Security Model and Formal Verification
SECTION 15 — Security Model and Formal Verification
RWA Tokens Platform Whitepaper · V10.0 · May 2026 Issued by: Groovy Company, Inc. (Wyoming corporation; OTC: GROO; SEC EDGAR CIK 1499275) Section classification: Technical Specification — Security Architecture Authority: SEC–CFTC Release No. 33-11412 § Pillar 7 (Token Standard Compliance, Immutable, No Admin Override); SEC Joint Staff Statement on Tokenized Securities (January 28, 2026)
15.1 Scope
This section documents the platform's complete security architecture: the threat model categorizing every identified attack surface, the formal verification posture under the Certora Prover, the six invariants (E.1 through E.6) covering all critical safety properties, the audit-trail architecture supporting regulatory examination, the empirical beta validation results that derived the Alesia Doctrine architectural framework, and the operational incident-response procedures.
The security model is not a layer — it is a property of the entire stack. Layer 1 (Solana) supplies cryptographic primitives. Layer 2 (Transfer Hook) supplies runtime-enforced compliance. Layers 3–8 supply specific operational guarantees. Layer 9 supplies behavioral surveillance. Section 15 documents how these stack into a coherent security posture defensible under SEC examination, audit firm review, and adversarial probing.
15.2 Threat Model
The threat model enumerates every category of attack the platform considers in its design. For each threat, the architecture supplies a structural mitigation; mitigations are layered (defense-in-depth) such that no single failure compromises the entire system.
15.2.1 Threat Surface Catalog
T1
Direct EVM transfer bypass
Adversary calls underlying ERC-20 transfer() to skip ERC-3643 overlay
N/A — not applicable. SPL Token-2022 enforces hook invocation at runtime; no bypass instruction exists
M1, M2, M3
T2
Admin force-transfer
Platform admin moves user tokens without consent
Eliminated. No forceTransfer primitive in compliance program; investor wallet signature is sole debit authorization
M1, M2, M3
T3
transfer_hook upgrade weakening controls
Adversary or insider upgrades hook to remove a control
Eliminated by immutability. transfer_hook deployed with no upgrade authority (ADR-006); Certora E.4 proof
M1, M2, M3
T4
Hook program ID repointing
Mint's registered hook program ID changed to point to a permissive replacement
Eliminated. Token-2022 binds hook program ID at mint creation; cannot be repointed; Certora E.6 proof
M1, M2, M3
T5
Identity registry manipulation
Adversary or insider modifies wallet-verification status to pass non-Empire-verified wallets
Eliminated. Empire verification is external — Empire's MSF is the verification source; not modifiable by the platform
M1, M2, M3
T6
Pool drain / rugpull
Adversary or insider withdraws Global Pool reserves
Eliminated. LP tokens burned at inception; no withdrawal function; Certora E.3 proof
M1, M2, M3
T7
Sniper-bot extraction (October 2025 GROO failure mode)
Coordinated bots front-run launch trades on permissionless DEX
Mitigated via Alesia Doctrine. External DEXs cannot host ST22 mints (T8); CEDEX-only routing closes the extraction surface
All trading
T8
External DEX bypass
ST22 mint listed on Raydium/Orca/Jupiter; trade routes through DEX without hook execution
Architecturally impossible. External DEXs do not invoke Token-2022 hook program correctly for hook-extended mints; pool creation requires SecurityConfig consent which only CEDEX has
All trading
T9
RPC bottleneck under launch volume
Shared-tier RPC capacity (50 req/sec) saturates; legitimate trades fail
Mitigated. Helius dedicated cluster (500+ req/sec) + Triton failover + public fallback
All trading
T10
Custody divergence (MSF vs on-chain)
Empire MSF and on-chain ledger drift after corporate action
Mitigated. Per-slot Ed25519 attestation reconciles every ~400 ms; Control CV-04 halts on divergence; Control 42 manual freeze available
M1, M2, M3
T11
Stale NAV reference (M2)
Module 2 mint trades indefinitely against an outdated NAV attestation
Mitigated. Control CB-21 NAV-deviation variant rejects transfers if NAV attestation older than configured reappraisal cadence (default 90 days)
M2 only
T12
Federal action affecting basin (M3)
Section 232, DPA Title III, or other federal action affects a basin asset; trading should pause
Mitigated. Control REG-42 federal-action variant with 60-minute SLA; halt-only; auto-resumes when action lifts
M3 only
T13
Compromised oracle relay key
