Security Philosophy

Gasyard’s security model is designed around defense in depth—multiple independent layers that each provide protection, so no single failure can compromise the system.
Core principle: No single compromised component can affect the entire system or other participants.

Security Layers

LayerComponents
Layer 1: On-ChainNon-upgradeable Gateway · Role-based Access · Token Whitelist · Replay Protection
Layer 2: ExecutionIsolated Pools · Spend Limits · Rate Limiting · Watcher Verification
Layer 3: EconomicSettlement Credits · Fraud Resistance · Auto Refunds · No User Fund Exposure
Layer 4: OperationalMonitoring · Emergency Pause · Incident Response

On-Chain Security

Gateway Contract

FeaturePurpose
Non-UpgradeableTrust established at deployment
Role-Based AccessOnly authorized addresses
Token WhitelistPre-approved tokens only
Replay ProtectionOrder IDs execute once
Expiry EnforcementTime-bounded execution

Non-Upgradeable

Core contract cannot be modified after deployment—trust is established at deployment time

Role-Based Access

Functions are restricted to authorized addresses only

Token Whitelisting

Only pre-approved tokens can be bridged

Replay Protection

Order IDs can only be executed once

Rate Limiting

Critical operations are rate-limited to prevent abuse:
OperationLimit
RebalancingRate-limited calls
Large transactionsPer-tx and daily caps
New token additionsAdmin-only

Execution Security

Solver Isolation

SolverETH PoolARB PoolBASE Pool
Solver A100K75K50K
Solver B200K150K100K
If Solver A Compromised:
  • Only Solver A funds at risk
  • Solver B completely unaffected
  • System continues operating normally
Each solver operates independently:
  • Solver A compromised? → Only Solver A’s funds at risk
  • Solver B, C, D? → Completely unaffected
  • System? → Continues operating normally

Spend Controls

SolverPools enforce spending limits. Each transaction must pass all checks:
CheckIf Exceeded
Per-TX LimitRejected
Hourly LimitRejected
Daily LimitRejected
  • Per-transaction limits — Cap single execution size
  • Hourly limits — Prevent rapid draining
  • Daily limits — Overall exposure cap

Watcher Verification

Before settlement credits are issued, watchers verify:
CheckPurpose
Output amount ≥ minimumEnsure user got what was promised
Correct recipientFunds went to the right address
Not expiredExecution within validity window
Not already executedPrevent double-claiming
No fraud indicatorsDetect manipulation attempts

Economic Security

Settlement Credit Model

Key benefit: Solvers never have custody of user funds.

Automatic Refunds

1

Intent Expires

No valid execution before expiry timestamp
2

RefundPool Triggers

System detects unfulfilled intent
3

User Refunded

Funds returned automatically—no user action required

Operational Security

Monitoring

Multi-layer monitoring detects anomalies:
  • Transaction monitoring — Unusual patterns trigger alerts
  • Liquidity monitoring — Pool imbalances flagged
  • Cross-chain verification — State consistency checks
  • Fraud detection — Malicious behavior identification

Emergency Controls

In case of detected threats:
ControlAction
PauseHalt new intents temporarily
Solver removalRemove compromised solver from network
Token blacklistBlock specific tokens
Rate reductionLower limits during investigation

Threat Model

What We Protect Against

ThreatMitigation
Solver compromiseIsolated pools, spend limits
Double executionUnique order IDs, finality tracking
Malicious executionWatcher verification before settlement
Stuck fundsAutomatic refunds via RefundPool
Contract exploitationNon-upgradeable, audited contracts
Replay attacksOn-chain replay protection

Assumptions

The security model assumes:
  • At least one honest watcher node
  • Gateway contract integrity (non-upgradeable)
  • User verifies transaction parameters before signing

Audits

All core contracts have been audited. Audit reports available upon request.
For security inquiries or to report vulnerabilities, contact hi@gasyard.fi.