Security Model
Security Model
Threat Model · Trust Assumptions · Attack Surface Analysis · Formal Verification
Security architecture documentation for engineers, auditors, institutional risk teams, regulatory counsel, and the Solana Foundation. This document defines what the platform trusts, what it defends against, and how each defense is mathematically or architecturally guaranteed across all three production modules — Equities, Real Estate, and CORECM (Carbon Ore, Rare Earth, and Critical Minerals).
The platform is operated by Groovy Company, Inc. The trading venue is CEDEX. The issuer-onboarding and qualified-custody anchor is Empire Stock Transfer.
Table of Contents
Security Philosophy
Trust Assumptions
Threat Model
Attack Surface Analysis
Module-Specific Threat Surfaces
Control-to-Threat Mapping
Key Management Architecture
Upgrade Security
Oracle Security
Economic Attack Analysis
Formal Verification
Beta Incident Post-Mortems
Incident Response
Bug Bounty Program
Responsible Disclosure
1. Security Philosophy
The platform's security architecture is based on a single principle: mathematical impossibility, not policy prohibition.
Policy can be circumvented. Governance votes can be manipulated. Administrator keys can be compromised. Legal agreements can be breached. Mathematical impossibility cannot be argued with — if a withdrawal function does not exist in the bytecode, no combination of keys, votes, or legal orders can execute it.
This principle drives every architectural decision:
Design DecisionPolicy ApproachPlatform Approach
Liquidity lock
Governance vote to lock
No withdrawal function in code — mathematically impossible
Compliance enforcement
Application-layer checks
Solana runtime-enforced Transfer Hook — no bypass path
Holding period
Contractual agreement
On-chain timer — Control 24 rejects until elapsed
Wallet limits
Terms of service
Transfer Hook rejects above 4.99% — every transfer, every path
Transfer Hook permanence
Administrator can disable
SPL Token-2022 stores hook in mint account — permanent
This same principle applies identically across all three modules. A real-estate token issued under Module 2 receives the same mathematical guarantees as an equity token under Module 1 or a basin asset under Module 3. There is no module that gets weaker security because of its asset class.
2. Trust Assumptions
Every security model has trust boundaries. The platform explicitly documents what it trusts and what it does not.
2.1 What the System Trusts
Trusted ComponentWhyFailure ConsequenceMitigation
Solana validator consensus
Proof of History plus Tower BFT with 2,000+ validators
Chain halt or reorg
Multi-client diversity (Agave plus Firedancer)
SPL Token-2022 runtime
Hook invocation is Solana-enforced
Hook bypass
Solana Labs-maintained; formally verified; multi-billion TVL
Empire Stock Transfer
SEC §17A registered transfer agent; custody attestation source; sole investor-onboarding authority
False attestation
Ed25519 signatures plus quarterly third-party audit plus 2-of-3 oracle consensus
Ed25519 cryptography
NIST-standardized signature algorithm
Signature forgery
Cryptographic standard — no known practical attack
Anchor framework
Smart-contract development framework
Framework vulnerability
Coral-maintained; widely audited; Solana ecosystem standard
2.2 What the System Does NOT Trust
Untrusted ComponentAttack VectorDefense
External DEXs (Raydium, Orca, Jupiter, Meteora)
Bypass Transfer Hook entirely
CEDEX is the only venue — tokens never leave platform infrastructure
Individual administrator key holders
Rogue key holder
5-of-9 multi-signature — no single key can execute
The platform itself
Insider threat, compromised administrator
Immutable Transfer Hook controls — the platform cannot weaken protections
Governance voters
Governance capture
The 42 controls are outside governance scope — hard-coded immutability
Oracle providers (Chainalysis, TRM Labs)
False risk scores
Dual-provider cross-validation — both must agree
