You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This document defines the security framework for the agentic tokenomics system, including threat models, attack vector analysis, security invariants, and audit procedures.
attack_id: AV-001name: Attestation Fraudcategory: Economic Attackseverity: HIGHdescription: | Attacker submits false attestation with bond, hoping economic value of fraud exceeds bond amount before challenge.attack_flow:
1. Attacker creates false attestation with minimum bond2. False attestation used to claim benefits (e.g., credit issuance)3. Challenge window passes without detection4. Attacker recovers bond + fraudulent gainspreconditions:
- Challenge window too short for verification
- Bond amount too low relative to potential fraud value
- Insufficient monitoring/detection mechanismsmitigations:
- Dynamic bond sizing based on attestation value
- Mandatory challenge period scaling with attestation impact
- Agent-assisted anomaly detection
- Whistleblower incentives (% of slashed bond)detection:
- Anomalous attestation patterns
- Velocity of attestations from single address
- Correlation with on-chain benefit claimsresidual_risk: MEDIUM (with mitigations)
AV-002: Agent Key Compromise
attack_id: AV-002name: Agent Key Compromisecategory: Infrastructure Attackseverity: CRITICALdescription: | Attacker gains access to agent signing keys, enabling unauthorized transactions or governance actions.attack_flow:
1. Attacker compromises agent infrastructure (phishing, exploit, insider)2. Extracts agent private keys from memory/storage3. Signs malicious transactions using agent authority4. Executes unauthorized actions before detectionpreconditions:
- Keys stored in extractable form
- Insufficient access controls
- No transaction signing controlsmitigations:
- Hardware security modules (HSM) for key storage
- Multi-signature requirements for high-value actions
- Transaction value limits with human override
- Key rotation schedule
- Anomaly detection on agent behaviordetection:
- Unusual transaction patterns
- Geographic anomalies
- Out-of-hours activity
- Velocity checksresidual_risk: MEDIUM (with HSM + multi-sig)
AV-003: Oracle/MCP Manipulation
attack_id: AV-003name: Oracle/MCP Data Manipulationcategory: Data Integrity Attackseverity: HIGHdescription: | Attacker manipulates data provided by MCP servers to influence agent decisions or smart contract execution.attack_flow:
1. Attacker compromises MCP server or intercepts traffic2. Modifies responses to agent queries3. Agent makes decisions based on false data4. Incorrect recommendations/actions executedpreconditions:
- Single MCP server trust
- No response verification
- Weak authenticationmitigations:
- Multiple independent data sources
- Cryptographic response signatures
- Data freshness verification
- Anomaly detection on data patterns
- Consensus across multiple oraclesdetection:
- Data consistency checks
- Historical deviation alerts
- Cross-source validation failuresresidual_risk: MEDIUM (with multi-source validation)
AV-004: Governance Attack
attack_id: AV-004name: Agent-Assisted Governance Attackcategory: Governance Attackseverity: HIGHdescription: | Attacker exploits agent's proposal/recommendation authority to push malicious governance changes.attack_flow:
1. Attacker crafts proposal that appears legitimate2. Manipulates inputs to agent (KOI data, community signals)3. Agent recommends approval based on false context4. Proposal passes with agent endorsementpreconditions:
- Agent has proposal submission authority
- Insufficient human review window
- Community trusts agent recommendationsmitigations:
- Layer 2+ always requires human review window
- Confidence threshold for auto-submission
- Multiple agent consensus for proposals
- Escalation triggers for unusual proposals
- Community cooling-off periodsdetection:
- Unusual proposal characteristics
- Low community engagement
- Agent confidence anomaliesresidual_risk: LOW (with Layer 2+ controls)
AV-005: Escrow Manipulation
attack_id: AV-005name: Service Escrow Manipulationcategory: Economic Attackseverity: HIGHdescription: | Provider or client manipulates escrow to receive funds without fulfilling obligations.attack_flow:
