Threat Model

Actors, capabilities, assets, and mitigations framing Velaris’s security and privacy posture.

Assets

  • User funds and signer keys (self-custody).
  • Trade intent meta-data (pairs, sizes, timing, IPs).
  • Coordinator availability and integrity.
  • Router program integrity and receipts.

Actors & Capabilities

ActorCapabilitiesNotes
Passive network observerTiming, destination IPs, coarse sizesMitigated by session isolation and jitter
Active MEV searcherFront/back‑run on-chain flowsSlippage bounds; RFQ firm TTL; batching
Malicious makerQuote manipulation, DoSAuth, rate limits, reputation, TTL enforcement
Compromised clientExfil of local meta-dataLimited by sign‑only settlement

STRIDE Mapping

STRIDEVectorMitigation
SpoofingFake maker identitymTLS/API keys, signed quotes, allowlist
TamperingQuote/plan alterationEd25519 signatures, integrity checks
RepudiationDispute on fillsReceipts with hashes and blocktime
Information disclosureTiming linkageJitter windows, batching, slicing
Denial of serviceRFQ spamRate limits, per‑IP quotas, backpressure
Elevation of privilegeRouter misuseStrict account metas, access controls

Residual Risk

Privacy mechanisms reduce trivial linkage but cannot eliminate all correlation on a public chain. Residual risks include on‑chain statistical inference and cross‑venue correlation. These are communicated to users during profile selection.

Velaris — Threat Model

Threat Model

Adversaries, vectors, mitigations, and out‑of‑scope assumptions.

Adversaries

  • Passive observers: attempt timing correlation and linkage.
  • Opportunistic MEV: sandwiching on AMM legs.
  • Quote abusers: stale or manipulative RFQ behavior.

Mitigations

  • Jittered settlement, batching, and slicing to dilute signals.
  • Strict TTLs, min size, and reputation on makers.
  • Slippage bounds and hybridization (RFQ IOC where possible).

Out of Scope

Global colluding observers and advanced cross‑domain correlation (roadmap: commit‑reveal and protected relayers).