Security Model

Security Architecture Overview

Aqua's security model is designed around the hybrid architecture principle, where security responsibilities are distributed between off-chain and on-chain components. The model ensures that while off-chain components provide performance and flexibility, on-chain components maintain trustlessness and security guarantees.

Trust Boundaries

Off-Chain Trust Requirements

Limited Trust Scope: Users must trust the off-chain backend for quote aggregation and price discovery, but this trust is bounded by cryptographic verification mechanisms.

Trust Limitations:

  • Backend cannot execute trades without valid signatures

  • Backend cannot modify quote data after signing

  • Backend cannot access user funds or tokens

  • Backend downtime does not affect existing on-chain assets

Trust Verification:

  • All quotes are cryptographically signed using EIP-712

  • Signature verification prevents quote manipulation

  • Time-bounded quotes limit exposure to stale data

  • Multiple backend implementations possible for redundancy

On-Chain Trustless Guarantees

Cryptographic Security: All critical operations are verified on-chain using mathematical proofs rather than trust assumptions.

Trustless Properties:

  • Quote authenticity verified through EIP-712 signatures

  • Registry operations governed by role-based access controls

  • Trade execution enforced by smart contract logic

  • Asset custody remains with users throughout the process

EIP-712 Signature Security

Quote Integrity Protection

Signature Generation Process: The off-chain backend generates structured signatures that bind specific quote parameters to prevent tampering.

Protected Quote Elements:

  • Token symbol and amount

  • Price and expiration timestamp

  • Issuer identity and nonce

  • User address and trade direction

Signature Verification: On-chain verification ensures that quotes haven't been modified between generation and execution.

Security Properties:

  • Non-repudiation: Backend cannot deny signing valid quotes

  • Integrity: Any modification of quote data invalidates the signature

  • Authenticity: Only authorized backend can generate valid signatures

  • Replay protection: Nonce system prevents quote reuse
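The on-chain side of this section, as an added example that is not Aqua's contract code: a verifier that rebuilds the EIP-712 digest over the protected quote elements, then enforces expiry, user binding, single-use nonces and the authorized signer. The `Quote` layout, field names, domain name and the single `quoteSigner` key are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Aqua's Manager Contract. Struct layout, names and
// the single-signer assumption are hypothetical.
contract QuoteVerifierExample {
    struct Quote {
        string symbol; uint256 amount;   // token symbol and amount
        uint256 price; uint256 expiry;   // price and expiration timestamp
        address issuer; uint256 nonce;   // issuer identity and nonce
        address user; bool isBuy;        // user address and trade direction
    }

    bytes32 private constant QUOTE_TYPEHASH = keccak256(
        "Quote(string symbol,uint256 amount,uint256 price,uint256 expiry,address issuer,uint256 nonce,address user,bool isBuy)"
    );
    // secp256k1 group order / 2: signatures with a larger s are malleable twins.
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    bytes32 public immutable DOMAIN_SEPARATOR;   // binds chain id and this contract
    address public immutable quoteSigner;        // assumed: one authorized backend key
    mapping(uint256 => bool) public usedNonce;

    constructor(address signer) {
        quoteSigner = signer;
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("QuoteVerifierExample"), keccak256("1"), block.chainid, address(this)
        ));
    }

    // EIP-712 digest: every protected field feeds the hash, so changing one changes the digest.
    function digestOf(Quote calldata q) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(
            QUOTE_TYPEHASH, keccak256(bytes(q.symbol)), q.amount, q.price,
            q.expiry, q.issuer, q.nonce, q.user, q.isBuy
        ));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    function consume(Quote calldata q, uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= q.expiry, "quote expired");
        require(msg.sender == q.user, "quote bound to another user");
        require(!usedNonce[q.nonce], "nonce already used");
        require(uint256(s) <= HALF_N, "malleable signature");
        address recovered = ecrecover(digestOf(q), v, r, s);
        require(recovered != address(0) && recovered == quoteSigner, "bad signature");
        usedNonce[q.nonce] = true;   // consumed before any trade logic would run
    }
}
```

Because the domain separator includes the chain id and the verifying contract's address, a quote signed for one deployment does not verify on another.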

Key Management Security

Backend Key Security: The off-chain backend's signing keys are the critical security component for quote generation.

Key Protection Measures:

  • Hardware Security Module (HSM) integration for key storage

  • Multi-signature schemes for key backup and recovery

  • Regular key rotation procedures

  • Segregated key access controls

Operational Security:

  • Keys never exposed in application memory

  • Signing operations performed in secure enclaves

  • Comprehensive audit logging of all signing operations

  • Emergency key revocation procedures

Registry Security Model

Token Registry Protection

Registration Authority: Only authorized issuers can register tokens, preventing unauthorized or malicious token listings.

Access Control Mechanisms:

  • Role-based permissions for token registration

  • Multi-signature requirements for critical operations

  • Time-locked administrative changes

  • Emergency pause mechanisms

Registry Integrity:

  • Immutable token-to-issuer mappings once established

  • Transparent on-chain record of all registrations

  • Community-verifiable registry state

  • Protection against registry poisoning attacks

Executor Registry Security

System-Level Controls: Executor registration is restricted to system administrators to maintain security standards.

Security Validations:

  • Code review requirements for new executors

  • Formal verification of executor logic where possible

  • Compatibility testing with issuer protocols

  • Security audit requirements for complex executors

Executor Isolation:

  • Each executor handles only its designated issuer

  • Failure isolation prevents cascading security issues

  • Upgradeable executor implementations for security patches

  • Emergency executor disabling capabilities

Smart Contract Security

Manager Contract Protection

Entry Point Security: As the primary entry point, the Manager Contract implements multiple security layers.

Security Mechanisms:

  • Signature verification before any trade processing

  • Quote expiration checks to prevent stale price exploitation

  • Registry validation to ensure legitimate trading pairs

  • Reentrancy protection for all external calls

Access Controls:

  • Only verified quotes can trigger trade execution

  • Registry modifications require appropriate permissions

  • Emergency pause functionality for critical situations

  • Upgradeable contract design with timelock governance

Executor Contract Security

Isolation Principle: Each executor contract operates independently, limiting the blast radius of potential vulnerabilities.

Security Design:

  • Minimal trust assumptions about issuer protocols

  • Input validation for all trade parameters

  • Safe external call patterns to prevent reentrancy

  • Comprehensive error handling and failure recovery

Integration Security:

  • Standardized interface reduces integration risks

  • Whitelisting of authorized token contracts

  • Protection against malicious issuer behavior

  • Circuit breakers for unusual trading patterns

Economic Security

Quote Manipulation Protection

Time-Bounded Quotes: Short quote expiration times limit the window for potential manipulation attacks.

Economic Incentives:

  • Backend reputation tied to quote quality and reliability

  • Economic penalties for providing poor quotes

  • Market-driven selection of optimal pricing

  • Transparency in quote generation process

MEV (Maximal Extractable Value) Considerations

Front-Running Protection: The quote-based model provides some protection against traditional MEV attacks.

MEV Mitigation:

  • Pre-signed quotes reduce on-chain price discovery

  • Time-bounded execution windows limit sandwich attacks

  • Batch execution capabilities for multiple trades

  • Integration with MEV protection services where appropriate

Operational Security

Infrastructure Security

Backend Infrastructure: Comprehensive security measures protect the off-chain infrastructure.

Security Measures:

  • Multi-region deployment for availability

  • DDoS protection and rate limiting

  • Encrypted communication with all external services

  • Regular security audits and penetration testing

Monitoring and Alerting:

  • Real-time monitoring of all system components

  • Automated alerting for suspicious activities

  • Comprehensive logging for security analysis

  • Incident response procedures and escalation paths

Upgrade Security

Safe Upgrade Procedures: Both off-chain and on-chain components support secure upgrade mechanisms.

Upgrade Controls:

  • Timelock governance for contract upgrades

  • Multi-signature requirements for critical changes

  • Gradual rollout procedures for backend updates

  • Rollback capabilities for emergency situations

Risk Management

Systemic Risk Mitigation

Component Isolation: Failure in one component should not compromise the entire system.

Risk Controls:

  • Independent operation of each issuer integration

  • Circuit breakers for unusual market conditions

  • Position limits and exposure controls

  • Emergency shutdown procedures

Compliance and Regulatory Considerations

Regulatory Alignment: The security model is designed to support compliance with evolving regulatory requirements.

Compliance Features:

  • Comprehensive audit trails for all transactions

  • Identity verification integration capabilities

  • Transaction monitoring and reporting tools

  • Jurisdiction-specific compliance modules

Security Monitoring

Real-Time Threat Detection

Automated Monitoring: Continuous monitoring of system behavior to detect potential security threats.

Detection Capabilities:

  • Unusual trading pattern identification

  • Quote manipulation detection

  • System performance anomaly alerts

  • Integration with threat intelligence feeds

Incident Response

Response Procedures: Comprehensive incident response plan for various security scenarios.

Response Capabilities:

  • Rapid threat containment procedures

  • Emergency system shutdown mechanisms

  • Coordinated response with affected issuers

  • Post-incident analysis and improvement processes

Security Assumptions

Explicit Trust Requirements

Off-Chain Dependencies: Clear definition of what users must trust in the system.

Trust Assumptions:

  • Backend operators act in good faith for quote generation

  • Infrastructure providers maintain system availability

  • Key management systems remain secure

  • Regulatory environment remains stable

Security Guarantees

Cryptographic Guarantees: Mathematical certainties provided by the security model.

Guaranteed Properties:

  • Quote authenticity through signature verification

  • Trade atomicity through smart contract execution

  • Registry integrity through on-chain storage

  • User asset custody through non-custodial design

This security model provides a robust foundation for tokenized asset trading while maintaining the flexibility and performance benefits of the hybrid architecture approach.