Provider attack:
1. Provider creates agreement with vague milestones2. Claims milestone completion with insufficient evidence3. Receives funds without deliveringClient attack:
1. Client receives service2. Disputes milestone with false claims3. Recovers escrowed funds while keeping servicepreconditions:
- Vague milestone definitions
- Insufficient evidence requirements
- Weak arbitration processmitigations:
- Clear milestone criteria in contract
- Evidence IRI requirements
- Independent arbitration DAO
- Reputation system consequences
- Partial release schedulesdetection:
- Dispute frequency analysis
- Provider/client reputation patterns
- Milestone evidence verificationresidual_risk: MEDIUM (with arbitration + reputation)
AV-006: Sybil Attack on Reputation
attack_id: AV-006name: Reputation System Sybil Attackcategory: Identity Attackseverity: MEDIUMdescription: | Attacker creates multiple identities to artificially inflate reputation signals.attack_flow:
1. Attacker creates multiple addresses2. Stakes minimal amounts across addresses3. Mutual endorsement between sybil accounts4. Inflated reputation used to gain trustpreconditions:
- Low cost of identity creation
- No stake-weighted signals
- Linear reputation aggregationmitigations:
- Stake-weighted signal weights
- Quadratic aggregation
- On-chain history requirements
- Social graph analysis
- Proof of unique identity (optional)detection:
- Cluster analysis of endorsement patterns
- Account age/activity correlation
- Mutual endorsement detectionresidual_risk: LOW (with stake-weighting + graph analysis)
Security Invariants
Smart Contract Invariants
// Attestation Bond Contract Invariants/// INV-001: Bond conservation/// Total locked bonds must equal sum of all attestation bonds in locked states./// Active is the initial state (bonds lock on creation). Challenged bonds remain locked.
invariant bond_conservation{TOTAL_LOCKED == sum(attestation.bond for attestation in ATTESTATIONS where attestation.status in [Active,Challenged])// Note: If a pre-activation Bonded state is reintroduced, it must be included// in this invariant to account for bonds locked during the activation delay.}/// INV-002: State transitions are monotonic
/// Attestations can only progress forward in lifecycle
invariant state_monotonic{
forall attestation:old(attestation.status) == Active => new(attestation.status) in [Active,Challenged,Released,Slashed]
old(attestation.status) == Challenged => new(attestation.status) in [Challenged,Released,Slashed]
old(attestation.status) in [Released,Slashed] => new(attestation.status) == old(attestation.status)}/// INV-003: Challenge window respected
/// Challenges only accepted within window
invariant challenge_window{
forall challenge:
challenge.submitted_at < attestation.challenge_window_closes_at}/// INV-004: Only arbiter can resolve disputes/// Challenged attestations can only be resolved by designated arbiter
invariant arbiter_authority{
forall resolution:
resolution.status in [Released,Slashed]AND attestation.status == Challenged
=> resolution.sender == CONFIG.arbiter_dao}/// INV-005: Bond minimum enforced
/// All attestations must meet minimum bond requirement
invariant minimum_bond{
forall attestation:
attestation.bond >= CONFIG.min_bond}
// Service Escrow Contract Invariants/// INV-006: Escrow conservation/// Escrowed funds must equal sum of milestone values
invariant escrow_conservation{
agreement.escrow_amount == sum(milestone.amount for milestone in agreement.milestones where milestone.status != Completed)}/// INV-007: Milestone progression
/// Milestones must complete in order
invariant milestone_order{
forall agreement:
forall i < j:
milestones[j].status == Completed => milestones[i].status == Completed}/// INV-008: Dispute resolution authority/// Only arbiter can resolve disputes
invariant dispute_authority{
forall milestone:
milestone.status == DisputedAND new(milestone.status) in [Completed,Rejected]
=> msg.sender == agreement.arbiter
}
// Reputation Registry Invariants/// INV-009: Weight bounds/// Signal weights must be within valid range
