- Threat Model
- What The Protocol Does Not Try To Be
- Ownership And Administration
- Initialization Safety
- Payment Handling
- Mint Flow Safety
- Randomness Limitations
- Renderer Considerations
- Reentrancy Discussion
- Testing Status
- Recommended Next Steps
42 Protocol is a lightweight onchain collectible protocol.
It is not:
- a lending protocol
- a custody system
- a vault protocol
- a gambling protocol with fairness guarantees
That matters because the security expectations should match the actual product.
The answer generation is themed and deterministic.
It is not cryptographically secure randomness.
No part of the project should be marketed as:
- provably fair randomness
- secure lottery mechanics
- adversarially robust gambling
The deployer becomes the owner of DeepThought.
Owner powers are intentionally narrow:
- initialize linked contract addresses once
- withdraw accumulated ETH
There is no broad mutable admin configuration surface after initialization.
setContracts(...) is one-time only.
This is important because it prevents the owner from later swapping:
- NFT contract
- SVG renderer
That reduces governance risk and makes the deployed system more predictable.
Payments are straightforward:
- user pays
0.042 ETH, or - uses a free-question credit
The contract does not keep per-user ETH balances.
That is good because it removes a large class of accounting bugs.
The mint flow writes question state before calling the NFT contract.
That is the correct order because it reduces inconsistency risk if an external call fails.
The NFT mint itself is restricted to onlyDeepThought.
Seed derivation uses:
msg.senderblock.numberblock.timestampblock.prevrandao- question id
This is acceptable for:
- variety
- rarity flavor
- SVG differentiation
This is not sufficient for adversarially secure randomness.
SVG and metadata generation happen through view calls.
That is good because complex rendering logic does not increase storage writes during minting.
The main remaining concern is ecosystem compatibility, not protocol safety:
- some platforms may behave differently with
foreignObject
Current reentrancy risk is limited because:
- there is no user balance withdrawal logic
- there is no partial balance accounting
- state is written before mint call
- withdraw is owner-only
This does not mean “reentrancy never matters”.
It means ReentrancyGuard is not a first-priority improvement for the current design.
The current test suite covers:
- initialization
- owner checks
- paid ask flow
- free-question flow
- NFT minting
- tokenURI
- renderers
- withdrawal
- answer mapping
Coverage is currently above 95%.
Before public launch beyond testnet:
- add a dedicated manual deployment checklist
- run a full Basescan verification pass
- do a final review of rendered output on target marketplaces
- consider a small external review or peer audit
- document any known compatibility caveats around SVG rendering