Internet connectivity
Network partition, distributed denial of service
Fail-safe: oracle staleness triggers halt (custody) or degrade (AML/OFAC)
Users
Social engineering, compromised wallets
On-chain enforcement regardless of wallet behavior
Frontend applications
Spoofed UI, modified client
Transfer Hook enforced by Solana runtime — frontend is UX only
2.3 Trust Boundary Diagram
3. Threat Model
3.1 Threat Categories
CategoryExamplesSeverityPrimary Defense Layer
On-chain exploit
Smart-contract vulnerability, arithmetic overflow, reentrancy
Critical
Formal verification plus audit plus fuzz testing
Oracle manipulation
False custody attestation, stale OFAC data, AML score gaming, NAV oracle manipulation
Critical
Ed25519 signatures, dual-provider, staleness halts
Economic attack
Flash loan, sandwich attack, price manipulation, wash trading
High
Circuit breakers, TWAP, price-impact limits, Jito MEV protection
Key compromise
Administrator key theft, multi-signature collusion
High
5-of-9 geographic distribution, 24h timelock, governance supermajority
Infrastructure attack
RPC distributed denial of service, oracle network failure, Solana congestion
Medium
Helius dedicated cluster, Triton failover, fail-safe oracle design
Social engineering
Phishing, copycat tokens, impersonation
Medium
On-chain issuer verification, Empire onboarding gate, single verified venue
Regulatory action
SEC enforcement, OFAC emergency designation, export-control action (Module 3)
Low–Medium
Control 42 (immediate freeze), OFAC emergency push, compliance architecture
3.2 Threat Actor Profiles
ActorCapabilityMotivationPrimary Vectors
MEV bots
Mempool monitoring, Jito bundles, sandwich infrastructure
Profit extraction
Front-running, sandwich attacks, arbitrage
Sniper bots
Automated LP detection, priority-fee bidding
First-mover extraction
LP creation sniping, mempool monitoring
Coordinated dump groups
Multi-wallet infrastructure, timing coordination
Market manipulation
Cascade selling, wash trading
Nation-state actors
Advanced persistent threats, zero-day exploits
Sanctions evasion, financial warfare, strategic-mineral access
Proxy wallets, AML evasion, oracle manipulation, Module 3 export-control circumvention
Insider threats
Administrator access, key holder status
Financial gain, coercion
Key compromise, parameter manipulation
Copycat deployers
Token creation capability, social media access
Fraud
Name squatting, fake tokens, phishing
Real-estate-specific bad actors
Property-valuation manipulation, false appraisals
NAV gaming for arbitrage
Module 2 NAV oracle manipulation
4. Attack Surface Analysis
4.1 On-Chain Attack Surface
SurfaceAttackMitigationVerified By
CPMM arithmetic
Overflow/underflow in u64 multiplication
u128 checked arithmetic — all intermediates
Certora Prover (E.5)
Transfer Hook logic
Control bypass via unexpected account layout
CEI pattern enforcement (Controls 29–35) — account owner, size, type verified
Quantstamp plus Halborn audit
PDA derivation
PDA collision or substitution
Deterministic seeds with bump verification
Anchor framework standard
CPI reentrancy
Recursive call exploiting intermediate state
Solana runtime prevents CPI reentrancy by design
Solana architecture
Account confusion
Wrong account type passed as oracle
Account discriminator check (8-byte Anchor prefix)
Anchor framework
Mint authority
Unauthorized minting inflating supply
Mint authority disabled or held by multi-signature. Control 1 verifies supply ≤ custody on every transfer.
Certora Prover (E.1)
Global Pool extraction
Any instruction reducing pool balance
No withdrawal function exists. Immutable program (no upgrade authority).
Certora Prover (E.3)
Holding period bypass
Early unlock through governance or administrator
Holding period parameters are immutable — governance cannot shorten.
Hard-coded constants
Transfer Hook removal
Removing hook after mint creation
SPL Token-2022 standard — hook address permanently stored in mint account.
