# Security Model

### Security Model <a href="#security-model" id="security-model"></a>

**Threat Model · Trust Assumptions · Attack Surface Analysis · Formal Verification**

Security architecture documentation for engineers, auditors, institutional risk teams, regulatory counsel, and the Solana Foundation. This document defines what the platform trusts, what it defends against, and how each defense is mathematically or architecturally guaranteed across all three production modules — Equities, Real Estate, and CORECM (Carbon Ore, Rare Earth, and Critical Minerals).

The platform is operated by Groovy Company, Inc. The trading venue is CEDEX. The issuer-onboarding and qualified-custody anchor is Empire Stock Transfer.

***

#### Table of Contents <a href="#table-of-contents" id="table-of-contents"></a>

1. ​Security Philosophy​
2. ​Trust Assumptions​
3. ​Threat Model​
4. ​Attack Surface Analysis​
5. ​Module-Specific Threat Surfaces​
6. ​Control-to-Threat Mapping​
7. ​Key Management Architecture​
8. ​Upgrade Security​
9. ​Oracle Security​
10. ​Economic Attack Analysis​
11. ​Formal Verification​
12. ​Beta Incident Post-Mortems​
13. ​Incident Response​
14. ​Bug Bounty Program​
15. ​Responsible Disclosure​

***

#### 1. Security Philosophy <a href="#id-1.-security-philosophy" id="id-1.-security-philosophy"></a>

The platform's security architecture is based on a single principle: **mathematical impossibility, not policy prohibition.**

Policy can be circumvented. Governance votes can be manipulated. Administrator keys can be compromised. Legal agreements can be breached. Mathematical impossibility cannot be argued with — if a withdrawal function does not exist in the bytecode, no combination of keys, votes, or legal orders can execute it.

This principle drives every architectural decision:

Design DecisionPolicy ApproachPlatform Approach

Liquidity lock

Governance vote to lock

No withdrawal function in code — mathematically impossible

Compliance enforcement

Application-layer checks

Solana runtime-enforced Transfer Hook — no bypass path

Holding period

Contractual agreement

On-chain timer — Control 24 rejects until elapsed

Wallet limits

Terms of service

Transfer Hook rejects above 4.99% — every transfer, every path

Transfer Hook permanence

Administrator can disable

SPL Token-2022 stores hook in mint account — permanent

This same principle applies identically across all three modules. A real-estate token issued under Module 2 receives the same mathematical guarantees as an equity token under Module 1 or a basin asset under Module 3. There is no module that gets weaker security because of its asset class.

***

#### 2. Trust Assumptions <a href="#id-2.-trust-assumptions" id="id-2.-trust-assumptions"></a>

Every security model has trust boundaries. The platform explicitly documents what it trusts and what it does not.

**2.1 What the System Trusts**

Trusted ComponentWhyFailure ConsequenceMitigation

**Solana validator consensus**

Proof of History plus Tower BFT with 2,000+ validators

Chain halt or reorg

Multi-client diversity (Agave plus Firedancer)

**SPL Token-2022 runtime**

Hook invocation is Solana-enforced

Hook bypass

Solana Labs-maintained; formally verified; multi-billion TVL

**Empire Stock Transfer**

SEC §17A registered transfer agent; custody attestation source; sole investor-onboarding authority

False attestation

Ed25519 signatures plus quarterly third-party audit plus 2-of-3 oracle consensus

**Ed25519 cryptography**

NIST-standardized signature algorithm

Signature forgery

Cryptographic standard — no known practical attack

**Anchor framework**

Smart-contract development framework

Framework vulnerability

Coral-maintained; widely audited; Solana ecosystem standard

**2.2 What the System Does NOT Trust**

Untrusted ComponentAttack VectorDefense

**External DEXs** (Raydium, Orca, Jupiter, Meteora)

Bypass Transfer Hook entirely

CEDEX is the only venue — tokens never leave platform infrastructure

**Individual administrator key holders**

Rogue key holder

5-of-9 multi-signature — no single key can execute

**The platform itself**

Insider threat, compromised administrator

Immutable Transfer Hook controls — the platform cannot weaken protections

**Governance voters**

Governance capture

The 42 controls are outside governance scope — hard-coded immutability

**Oracle providers** (Chainalysis, TRM Labs)

False risk scores

Dual-provider cross-validation — both must agree

**Internet connectivity**

Network partition, distributed denial of service

Fail-safe: oracle staleness triggers halt (custody) or degrade (AML/OFAC)

**Users**

Social engineering, compromised wallets

On-chain enforcement regardless of wallet behavior

**Frontend applications**

Spoofed UI, modified client

Transfer Hook enforced by Solana runtime — frontend is UX only

**2.3 Trust Boundary Diagram**

<a class="button secondary">Copy</a>

```
TRUSTED                              UNTRUSTED
─────────────────────────────────────────────────────
Solana Runtime                    │  External DEXs
  ├─ Token-2022 program           │  User frontends
  ├─ Transfer Hook invocation     │  Third-party wallets
  ├─ Ed25519 precompile           │  Raw CLI transactions
  └─ Consensus (PoH + Tower BFT)  │  Governance voters
                                  │  Individual key holders
Empire Stock Transfer             │  Oracle network (partial)
  ├─ Custody balance              │    ├─ Single provider failure
  ├─ Ed25519 attestation          │    └─ Network latency
  ├─ §17A regulatory obligations  │
  └─ Sole onboarding authority    │  Platform team
                                  │    ├─ Cannot weaken 42 controls
On-Chain Programs                 │    ├─ Cannot extract from Global Pool
  ├─ Immutable Transfer Hook      │    └─ Cannot shorten holding periods
  ├─ Immutable Liquidity Pool     │
  └─ Certora-verified invariants  │
```