invariant weight_bounds{
forall signal:0 <= signal.weight <= 1.0}/// INV-010: Self-endorsement prevention/// Cannot endorse own address
invariant no_self_endorsement{
forall signal:
signal.signaler != signal.subject_id(when subject_type == "address")}/// INV-011: Stake requirement/// Signalers must have minimum stake
invariant stake_requirement{
forall signal:get_staked_amount(signal.signaler) >= CONFIG.min_stake_to_signal}
Agent Behavioral Invariants
# Agent Behavioral InvariantsINV-A001:
name: Confidence threshold enforcementdescription: Agent must not auto-execute actions when confidence < thresholdcondition: decision.confidence < escalation_threshold => action.type != "execute"monitoring: Log all decisions with confidence, alert on violationsINV-A002:
name: Rate limit compliancedescription: Agent must respect MCP rate limitscondition: requests_per_minute <= configured_rate_limitmonitoring: Request counter with sliding windowINV-A003:
name: Transaction value limitsdescription: Agent cannot sign transactions exceeding value limit without multi-sigcondition: tx.value > agent_tx_limit => requires_human_cosignmonitoring: Transaction value tracking, alert on limit approachINV-A004:
name: Audit trail completenessdescription: All decisions must be logged with full contextcondition: decision => exists(audit_log_entry)monitoring: Audit log completeness checksINV-A005:
name: Escalation path availabilitydescription: Human escalation path must always be availablecondition: escalation_requested => human_notified_within_slamonitoring: Escalation latency tracking
Security Audit Checklist
Smart Contract Audit
## Pre-Audit Preparation-[ ] Code freeze complete
-[ ] Full test suite passing
-[ ] Documentation complete
-[ ] Known issues documented
## Static Analysis### Automated Tools-[ ] Slither analysis (all critical findings addressed)
-[ ] Mythril symbolic execution
-[ ] Semgrep custom rules
-[ ] Rust clippy (for CosmWasm)
-[ ] cargo-audit for dependencies
### Manual Review-[ ] Access control review
-[ ] Admin functions properly protected
-[ ] Role-based permissions correct
-[ ] Ownership transfer secure
-[ ] Economic logic review
-[ ] Bond calculations correct
-[ ] Fee calculations correct
-[ ] No integer overflow/underflow
-[ ] Rounding handled appropriately
-[ ] State management review
-[ ] State transitions valid
-[ ] No state corruption paths
-[ ] Proper initialization
-[ ] External call review
-[ ] Reentrancy protections
-[ ] Return value checks
-[ ] Gas limitations considered
## CosmWasm-Specific Checks-[ ] No unbounded iteration
-[ ] Proper use of `deps.querier`-[ ] Reply handling correct
-[ ] Submessage ordering
-[ ] Proper error types
## Test Coverage-[ ] Unit test coverage > 90%
-[ ] Integration test coverage for critical paths
-[ ] Fuzzing results reviewed
-[ ] Edge cases tested
## Documentation-[ ] All public functions documented
-[ ] State transitions documented
-[ ] Invariants documented
-[ ] Admin procedures documented
reporting:
platform: Immunefiurl: https://immunefi.com/bounty/regenrequired_info:
- Vulnerability description
- Steps to reproduce
- Impact assessment
- Suggested fix (optional)response_sla:
initial_response: 24 hourstriage: 72 hoursresolution_timeline: case-by-casedisclosure:
policy: coordinatedtimeline: 90 days after fix
Compliance Requirements
Data Protection
gdpr_compliance:
personal_data:
- Agent decision logs (may contain addresses)
- User preferences
- Escalation recordsrequirements:
- Data minimization
- Purpose limitation
- Storage limitation
- Right to access
- Right to erasure (where technically feasible)implementation:
- Pseudonymization of addresses in logs
- Retention policies (30 days for operational, 7 years for audit)
- Data export functionality
Financial Regulations
aml_considerations:
high_value_transactions:
- Escrow agreements > threshold
- Bond releases > thresholdmonitoring:
- Transaction pattern analysis
- Address screening (if required)
- Suspicious activity reportingnote: | Specific requirements depend on jurisdiction and regulatory classification. Legal review required before mainnet launch.