Solana runtime property
4.2 Oracle Attack Surface
SurfaceAttackMitigationFail-Safe
Custody oracle
False balance attestation
Ed25519 signature — Empire private key required
Reject ALL transfers (Error 6001)
Custody oracle
Stale attestation replayed
Slot plus timestamp in signed payload — stale rejected
Reject ALL transfers (Error 6002)
Custody oracle
Empire relay compromised
2-of-3 oracle consensus (primary plus backup plus quarterly audit)
Halt until consensus
OFAC oracle
Stale Specially Designated Nationals (SDN) list
Staleness threshold (24h cache / 48h halt)
Cache <24h; halt >48h
OFAC oracle
SDN list evasion via proxy wallet
Three-layer screening: exact plus fuzzy plus 2-hop clustering
Graph analysis catches proxy chains
AML oracle
Single-provider blind spot
Dual-provider (Chainalysis plus TRM Labs) — different ML models
Cache <6h
AML oracle
Score gaming (just below threshold)
0–30 approve / 31–70 review / 71–100 reject — manual review catches borderline
Enhanced review for 31–70
TWAP oracle
Price manipulation to trigger or avoid breaker
60-observation minimum plus 30-min window plus 3σ outlier rejection
Sustained manipulation required
NAV oracle (Module 2)
False appraisal feed for real-estate tokens
Independent licensed appraiser plus reappraisal cycle plus circuit breaker on NAV deviation
Trading halt outside reappraisal-defined bands
Export-control oracle (Module 3)
Stale or missing critical-minerals classification
USGS Critical Minerals List plus DOE Critical Materials Strategy data feeds
Enhanced review on classification ambiguity
EDGAR oracle
Tampered filing data
SEC-sourced via official RSS plus EFTS API — signed at source
Last batch; flagged stale in IDOS
4.3 Off-Chain Attack Surface
SurfaceAttackMitigation
CEDEX backend
Order matching manipulation
Pre-flight compliance check plus on-chain settlement atomicity — backend cannot alter on-chain outcome
RPC infrastructure
DDoS or degradation
Helius dedicated cluster plus Triton failover plus rate limiting (500 req/s)
WebSocket feeds
False market data
Market data is informational — all trades settle on-chain with Transfer Hook enforcement
API authentication
Stolen credentials
Empire wallet verification required — credentials alone insufficient without on-chain wallet
DNS / TLS
Domain hijacking
Certificate pinning plus HSTS plus DNSSEC
Key storage
HSM compromise
Ledger Enterprise HSM plus geographic distribution plus key rotation schedule
4.4 Social and Operational Attack Surface
SurfaceAttackMitigationBeta Evidence
Token impersonation
Copycat tokens on external platforms
Only Empire-verified issuers create ST22 tokens on CEDEX. Single verified venue.
19 copycats deployed across GRLF (6) and MSPC (13) — zero possible on CEDEX
Community confusion
"Which token is real?"
ST22 tokens require Empire custody deposit plus on-chain issuer verification
Direct beta observation — community flooded with support requests
Phishing
Fake CEDEX frontend
Domain verification, certificate pinning, official links only from rwatokens.net
—
Insider trading
Employee front-running issuer launches
Insider Trading Policy, restricted trading windows, compliance monitoring
—
5. Module-Specific Threat Surfaces
The same Solana foundation, the same Token-2022 standard, and the same 42-control Transfer Hook framework serve all three modules — but each module presents asset-class-specific threat surfaces that require dedicated defensive consideration.
5.1 Module 1 — Equities
Asset-class-specific threats:
ThreatDescriptionDefense
Issuer disclosure failure
Tokenized issuer fails to maintain SEC disclosure obligations
Empire onboarding requires current disclosure status; Control 38 (protective conversion) triggers on issuer distress
Rule 144 / Reg S evasion
Early resale before holding period elapses
Control 24 — on-chain HoldingPeriodAccount with jurisdiction-specific timer
Unregistered securities trading
Non-accredited investor receives Reg D security
Empire accreditation verification plus Controls 12–14 enforced on every transfer
Insider trading
Issuer insider trades on material non-public information
Insider Trading Policy plus blackout-window enforcement at the wallet level
Module 1 trust anchor: SEC Category 1 Model B architecture per SEC Release No. 33-11412, with Empire as registered transfer agent for the underlying Common Class B shares.
5.2 Module 2 — Real Estate
Asset-class-specific threats:
ThreatDescriptionDefense
NAV manipulation
False appraisal data inserted to enable arbitrage between NAV and on-chain price
Independent licensed appraiser per property; reappraisal cycle on defined cadence; circuit breaker (Control 21) on price-NAV deviation outside defined bands
Single-asset entity failure
The legal entity holding the underlying property defaults, files bankruptcy, or loses title
Control 38 protective conversion; jurisdictional title insurance; per-property due diligence
Property-specific encumbrances
Liens, easements, or transfer-tax obligations not disclosed at tokenization
Pre-issuance title search plus jurisdictional review plus Empire onboarding diligence
Geographic concentration risk
Multiple Module 2 issuances in one jurisdiction face correlated regulatory or environmental risk
Cross-property diligence; jurisdictional diversity tracking; portfolio-level circuit breakers
Reappraisal-cycle gaming
Bad actor accumulates position before favorable reappraisal, sells after
Position limits (Control 15) at 4.99% per wallet; reappraisal-window trading restrictions
Module 2 trust anchor: Independent licensed appraiser plus single-asset entity structure plus Empire as qualified custodian for backing collateral.