***

#### 3. Threat Model <a href="#id-3.-threat-model" id="id-3.-threat-model"></a>

**3.1 Threat Categories**

CategoryExamplesSeverityPrimary Defense Layer

**On-chain exploit**

Smart-contract vulnerability, arithmetic overflow, reentrancy

Critical

Formal verification plus audit plus fuzz testing

**Oracle manipulation**

False custody attestation, stale OFAC data, AML score gaming, NAV oracle manipulation

Critical

Ed25519 signatures, dual-provider, staleness halts

**Economic attack**

Flash loan, sandwich attack, price manipulation, wash trading

High

Circuit breakers, TWAP, price-impact limits, Jito MEV protection

**Key compromise**

Administrator key theft, multi-signature collusion

High

5-of-9 geographic distribution, 24h timelock, governance supermajority

**Infrastructure attack**

RPC distributed denial of service, oracle network failure, Solana congestion

Medium

Helius dedicated cluster, Triton failover, fail-safe oracle design

**Social engineering**

Phishing, copycat tokens, impersonation

Medium

On-chain issuer verification, Empire onboarding gate, single verified venue

**Regulatory action**

SEC enforcement, OFAC emergency designation, export-control action (Module 3)

Low–Medium

Control 42 (immediate freeze), OFAC emergency push, compliance architecture

**3.2 Threat Actor Profiles**

ActorCapabilityMotivationPrimary Vectors

**MEV bots**

Mempool monitoring, Jito bundles, sandwich infrastructure

Profit extraction

Front-running, sandwich attacks, arbitrage

**Sniper bots**

Automated LP detection, priority-fee bidding

First-mover extraction

LP creation sniping, mempool monitoring

**Coordinated dump groups**

Multi-wallet infrastructure, timing coordination

Market manipulation

Cascade selling, wash trading

**Nation-state actors**

Advanced persistent threats, zero-day exploits

Sanctions evasion, financial warfare, strategic-mineral access

Proxy wallets, AML evasion, oracle manipulation, Module 3 export-control circumvention

**Insider threats**

Administrator access, key holder status

Financial gain, coercion

Key compromise, parameter manipulation

**Copycat deployers**

Token creation capability, social media access

Fraud

Name squatting, fake tokens, phishing

**Real-estate-specific bad actors**

Property-valuation manipulation, false appraisals

NAV gaming for arbitrage

Module 2 NAV oracle manipulation

***

#### 4. Attack Surface Analysis <a href="#id-4.-attack-surface-analysis" id="id-4.-attack-surface-analysis"></a>

**4.1 On-Chain Attack Surface**

SurfaceAttackMitigationVerified By

CPMM arithmetic

Overflow/underflow in u64 multiplication

u128 checked arithmetic — all intermediates

Certora Prover (E.5)

Transfer Hook logic

Control bypass via unexpected account layout

CEI pattern enforcement (Controls 29–35) — account owner, size, type verified

Quantstamp plus Halborn audit

PDA derivation

PDA collision or substitution

Deterministic seeds with bump verification

Anchor framework standard

CPI reentrancy

Recursive call exploiting intermediate state

Solana runtime prevents CPI reentrancy by design

Solana architecture

Account confusion

Wrong account type passed as oracle

Account discriminator check (8-byte Anchor prefix)

Anchor framework

Mint authority

Unauthorized minting inflating supply

Mint authority disabled or held by multi-signature. Control 1 verifies supply ≤ custody on every transfer.

Certora Prover (E.1)

Global Pool extraction

Any instruction reducing pool balance

No withdrawal function exists. Immutable program (no upgrade authority).

Certora Prover (E.3)

Holding period bypass

Early unlock through governance or administrator

Holding period parameters are immutable — governance cannot shorten.

Hard-coded constants

Transfer Hook removal

Removing hook after mint creation

SPL Token-2022 standard — hook address permanently stored in mint account.

Solana runtime property

**4.2 Oracle Attack Surface**

SurfaceAttackMitigationFail-Safe

Custody oracle

False balance attestation

Ed25519 signature — Empire private key required

Reject ALL transfers (Error 6001)

Custody oracle

Stale attestation replayed

Slot plus timestamp in signed payload — stale rejected

Reject ALL transfers (Error 6002)

Custody oracle

Empire relay compromised

2-of-3 oracle consensus (primary plus backup plus quarterly audit)

Halt until consensus

OFAC oracle

Stale Specially Designated Nationals (SDN) list

Staleness threshold (24h cache / 48h halt)

Cache <24h; halt >48h

OFAC oracle

SDN list evasion via proxy wallet

Three-layer screening: exact plus fuzzy plus 2-hop clustering

Graph analysis catches proxy chains

AML oracle

Single-provider blind spot

Dual-provider (Chainalysis plus TRM Labs) — different ML models

Cache <6h

AML oracle

Score gaming (just below threshold)