Economic Reboot Attack Vectors (M012-M015)
AV-007: Fee Manipulation Attack
attack_id: AV-007name: Fee Manipulationcategory: Economic Attackseverity: HIGHtarget_mechanism: M013 (Fee Routing)description: | Attacker manipulates credit reference prices to minimize fees on high-value transactions, or inflates reference prices to grief other users with excessive fees.attack_flow:
1. Attacker creates wash trades at artificially low prices to suppressthe marketplace reference price for a credit class2. Issues a large batch of credits; fee is calculated on deflated reference3. Attacker pays minimal fee on high-value issuance4. Reference price recovers; attacker has extracted valuepreconditions:
- Issuance fee uses marketplace_reference pricing (OQ-M013-2)
- Insufficient trade volume for robust median calculation
- No time-weighted average or outlier filteringmitigations:
- Time-weighted average price (TWAP) over 7 days instead of spot price
- Outlier filtering: discard trades > 3 standard deviations from median
- Minimum fee floor (1 REGEN) limits downside of price manipulation
- Rate bound safety (max 10%) limits upside of price inflation
- AGENT-003 price anomaly detection (WF-MM-01) flags wash trades
- Governance-set reference price fallback when marketplace volume is lowdetection:
- Sudden drops in reference price before large issuance events
- Address correlation between wash traders and batch issuers
- Fee revenue anomalies (WF-MM-05)residual_risk: MEDIUM (with TWAP and outlier filtering)
AV-008: Supply Oracle Manipulation
attack_id: AV-008name: Supply Oracle Manipulationcategory: Economic Attackseverity: MEDIUMtarget_mechanism: M012 (Dynamic Supply)description: | If the ecological_multiplier is sourced from an external oracle, an attacker who compromises the oracle can manipulate the regrowth rate — inflating minting or suppressing it.attack_flow:
1. Attacker compromises or bribes the ecological data oracle2. Reports favorable ΔCO₂ data to maximize ecological_multiplier3. Regrowth rate increases; excess minting dilutes existing holders4. Alternatively: reports unfavorable data to suppress minting entirelypreconditions:
- ecological_multiplier_enabled = true
- Single oracle source without redundancy
- No on-chain validation of oracle inputsmitigations:
- v0 deployment: ecological_multiplier disabled (hardcoded 1.0)
- Multi-oracle aggregation with outlier rejection (when enabled)
- Bounded ecological_multiplier: floor at 0, practical ceiling around 1.5
- On-chain verification against M008 attestation data where possible
- Governance can disable ecological_multiplier via parameter change
- Parameter bound safety: regrowth rate capped at 10% regardlessdetection:
- AGENT-003 supply monitoring (WF-MM-06) tracks multiplier values
- Anomalous regrowth rate changes without corresponding on-chain activity
- Discrepancy between oracle data and M008 attestation trendsresidual_risk: LOW (v0 disabled; MEDIUM when oracle is activated)
AV-009: PoA Governance Capture
attack_id: AV-009name: Authority Validator Governance Capturecategory: Governance Attackseverity: CRITICALtarget_mechanism: M014 (Authority Validator Governance)description: | A coordinated group gains control of a majority of the authority validator set (>10 of 21) through the application process, enabling them to control block production and governance votes.attack_flow:
1. Attacker creates multiple organizations that qualify across categories2. Organizations apply as authority validators, presenting legitimate credentials3. Over 2-3 term cycles, attacker accumulates sufficient validators4. Coordinated validators control 2/3+ of consensus5. Validators can censor transactions, pass favorable governance proposals,or redirect fee revenuepreconditions:
- Composition requirements insufficient to prevent capture
- Application vetting does not detect coordinated ownership
- No beneficial ownership disclosure requirementsmitigations:
- Composition guarantee: min 5 per category prevents single-category capture
- Term limits (12 months) with re-application requirement
- AGENT-004 monitors validator set for behavioral correlation
