What ESEC guarantees, and what it does not.
Custody stays with the depositor via SPL token receipts. Single-cycle loss is bounded by an on-chain stop-loss. Cluster signals are computed off-chain but enforced on-chain at deploy time. This page documents the trust boundary in full.
## Custody
Depositor capital lives in the `asset_vault` token account, whose authority is the vault PDA. The PDA can only move tokens via the `cascade-vault` program's defined state transitions. No off-chain key can drain the vault.
- Deposit: SPL transfer authorized by depositor signature. Vault PDA never signs the transfer in.
- Withdraw: SPL transfer authorized by vault PDA (program-signed). Only valid when state == Idle and depositor holds matching LP tokens.
- Deploy / Exit: capital moves between asset_vault and venue LP positions. Vault PDA-owned at all times.
## Stop-loss
Every Deployed position has an on-chain stop-loss at 5% below the deploy price. The `stop_loss_crank` instruction is permissionless: anyone can call it once the threshold is crossed. So even if the off-chain monitor goes dark, anyone (depositor, watcher, integrator) can force-exit the position and bound the loss.
## Trust boundary
The off-chain monitor is convenience, not custody.
| What | Where | Trust |
|---|---|---|
| Cluster computation | off-chain | signed by monitor_authority; verified at deploy time |
| Deploy signal | off-chain → on-chain | monitor_authority signs; vault re-checks cluster bounds |
| Recovery signal | off-chain → on-chain | monitor signs exit_price; vault verifies recovery threshold |
| Stop-loss enforcement | on-chain | permissionless crank; does not require monitor |
| Timeout enforcement | on-chain | permissionless crank; does not require monitor |
| Deposit / Withdraw | on-chain | depositor-signed; vault PDA-enforced |
| Performance fee | on-chain | computed in close_position; transferred to fee_treasury |
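The stop-loss and trust-boundary rules above can be read as a small state machine: the vault accepts a deploy only from `monitor_authority` and only after re-checking the confidence bound itself, locks withdrawals while Deployed, and lets any caller crank the stop-loss once price reaches 5% below the deploy price. The following is an added, stand-alone Rust model of those rules, not the `cascade-vault` program's code; the `Vault`, `DeploySignal` and `VaultError` types, the 32-byte signer keys, the integer price units and the 0..=100 confidence scale are assumptions made for this illustration.

```rust
// Illustrative model of the ESEC vault state transitions (added example; not
// the cascade-vault program). Names, key encoding and price units are assumed.

/// Stop-loss distance below the deploy price, in basis points (5% = 500 bps).
pub const STOP_LOSS_BPS: u64 = 500;
/// Minimum cluster confidence the vault accepts at deploy time.
pub const MIN_CONFIDENCE: u8 = 80;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VaultState {
    Idle,
    Deployed { deploy_price: u64, stop_loss_price: u64 },
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VaultError {
    NotIdle,
    NotDeployed,
    UnauthorizedSigner,
    LowConfidence,
    ThresholdNotCrossed,
}

/// Off-chain cluster signal as submitted on-chain (assumed shape).
pub struct DeploySignal {
    pub signer: [u8; 32],  // pubkey that signed the signal (assumed encoding)
    pub confidence: u8,    // cluster confidence, 0..=100 (assumed scale)
    pub deploy_price: u64, // entry price in integer units (assumed scaling)
}

pub struct Vault {
    pub monitor_authority: [u8; 32],
    pub state: VaultState,
}

/// 5% below the deploy price, computed in integer basis points.
pub fn stop_loss_price(deploy_price: u64) -> u64 {
    let haircut = (deploy_price as u128 * STOP_LOSS_BPS as u128 / 10_000) as u64;
    deploy_price - haircut
}

impl Vault {
    pub fn new(monitor_authority: [u8; 32]) -> Self {
        Vault { monitor_authority, state: VaultState::Idle }
    }

    /// Deploy: only from monitor_authority, only when Idle, and only after the
    /// vault re-checks the confidence bound itself rather than trusting the monitor.
    pub fn deploy(&mut self, signal: &DeploySignal) -> Result<(), VaultError> {
        if self.state != VaultState::Idle {
            return Err(VaultError::NotIdle);
        }
        if signal.signer != self.monitor_authority {
            return Err(VaultError::UnauthorizedSigner);
        }
        if signal.confidence < MIN_CONFIDENCE {
            return Err(VaultError::LowConfidence);
        }
        self.state = VaultState::Deployed {
            deploy_price: signal.deploy_price,
            stop_loss_price: stop_loss_price(signal.deploy_price),
        };
        Ok(())
    }

    /// Permissionless crank: the caller identity is deliberately ignored; the
    /// only condition is that the current price has reached the stop-loss.
    /// Returns the realized loss in bps of the deploy price.
    pub fn stop_loss_crank(&mut self, _caller: [u8; 32], current_price: u64) -> Result<u64, VaultError> {
        let (deploy_price, stop) = match self.state {
            VaultState::Deployed { deploy_price, stop_loss_price } => (deploy_price, stop_loss_price),
            VaultState::Idle => return Err(VaultError::NotDeployed),
        };
        if current_price > stop {
            return Err(VaultError::ThresholdNotCrossed);
        }
        let drop = deploy_price.saturating_sub(current_price);
        let loss_bps = (drop as u128 * 10_000 / deploy_price as u128) as u64;
        self.state = VaultState::Idle; // capital is back in asset_vault
        Ok(loss_bps)
    }

    /// Withdraw is valid only in Idle and only against LP tokens actually held.
    pub fn can_withdraw(&self, lp_held: u64, lp_requested: u64) -> bool {
        self.state == VaultState::Idle && lp_requested > 0 && lp_requested <= lp_held
    }
}

fn main() {
    let monitor = [1u8; 32];
    let mut vault = Vault::new(monitor);
    let signal = DeploySignal { signer: monitor, confidence: 85, deploy_price: 100_000 };
    vault.deploy(&signal).unwrap();
    println!("withdraw while deployed: {}", vault.can_withdraw(10, 5));
    // An unrelated watcher, not the monitor, cranks the stop-loss.
    let watcher = [9u8; 32];
    let loss = vault.stop_loss_crank(watcher, 95_000).unwrap();
    println!("exited at {} bps loss, state {:?}", loss, vault.state);
}
```

The model makes the trust split explicit: `deploy` is the only transition that needs the monitor's key, and even there the vault re-validates the confidence bound; `stop_loss_crank` needs no authority at all, so the loss bound holds whether or not the monitor is alive.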
## Threat model
| Threat | In scope | Mitigation |
|---|---|---|
| False cluster signal | yes | confidence threshold >= 80 at deploy; 5% stop-loss caps damage |
| Cascade continues past stop-loss | yes | 5% stop-loss bounds single-deploy loss |
| Off-chain monitor compromised | yes | monitor signals only; vault enforces state transitions |
| Vault PDA exploit | yes | audit gates mainnet deploy |
| Sustained downtrend | partial | trend filter reduces deploy size in downtrends |
| Oracle manipulation | yes (planned) | Pyth + Switchboard cross-check at deploy time |
| MEV sandwich on deploy/exit | yes | Jito bundle atomicity within slot |
| Drift Insurance Fund competes | partial | DIF is passive backstop, captures fees; ESEC captures rebound premium |
| Liquidation bots front-run LP entry | partial | bots want bonus, not LP fees; pre-position is faster than reactive entry |
## What ESEC does not protect
- Market risk during a deployed cycle. If the recovery never happens, the stop-loss exits at a 5% loss per position.
- Solana liveness. If the network halts mid-deploy, withdraws wait until the network resumes.
- Smart contract risk pre-audit. Mainnet deploy is audit-gated; devnet is for testing only.
- Wallet hygiene. Standard self-custody assumptions apply.
## Reporting
See SECURITY.md for the vulnerability disclosure process. Do not file public issues for security bugs.