0–30 approve / 31–70 review / 71–100 reject — manual review catches borderline

Enhanced review for 31–70

TWAP oracle

Price manipulation to trigger or avoid breaker

60-observation minimum plus 30-min window plus 3σ outlier rejection

Sustained manipulation required

**NAV oracle (Module 2)**

False appraisal feed for real-estate tokens

Independent licensed appraiser plus reappraisal cycle plus circuit breaker on NAV deviation

Trading halt outside reappraisal-defined bands

**Export-control oracle (Module 3)**

Stale or missing critical-minerals classification

USGS Critical Minerals List plus DOE Critical Materials Strategy data feeds

Enhanced review on classification ambiguity

EDGAR oracle

Tampered filing data

SEC-sourced via official RSS plus EFTS API — signed at source

Last batch; flagged stale in IDOS

**4.3 Off-Chain Attack Surface**

SurfaceAttackMitigation

CEDEX backend

Order matching manipulation

Pre-flight compliance check plus on-chain settlement atomicity — backend cannot alter on-chain outcome

RPC infrastructure

DDoS or degradation

Helius dedicated cluster plus Triton failover plus rate limiting (500 req/s)

WebSocket feeds

False market data

Market data is informational — all trades settle on-chain with Transfer Hook enforcement

API authentication

Stolen credentials

Empire wallet verification required — credentials alone insufficient without on-chain wallet

DNS / TLS

Domain hijacking

Certificate pinning plus HSTS plus DNSSEC

Key storage

HSM compromise

Ledger Enterprise HSM plus geographic distribution plus key rotation schedule

**4.4 Social and Operational Attack Surface**

SurfaceAttackMitigationBeta Evidence

Token impersonation

Copycat tokens on external platforms

Only Empire-verified issuers create ST22 tokens on CEDEX. Single verified venue.

19 copycats deployed across GRLF (6) and MSPC (13) — zero possible on CEDEX

Community confusion

"Which token is real?"

ST22 tokens require Empire custody deposit plus on-chain issuer verification

Direct beta observation — community flooded with support requests

Phishing

Fake CEDEX frontend

Domain verification, certificate pinning, official links only from rwatokens.net

—

Insider trading

Employee front-running issuer launches

Insider Trading Policy, restricted trading windows, compliance monitoring

—

***

#### 5. Module-Specific Threat Surfaces <a href="#id-5.-module-specific-threat-surfaces" id="id-5.-module-specific-threat-surfaces"></a>

The same Solana foundation, the same Token-2022 standard, and the same 42-control Transfer Hook framework serve all three modules — but each module presents asset-class-specific threat surfaces that require dedicated defensive consideration.

**5.1 Module 1 — Equities**

**Asset-class-specific threats:**

ThreatDescriptionDefense

Issuer disclosure failure

Tokenized issuer fails to maintain SEC disclosure obligations

Empire onboarding requires current disclosure status; Control 38 (protective conversion) triggers on issuer distress

Rule 144 / Reg S evasion

Early resale before holding period elapses

Control 24 — on-chain HoldingPeriodAccount with jurisdiction-specific timer

Unregistered securities trading

Non-accredited investor receives Reg D security

Empire accreditation verification plus Controls 12–14 enforced on every transfer

Insider trading

Issuer insider trades on material non-public information

Insider Trading Policy plus blackout-window enforcement at the wallet level

**Module 1 trust anchor:** SEC Category 1 Model B architecture per SEC Release No. 33-11412, with Empire as registered transfer agent for the underlying Common Class B shares.

**5.2 Module 2 — Real Estate**

**Asset-class-specific threats:**

ThreatDescriptionDefense

**NAV manipulation**

False appraisal data inserted to enable arbitrage between NAV and on-chain price

Independent licensed appraiser per property; reappraisal cycle on defined cadence; circuit breaker (Control 21) on price-NAV deviation outside defined bands

Single-asset entity failure

The legal entity holding the underlying property defaults, files bankruptcy, or loses title

Control 38 protective conversion; jurisdictional title insurance; per-property due diligence

Property-specific encumbrances

Liens, easements, or transfer-tax obligations not disclosed at tokenization

Pre-issuance title search plus jurisdictional review plus Empire onboarding diligence

Geographic concentration risk

Multiple Module 2 issuances in one jurisdiction face correlated regulatory or environmental risk

Cross-property diligence; jurisdictional diversity tracking; portfolio-level circuit breakers

Reappraisal-cycle gaming

Bad actor accumulates position before favorable reappraisal, sells after

Position limits (Control 15) at 4.99% per wallet; reappraisal-window trading restrictions

**Module 2 trust anchor:** Independent licensed appraiser plus single-asset entity structure plus Empire as qualified custodian for backing collateral.