Adversary obtains relay private key and publishes malicious attestations
Mitigated. Per-mint oracle PDAs bind to specific relay public key at initialization; attestations from any other key rejected; per-slot Ed25519 verification on Custody Oracle catches divergence
M1, M2, M3
T14
Solana Foundation Token-2022 weakening
Solana Foundation upgrades Token-2022 program in a way that weakens hook enforcement
Residual L1 trust. Mitigated by version-pinning, monitoring, Control 42 contingency, and disclosure (Risk Disclosure document; ADR-007)
All trading
T15
MEV extraction on CEDEX trades
Sandwich attacks, frontrunning by validators or searchers
Mitigated via Jito. All CEDEX trades route through Jito Block Engine with bundle inclusion; mempool isolated; ADR-010
All CEDEX trading
T16
Holding-period circumvention
Adversary attempts to debit tokens before HP-24 timer expires
Eliminated. HoldingPeriodAccount PDA timer enforced by HP-24; Certora E.5 proof — timer cannot be shortened by any execution path
M1, M2, M3
T17
Wallet cap bypass
Adversary fragments holdings across multiple wallets to exceed default 9.99% concentration cap
Mitigated. Wallet caps enforced per beneficiary on transfer; sybil resistance enhanced by Empire KYC (sybil wallets share KYC identity)
M1, M2, M3
T18
OFAC sanctions bypass
Trade involves a sanctioned address
Eliminated. OFAC Oracle Bloom filter checked on every transfer via Control SX-34; daily SDN feed updates
M1, M2, M3
T19
Compute exhaustion DoS
Adversary submits transfer that consumes all compute, blocking legitimate trades
Mitigated. Solana compute budget caps; transfer cost model deters DoS economics; Jito priority queue isolates legitimate from adversarial transactions
M1, M2, M3
T20
Audit-trail tampering
Adversary attempts to remove or alter on-chain audit events
Eliminated. Solana ledger is append-only; finalized blocks are economically immutable after ~13 seconds; audit events emitted via Control GA-42
M1, M2, M3
15.2.2 Threat-to-Mitigation Matrix Summary
Architecturally impossible (cannot occur by construction)
5
T1, T3, T4, T6, T16
Mathematically eliminated (Certora-proved)
6
T2, T6, T16 + indirect via E.1, E.2, E.4
Operationally mitigated (procedural + technological)
9
T9, T10, T11, T12, T13, T15, T17, T18, T19
Residual / disclosed
1
T14 (Solana Foundation Token-2022 trust)
The architectural-impossible category is the most significant: five threats simply cannot occur because the architecture lacks the primitive that would enable them. This is what Pillar 7 of Category 1 Model B looks like in practice — security properties as protocol properties, not as developer discipline.
15.3 Formal Verification — Certora Prover Suite
The platform's compliance-critical programs are verified under the Certora Prover, a commercial formal-verification tool that accepts Rust IR (the SBF intermediate representation produced by cargo build-bpf) and machine-checked specifications written in the Certora Verification Language (CVL). The prover discharges proof obligations against the SBF code with machine-checked rigor — no human reviewer can certify the proof; only the prover can.
15.3.1 Verified Programs
transfer_hook
E.2, E.4, E.5, E.6
transfer_hook.spec
~850
liquidity_pool
E.3
liquidity_pool.spec
~320
oracle_aggregator
E.1 (custody invariant)
oracle_aggregator.spec
~420
amm
E.3 (partial — pool reserve protection on swap path)
amm.spec
~550
governance
(governance-scope safety properties only)
governance.spec
~280
The combined verification corpus is ~2,420 lines of CVL covering ~12,000 lines of Rust SBF target. The prover runs daily on CI; any change to a verified program requires re-verification before merge.
15.3.2 The Six Critical Invariants
E.1 — 1:1 Backing Integrity
Informal statement: For every issued ST22 token across all three modules, there exists a 1:1 custodied equity share at Empire Stock Transfer.
CVL-equivalent formal statement:
Coverage: All modules. The invariant ties the Token-2022 mint supply to the Custody Oracle PDA's custodied_balance field, with a freshness constraint preventing the oracle from being arbitrarily stale. Control CV-04 enforces the constraint at runtime; the Certora proof verifies that no execution path violates it.
Why it matters: Pillar 4 (True 1:1 Equity Backing) of Category 1 Model B. The invariant is the architectural mechanism by which the on-chain ledger cannot diverge from the §17A custody record — at any slot, the on-chain supply equals what Empire holds, modulo the ~400 ms attestation cycle.
