smom-dbis-138/docs/hybx-omnl/SECURITY_THREAT_MODEL.md
defiQUG f3d2961b97
feat: add hybx omnl stack and gas pmm tooling
2026-04-24 12:56:40 -07:00

HYBX OMNL — threat model and audit scope

Trust boundaries

  • On-chain policy (PolicyMath, ComplianceCore) is deterministic given inputs (S0, S1, R) from IERC20.totalSupply and ReserveCommitmentStore.
  • Economic truth of R depends on custodian attestation and operational security of signing keys — not on PMM or spot price oracles.

Threats and mitigations

| Threat | Impact | Mitigation |
| --- | --- | --- |
| Compromised RESERVE_COMMITTER key | Fake reserves | Multisig / HSM, key rotation, monitoring on ReserveCommitted |
| Compromised attestation signer set (commitReserveAttested) | Forged threshold commits | Rotate isAttestationSigner, raise attestationThreshold, monitor lineAttestationNonce |
| Compromised CCIP lane | Wrong mirror updates | allowedSourceSelectors, replay protection on messageId |
| Malicious ERC-20 (inflated totalSupply) | False compliance | Register only audited tokens; avoid rebasing tokens without adapter |
| Governance capture | Parameter / role theft | Timelock, split roles (GUARDIAN, PAUSER), multi-sig admin |
| API layer spoofing | Misleading dashboard | API reads only from published ComplianceCore addresses; publish ABIs |

  1. contracts/hybx-omnl/*.sol — policy rounding, reentrancy (minimal external calls), access control.
  2. OMNLMirrorReceiver — decoding, version monotonicity, selector allowlist.
  3. Operational: HSM usage for commitReserve, CCIP operational runbooks.
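As an added example (not the project's OMNLMirrorReceiver or any CCIP library code), a minimal Solidity receiver that applies the three mitigations named above for the CCIP lane: a source-selector allowlist, messageId replay protection, and version monotonicity. The router address, the `receiveMirror` entry point and the `(uint64 version, uint256 reserves)` payload layout are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative mirror receiver (added example; not the project's contract).
/// Assumed wire format of a mirror message: abi.encode(uint64 version, uint256 reserves).
contract MirrorReceiverExample {
    address public immutable router;                        // only this caller may deliver messages
    mapping(uint64 => bool) public allowedSourceSelectors;  // CCIP lane allowlist
    mapping(bytes32 => bool) public consumedMessageId;      // replay protection on messageId
    uint64 public lastVersion;                              // highest version accepted so far
    uint256 public mirroredReserves;

    event MirrorUpdated(uint64 version, uint256 reserves, bytes32 messageId);

    /// Allowlist is fixed at deployment here; in a real deployment changes to it
    /// would be role-gated and timelocked (see the governance row above).
    constructor(address _router, uint64[] memory selectors) {
        router = _router;
        for (uint256 i = 0; i < selectors.length; i++) {
            allowedSourceSelectors[selectors[i]] = true;
        }
    }

    /// Entry point the assumed router calls on delivery of a cross-chain message.
    function receiveMirror(bytes32 messageId, uint64 sourceSelector, bytes calldata payload) external {
        require(msg.sender == router, "not router");
        require(allowedSourceSelectors[sourceSelector], "lane not allowed");
        require(!consumedMessageId[messageId], "replayed messageId");
        consumedMessageId[messageId] = true;  // record before any state change (checks-effects)

        (uint64 version, uint256 reserves) = abi.decode(payload, (uint64, uint256));
        // Monotonicity: a stale or duplicate version must not roll the mirror backwards,
        // even if it arrives through an allowed lane with a fresh messageId.
        require(version > lastVersion, "stale version");
        lastVersion = version;
        mirroredReserves = reserves;
        emit MirrorUpdated(version, reserves, messageId);
    }
}
```

A monitor watching MirrorUpdated can alert when version gaps appear or when reserves move by more than an expected bound between consecutive versions.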

Structured checklist: EXTERNAL_AUDIT_CHECKLIST.md.

Key ceremony (outline)

  • Generate RESERVE_COMMITTER / admin keys in HSM; no plaintext long-lived prod keys in CI.
  • Document signer roster on-chain (bytes32 merkle root optional extension) for auditor parity.