**5.3 Module 3 — CORECM**

**Asset-class-specific threats:**

ThreatDescriptionDefense

**Export-control evasion**

Sanctioned entity acquires position in strategic-mineral basin via proxy wallet

Three-layer OFAC screening (exact plus fuzzy plus 2-hop graph); Empire enhanced KYC for Module 3 issuances; Section 232 / Defense Production Act cross-reference

**Federal action freeze**

Basin asset becomes subject to federal action under DPA Title III, Section 232, or EO 14017

Control 42 (regulatory freeze) plus Permanent Delegate extension routed through Empire; coordination protocol with relevant federal agency

Basin-asset misclassification

Mineral classification differs from USGS Critical Minerals List or DOE Critical Materials Strategy

Pre-issuance classification verification plus periodic re-verification against authoritative federal lists

Geological-reserve overstatement

Basin proven-reserves figures inflated to support issuance

Independent geological survey plus periodic re-verification plus protective conversion (Control 38) on material misrepresentation

Carbon Ore / DOE program disqualification

Project loses eligibility for DOE coal-derived rare-earth element recovery program

Federal-program-status oracle; Control 38 trigger on disqualification

**Module 3 trust anchor:** USGS Critical Minerals List plus DOE Critical Materials Strategy plus issuer-level technical and regulatory diligence plus Empire as qualified custodian.

**5.4 Cross-Module Threat Properties**

What every module gets, regardless of asset class:

* **Identical Transfer Hook enforcement.** Every transfer in every module triggers all 42 controls atomically.
* **Identical custody architecture.** Empire Stock Transfer holds backing collateral for all three modules under the same §17A regulatory framework.
* **Identical settlement mechanics.** All three modules settle with \~13-second finality on Solana via GENIUS Act-compliant stablecoin.
* **Cross-module isolation.** Sealevel parallel execution prevents an attack on one module's mints from affecting trading or settlement in another module.

***

#### 6. Control-to-Threat Mapping <a href="#id-6.-control-to-threat-mapping" id="id-6.-control-to-threat-mapping"></a>

Every Transfer Hook control maps to a specific threat it mitigates. The mapping applies across all three modules:

ThreatControlsError CodesDefense Mechanism

**Unauthorized minting / supply inflation**

1–6

6001, 6002

Ed25519 custody oracle: supply ≤ custodied shares on every transfer

**Unverified investor trading**

7–10

6002, 6003

Empire KYC/KYB whitelist gate on every transfer

**Sanctioned entity trading**

11–13, 30–34

6003–6007

Three-layer OFAC screening plus dual AML scoring per transfer

**Whale accumulation**

15–19

6004, 6020–6023

4.99% maximum per wallet plus velocity plus cross-wallet detection

**Flash crash / cascade dump**

20–23

6005, 6006

Circuit breaker: >10% in 5 min triggers halt; >2% single impact triggers block; volume-spike detection

**Early resale (Rule 144 / Reg S)**

24–29

6024

On-chain HoldingPeriodAccount with jurisdiction-specific timer

**Issuer / asset distress**

35–38

6008

Protective conversion triggers on bankruptcy, enforcement, loss of Empire (all modules); NAV-divergence threshold (Module 2); federal-action triggers (Module 3)

**Regulatory emergency**

42

6042

Immediate freeze — Legal Counsel plus 3-of-5 multi-signature

**Audit trail integrity**

39–40

—

Immutable on-chain compliance record plus hash-chain verification

**Governance capture**

41

6041

Parameters bounded by hard-coded ranges. The 42 controls are immutable.

***

#### 7. Key Management Architecture <a href="#id-7.-key-management-architecture" id="id-7.-key-management-architecture"></a>

**7.1 Multi-Signature Configuration**

AuthorityThresholdTotal SignersGeographic DistributionUse

**Transfer Hook upgrade**

5-of-9

9

5+ jurisdictions

Program upgrade (24h timelock)

**AMM upgrade**

5-of-9

9

5+ jurisdictions

Program upgrade (24h timelock)

**Oracle upgrade**

5-of-9

9

5+ jurisdictions

Program upgrade (24h timelock)

**Parameter adjustment**

3-of-5

5

3+ jurisdictions

Fee, threshold, cooldown changes (48h timelock)

**Emergency freeze**

3-of-5 plus Legal Counsel

5 plus 1

—

Control 42 (immediate)

**Governance**

3-of-5

5

—

Proposal execution (48h timelock)

**7.2 Key Storage**

Key TypeStorageBackupRotation

Multi-signature signer keys

Ledger Enterprise HSM

Encrypted cold backup in geographically separate safe deposit

Annual or on personnel change

Empire attestation key

Empire internal HSM

Empire custody infrastructure

Empire-managed per §17A requirements

Oracle relay keys

AWS KMS (EKS service)

Cross-region replica

Quarterly

Deployer key

Ledger hardware wallet

Cold backup

Disabled post-deployment (single-use)

**7.3 Key Compromise Scenarios**

ScenarioImpactMitigationRecovery

1 of 9 signer key stolen

None — below threshold

Attacker cannot execute. Compromised key immediately rotated.

Rotate key. Notify other signers.

2 of 9 signer keys stolen

None — below threshold

Same.

Rotate both. Review physical security.

4 of 9 signer keys stolen

None — below threshold

5-of-9 required.

Emergency rotation of all 9 keys via governance proposal.

5 of 9 signer keys stolen

**Critical** — attacker can upgrade programs

24h timelock visible on-chain. Remaining 4 signers or community can alert.

Cancel pending upgrade during timelock. Emergency governance response. Rotate all keys.

Empire attestation key stolen

False custody attestation

Quarterly audit detects discrepancy. Backup oracle cross-reference.

Empire revokes key. New key registered on-chain.

Oracle relay key stolen

Stale or false oracle data injection

Signed payloads include slot — stale payloads rejected. 2-of-3 consensus catches mismatch.

