Security model

An L2 is, ultimately, smart contracts — and smart contracts are a notorious attack surface. The dark pool's answer is to minimise what any contract or party is trusted to do, so whole classes of attack have nothing to act on. Security comes from architecture and cryptography, not from trusting the operator.

What the design removes by construction:

  • Non-custodial intent. The pool defines the rules; the trader's wallet holds the assets and authorises every spend. Settlement accepts a call only from the matched buyer or seller — submitSettlement rejects anyone who is not a party to that match. The pool coordinates; it is not designed to move trader funds.
  • Atomic settlement, no half-state. DVP executes both legs together or neither. There is no window in which one side has paid and not received — a leg that is never submitted simply lets the match expire, and both orders return to the book untouched.
  • No price to manipulate at the matcher. The matcher pairs on volume alone and never sees a trader-set price; the clearing price is sampled from an external reference oracle at the matched block. Matching is deterministic contract bytecode, and MatchFound carries a matchProof binding the cross to its block — anyone can recompute it.
  • Confidential intent. Order price, size, and side are designed to live inside Pedersen commitments, recipients behind stealth addresses, and balances behind RingCT — so there is no cleartext order flow in the mempool for an operator or MEV searcher to exploit.
  • Permissioned, accountable access. Every participant is KYC / AML-screened at the door via ERC-3643 identity, and compliance visibility is scoped, party-to-party selective disclosure recorded on-chain — not a master key.
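
To make the settlement rules in the first two bullets concrete, here is an added Python model of them; it is example code written for this page, not the pool's contracts, and the class names, the balance layout and the exact form of the expiry rule are assumptions. It shows a non-party being rejected, a single leg moving nothing, both legs executing together, and an unsubmitted leg letting the match lapse with both orders returned to the book.

```python
from dataclasses import dataclass, field

@dataclass
class Match:
    buyer: str
    seller: str
    orders: tuple       # (buy order id, sell order id) pulled from the book
    base_qty: int       # units the seller delivers
    quote_qty: int      # payment the buyer delivers
    expiry_block: int   # after this block the match lapses
    legs: set = field(default_factory=set)  # parties whose leg has been submitted

class DvpModel:
    """Toy model of this page's settlement rules; names and layout are assumed, not the contract's."""
    def __init__(self, balances):
        self.balances = balances  # wallet -> {"BASE": n, "QUOTE": n}; the wallet holds the assets
        self.book = set()         # open order ids
        self.matches = {}         # match_id -> Match, dropped once settled or expired

    def record_match(self, match_id, m):
        self.book -= set(m.orders)
        self.matches[match_id] = m

    def submit_settlement(self, caller, match_id, block):
        m = self.matches[match_id]
        if caller not in (m.buyer, m.seller):
            raise PermissionError("caller is not a party to this match")
        if block > m.expiry_block:
            raise ValueError("match has expired")
        m.legs.add(caller)
        if m.legs != {m.buyer, m.seller}:
            return False  # one leg only: nothing has moved yet
        b, s = self.balances[m.buyer], self.balances[m.seller]
        if s["BASE"] < m.base_qty or b["QUOTE"] < m.quote_qty:
            raise ValueError("insufficient funds: neither leg executes")
        s["BASE"] -= m.base_qty
        b["BASE"] += m.base_qty
        b["QUOTE"] -= m.quote_qty
        s["QUOTE"] += m.quote_qty
        del self.matches[match_id]  # both legs moved in one step: no half-paid state
        return True

    def expire(self, match_id, block):
        m = self.matches[match_id]
        if block <= m.expiry_block:
            return False
        self.book |= set(m.orders)  # both orders return to the book untouched
        del self.matches[match_id]
        return True
```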

Proof-of-concept status

This is a working proof of concept, not a production system. Some of the guarantees above are the design's destination rather than what the demo enforces today, and the contracts have not yet undergone an independent security audit — production hardening and that audit are part of the path to launch. The Technical spec carries the full design.