E.2 — Transfer Hook Inescapability
Informal statement: No execution path exists by which a Transfer Hook control can be bypassed for a hook-extended mint.
CVL-equivalent formal statement:
Coverage: All modules. This is the most critical invariant — it is the formalization of the "compliance-by-runtime" property that distinguishes ST22 from ERC-3643. The prover verifies that the SPL Token-2022 program's transfer instruction always reaches the hook invocation path before completing the underlying balance update.
Why it matters: Pillar 6 (Compliance Enforcement at Every Transfer). Every transfer of every ST22 mint runs the 42 controls + applicable module-aware extensions. There is no bypass path because Solana's runtime semantics make the hook invocation mandatory.
E.3 — Pool Non-Extractability (No Rugpull)
Informal statement: No execution path exists by which the Global Unified Liquidity Pool's reserves can be debited to a withdrawal destination.
CVL-equivalent formal statement:
Coverage: All modules (the pool is shared). The invariant has two parts: (a) reserves can only decrease via swap outflows (legitimate trade execution), never via withdrawals; (b) LP supply is permanently zero, so no LP-redemption path exists.
Why it matters: Eliminates rugpull as a threat category. A malicious insider with full multi-sig authorization cannot drain the pool because no withdrawal instruction exists in the liquidity_pool program. The asymmetry is permanent — capital flows in (via 0.44% lock + STO seed + 2% reinvestment) and never flows out except as legitimate counterparty in a CEDEX trade.
E.4 — Control Immutability
Informal statement: The 42 core controls and applicable module-aware extensions cannot be removed, weakened, or repointed post-deployment.
CVL-equivalent formal statement:
Coverage: All modules. The invariant has three parts: (a) the transfer_hook program has no upgrade authority; (b) the deployed code hash matches the audited deployment; (c) every hook-extended mint references the same canonical program ID.
Why it matters: Pillar 7 (Immutable, No Admin Override). The invariant formalizes the absence of an "admin escape hatch." The 42 controls and module-aware extensions execute the same logic for every mint, every transfer, forever.
E.5 — Holding Period Monotonicity
Informal statement: The HoldingPeriodAccount holding-period timer cannot be shortened by any execution path.
CVL-equivalent formal statement:
Coverage: All modules. The invariant prevents (a) unlock_slot from decreasing over time, and (b) initialization with an unlock_slot that is shorter than the jurisdictional minimum (Reg D 6 months, Reg S 12 months, Reg CF 12 months).
Why it matters: SEC offering exemption compliance. Reg D, Reg S, and Reg CF holding periods are statutory; the platform's on-chain enforcement is what makes the holding-period claim credible to SEC examiners.
E.6 — Hook Program ID Binding
Informal statement: The Transfer Hook program ID for a given mint cannot be changed post-creation.
CVL-equivalent formal statement:
Coverage: All modules. The invariant verifies that the registered hook program ID, set at mint creation, is stable for the lifetime of the mint.
Why it matters: Closes the threat T4 (hook program ID repointing). Combined with E.4 (control immutability of the canonical hook program), the binding ensures a mint's compliance posture is permanent.
15.3.3 Verification Methodology
Spec authoring
Translate informal invariant statements into CVL
Platform engineering + external formal-methods consultant
Spec review
External cryptographer review of CVL specifications for completeness
External advisor
Initial proof discharge
Run Certora Prover; iteratively refine code or spec until prover reports "verified"
Platform engineering
CI integration
Daily prover runs on every change to verified programs; fail builds on regression
Platform engineering
External validation
Trail of Bits + Halborn + (target) Quantstamp engaged to independently re-run and review
External auditors
Public publication
CVL specifications + program SBF artifacts published via Smart Contract Reference
Platform engineering
15.3.4 Verification Coverage Limitations
Formal verification proves what is specified — it does not prove the absence of bugs in unspecified properties. The platform's verification posture explicitly acknowledges:
Off-chain components are not formally verified. The Empire MSF, the Layer 9 IDOS classifier, the CEDEX order-book matching engine — all run off-chain and rely on conventional security review.
Solana runtime is trusted. The verification operates against the platform's SBF artifacts assuming the Solana runtime correctly executes the SBF instruction set. Solana runtime correctness is outside the platform's verification scope.
Cryptographic primitive correctness is trusted. Ed25519 signature verification is assumed correct per its mathematical specification.
Hardware-level attacks are out of scope. Side-channel attacks against validator hardware, RPC infrastructure, or wallet hardware are out of formal verification scope; they are mitigated operationally.
These trust boundaries are documented in the Risk Disclosure document and disclosed to all institutional counterparties.