Rotate relay key. Oracle continues via backup.

**7.4 Key Rotation Protocol**

<a class="button secondary">Copy</a>

```
1. New key generated on Ledger Enterprise HSM
2. New key proposed via governance (ParameterAdjustment type)
3. 48-hour timelock — visible on-chain
4. 3-of-5 (or 5-of-9 for upgrade authority) execute rotation
5. Old key deauthorized in same transaction
6. Confirmation: verify new key can sign, old key rejected
7. Documentation updated in Network Configuration
```

***

#### 8. Upgrade Security <a href="#id-8.-upgrade-security" id="id-8.-upgrade-security"></a>

**8.1 Transfer Hook Upgrade Process**

The Transfer Hook is the most security-sensitive program. Upgrades follow the most restrictive protocol:

<a class="button secondary">Copy</a>

```
Step 1:  Governance proposal (ProgramUpgrade type)
Step 2:  Voting period ≥ 48 hours
Step 3:  66.67% supermajority required (not simple majority)
Step 4:  Certora re-verification — all 6 invariants must pass on new code
Step 5:  Independent audit attestation (Quantstamp or Halborn)
Step 6:  24-hour timelock (cancellable by 2-of-5 during window)
Step 7:  5-of-9 multi-signature executes BPF upgrade instruction
```

**8.2 What Upgrades CANNOT Do**

Prohibited ActionEnforcement Mechanism

Remove any of the 42 controls

Certora re-verification rejects — invariant E.4 violated

Lower holding period below statutory minimum

Hard-coded constants — not in adjustable parameter space

Add withdrawal to Global Pool

Pool program is immutable — no upgrade authority exists

Remove Transfer Hook from existing mints

SPL Token-2022 standard — hook address permanent in mint account

Bypass multi-signature requirement

Multi-signature enforced at Solana program level — not application logic

**8.3 Immutable Programs**

ProgramUpgrade AuthorityImplication

Liquidity-pool program

**None**

Cannot be upgraded. Ever. By anyone. This is the Global Pool permanence guarantee.

***

#### 9. Oracle Security <a href="#id-9.-oracle-security" id="id-9.-oracle-security"></a>

**9.1 Asymmetric Fail-Safe Design**

Oracle failures are not treated equally. The consequence of each failure determines the response severity:

OracleFailure ModeRisk of ContinuingFail-Safe Response

**Custody**

Stale attestation

**Catastrophic** — trading without verified backing

**Reject ALL transfers** (Error 6001/6002)

**OFAC**

Stale SDN list

**High** — potential sanctions violation

Cache <24h. Halt ALL transfers >48h stale.

**AML**

Stale risk score

**Medium** — elevated compliance risk

Cache <6h. Flag stale for manual review.

**TWAP**

No price feed

**Medium** — circuit breaker disabled

Use last confirmed price. Disable breaker >5 min.

**NAV (Module 2)**

Reappraisal feed delayed

**Medium** — pricing band uncertainty

Trading paused until reappraisal feed restored

**EDGAR**

Feed delay

**Low** — delayed intelligence

Continue with last batch. Flag stale in IDOS.

The custody oracle has the strictest fail-safe because a custody discrepancy threatens the 1:1 backing guarantee — the foundational property of every ST22 token across every module. A stale AML score is a manageable risk. A wrong custody count is an existential threat.

**9.2 Oracle Consensus Model**

<a class="button secondary">Copy</a>

```
                   ┌──────────────┐
                   │ Empire API   │ Primary — Ed25519 signed per block
                   │ (Ed25519)    │
                   └──────┬───────┘
                          │
              ┌───────────▼───────────┐
              │  2-of-3 Consensus     │
              │  Required for:        │
              │  - Discrepancy        │
              │    resolution         │
              │  - Post-halt resume   │
              └───────────┬───────────┘
                    ┌─────┴─────┐
           ┌───────▼──┐  ┌─────▼────────┐
           │ Platform │  │ Quarterly    │
           │ Backup   │  │ Third-Party  │
           │ Node     │  │ Audit        │
           └──────────┘  └──────────────┘
```

**9.3 Ed25519 Attestation Security**

PropertyImplementation

**Signature algorithm**

Ed25519 (EdDSA on Curve25519) — NIST-standardized

**Key registration**

Empire public key registered on-chain at oracle initialization

**Payload structure**

`mint (32B) + common_b_balance (8B) + token_supply (8B) + slot (8B) + timestamp (8B)` = 64 bytes

**Replay prevention**

Slot number in payload — attestation for past slots rejected

**Verification**

Solana Ed25519 precompile — verified in same transaction as Transfer Hook

**Key rotation**

Empire-managed. New key registered on-chain via multi-signature. Old key deauthorized.