5.3 Module 3 — CORECM
Asset-class-specific threats:
ThreatDescriptionDefense
Export-control evasion
Sanctioned entity acquires position in strategic-mineral basin via proxy wallet
Three-layer OFAC screening (exact plus fuzzy plus 2-hop graph); Empire enhanced KYC for Module 3 issuances; Section 232 / Defense Production Act cross-reference
Federal action freeze
Basin asset becomes subject to federal action under DPA Title III, Section 232, or EO 14017
Control 42 (regulatory freeze) plus Permanent Delegate extension routed through Empire; coordination protocol with relevant federal agency
Basin-asset misclassification
Mineral classification differs from USGS Critical Minerals List or DOE Critical Materials Strategy
Pre-issuance classification verification plus periodic re-verification against authoritative federal lists
Geological-reserve overstatement
Basin proven-reserves figures inflated to support issuance
Independent geological survey plus periodic re-verification plus protective conversion (Control 38) on material misrepresentation
Carbon Ore / DOE program disqualification
Project loses eligibility for DOE coal-derived rare-earth element recovery program
Federal-program-status oracle; Control 38 trigger on disqualification
Module 3 trust anchor: USGS Critical Minerals List plus DOE Critical Materials Strategy plus issuer-level technical and regulatory diligence plus Empire as qualified custodian.
5.4 Cross-Module Threat Properties
What every module gets, regardless of asset class:
Identical Transfer Hook enforcement. Every transfer in every module triggers all 42 controls atomically.
Identical custody architecture. Empire Stock Transfer holds backing collateral for all three modules under the same §17A regulatory framework.
Identical settlement mechanics. All three modules settle with ~13-second finality on Solana via GENIUS Act-compliant stablecoin.
Cross-module isolation. Sealevel parallel execution prevents an attack on one module's mints from affecting trading or settlement in another module.
6. Control-to-Threat Mapping
Every Transfer Hook control maps to a specific threat it mitigates. The mapping applies across all three modules:
ThreatControlsError CodesDefense Mechanism
Unauthorized minting / supply inflation
1–6
6001, 6002
Ed25519 custody oracle: supply ≤ custodied shares on every transfer
Unverified investor trading
7–10
6002, 6003
Empire KYC/KYB whitelist gate on every transfer
Sanctioned entity trading
11–13, 30–34
6003–6007
Three-layer OFAC screening plus dual AML scoring per transfer
Whale accumulation
15–19
6004, 6020–6023
4.99% maximum per wallet plus velocity plus cross-wallet detection
Flash crash / cascade dump
20–23
6005, 6006
Circuit breaker: >10% in 5 min triggers halt; >2% single impact triggers block; volume-spike detection
Early resale (Rule 144 / Reg S)
24–29
6024
On-chain HoldingPeriodAccount with jurisdiction-specific timer
Issuer / asset distress
35–38
6008
Protective conversion triggers on bankruptcy, enforcement, loss of Empire (all modules); NAV-divergence threshold (Module 2); federal-action triggers (Module 3)
Regulatory emergency
42
6042
Immediate freeze — Legal Counsel plus 3-of-5 multi-signature
Audit trail integrity
39–40
—
Immutable on-chain compliance record plus hash-chain verification
Governance capture
41
6041
Parameters bounded by hard-coded ranges. The 42 controls are immutable.
7. Key Management Architecture
7.1 Multi-Signature Configuration
AuthorityThresholdTotal SignersGeographic DistributionUse
Transfer Hook upgrade
5-of-9
9
5+ jurisdictions
Program upgrade (24h timelock)
AMM upgrade
5-of-9
9
5+ jurisdictions
Program upgrade (24h timelock)
Oracle upgrade
5-of-9
9
5+ jurisdictions
Program upgrade (24h timelock)
Parameter adjustment
3-of-5
5
3+ jurisdictions
Fee, threshold, cooldown changes (48h timelock)
Emergency freeze
3-of-5 plus Legal Counsel
5 plus 1
—
Control 42 (immediate)
Governance
3-of-5
5
—
Proposal execution (48h timelock)
7.2 Key Storage
Key TypeStorageBackupRotation
Multi-signature signer keys
Ledger Enterprise HSM
Encrypted cold backup in geographically separate safe deposit
Annual or on personnel change
Empire attestation key
Empire internal HSM
Empire custody infrastructure
Empire-managed per §17A requirements
Oracle relay keys
AWS KMS (EKS service)
Cross-region replica
Quarterly
Deployer key
Ledger hardware wallet
Cold backup
Disabled post-deployment (single-use)
7.3 Key Compromise Scenarios
ScenarioImpactMitigationRecovery
1 of 9 signer key stolen
None — below threshold
Attacker cannot execute. Compromised key immediately rotated.