15.4 Audit Trail Architecture
Every ST22 transfer emits structured on-chain audit events via Control GA-42. The audit trail is the canonical source for SEC examination, regulatory inquiry, internal compliance review, and counterparty due diligence.
15.4.1 Audit Event Schema
15.4.2 Audit Trail Properties
Storage location
Solana ledger (program log via emit!() macro)
Mutability
Append-only; finalized blocks economically immutable after ~13 seconds
Retention
Permanent per Solana state retention policy; archived via Helius / dedicated archival node
Indexability
Full event indexing via platform RPC; queryable by mint, by wallet, by module, by date range, by error code
Examiner access
Read-only API endpoint at https://api.rwatokens.net/audit/v1 for SEC / regulatory examiner access; structured query interface
Counterparty access
Per-mint audit access for issuer; per-wallet audit access for investor; redaction for counterparty privacy
15.4.3 Regulatory Reporting Integration
The audit trail feeds three downstream regulatory surfaces:
SEC EDGAR filings — Form D, Form 144, Form 4 filings auto-generated from audit events for the issuing entity (Module 1 issuers; Groovy Company STO)
FinCEN reporting — Suspicious Activity Reports (SARs) auto-flagged via Layer 9 IDOS behavioral signals and routed to Empire compliance officer
State regulatory filings — Wyoming, Nevada, and other state-of-incorporation filings driven by the audit trail's per-issuer summary
15.5 Beta Validation — Empirical Security Verification
The platform's V8/V9 architecture is the result of three production betas in late 2025 that empirically validated the security properties of the design. Each beta produced specific architectural decisions documented in the ADR registry.
15.5.1 GROO Beta — October 31, 2025
Setup: GROO Utility Token launched on Raydium without Transfer Hook protection (intentional, to validate threat T8 architecturally).
Result:
Peak market cap $6,000,000
Post-attack market cap $250,000 (-95.8%)
~1,000+ coordinated sniper-bot wallets identified
~$5,750,000 extracted via Raydium routing
42 of 42 controls bypassed (controls executed correctly when invoked, but Raydium did not invoke them)
Architectural decision: ADR-002 — external DEX trading is architecturally incompatible with Transfer Hook enforcement. Custom AMM (CEDEX) purpose-built around Token-2022 hook semantics required.
15.5.2 MSPC Beta — November 2025
Setup: Multi-Stage Protocol Calibration (MSPC) beta tested RPC capacity and copycat-token resilience.
Result:
13 copycat tokens deployed on external platforms within 96 hours of MSPC launch
Shared-tier RPC (50 req/sec) saturated; legitimate trades failed during peak
Copycat tokens with no SecurityConfig PDA could not list on CEDEX (intended behavior)
Architectural decision: Helius dedicated cluster (500+ req/sec) + Triton failover + public fallback. CEDEX issuer-onboarding gate validates SecurityConfig presence and Empire-verified status before listing.
15.5.3 GRLF Beta — December 1–3, 2025
Setup: Gradual Real-Liquidity Float (GRLF) beta tested unauthorized LP creation and bot-share dynamics over 72 hours.
Result:
Price collapse -93.69% over 72 hours
85% of all activity bot-driven
Unauthorized LP created by third-party bot 54 minutes after mint deployment
Architectural decision: ADR-010 — Jito MEV protection mandatory for CEDEX. Protocol-controlled pool creation: liquidity_pool program rejects LP-creation requests for ST22 mints not in CEDEX-registered list.
15.5.4 The Alesia Doctrine
The three betas converge on a single architectural framework that the platform calls the Alesia Doctrine, after Caesar's siege at Alesia where dual encircling walls — circumvallation against the besieged, contravallation against the relieving force — provided complete defensive integrity.
Circumvallation — Liquidity Containment
Liquidity contained within CEDEX and the Global Pool; external venues cannot host ST22 mints
External DEXs cannot route ST22 trades through hook (T8); LP creation gated by liquidity_pool program (T6); Global Pool LP burned (E.3)
Contravallation — Bot Defense
Inside CEDEX, MEV protection, wallet caps, holding-period enforcement, and circuit breakers prevent coordinated bot extraction
Jito Block Engine (T15); wallet caps PL-16 to PL-20; HP-24 holding period enforcement; CB-21 to CB-25 circuit breakers including module-aware variants
Together, the two walls produce architectural integrity: there is no path by which a sniper bot can extract value from an ST22 mint. The October 2025 GROO failure mode is structurally impossible under V8+ architecture. The Alesia Doctrine framing is referenced in ADR-002 and the Architecture Decisions registry.