- Validator governance (Layer 3) requires broad community approval, notself-approval by existing validators (Security Invariant 3)
- Dual-track voting: even with validator capture, token holder track (40%)can veto malicious proposals
- Constitutional changes (Layer 4) require 67% supermajority includingtoken holders, making fundamental changes harder to ram through
- KYC/beneficial ownership requirements for validator applicantsdetection:
- Correlation analysis: voting patterns, commission behavior, geographic co-location
- AGENT-004 flags validators with correlated downtime or voting patterns
- Community governance participation monitoringresidual_risk: MEDIUM (with composition requirements + dual-track voting)
AV-010: Reward Gaming / Wash Trading
attack_id: AV-010name: Activity Reward Gamingcategory: Economic Attackseverity: HIGHtarget_mechanism: M015 (Contribution-Weighted Rewards)description: | Attacker generates artificial on-chain activity (purchases, retirements) to inflate their activity score and claim disproportionate rewards.attack_flow:
1. Attacker creates credits through a controlled class/project2. Lists credits at market price, buys from self (wash trade)3. Retires credits (generating both purchase and retirement activity)4. Accumulates high activity score5. Claims large share of activity pool rewardspreconditions:
- Rewards exceed M013 fees paid on wash transactions
- No effective Sybil detection
- Circular activity not penalizedmitigations:
- M013 fees extract real value on every transaction: issuance 2%,trade 1%, retirement 0.5% — creating structural friction
- Minimum activity value threshold filters micro-transactions
- No double-counting: buyer gets purchase credit, retiree gets retirementcredit — same address cannot claim both on the same transaction unlessthey are actually performing both roles
- Activity weights ensure no single activity type dominates
- AGENT-003 (WF-VM-05) monitors for wash trading patterns
- Proposal anti-gaming: zero reward weight for proposals not reaching quorum
- Address correlation analysis: flag addresses with circular flow patterns
- Revenue constraint: rewards pool is capped by actual fee revenue,limiting the total available to gamedetection:
- Circular flow analysis: credits issued → bought → retired by same/related addresses
- Fee-to-reward ratio monitoring per address
- Statistical outlier detection on activity scores
- AGENT-003 wash trading alertsresidual_risk: MEDIUM (M013 fees make profitable wash trading structurally difficult)
AV-011: Validator Fund Drain
attack_id: AV-011name: Validator Fund Draincategory: Economic Attackseverity: HIGHtarget_mechanism: M014 Compensation + M013 Fee Routingdescription: | A compromised or colluding validator set manipulates performance metrics to maximize their bonus pool allocation, or approves additional validators to dilute competitors' compensation while directing governance-controlled funds to accomplices.attack_flow:
1. Colluding validators game AGENT-004 performance metrics2. Inflate ecosystem_contribution_score through fake KOI artifacts3. Submit governance proposal to increase performance_bonus_share4. Colluding set captures majority of performance bonus poolpreconditions:
- Performance bonus enabled (performance_bonus_share_bps > 0)
- AGENT-004 ecosystem contribution scoring is gameable
- Insufficient governance oversight of parameter changesmitigations:
- Compensation cap: total payout ≤ validator fund balance (no inflation)
- Performance bonus is only 10% of total fund (default)
- Uptime score (40% of composite) uses on-chain signing data, ungameable
- Governance participation (30%) uses on-chain vote records, ungameable
- Ecosystem contribution (30%) is the only subjective metric — AGENT-004uses KOI search which is auditable
- Parameter changes to performance_bonus_share_bps require Layer 2governance with human oversight window
- Equal base compensation ensures all validators receive fair sharedetection:
- Abnormal performance score distributions
- AGENT-004 ecosystem scores that diverge from observable contributions
- Governance proposals to increase bonus share flagged for reviewresidual_risk: LOW (2/3 of composite score uses ungameable on-chain data)