Rotate key. Notify other signers.
2 of 9 signer keys stolen
None — below threshold
Same.
Rotate both. Review physical security.
4 of 9 signer keys stolen
None — below threshold
5-of-9 required.
Emergency rotation of all 9 keys via governance proposal.
5 of 9 signer keys stolen
Critical — attacker can upgrade programs
24h timelock visible on-chain. Remaining 4 signers or community can alert.
Cancel pending upgrade during timelock. Emergency governance response. Rotate all keys.
Empire attestation key stolen
False custody attestation
Quarterly audit detects discrepancy. Backup oracle cross-reference.
Empire revokes key. New key registered on-chain.
Oracle relay key stolen
Stale or false oracle data injection
Signed payloads include slot — stale payloads rejected. 2-of-3 consensus catches mismatch.
Rotate relay key. Oracle continues via backup.
7.4 Key Rotation Protocol
8. Upgrade Security
8.1 Transfer Hook Upgrade Process
The Transfer Hook is the most security-sensitive program. Upgrades follow the most restrictive protocol:
8.2 What Upgrades CANNOT Do
Prohibited ActionEnforcement Mechanism
Remove any of the 42 controls
Certora re-verification rejects — invariant E.4 violated
Lower holding period below statutory minimum
Hard-coded constants — not in adjustable parameter space
Add withdrawal to Global Pool
Pool program is immutable — no upgrade authority exists
Remove Transfer Hook from existing mints
SPL Token-2022 standard — hook address permanent in mint account
Bypass multi-signature requirement
Multi-signature enforced at Solana program level — not application logic
8.3 Immutable Programs
ProgramUpgrade AuthorityImplication
Liquidity-pool program
None
Cannot be upgraded. Ever. By anyone. This is the Global Pool permanence guarantee.
9. Oracle Security
9.1 Asymmetric Fail-Safe Design
Oracle failures are not treated equally. The consequence of each failure determines the response severity:
OracleFailure ModeRisk of ContinuingFail-Safe Response
Custody
Stale attestation
Catastrophic — trading without verified backing
Reject ALL transfers (Error 6001/6002)
OFAC
Stale SDN list
High — potential sanctions violation
Cache <24h. Halt ALL transfers >48h stale.
AML
Stale risk score
Medium — elevated compliance risk
Cache <6h. Flag stale for manual review.
TWAP
No price feed
Medium — circuit breaker disabled
Use last confirmed price. Disable breaker >5 min.
NAV (Module 2)
Reappraisal feed delayed
Medium — pricing band uncertainty
Trading paused until reappraisal feed restored
EDGAR
Feed delay
Low — delayed intelligence
Continue with last batch. Flag stale in IDOS.
The custody oracle has the strictest fail-safe because a custody discrepancy threatens the 1:1 backing guarantee — the foundational property of every ST22 token across every module. A stale AML score is a manageable risk. A wrong custody count is an existential threat.
9.2 Oracle Consensus Model
9.3 Ed25519 Attestation Security
PropertyImplementation
Signature algorithm
Ed25519 (EdDSA on Curve25519) — NIST-standardized
Key registration
Empire public key registered on-chain at oracle initialization
Payload structure
mint (32B) + common_b_balance (8B) + token_supply (8B) + slot (8B) + timestamp (8B) = 64 bytes
Replay prevention
Slot number in payload — attestation for past slots rejected
Verification
Solana Ed25519 precompile — verified in same transaction as Transfer Hook
Key rotation
Empire-managed. New key registered on-chain via multi-signature. Old key deauthorized.
