Security Model
Authority boundaries, key invariants, BYO token signals, and emergency controls.
Security Boundaries
Program Authority Gating
Protocol-admin instructions (fee updates, emergency operations) are gated behind the protocol authority signer. No other account can invoke these paths.
Sovereign PDA Authority
Each sovereign's PDA signs CPI calls to the engine program. The engine only accepts calls from the liquidity program's derived authority — direct engine access is blocked.
State Machine Guards
Every lifecycle instruction checks the current SovereignStatus before executing. Invalid state transitions are rejected at the constraint level.
The protocol authority is currently a single cold-wallet keypair held offline. All admin and emergency operations require this key to sign. A multisig upgrade is planned as the protocol matures.
Key Invariants
These invariants are enforced on-chain and must hold at all times during normal operation.
| Invariant | Mechanism |
|---|---|
| Engine solvency floor | gor_reserve >= initial_gor_reserve in normal trading. Sell pricing uses locked rates so reserves can never go below the initial bond. |
| No double-claim | Position and account claim flags are set atomically on claim. Attempting a second claim fails at the constraint level. |
| No duplicate voting | VoteRecord PDAs are derived from (proposal, voter). Creating a second vote for the same proposal is blocked by PDA uniqueness. |
| Strict PDA derivation | All accounts use deterministic seeds from constants.rs. Address mismatches are caught by Anchor constraint checks. |
BYO Token Authority Signals
When a creator launches a BYO Token sovereign, the protocol records two advisory flags:
- byo_mint_authority_active — mint authority is not revoked
- byo_freeze_authority_active — freeze authority is not revoked

These flags are advisory only — they do not block launch. Clients should surface appropriate warnings to users when these are active.
Emergency Controls
The protocol authority has four escalation levels for incident response.
Protocol Pause
Global boolean flag on the protocol state account. When active, blocks new sovereign creation, deposits, and withdrawals. Does not affect existing swaps or claims. Reversible — authority can unpause at any time.
Sovereign Halt
Transitions a specific sovereign to Halted from any non-terminal state. Unlocks emergency withdrawal paths for all LPs and the creator. Starts the 30-day retirement clock. Not reversible — Halted is terminal.
Engine Pause / Drain
Two independent operations on the engine pool:
- Pause/Unpause: Toggles the pool between Trading and Paused status. Blocks all swaps while paused. Reversible.
- Emergency Drain: Requires sovereign to be Halted first. Drains all GOR and tokens from the engine pool back to the sovereign vaults. One-time, irreversible — sets pool to Unwound.
Redemption Windows
Two time-bounded windows that open when a sovereign reaches a terminal state:
- Token redemption (30 days): TokenLaunch token holders can redeem tokens for their pro-rata share of the surplus GOR pool. BYO sovereigns have no redemption window.
- Retirement claim (30 days): After the claim window closes, any participant can retire the sovereign and close all accounts.
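The following is an added example, not code from the protocol itself: a plain-Rust model of the state machine guards and the emergency escalation levels described on this page (authority gating, protocol pause, sovereign halt, engine pause/drain, and the 30-day retirement clock). It is deliberately free of Anchor so it runs stand-alone; the real program's account types, seeds, constraint macros and error codes are not shown. The non-terminal status name Active, the Pubkey stand-in, the error names, and measuring the retirement clock from the halt timestamp are assumptions for illustration only.

```rust
// Added example (not the project's code). Models the guards on this page in
// plain Rust; names marked "assumed" are placeholders, not the program's own.

const RETIREMENT_SECS: i64 = 30 * 24 * 60 * 60; // 30-day retirement clock

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SovereignStatus {
    Active, // assumed name for the non-terminal lifecycle state(s)
    Halted, // terminal: can never be left once entered
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PoolStatus {
    Trading,
    Paused,  // reversible via pause/unpause
    Unwound, // set by emergency drain; irreversible
}

#[derive(Debug, PartialEq, Eq)]
pub enum GuardError { // assumed error names
    Unauthorized,
    ProtocolPaused,
    WrongSovereignStatus,
    WrongPoolStatus,
    RetirementClockRunning,
}

pub type Pubkey = [u8; 32]; // stand-in for the chain's public key type

pub struct ProtocolState { pub authority: Pubkey, pub paused: bool }

pub struct Sovereign {
    pub status: SovereignStatus,
    pub pool: PoolStatus,
    pub halted_at: Option<i64>, // unix time at which the retirement clock started
}

// Program authority gating: every admin/emergency path starts here.
fn require_authority(p: &ProtocolState, signer: &Pubkey) -> Result<(), GuardError> {
    if &p.authority == signer { Ok(()) } else { Err(GuardError::Unauthorized) }
}

/// Protocol pause: authority-only, reversible in either direction.
pub fn set_protocol_paused(p: &mut ProtocolState, signer: &Pubkey, paused: bool) -> Result<(), GuardError> {
    require_authority(p, signer)?;
    p.paused = paused;
    Ok(())
}

/// A lifecycle instruction: blocked by the protocol pause and by a wrong SovereignStatus.
pub fn deposit(p: &ProtocolState, s: &Sovereign) -> Result<(), GuardError> {
    if p.paused { return Err(GuardError::ProtocolPaused); }
    if s.status != SovereignStatus::Active { return Err(GuardError::WrongSovereignStatus); }
    Ok(())
}

/// Swaps are unaffected by the protocol pause but need the engine pool in Trading.
pub fn swap(s: &Sovereign) -> Result<(), GuardError> {
    if s.pool != PoolStatus::Trading { return Err(GuardError::WrongPoolStatus); }
    Ok(())
}

/// Engine pause/unpause: toggles Trading <-> Paused only; an Unwound pool stays Unwound.
pub fn set_pool_paused(p: &ProtocolState, s: &mut Sovereign, signer: &Pubkey, paused: bool) -> Result<(), GuardError> {
    require_authority(p, signer)?;
    if s.pool == PoolStatus::Unwound { return Err(GuardError::WrongPoolStatus); }
    s.pool = if paused { PoolStatus::Paused } else { PoolStatus::Trading };
    Ok(())
}

/// Sovereign halt: from any non-terminal state, irreversible, starts the 30-day clock.
pub fn halt_sovereign(p: &ProtocolState, s: &mut Sovereign, signer: &Pubkey, now: i64) -> Result<(), GuardError> {
    require_authority(p, signer)?;
    if s.status == SovereignStatus::Halted { return Err(GuardError::WrongSovereignStatus); }
    s.status = SovereignStatus::Halted;
    s.halted_at = Some(now);
    Ok(())
}

/// Emergency drain: requires Halted first, one-time, leaves the pool Unwound.
pub fn emergency_drain(p: &ProtocolState, s: &mut Sovereign, signer: &Pubkey) -> Result<(), GuardError> {
    require_authority(p, signer)?;
    if s.status != SovereignStatus::Halted { return Err(GuardError::WrongSovereignStatus); }
    if s.pool == PoolStatus::Unwound { return Err(GuardError::WrongPoolStatus); }
    s.pool = PoolStatus::Unwound;
    Ok(())
}

/// Retirement: any participant, once 30 days have elapsed since the halt (no authority check).
pub fn retire(s: &Sovereign, now: i64) -> Result<(), GuardError> {
    match (s.status, s.halted_at) {
        (SovereignStatus::Halted, Some(t)) if now >= t + RETIREMENT_SECS => Ok(()),
        (SovereignStatus::Halted, Some(_)) => Err(GuardError::RetirementClockRunning),
        _ => Err(GuardError::WrongSovereignStatus),
    }
}
```

The design point to notice is that each operation checks the authority and the current status before mutating anything, and that the two irreversible transitions (Halted, Unwound) are enforced by refusing the reverse edge rather than by convention: once a sovereign is Halted, halt_sovereign rejects a second halt, set_pool_paused refuses to touch an Unwound pool, and emergency_drain can only run once.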