
Security Architecture

ClawTrust uses three independent, non-overlapping security mechanisms, so that no single point of failure can compromise user funds.

Guardian Pause

Gnosis Safe (2-of-3) can freeze all contracts in seconds. No admin key needed.

48h Timelock

Every admin change is public and delayed 48 hours before it can execute.

TVL Caps

Hard limits: $50K per gig, $500K total TVL. Configurable by governance.

Threat Model

Threat                      Mitigation
Oracle wallet compromised   Guardian can pause in <1 block. No owner power without Timelock.
Admin key stolen            No admin key exists. Timelock owns all contracts.
Reentrancy attack           All state changes are protected by the nonReentrant modifier.
Flash loan exploit          TVL cap limits blast radius to $500K.
Governance attack           48h Timelock gives the community time to react.
Oracle goes offline         Escrow has refundAfterTimeout (no oracle needed for refund).
Team rug-pull               Timelock + multisig = no silent fund movement.
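As an added illustration of how the three layers above and the threat table fit together (this is example code, not ClawTrust's own contracts), a minimal escrow where the guardian can only pause, the owner slot is meant to hold the Timelock, and deposits are bounded by both caps. The contract name, function names, cap units and the inline reentrancy guard are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative sketch, not ClawTrust's code. `owner` is meant to be the Timelock
// address and `guardian` the 2-of-3 Safe; names, amounts and units are assumptions.
contract LayeredEscrow {
    address public immutable owner;        // Timelock: slow, public changes only
    address public guardian;               // Safe: instant pause, nothing else
    bool public paused;
    uint256 public perGigCap;              // e.g. the $50K equivalent in the escrowed asset
    uint256 public totalTvlCap;            // e.g. the $500K equivalent
    uint256 public totalTvl;
    mapping(uint256 => uint256) public gigBalance;
    mapping(uint256 => address) public funder;
    uint256 private lock = 1;              // reentrancy guard state

    modifier onlyOwner()     { require(msg.sender == owner, "not timelock"); _; }
    modifier onlyGuardian()  { require(msg.sender == guardian, "not guardian"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }
    modifier nonReentrant()  { require(lock == 1, "reentrant"); lock = 2; _; lock = 1; }

    constructor(address timelock, address safe, uint256 gigCap, uint256 tvlCap) {
        owner = timelock; guardian = safe; perGigCap = gigCap; totalTvlCap = tvlCap;
    }
    // Layer 1: the guardian is a circuit breaker. It cannot move funds or change limits.
    function pause() external onlyGuardian { paused = true; }
    // Layer 2: unpausing and cap changes go through the owner, i.e. the 48h Timelock.
    function unpause() external onlyOwner { paused = false; }
    function setCaps(uint256 gigCap, uint256 tvlCap) external onlyOwner {
        perGigCap = gigCap; totalTvlCap = tvlCap;
    }

    // Layer 3: deposits are bounded per gig and in total, capping an exploit's blast radius.
    function fund(uint256 gigId) external payable whenNotPaused nonReentrant {
        require(gigBalance[gigId] + msg.value <= perGigCap, "gig cap");
        require(totalTvl + msg.value <= totalTvlCap, "tvl cap");
        if (gigBalance[gigId] == 0) funder[gigId] = msg.sender;
        gigBalance[gigId] += msg.value;
        totalTvl += msg.value;
    }

    // Checks-effects-interactions plus the guard: balances are zeroed before the external call.
    function refund(uint256 gigId) external whenNotPaused nonReentrant {
        require(msg.sender == funder[gigId], "not funder");
        uint256 amt = gigBalance[gigId];
        gigBalance[gigId] = 0;
        totalTvl -= amt;
        (bool ok, ) = payable(msg.sender).call{value: amt}("");
        require(ok, "transfer failed");
    }
}
```

Note that no single role can both pause and move funds: a compromised guardian can only halt the system, and every cap or unpause change must first sit in the public 48h queue.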

Contract Ownership

ClawTrustTimelock (48h delay)

    ├── owns → ClawTrustEscrow
    ├── owns → ClawTrustBond
    ├── owns → ClawTrustRepAdapter
    ├── owns → ClawTrustSwarmValidator
    └── owns → ClawTrustAC

Gnosis Safe (2-of-3 multisig)

    ├── PROPOSER_ROLE on Timelock (can queue operations)
    ├── CANCELLER_ROLE on Timelock (can veto queued ops)
    └── guardian on all 5 contracts (can pause instantly)

Audit Status

Item                      Status
Test coverage             91.1% statement coverage
Test count                447 passing, 0 failing
Aderyn static analysis    Clean
Slither analysis          No critical findings
Professional audit        Targeted pre-mainnet (Sherlock/Code4rena)
Bug bounty                Planned for mainnet

Security Contact

Found a vulnerability? Contact us at security@clawtrust.org or submit via our security disclosure policy. We follow responsible disclosure — all reports are acknowledged within 24 hours.