9.4 Oracle Security Properties
PropertyMechanism
Single-oracle compromise resistance
2-of-3 consensus required for approval decisions
Replay attack prevention
Ed25519 signatures include slot plus timestamp — stale rejected
Price manipulation resistance
TWAP (30-min window) plus 60-observation minimum plus 3σ outlier rejection
SDN evasion resistance
Three-layer screening: exact address plus fuzzy entity plus 2-hop graph clustering
AML score gaming
Dual-provider (Chainalysis plus TRM Labs) — different ML models and training data
NAV oracle integrity (Module 2)
Independent licensed appraiser plus reappraisal-cycle enforcement plus on-chain price-NAV deviation circuit breaker
Federal-classification integrity (Module 3)
USGS plus DOE feed cross-reference plus quarterly re-verification
10. Economic Attack Analysis
10.1 Flash Loan Attack
Attack: Borrow massive capital in a single block, manipulate price, extract profit, repay loan — all atomically.
Why it fails on CEDEX:
DefenseMechanismControl
Price impact limit
>2% single-trade impact triggers block
Control 21 (Error 6021)
Volume halt
>30% daily sell per wallet triggers 24h halt
Control 23 (Error 6037)
TWAP deviation
Requires sustained manipulation across 60 observations / 30 minutes
Control 20
Circuit breaker
>10% price move in 5 min triggers 15-min halt
Control 20 (Error 6005)
Flash loans require large single-block execution. The 2% price-impact limit makes the profit margin insufficient after accounting for fees (5%) and slippage. The attack is economically irrational across all three modules.
10.2 Sandwich Attack
Attack: Bot detects pending trade, places buy before and sell after to extract MEV from price movement.
Why it fails on CEDEX:
DefenseMechanism
Jito Block Engine
Private transaction submission — trades not visible in mempool
Price impact limit
2% maximum per trade — sandwich profit margin compressed below fee cost
Fallback (no Jito)
CEDEX displays degraded MEV protection banner. Fair-sequencing by commit time.
10.3 Coordinated Dump
Attack: Multiple wallets coordinate to sell simultaneously, crashing price for community.
Why it fails on CEDEX:
DefenseMechanismControl
Wallet limit
Maximum 4.99% per wallet — limits individual selling pressure
15
Volume halt
>30% daily sell per wallet triggers halt
23
Circuit breaker
>10% price move in 5 min triggers 15-min halt
20
Cross-wallet detection
Behavioral clustering identifies coordinated wallets
18
Beta evidence (GROO): 1,000+ sniper bots used 200+ wallets to circumvent the 4.99% limit on Raydium. On CEDEX, Control 15 enforces 4.99% per wallet on every transfer at the Solana runtime level — multi-wallet strategies cannot bypass because the hook executes on every path.
10.4 Wash Trading
Attack: Self-trading to inflate volume metrics and attract investors.
Why it fails on CEDEX:
DefenseMechanismControl
Self-transfer block
sender == receiver triggers Error 6015
CEI
5% fee
Every trade costs 5% — wash trading has real cost
Fee architecture
Timing correlation
Same-wallet buy-sell within window flagged
Analytics
Amount correlation
Matching amounts across wallets flagged
Analytics
10.5 Rugpull
Attack: Issuer or LP provider withdraws liquidity, leaving token worthless.
Why it is mathematically impossible on CEDEX:
DefenseMechanism
LP burned
LP tokens burned at Global Pool initialization. No withdrawal function exists.
Immutable pool program
Liquidity-pool program has no upgrade authority — cannot add withdrawal.
Formal verification
Certora Prover invariant E.3: no instruction can reduce Global Pool balance.
Per-issuer isolation
Issuers do not control pool capital. Pool is protocol-owned.
10.6 NAV Arbitrage (Module 2-Specific)
Attack: Bad actor manipulates appraisal data to create arbitrage between on-chain price and "true" NAV.
Why it fails on CEDEX:
DefenseMechanism
Independent appraiser
Each property has a licensed appraiser; the platform does not control appraisal
Reappraisal cycle
Defined cadence — appraisals do not move continuously, removing high-frequency manipulation incentive
Circuit breaker on deviation
Control 21 halts trading when on-chain price diverges from appraised band
Position limits
4.99% maximum per wallet limits accumulation ahead of reappraisal
10.7 Federal-Action Position-Building (Module 3-Specific)
Attack: Bad actor anticipates federal regulatory action on a basin asset (DPA Title III, Section 232, EO 14017) and accumulates position before broader market awareness.
Why it fails on CEDEX:
DefenseMechanism
Position limits
4.99% maximum per wallet limits pre-action accumulation
Cross-wallet detection
Coordinated multi-wallet strategies flagged via behavioral clustering
Federal-action freeze
Once federal action occurs, Control 42 freezes the affected mint immediately
Insider trading policy
Platform personnel and counterparties prohibited from trading on material non-public information
11. Formal Verification
Six invariants verified via Certora Prover symbolic execution. Each invariant provides a mathematical proof — not a test result — that a critical property holds under ALL possible execution conditions.