Economic Reboot Security Invariants
Fee Router (M013) Invariants
m013_invariants:
FEE_CONSERVATION:
description: "fee_collected = burn + validator + community + agent_infra for every transaction"verification: "Sum pool distributions after each CollectFee call"severity: CRITICALSHARE_SUM_UNITY:
description: "burn_share + validator_share + community_share + agent_infra_share = 10000"verification: "Enforced on write in SetDistributionShares"severity: CRITICALRATE_BOUND_SAFETY:
description: "All fee rates <= max_fee_rate_bps (default 10%)"verification: "Checked in CollectFee before calculation"severity: HIGHPOOL_ISOLATION:
description: "No pool can draw from another without governance proposal"verification: "Each pool is a separate module account"severity: HIGH
Supply Module (M012) Invariants
m012_invariants:
CAP_INVIOLABILITY:
description: "current_supply <= hard_cap at all times"verification: "Cosmos SDK invariant checker runs every block"severity: CRITICALNON_NEGATIVE_SUPPLY:
description: "current_supply >= 0"verification: "Checked after every mint/burn cycle"severity: CRITICALMONOTONIC_CAP:
description: "hard_cap changeable only via Layer 4 governance (67% supermajority)"verification: "MsgUpdateSupplyParams rejects hard_cap changes from non-Layer-4 authority"severity: CRITICALMINT_BURN_INDEPENDENCE:
description: "Minting and burning computed independently"verification: "No conditional dependency between mint and burn calculations"severity: HIGHPARAMETER_BOUND_SAFETY:
description: "base_regrowth_rate in [0, 1000] (0-10%)"verification: "Enforced on write in SetSupplyParams"severity: HIGH
Authority Module (M014) Invariants
m014_invariants:
COMPOSITION_GUARANTEE:
description: "Active set maintains min per category at all times"verification: "RemoveValidator blocked if would violate; EndBlocker checks"severity: CRITICALBYZANTINE_TOLERANCE:
description: "active_validators > 3f + 1"verification: "Minimum validator count enforced"severity: CRITICALNO_SELF_APPROVAL:
description: "Existing validators cannot unilaterally approve new validators"verification: "ApproveValidator requires governance module authority"severity: HIGHCOMPENSATION_CAP:
description: "Total compensation <= validator fund balance"verification: "DistributeCompensation checks fund balance before distribution"severity: HIGH
Rewards Module (M015) Invariants
m015_invariants:
REVENUE_CONSTRAINT:
description: "Total distributions per period <= Community Pool inflow"verification: "DistributeRewards caps total at inflow amount"severity: CRITICALSTABILITY_CAP:
description: "Stability allocation <= max_stability_share_bps of inflow"verification: "sdk.MinInt applied in DistributeRewards"severity: HIGHACTIVITY_INTEGRITY:
description: "Scores derived only from on-chain transactions"verification: "RecordActivity callable only by module hooks, not user messages"severity: HIGHNO_DOUBLE_COUNTING:
description: "Each transaction counted once per participant"verification: "Hook-based recording with tx_hash deduplication"severity: HIGHWEIGHT_SUM_UNITY:
description: "Activity weights sum to 10000"verification: "Enforced on write in SetRewardParams"severity: MEDIUM
Updated Bug Bounty Scope
economic_reboot_bounty_scope:
critical:
reward: "$75,000 - $150,000"examples:
- Supply cap violation (minting above hard_cap)
- Fee conservation failure (fees lost or created)
- Unauthorized validator set manipulation
- Revenue constraint bypass (distributing more than inflow)high:
reward: "$25,000 - $75,000"examples:
- Fee rate bound bypass (exceeding max_fee_rate_bps)
- Composition guarantee violation
- Activity score manipulation via direct MsgRecordActivity
- Stability tier fund loss on early exitmedium:
reward: "$5,000 - $25,000"examples:
- Rounding errors leading to accumulated pool imbalance
- Denial of service on EndBlocker mint/burn execution
- Performance score gaming through KOI artifacts
- Reference price manipulation affecting fee calculationlow:
reward: "$1,000 - $5,000"examples:
- Informational discrepancies in event emissions
- Edge cases in phase transition timing
- Non-critical parameter validation gaps