Threat model
This page covers v0 only — the testnet prototype. The v1 threat model replaces this page when v1 ships.
v0 trust assumptions
| Component | Trust level | Notes |
|---|---|---|
| Publisher key | Single self-operated Ed25519 key | Compromise = full oracle compromise |
| Admin key | Single self-operated Stellar account | Owns init and set_publishers |
| Attestation service | Single self-operated instance (Fly.io, fra region) | Single point of liveness failure |
| Audit status | Not independently audited | Internal review + cost-isolated benchmark suite |
caution
v0 is for hackathon prototypes and integration testing — not for production capital.
What v0 protects against
| Threat | Mechanism |
|---|---|
| Replay of stale signed prices | 60-second staleness window enforced in the contract |
| Overwriting fresh state with a stale round | Monotonic round_id per asset; lagging rounds are silent no-ops |
| Unknown signer | Contract checks pubkey against the registered publisher set |
| Cross-asset signature reuse | Asset tag is the first 8 bytes of the signed message |
| Soroban host upgrade breaking signature semantics | Committed snapshot tests surface host-cost regressions in diffs |
| Lagging attestation service | SDK rejects fetched attestations older than 2 seconds (StalePriceError) |
What v0 does not protect against (and the v1+ plan)
| Threat | Status in v0 | Mitigation in v1+ |
|---|---|---|
| Single publisher key compromise | Open | 3-of-5 Ed25519 threshold publisher set |
| Single admin key compromise | Open | 3-of-5 admin multi-sig distinct from publisher set |
| Single attestation service outage | Open | Geo-replicated service |
| Price manipulation on thin assets | Open by policy | Asset Inclusion Policy: only assets trading on ≥3 reference CEXs with sufficient depth |
| Absence of independent audit | Open | Engagement with Trail of Bits / OtterSec / Veridise-class firm before mainnet |
| MEV / front-running of pull updates | Partially open | Consumer slippage bounds and deterministic ordering documented in integration patterns |
| Manipulation-resistant valuation for lending | Open | Signed-TWAP attestation type (v2) |
Failure modes
| Failure | Consequence | Detection |
|---|---|---|
| Attestation service down | fetchLatest throws | https://api.noeracle.org/health reports HTTP 503 when not signing |
| Exchange returns bad data | Outlier sample | Service rejects samples beyond 3σ and beyond a 5-second staleness budget |
| Stellar network congestion | Tx may not land within freshness window | SDK retries with fresher attestation; contract rejects with StalePrice if exceeded |
| Replay of an older signed message | Stored entry overwritten with stale price | Blocked by 60-second staleness window and monotonic round_id |
Reporting issues
Email security@noeracle.org. A formal disclosure policy and bug bounty pool ship with v1.
See also
- Architecture — replay protection mechanics, freshness layers, signature scheme rationale
- Roadmap — what arrives in v1, v2, v3