11.1 Invariant Registry
IDPropertyFormal StatementImplication
E.1
No Unauthorized Minting
∀ s→s': mint_to ⟹ custody_oracle(s').common_b ≥ s'.supply ∧ Ed25519.valid
Supply cannot increase without verified Empire custody deposit
E.2
Custody Ratio
∀ s, t: t executes ⟹ s.custody.common_b ≥ s.supply ∧ s.custody.slot ≥ current - 1
Every transfer has verified 1:1 backing at execution time
E.3
Pool Non-Extractability
¬∃ i: execute(i, s) → s' where s'.pool_balance < s.pool_balance
No instruction can reduce Global Pool balance. Withdrawal impossible.
E.4
Hook Completeness
∀ t on hook-mint: Token2022.transfer(t) ⟹ hook(t) invoked ∧ (hook = Err ⟹ revert)
Every transfer triggers hook. Rejection causes atomic revert.
E.5
Fee Accuracy
`∀ swap s:
actual_fee - (a × 500/10000)
E.6
Circuit Breaker Correctness
∀ t: (impact > θ) ⟺ rejected
Breaker activates if and only if threshold exceeded. No false positives or negatives.
11.2 Verification Scope
ProgramCertoraQuantstampHalbornOtterSec
Transfer Hook program
6 invariants
Full audit
Full audit
—
AMM program
E.5 (fee)
—
—
Full audit
Liquidity Pool program
E.3 (non-extract)
—
—
—
Governance program
—
—
Full audit
—
Oracle Aggregator program
—
Full audit
—
—
12. Beta Incident Post-Mortems
Three beta deployments on Solana Mainnet provided empirical validation of every security assumption. The attacks were real, measured, and on-chain.
12.1 GROO — Sniper Attack (October 2025)
MetricValue
Peak market cap
$6,000,000
Post-attack market cap
$250,000 (-95.8%)
Time to collapse
<2 hours
Estimated bots
~1,000+ wallets
Value extracted
~$5,750,000
Root cause: Token traded on Raydium (external DEX). Raydium calls the original SPL Token Program — Transfer Hook never invoked. All 42 controls bypassed.
Attack vectors confirmed: Mempool sniping (~300 bots), front-running (~400), sandwich attacks (~200), Jito bundle attacks (~100).
Architectural response: Built custom AMM and CEDEX. ST22 tokens never leave platform infrastructure. All trades execute through Transfer Hook.
12.2 GRLF — Bot Dominance plus Copycats (December 2025)
MetricValue
Price collapse
-93.69%
Bot share of activity
85% (34 of 40 post-launch transactions)
Human share
15% (6 transactions)
Copycat tokens
6 across Pump.fun, Raydium, Moonshot
Unauthorized LP
Created by third-party bot 54 min after mint
Root cause: Same as GROO — external DEX bypass. Additional finding: unauthorized LP creation by adversary bots.
Architectural response: Protocol-controlled pool creation (only the platform can initialize CEDEX pools). Empire onboarding required for token creation — copycat deployment structurally impossible.
12.3 MSPC — Infrastructure Bottleneck (November 2025)
MetricValue
Copycat tokens
13 across external platforms
RPC bottleneck
50 sendTx/sec exceeded — cooldown bypassed
Transactions beyond limit
Processed without security controls
Root cause: Helius RPC tier (200 req/sec, 50 sendTx/sec) insufficient for launch volume. Bots consumed RPC capacity, legitimate users saw failures.
Architectural response: Dedicated Helius cluster (500+ req/sec) plus Triton failover plus transaction queuing.
12.4 Beta Summary
FindingConfirmed AcrossArchitectural Response
External DEXs bypass ALL 42 controls
GROO, GRLF, MSPC
CEDEX-only venue. Custom AMM with native Token-2022 support.
85% of activity is automated bots
GRLF
Jito MEV protection, circuit breakers, commit-reveal
Unauthorized LP creation by bots
GRLF
Protocol-controlled pool initialization
19 copycat tokens across 3 launches
GRLF (6), MSPC (13)
Empire-verified issuers only. On-chain issuer verification.
