
Either party can initiate an exit; neither needs the other's key. Fault responsibility is explicit and non-overlapping.
Rewards, settlement & claims
Rewards and exit proceeds flow through a dedicated WithdrawalVault under principal-first accounting, with claim delays and rate limits bounding damage from key compromise.
Deep dive
Proofs, risks, and alternatives.
The contracts, invariants, residual risks, and the other custody models we considered. Open any panel for details.
On-chain architecture
Three contracts enforce the security model.
On-chain architecture
Three contracts enforce the security model.
TreasuryRouter
A forwarding proxy that decouples treasury identity from the operational signing key. The activeSigner can be rotated via a time-locked two-step process (7-day delay) without redeploying vaults.
VaultFactory
Deploys vaults with enforced parameters: 32 CTN principal target and PrincipalFirst shortfall policy are hardcoded. A registry enforces one vault per validator public key hash.
DepositContractCTN
Two independently toggleable gates: a pubkey-allowlist gate (one-use intent hashes bound to pubkey, withdrawal credentials, amount, depositor, and ownership epoch) and an owner-only depositor gate.
Formal properties
Proven invariants and structural guarantees.
Formal properties
Proven invariants and structural guarantees.
Conservation of funds
No vault operation creates or destroys value. Total lifetime inflows always equal current balance plus cumulative rewards claimed plus cumulative principal claimed.
Counter isolation
The rewards counter is incremented only by beneficiary-authenticated calls; the principal counter only by treasury-authenticated calls. No function increments both.
Claim ordering independence
In ExitSettlement with no shortfall, final distribution is identical regardless of claim order between beneficiary and treasury.
Disjoint authority sets
Operator capabilities use BLS; treasury capabilities use ECDSA. The two authentication domains are structurally disjoint.
Unambiguous slashing attribution
Since the Foundation never possesses the operator's BLS private key, any slashable message signed by that key can only have come from the key holder.
Force-exit sufficiency
CIP-7002 provides the Foundation with sufficient authority to unilaterally initiate a validator exit without possessing the operator's signing key.
Testing: 250/250 Foundry tests pass covering settlement sequencing, rate limiting, claim mechanics, conservation invariants, reentrancy, access control, CIP-7002 exit construction, and adversarial economics. Certora formal verification passes for vault economics, access, router, and factory specs.
Custody model comparison
Why BYO-BLS over four alternative models.
Custody model comparison
Why BYO-BLS over four alternative models.
| Model | No BLS custody | Unilateral exit | Auth split | Attribution | DB risk |
|---|---|---|---|---|---|
| BYO-BLS (Centurion) | Low | ||||
| Foundation generates keys | High | ||||
| Shared custody | High | ||||
| Distributed validator (DVT) | partial | partial | partial | partial | Medium |
| Direct withdrawal credentials | Low |
- BYO-BLS (Centurion)
Operator is sole custodian. Exit via CIP-7002 (no BLS key needed).
- Foundation generates keys
Both parties hold key copies. Slashing attribution is impossible.
- Shared custody
Formalizes the attribution problem rather than solving it.
- Distributed validator (DVT)
Foundation holds key shares, not the full key. Exit requires threshold cooperation.
- Direct withdrawal credentials
Clean key separation but sacrifices capital protection entirely.
Residual risks
Nine known risks and how each is bounded.
Residual risks
Nine known risks and how each is bounded.
- R1
Phase-blind fund classification
During Running phase, the vault cannot distinguish protocol rewards from arbitrary transfers. Once balance reaches 32 CTN, Running-phase claims are blocked.
- R2
Deployment-time EOA check
The constructor's code-size check on the beneficiary does not prevent future code deployment via CREATE2 or EIP-7702. Mitigated by the reentrancy guard.
- R3
Treasury key compromise
All vaults share one treasury address (the TreasuryRouter). Signer rotation is available via a 7-day time-locked process. Production uses HSM custody.
- R4
Watcher downtime window
If watchers are offline when a validator exits, auto-settlement does not fire. Principal protection still blocks Running claims at or above 32 CTN.
- R5
CIP-7002 availability dependency
Force-exit depends on the CIP-7002 system contract being deployed and functional on the target chain.
- R6
Claim delay front-running
An adversary with a compromised beneficiary key could initiate and finalize in the first block after delay. Mitigated by rate limit, settlement front-run guard, and private mempool.
- R7
CIP-7002 dynamic fee spike
Under congestion, CIP-7002 fees can spike. The seat manager queries the current fee and includes a safety margin.
- R8
Vault deployment front-running
Vaults deploy via CREATE (unpredictable address), with post-deployment verification reading back seven on-chain properties.
- R9
Uncoordinated operator voluntary exit
If the operator exits without coordination and watchers are down, principal protection still blocks Running claims at or above 32 CTN.
Multi-fault composition
How the system degrades under combined failures.
Multi-fault composition
How the system degrades under combined failures.
Operator misconduct + watcher failure
Slashed validator's exit balance may land in a Running-phase vault without triggering auto-settlement. At or above 32 CTN, principal protection blocks Running claims.
Treasury key + beneficiary key compromise
Arithmetic invariants still hold, but all funds can be drained by compromised keys acting within authorized roles. Rate limiting and the 7-day rotation delay bound exposure.
Deposit data manipulation + operator misconduct
Requires two independent failures in distinct enforcement layers (application-layer validation and the allowlist gate).
Premature voluntary exit + watcher failure
Exit balance lands in a Running-phase vault. At or above 32 CTN, principal protection blocks Running claims. Below, rate limit and claim delay bound extraction.