**9.4 Oracle Security Properties**

PropertyMechanism

Single-oracle compromise resistance

2-of-3 consensus required for approval decisions

Replay attack prevention

Ed25519 signatures include slot plus timestamp — stale rejected

Price manipulation resistance

TWAP (30-min window) plus 60-observation minimum plus 3σ outlier rejection

SDN evasion resistance

Three-layer screening: exact address plus fuzzy entity plus 2-hop graph clustering

AML score gaming

Dual-provider (Chainalysis plus TRM Labs) — different ML models and training data

NAV oracle integrity (Module 2)

Independent licensed appraiser plus reappraisal-cycle enforcement plus on-chain price-NAV deviation circuit breaker

Federal-classification integrity (Module 3)

USGS plus DOE feed cross-reference plus quarterly re-verification

***

#### 10. Economic Attack Analysis <a href="#id-10.-economic-attack-analysis" id="id-10.-economic-attack-analysis"></a>

**10.1 Flash Loan Attack**

**Attack:** Borrow massive capital in a single block, manipulate price, extract profit, repay loan — all atomically.

**Why it fails on CEDEX:**

DefenseMechanismControl

Price impact limit

\>2% single-trade impact triggers block

Control 21 (Error 6021)

Volume halt

\>30% daily sell per wallet triggers 24h halt

Control 23 (Error 6037)

TWAP deviation

Requires sustained manipulation across 60 observations / 30 minutes

Control 20

Circuit breaker

\>10% price move in 5 min triggers 15-min halt

Control 20 (Error 6005)

Flash loans require large single-block execution. The 2% price-impact limit makes the profit margin insufficient after accounting for fees (5%) and slippage. The attack is economically irrational across all three modules.

**10.2 Sandwich Attack**

**Attack:** Bot detects pending trade, places buy before and sell after to extract MEV from price movement.

**Why it fails on CEDEX:**

DefenseMechanism

Jito Block Engine

Private transaction submission — trades not visible in mempool

Price impact limit

2% maximum per trade — sandwich profit margin compressed below fee cost

Fallback (no Jito)

CEDEX displays degraded MEV protection banner. Fair-sequencing by commit time.

**10.3 Coordinated Dump**

**Attack:** Multiple wallets coordinate to sell simultaneously, crashing price for community.

**Why it fails on CEDEX:**

DefenseMechanismControl

Wallet limit

Maximum 4.99% per wallet — limits individual selling pressure

15

Volume halt

\>30% daily sell per wallet triggers halt

23

Circuit breaker

\>10% price move in 5 min triggers 15-min halt

20

Cross-wallet detection

Behavioral clustering identifies coordinated wallets

18

**Beta evidence (GROO):** 1,000+ sniper bots used 200+ wallets to circumvent the 4.99% limit on Raydium. On CEDEX, Control 15 enforces 4.99% per wallet on every transfer at the Solana runtime level — multi-wallet strategies cannot bypass because the hook executes on every path.

**10.4 Wash Trading**

**Attack:** Self-trading to inflate volume metrics and attract investors.

**Why it fails on CEDEX:**

DefenseMechanismControl

Self-transfer block

sender == receiver triggers Error 6015

CEI

5% fee

Every trade costs 5% — wash trading has real cost

Fee architecture

Timing correlation

Same-wallet buy-sell within window flagged

Analytics

Amount correlation

Matching amounts across wallets flagged

Analytics

**10.5 Rugpull**

**Attack:** Issuer or LP provider withdraws liquidity, leaving token worthless.

**Why it is mathematically impossible on CEDEX:**

DefenseMechanism

LP burned

LP tokens burned at Global Pool initialization. No withdrawal function exists.

Immutable pool program

Liquidity-pool program has no upgrade authority — cannot add withdrawal.

Formal verification

Certora Prover invariant E.3: no instruction can reduce Global Pool balance.

Per-issuer isolation

Issuers do not control pool capital. Pool is protocol-owned.

**10.6 NAV Arbitrage (Module 2-Specific)**

**Attack:** Bad actor manipulates appraisal data to create arbitrage between on-chain price and "true" NAV.

**Why it fails on CEDEX:**

DefenseMechanism

Independent appraiser

Each property has a licensed appraiser; the platform does not control appraisal

Reappraisal cycle

Defined cadence — appraisals do not move continuously, removing high-frequency manipulation incentive

Circuit breaker on deviation

Control 21 halts trading when on-chain price diverges from appraised band

Position limits

4.99% maximum per wallet limits accumulation ahead of reappraisal

**10.7 Federal-Action Position-Building (Module 3-Specific)**

**Attack:** Bad actor anticipates federal regulatory action on a basin asset (DPA Title III, Section 232, EO 14017) and accumulates position before broader market awareness.

**Why it fails on CEDEX:**

DefenseMechanism

Position limits

4.99% maximum per wallet limits pre-action accumulation

Cross-wallet detection

Coordinated multi-wallet strategies flagged via behavioral clustering

Federal-action freeze

Once federal action occurs, Control 42 freezes the affected mint immediately

Insider trading policy

Platform personnel and counterparties prohibited from trading on material non-public information

***

#### 11. Formal Verification <a href="#id-11.-formal-verification" id="id-11.-formal-verification"></a>

Six invariants verified via Certora Prover symbolic execution. Each invariant provides a mathematical proof — not a test result — that a critical property holds under ALL possible execution conditions.

**11.1 Invariant Registry**

IDPropertyFormal StatementImplication

**E.1**

No Unauthorized Minting

`∀ s→s': mint_to ⟹ custody_oracle(s').common_b ≥ s'.supply ∧ Ed25519.valid`

Supply cannot increase without verified Empire custody deposit

**E.2**

Custody Ratio

`∀ s, t: t executes ⟹ s.custody.common_b ≥ s.supply ∧ s.custody.slot ≥ current - 1`

Every transfer has verified 1:1 backing at execution time

**E.3**

Pool Non-Extractability

`¬∃ i: execute(i, s) → s' where s'.pool_balance < s.pool_balance`

No instruction can reduce Global Pool balance. Withdrawal impossible.