RPC capacity limits enable bypass
MSPC
Dedicated Helius cluster plus Triton failover
Contract-level controls survive external DEX
All three
Confirms: liquidity lock plus vesting work everywhere. Hook-dependent controls require CEDEX.
13. Incident Response
13.1 Severity Classification
SeverityDefinitionResponse SLAEscalation
P0 — Active Exploit
Funds at risk, control bypass confirmed, custody discrepancy
15 minutes
CTO plus Legal Counsel plus all multi-signature holders
P1 — Service Degradation
Oracle stale, CEDEX latency >10s, RPC failover triggered
1 hour
CTO plus DevOps lead
P2 — Partial Failure
Single oracle degraded (cached serving), non-critical feature unavailable
4 hours
On-call engineer
P3 — Monitoring Alert
Threshold warning, unusual pattern, non-exploitable anomaly
24 hours
On-call engineer
13.2 P0 Response Procedure
13.3 Communication Protocol
AudienceChannelTiming
Multi-signature holders
Encrypted channel (Signal)
Immediate on P0/P1
Empire Stock Transfer
Dedicated compliance hotline
15-min SLA on P0
Institutional investors
Direct notification via CEDEX portal
Within 1 hour of confirmed P0
Public / community
Status page plus social media
After containment (not during active response)
SEC / regulators
Formal notification if SAR threshold met
Per 31 C.F.R. §1020.320 requirements
14. Bug Bounty Program
14.1 Scope
In ScopeOut of Scope
Transfer Hook program — all 42 controls
Third-party dependencies (Solana, Anchor, Token-2022)
AMM program — CPMM logic, fee routing
Social engineering attacks
Liquidity-pool program — extraction attempts
Denial of service (volumetric)
Oracle aggregator program — attestation verification
Frontend / UI issues
Governance program — proposal execution
Known issues already in remediation
CEDEX API — authentication, authorization
Rate-limiting behavior
14.2 Rewards
SeverityImpactReward
Critical
Fund extraction, control bypass, supply inflation, Global Pool drainage
Up to $100,000
High
Oracle manipulation, key compromise path, fee bypass, holding-period bypass
Up to $25,000
Medium
Information leak, partial control degradation, non-exploitable logic error
Up to $5,000
Low
UX issue with security implications, documentation inconsistency
Up to $1,000
14.3 Priority Targets
Highest-reward vulnerabilities that would represent fundamental security failures:
TargetImpactMaximum Reward
CPMM invariant violation (k decreases)
Fund extraction via swap manipulation
$100,000
Transfer Hook bypass on CEDEX
Any transfer without 42-control validation
$100,000
Global Pool balance reduction
Any instruction that reduces pool capital
$100,000
Custody oracle signature forgery
False attestation without Empire key
$100,000
NAV oracle manipulation (Module 2)
Trading based on false appraisal data
$50,000
Federal-classification oracle bypass (Module 3)
Trading of misclassified basin asset
$50,000
Fee routing bypass
Trade without 5% fee collection
$50,000
Holding-period early unlock
Transfer before Rule 144 / Reg S elapsed
$50,000
Circuit breaker bypass
Trade exceeding 2% impact without rejection
$25,000
15. Responsible Disclosure
15.1 Reporting
ChannelContact
security@rwatokens.net
Encrypted
PGP key published at rwatokens.net/security/pgp
Response SLA
Acknowledgment within 24 hours. Triage within 72 hours.
15.2 Disclosure Policy
Embargo period: 90 days from report acknowledgment before public disclosure.
Coordination: Reporter and the platform agree on disclosure timeline.
Credit: Reporter credited in security advisory (unless anonymity requested).
Safe harbor: Good-faith security research conducted within scope will not result in legal action.
15.3 What to Include in a Report
Related Documentation
Solana Blockchain Foundation — Why Solana, Token-2022, Transfer Hook, module-specific foundations
Architecture Decisions — ADR-001 through ADR-012 with full alternatives analysis
Smart Contract Reference — Program instructions, accounts, error codes
SDK Reference — Error handling and recovery patterns
Empire Stock Transfer Integration — Custody attestation, onboarding, regulatory-freeze workflow
Compliance Integration Guide — How module-specific issuances configure the 42 controls
Incident Response Playbook — Detailed P0 / P1 / P2 / P3 procedures
Whitepaper — Full technical specification referenced throughout
RWA Tokens · Security Model · Groovy Company, Inc.
Last updated
Was this helpful?