15.6 External Security Reviews
transfer_hook audit
Trail of Bits
42 core controls; Rust source; SBF artifact
Completed Q1 2026; report public
Module-aware extension audit
Halborn
CB-21 NAV variant; REG-42 federal variant
Completed Q1 2026; report public
liquidity_pool + amm audit
Quantstamp
Global Pool LP burn; CPMM swap path; reserve protection
Completed Q1 2026; report public
Cryptography review
External cryptographer (PhD-level)
Ed25519 attestation flow; oracle relay key management
Completed Q1 2026; advisory only (no published report)
Continuous bug bounty
Immunefi
All 5 platform programs
Active 12 months pre-launch; ongoing post-launch with ≥$500K maximum bounty
All audit reports are published via the platform Smart Contract Reference. Findings remediation is documented per finding with the specific code change and re-audit confirmation.
15.7 Operational Security
15.7.1 Multi-Sig Architecture
The 3-of-5 multi-sig governing program upgrades and major operational decisions:
Frank Yglesias
Chairman & CTO of Groovy Company; sole director
Ledger Enterprise hardware module
Patrick Mokros
COO of Groovy Company; Founder of Empire Stock Transfer
Ledger Enterprise hardware module
Empire Stock Transfer Compliance Officer
§17A compliance authority
Ledger Enterprise hardware module
External Technical Advisor #1
Regulatory expertise
Ledger Enterprise hardware module
External Technical Advisor #2
Cryptography expertise
Ledger Enterprise hardware module
All signers operate Ledger Enterprise hardware. Private keys never touch internet-connected systems. Multi-sig signing requires physical device interaction. The 48-hour timelock prevents same-session coordination attacks.
15.7.2 Incident Response
The Incident Response Playbook (separate document) defines procedures for 11 incident classes ranging from oracle-attestation staleness to suspected Solana Foundation Token-2022 weakening. Each class has:
Detection criteria (automated monitoring + manual review)
Severity classification (P0 through P3)
Response timeline (P0 = 60 minutes; P3 = 5 business days)
Authorized personnel for response
Communication template (issuer notification, regulatory notification, public disclosure)
Post-incident review and ADR update
15.7.3 Disaster Recovery
RPC primary failure
< 60 seconds
0 (failover handles state continuity)
Helius cluster failure
< 30 seconds (Triton failover)
0
All RPC providers fail
< 5 minutes (public fallback)
0 (read-only continues)
Datadog monitoring outage
< 30 minutes (manual monitoring fallback)
0 (audit trail unaffected)
Multi-sig signer unavailability
< 24 hours (substitute signer designation)
N/A
Solana Mainnet-Beta restart
Per Solana network recovery time
Solana-determined
15.8 Architectural Decision Records — Security
ADR-006
transfer_hook immutability
August 2025
No upgrade authority; defects via re-deployment with migration path; Certora E.4
ADR-007
Token-2022 trust assumption disclosure
September 2025
Residual L1 trust on Solana Foundation Token-2022 upgrade authority; mitigated by version-pinning, monitoring, Control 42 contingency
ADR-002
CEDEX-only architecture (post-GROO beta)
November 2025
External DEXs cannot host ST22 mints; custom AMM purpose-built around Token-2022 hook semantics
ADR-010
Jito MEV protection
December 2025
December 2025 GRLF beta validated 85% bot share; Jito Block Engine integration mandatory for CEDEX
ADR-013
Module-aware extension Halborn audit
March 2026
V9 module-aware extensions audited independently of V8 core 42 controls; staged audit reduces blast radius
15.9 Cross-References
Section 5 — Layer 1 Solana Foundation (
transfer_hookimmutability; Ed25519 native precompile)Section 7 — Layer 2 Transfer Hook (the 42 controls + module-aware extensions verified by E.2, E.4, E.5, E.6)
Section 11 — Empire Stock Transfer (the per-slot Ed25519 attestation flow underlying E.1)
Section 14 — Global Unified Liquidity Pool (the LP burn mechanics underlying E.3)
Smart Contract Reference — full CVL specifications; SBF artifacts; audit reports
Risk Disclosure — disclosed residual trust assumptions and limitations of formal verification
Incident Response Playbook — operational procedures for security incidents
Architecture Decisions — full ADR registry
RWA Tokens Platform Whitepaper · Section 15 — Security Model and Formal Verification · V10.0 · Groovy Company, Inc.
Last updated
Was this helpful?