**E.4**

Hook Completeness

`∀ t on hook-mint: Token2022.transfer(t) ⟹ hook(t) invoked ∧ (hook = Err ⟹ revert)`

Every transfer triggers hook. Rejection causes atomic revert.

**E.5**

Fee Accuracy

\`∀ swap s:

actual\_fee - (a × 500/10000)

**E.6**

Circuit Breaker Correctness

`∀ t: (impact > θ) ⟺ rejected`

Breaker activates if and only if threshold exceeded. No false positives or negatives.

**11.2 Verification Scope**

ProgramCertoraQuantstampHalbornOtterSec

Transfer Hook program

6 invariants

Full audit

Full audit

—

AMM program

E.5 (fee)

—

—

Full audit

Liquidity Pool program

E.3 (non-extract)

—

—

—

Governance program

—

—

Full audit

—

Oracle Aggregator program

—

Full audit

—

—

***

#### 12. Beta Incident Post-Mortems <a href="#id-12.-beta-incident-post-mortems" id="id-12.-beta-incident-post-mortems"></a>

Three beta deployments on Solana Mainnet provided empirical validation of every security assumption. The attacks were real, measured, and on-chain.

**12.1 GROO — Sniper Attack (October 2025)**

MetricValue

Peak market cap

$6,000,000

Post-attack market cap

$250,000 (-95.8%)

Time to collapse

<2 hours

Estimated bots

\~1,000+ wallets

Value extracted

\~$5,750,000

**Root cause:** Token traded on Raydium (external DEX). Raydium calls the original SPL Token Program — Transfer Hook never invoked. All 42 controls bypassed.

**Attack vectors confirmed:** Mempool sniping (\~300 bots), front-running (\~400), sandwich attacks (\~200), Jito bundle attacks (\~100).

**Architectural response:** Built custom AMM and CEDEX. ST22 tokens never leave platform infrastructure. All trades execute through Transfer Hook.

**12.2 GRLF — Bot Dominance plus Copycats (December 2025)**

MetricValue

Price collapse

-93.69%

Bot share of activity

85% (34 of 40 post-launch transactions)

Human share

15% (6 transactions)

Copycat tokens

6 across Pump.fun, Raydium, Moonshot

Unauthorized LP

Created by third-party bot 54 min after mint

**Root cause:** Same as GROO — external DEX bypass. Additional finding: unauthorized LP creation by adversary bots.

**Architectural response:** Protocol-controlled pool creation (only the platform can initialize CEDEX pools). Empire onboarding required for token creation — copycat deployment structurally impossible.

**12.3 MSPC — Infrastructure Bottleneck (November 2025)**

MetricValue

Copycat tokens

13 across external platforms

RPC bottleneck

50 sendTx/sec exceeded — cooldown bypassed

Transactions beyond limit

Processed without security controls

**Root cause:** Helius RPC tier (200 req/sec, 50 sendTx/sec) insufficient for launch volume. Bots consumed RPC capacity, legitimate users saw failures.

**Architectural response:** Dedicated Helius cluster (500+ req/sec) plus Triton failover plus transaction queuing.

**12.4 Beta Summary**

FindingConfirmed AcrossArchitectural Response

External DEXs bypass ALL 42 controls

GROO, GRLF, MSPC

CEDEX-only venue. Custom AMM with native Token-2022 support.

85% of activity is automated bots

GRLF

Jito MEV protection, circuit breakers, commit-reveal

Unauthorized LP creation by bots

GRLF

Protocol-controlled pool initialization

19 copycat tokens across 3 launches

GRLF (6), MSPC (13)

Empire-verified issuers only. On-chain issuer verification.

RPC capacity limits enable bypass

MSPC

Dedicated Helius cluster plus Triton failover

Contract-level controls survive external DEX

All three

Confirms: liquidity lock plus vesting work everywhere. Hook-dependent controls require CEDEX.

