Security
GNDX Protocol's security model is designed around the principle that code is law — the smart contracts are the final arbiter, not governance, not the team, not legal agreements.
Audit Status
Independent third-party audits will be commissioned and completed before any production deployment on Arbitrum One. Scope covers all 19 implementation contracts. Audit firms, reports, and remediation summaries will be published on the Security page as engagements are confirmed.
Access Control Matrix
Every privileged action in the protocol is restricted to a specific role. The deployer EOA renounces all admin roles at the end of the deployment script.
| Contract | Role | Holder | Capability |
|---|---|---|---|
| IndexVault | MINTER_ROLE | MintEngine | depositBasket() |
| IndexVault | REDEEMER_ROLE | RedeemEngine | withdrawBasket() |
| IndexVault | REBALANCER_ROLE | RebalanceController | updateWeight() |
| IndexVault | GUARDIAN_ROLE | GuardianMultisig | pause() ONLY |
| IndexVault | UPGRADER_ROLE | Timelock | _authorizeUpgrade() |
| IndexVault | DEFAULT_ADMIN_ROLE | Timelock | addToken(), removeToken() |
| GNDXToken | MINTER_ROLE | MintEngine | mint() |
| GNDXToken | BURNER_ROLE | RedeemEngine | burn() |
| GAMEToken | (no MINTER_ROLE) | — | Fixed supply — no minting |
| VeGAME | FEE_DEPOSITOR_ROLE | FeeCollector | depositFees() |
| FeeCollector | GOVERNANCE_ROLE | Timelock | parameter changes |
| Timelock | PROPOSER_ROLE | GNDXGovernor | schedule() |
| Timelock | EXECUTOR_ROLE | GNDXGovernor | execute() |
The Guardian Multisig
The Guardian Multisig is a 5-of-8 threshold wallet. It has exactly one power: pause the protocol for up to 72 hours.
Signer composition:
- 3 founding team members
- 2 independent security researchers
- 2 community-elected representatives (elected by $GAME governance)
- 1 legal/compliance advisor
The Guardian CANNOT:
- Move funds
- Change parameters
- Execute upgrades
- Extend the pause
- Override governance decisions
After 72 hours, the pause automatically expires regardless of Guardian action. The protocol resumes. This prevents the multisig from ever becoming a permanent backdoor.
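The following contract illustrates how a pause with a hard 72-hour auto-expiry can be enforced in code. It is an added example, not GNDX Protocol's IndexVault; the minimal inline role registry (standing in for a full AccessControl implementation), the `pausedUntil` storage layout and the `depositBasket()` stub are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative time-bounded guardian pause (example code, not GNDX Protocol's own).
contract TimeBoundedPausable {
    uint256 public constant GUARDIAN_PAUSE_MAX_HOURS = 72;

    // Minimal role registry; a real deployment would use an AccessControl
    // implementation, but the check it performs is the same (assumption).
    bytes32 public constant GUARDIAN_ROLE = keccak256("GUARDIAN_ROLE");
    mapping(bytes32 => mapping(address => bool)) private _roles;

    // Timestamp at which the current pause expires; 0 means never paused.
    uint256 public pausedUntil;

    event Paused(address indexed guardian, uint256 until);

    error Unauthorized(bytes32 role, address account);
    error AlreadyPaused(uint256 until);
    error ProtocolPaused(uint256 until);

    constructor(address guardianMultisig) {
        _roles[GUARDIAN_ROLE][guardianMultisig] = true;
    }

    modifier onlyRole(bytes32 role) {
        if (!_roles[role][msg.sender]) revert Unauthorized(role, msg.sender);
        _;
    }

    // Expiry is derived from block.timestamp on every read, so the pause ends
    // by itself: there is no "unpause" anyone has to call, or could withhold.
    function isPaused() public view returns (bool) {
        return block.timestamp < pausedUntil;
    }

    modifier whenNotPaused() {
        if (isPaused()) revert ProtocolPaused(pausedUntil);
        _;
    }

    // The guardian's only capability. Reverts while a pause is active, so a
    // repeated call cannot push the deadline out: one call, one 72-hour window.
    function pause() external onlyRole(GUARDIAN_ROLE) {
        if (isPaused()) revert AlreadyPaused(pausedUntil);
        pausedUntil = block.timestamp + GUARDIAN_PAUSE_MAX_HOURS * 1 hours;
        emit Paused(msg.sender, pausedUntil);
    }

    // Deliberately absent: unpause(), extendPause(), setPausedUntil(). No
    // function exists through which the deadline can be lengthened or shortened.

    // Stand-in for a guarded state-changing path such as a vault deposit (assumption).
    uint256 public depositCount;

    function depositBasket() external whenNotPaused {
        depositCount += 1;
    }
}
```

Two design points worth checking in any audit of such a mechanism: `isPaused()` must be a pure function of `block.timestamp` and stored state (no flag that a later call has to clear), and `pause()` must revert while a window is open rather than overwrite `pausedUntil`. This example does not add a cooldown between consecutive pauses, since the page does not describe one.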
Upgrade Path
All UUPS upgradeable contracts require:
- A governance proposal passing with 66% supermajority
- A 7-day timelock (enforced at Timelock.schedule() time — the timelock contract itself rejects shorter delays for upgrades)
- During the timelock: any holder can observe the pending upgrade and withdraw funds if desired
- After 7 days: anyone can call execute() to apply the upgrade
The Guardian Multisig cannot execute upgrades — only the Timelock (after a governance vote) can authorize _authorizeUpgrade().
Hardcoded Immutables
These values cannot be changed by any governance vote, admin action, or upgrade:
| Constant | Value | Enforcement |
|---|---|---|
| MAX_SINGLE_TOKEN_WEIGHT_BPS | 1000 (10%) | IndexVault — public constant |
| MAX_MINT_FEE_BPS | 25 (0.25%) | MintEngine — Governor reverts if exceeded |
| MAX_REDEEM_FEE_BPS | 50 (0.50%) | RedeemEngine — Governor reverts if exceeded |
| MAX_STREAMING_FEE_BPS | 150 (1.50%) | FeeCollector — Governor reverts if exceeded |
| GUARDIAN_PAUSE_MAX_HOURS | 72 | IndexVault — auto-expiry enforced in code |
| GAME_TOTAL_SUPPLY | 200,000,000 | GAMEToken — no mint function exists |
| GUARDIAN_THRESHOLD | 5-of-8 | GuardianMultisig — non-upgradeable |
| TWAP_WINDOW_SECONDS | 1200 (20 min) | NAVOracle — pure constant |
| STALE_THRESHOLD_SECONDS | 3600 | NAVOracle — pure constant |
| CIRCUIT_BREAKER_BPS | 3000 (30%) | NAVOracle — hardcoded |
| VELOCITY_ALERT_BPS | 700 (7%) | NAVOracle — hardcoded |
| CRISIS_FEE_AUTO_EXPIRY | 14400 (4 hrs) | IndexVault — hardcoded |
Reentrancy Protection
Every external and public state-changing function across all contracts uses the nonReentrant modifier. No exceptions.
Parameter Bounds at Execution
When a governance proposal attempts to execute, GNDXGovernor._executeOperations() checks parameter bounds before executing any calldata:
- setStreamingFeeBps(x): reverts if x < 25 or x > 150
- updateWeight(token, x): reverts if x > 1000
A proposal that passes 100-0 but violates these bounds will still revert at execution. The smart contract is the final arbiter.
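The contract below shows one way to perform that bounds check on raw proposal calldata before any of it is executed. It is an added example, not GNDXGovernor's code: the argument types in the function signatures `setStreamingFeeBps(uint256)` and `updateWeight(address,uint256)`, the batch layout and the names are assumptions; the numeric bounds are the ones stated above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative execution-time bounds check (example code, not GNDX Protocol's own).
contract BoundedExecutor {
    uint256 public constant MIN_STREAMING_FEE_BPS = 25;
    uint256 public constant MAX_STREAMING_FEE_BPS = 150;
    uint256 public constant MAX_SINGLE_TOKEN_WEIGHT_BPS = 1000;

    // Selectors of the guarded setters; the parameter types are assumed.
    bytes4 private constant SEL_SET_STREAMING_FEE =
        bytes4(keccak256("setStreamingFeeBps(uint256)"));
    bytes4 private constant SEL_UPDATE_WEIGHT =
        bytes4(keccak256("updateWeight(address,uint256)"));

    error StreamingFeeOutOfBounds(uint256 bps);
    error WeightOutOfBounds(address token, uint256 bps);
    error LengthMismatch();
    error CallFailed(uint256 index, bytes reason);

    // Pure check over one encoded call. Public and pure so off-chain tooling
    // can simulate a proposal's payload before it is ever submitted.
    function checkBounds(bytes calldata data) public pure {
        if (data.length < 4) return; // plain value transfer or empty call
        bytes4 selector = bytes4(data[:4]);
        if (selector == SEL_SET_STREAMING_FEE) {
            uint256 x = abi.decode(data[4:], (uint256));
            if (x < MIN_STREAMING_FEE_BPS || x > MAX_STREAMING_FEE_BPS) {
                revert StreamingFeeOutOfBounds(x);
            }
        } else if (selector == SEL_UPDATE_WEIGHT) {
            (address token, uint256 x) = abi.decode(data[4:], (address, uint256));
            if (x > MAX_SINGLE_TOKEN_WEIGHT_BPS) revert WeightOutOfBounds(token, x);
        }
        // Other selectors are not bounds-checked here; their targets enforce
        // their own limits (e.g. the fee caps in the Hardcoded Immutables table).
    }

    // Would be reached only from the governor's execute path after a passed
    // vote (assumption). Every call is checked before the first one runs, so a
    // batch containing a single out-of-bounds operation changes nothing at all.
    function _executeOperations(address[] calldata targets, bytes[] calldata calldatas) internal {
        if (targets.length != calldatas.length) revert LengthMismatch();
        for (uint256 i = 0; i < calldatas.length; i++) {
            checkBounds(calldatas[i]);
        }
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, bytes memory ret) = targets[i].call(calldatas[i]);
            if (!ok) revert CallFailed(i, ret);
        }
    }
}
```

The check is done in a separate pass before the execution loop rather than inline, so that a proposal is rejected atomically: a vote that passed 100-0 cannot have its first operation land and its third revert.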
ChecklistVerify.s.sol
Before mainnet deployment, ChecklistVerify.s.sol executes 30+ invariant checks on the deployed contracts, including:
- All roles correctly assigned and no extras
- Deployer EOA has renounced all admin roles
- Weight cap immutable constant returns 1000
- GAMEToken has no mint function reachable
- Guardian can only call pause()
- Timelock delay for upgrades is ≥ 7 days
Only after all checks pass is the deployment considered production-ready.
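As an added example of what such invariant checks look like when expressed as on-chain view calls, the contract below verifies a subset of the list above. It is not ChecklistVerify.s.sol and not GNDX Protocol code; the interfaces (an OpenZeppelin-style `hasRole()`, a `getMinDelay()` on the Timelock, a public `MAX_SINGLE_TOKEN_WEIGHT_BPS()` getter on the vault) and the role name hashes are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative post-deployment invariant checker (example code, not GNDX Protocol's own).

// Assumed interfaces of the deployed contracts.
interface IAccessControl {
    function hasRole(bytes32 role, address account) external view returns (bool);
}

interface IIndexVault is IAccessControl {
    function MAX_SINGLE_TOKEN_WEIGHT_BPS() external view returns (uint256);
}

interface ITimelock {
    function getMinDelay() external view returns (uint256);
}

contract DeploymentChecklist {
    // Role identifiers follow the usual keccak256("NAME") convention (assumption).
    bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant REDEEMER_ROLE = keccak256("REDEEMER_ROLE");
    bytes32 public constant REBALANCER_ROLE = keccak256("REBALANCER_ROLE");
    bytes32 public constant GUARDIAN_ROLE = keccak256("GUARDIAN_ROLE");
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    error CheckFailed(string what);

    function _require(bool ok, string memory what) private pure {
        if (!ok) revert CheckFailed(what);
    }

    // Reverts on the first failing invariant; returns true only if all pass.
    function verify(
        IIndexVault vault,
        ITimelock timelock,
        address deployer,
        address guardian,
        address mintEngine,
        address redeemEngine,
        address rebalancer
    ) external view returns (bool) {
        bytes32[6] memory roles = [
            DEFAULT_ADMIN_ROLE, MINTER_ROLE, REDEEMER_ROLE,
            REBALANCER_ROLE, GUARDIAN_ROLE, UPGRADER_ROLE
        ];

        for (uint256 i = 0; i < roles.length; i++) {
            // Deployer EOA has renounced every role.
            _require(!vault.hasRole(roles[i], deployer), "deployer still holds a vault role");
            // Guardian holds GUARDIAN_ROLE and nothing else.
            if (roles[i] != GUARDIAN_ROLE) {
                _require(!vault.hasRole(roles[i], guardian), "guardian holds a role other than GUARDIAN_ROLE");
            }
        }
        _require(vault.hasRole(GUARDIAN_ROLE, guardian), "guardian lacks GUARDIAN_ROLE");

        // Operational roles sit with their engines; admin and upgrade with the Timelock.
        _require(vault.hasRole(MINTER_ROLE, mintEngine), "MintEngine lacks MINTER_ROLE");
        _require(vault.hasRole(REDEEMER_ROLE, redeemEngine), "RedeemEngine lacks REDEEMER_ROLE");
        _require(vault.hasRole(REBALANCER_ROLE, rebalancer), "RebalanceController lacks REBALANCER_ROLE");
        _require(vault.hasRole(UPGRADER_ROLE, address(timelock)), "Timelock lacks UPGRADER_ROLE");
        _require(vault.hasRole(DEFAULT_ADMIN_ROLE, address(timelock)), "Timelock lacks DEFAULT_ADMIN_ROLE");

        // Hardcoded immutable and minimum upgrade delay.
        _require(vault.MAX_SINGLE_TOKEN_WEIGHT_BPS() == 1000, "weight cap is not 1000 bps");
        _require(timelock.getMinDelay() >= 7 days, "timelock delay below 7 days");

        return true;
    }
}
```

Note what a point-wise `hasRole()` check cannot prove: "no extra role holders" requires either an enumerable role registry or a scan of the `RoleGranted`/`RoleRevoked` event history from deployment, since `hasRole()` can only be asked about addresses one already knows.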
Known Attack Vectors and Mitigations
See Governance Attack Defenses for the complete defense matrix covering flash loan attacks, governance capture, treasury drain, and parameter manipulation.
See also: Smart Contracts · Guardian Multisig details in Governance