***

#### 13. Incident Response <a href="#id-13.-incident-response" id="id-13.-incident-response"></a>

**13.1 Severity Classification**

SeverityDefinitionResponse SLAEscalation

**P0 — Active Exploit**

Funds at risk, control bypass confirmed, custody discrepancy

15 minutes

CTO plus Legal Counsel plus all multi-signature holders

**P1 — Service Degradation**

Oracle stale, CEDEX latency >10s, RPC failover triggered

1 hour

CTO plus DevOps lead

**P2 — Partial Failure**

Single oracle degraded (cached serving), non-critical feature unavailable

4 hours

On-call engineer

**P3 — Monitoring Alert**

Threshold warning, unusual pattern, non-exploitable anomaly

24 hours

On-call engineer

**13.2 P0 Response Procedure**

<a class="button secondary">Copy</a>

```
1. DETECT: Automated monitoring alerts (Datadog plus PagerDuty)
     OR manual report via security@rwatokens.net

2. TRIAGE (15 min SLA):
   - Confirm exploit — on-chain evidence
   - Identify affected mints and modules
   - Estimate funds at risk

3. CONTAIN (immediate):
   - Control 42: Regulatory freeze on affected mint(s)
     Requires: Legal Counsel plus 3-of-5 multi-signature
   - Notify Empire Stock Transfer compliance (15-min SLA)
   - Disable CEDEX trading for affected pairs

4. INVESTIGATE:
   - Full on-chain forensics — transaction trace
   - Oracle state audit — attestation history
   - Smart contract review — identify vulnerability

5. REMEDIATE:
   - If program vulnerability: emergency upgrade (5-of-9 plus Certora re-verify)
   - If oracle issue: rotate oracle keys, verify backup consensus
   - If key compromise: emergency key rotation

6. RECOVER:
   - 2-of-3 oracle consensus confirms integrity restored
   - Lift Control 42 freeze
   - Resume CEDEX trading
   - Publish post-incident report

7. POST-MORTEM (within 72 hours):
   - Root cause analysis
   - Timeline reconstruction
   - Control effectiveness review
   - Remediation verification
   - Public disclosure (if warranted)
```

**13.3 Communication Protocol**

AudienceChannelTiming

Multi-signature holders

Encrypted channel (Signal)

Immediate on P0/P1

Empire Stock Transfer

Dedicated compliance hotline

15-min SLA on P0

Institutional investors

Direct notification via CEDEX portal

Within 1 hour of confirmed P0

Public / community

Status page plus social media

After containment (not during active response)

SEC / regulators

Formal notification if SAR threshold met

Per 31 C.F.R. §1020.320 requirements

***

#### 14. Bug Bounty Program <a href="#id-14.-bug-bounty-program" id="id-14.-bug-bounty-program"></a>

**14.1 Scope**

In ScopeOut of Scope

Transfer Hook program — all 42 controls

Third-party dependencies (Solana, Anchor, Token-2022)

AMM program — CPMM logic, fee routing

Social engineering attacks

Liquidity-pool program — extraction attempts

Denial of service (volumetric)

Oracle aggregator program — attestation verification

Frontend / UI issues

Governance program — proposal execution

Known issues already in remediation

CEDEX API — authentication, authorization

Rate-limiting behavior

**14.2 Rewards**

SeverityImpactReward

**Critical**

Fund extraction, control bypass, supply inflation, Global Pool drainage

Up to $100,000

**High**

Oracle manipulation, key compromise path, fee bypass, holding-period bypass

Up to $25,000

**Medium**

Information leak, partial control degradation, non-exploitable logic error

Up to $5,000

**Low**

UX issue with security implications, documentation inconsistency

Up to $1,000

**14.3 Priority Targets**

Highest-reward vulnerabilities that would represent fundamental security failures:

TargetImpactMaximum Reward

CPMM invariant violation (k decreases)

Fund extraction via swap manipulation

$100,000

Transfer Hook bypass on CEDEX

Any transfer without 42-control validation

$100,000

Global Pool balance reduction

Any instruction that reduces pool capital

$100,000

Custody oracle signature forgery

False attestation without Empire key

$100,000

NAV oracle manipulation (Module 2)

Trading based on false appraisal data

$50,000

Federal-classification oracle bypass (Module 3)

Trading of misclassified basin asset

$50,000

Fee routing bypass

Trade without 5% fee collection

$50,000

Holding-period early unlock

Transfer before Rule 144 / Reg S elapsed

$50,000

Circuit breaker bypass

Trade exceeding 2% impact without rejection

$25,000

***

#### 15. Responsible Disclosure <a href="#id-15.-responsible-disclosure" id="id-15.-responsible-disclosure"></a>

**15.1 Reporting**

ChannelContact

**Email**

<security@rwatokens.net>

**Encrypted**

PGP key published at rwatokens.net/security/pgp

**Response SLA**

Acknowledgment within 24 hours. Triage within 72 hours.

**15.2 Disclosure Policy**

* **Embargo period:** 90 days from report acknowledgment before public disclosure.
* **Coordination:** Reporter and the platform agree on disclosure timeline.
* **Credit:** Reporter credited in security advisory (unless anonymity requested).
* **Safe harbor:** Good-faith security research conducted within scope will not result in legal action.

**15.3 What to Include in a Report**

<a class="button secondary">Copy</a>

```
- Description of vulnerability
- Affected program(s) and instruction(s)
- Affected module(s) (Equities, Real Estate, CORECM, or all)
- Steps to reproduce (localnet or devnet preferred)
- Proof of concept (code or transaction)
- Estimated severity and impact
- Suggested mitigation (if any)
```

***

#### Related Documentation <a href="#related-documentation" id="related-documentation"></a>

* **Solana Blockchain Foundation** — Why Solana, Token-2022, Transfer Hook, module-specific foundations
* **Architecture Decisions** — ADR-001 through ADR-012 with full alternatives analysis
* **Smart Contract Reference** — Program instructions, accounts, error codes
* **SDK Reference** — Error handling and recovery patterns
* **Empire Stock Transfer Integration** — Custody attestation, onboarding, regulatory-freeze workflow
* **Compliance Integration Guide** — How module-specific issuances configure the 42 controls
* **Incident Response Playbook** — Detailed P0 / P1 / P2 / P3 procedures
* **Whitepaper** — Full technical specification referenced throughout

***

*RWA Tokens · Security Model · Groovy Company, Inc.*


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://bitbook.rwatokens.net/foundation/foundation/security-model.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.