Skip to content

Security: Tenyokj/42protocol

Security

docs/SECURITY.md

Security

Table Of Contents

  1. Threat Model
  2. What The Protocol Does Not Try To Be
  3. Ownership And Administration
  4. Initialization Safety
  5. Payment Handling
  6. Mint Flow Safety
  7. Randomness Limitations
  8. Renderer Considerations
  9. Reentrancy Discussion
  10. Testing Status
  11. Recommended Next Steps

Threat Model

42 Protocol is a lightweight onchain collectible protocol.

It is not:

  • a lending protocol
  • a custody system
  • a vault protocol
  • a gambling protocol with fairness guarantees

That matters because the security expectations should match the actual product.

What The Protocol Does Not Try To Be

The answer generation is themed and deterministic.

It is not cryptographically secure randomness.

No part of the project should be marketed as:

  • provably fair randomness
  • secure lottery mechanics
  • adversarially robust gambling

Ownership And Administration

The deployer becomes the owner of DeepThought.

Owner powers are intentionally narrow:

  • initialize linked contract addresses once
  • withdraw accumulated ETH

There is no broad mutable admin configuration surface after initialization.

Initialization Safety

setContracts(...) is one-time only.

This is important because it prevents the owner from later swapping:

  • NFT contract
  • SVG renderer

That reduces governance risk and makes the deployed system more predictable.

Payment Handling

Payments are straightforward:

  • user pays 0.042 ETH, or
  • uses a free-question credit

The contract does not keep per-user ETH balances.

That is good because it removes a large class of accounting bugs.

Mint Flow Safety

The mint flow writes question state before calling the NFT contract.

That is the correct order because it reduces inconsistency risk if an external call fails.

The NFT mint itself is restricted to onlyDeepThought.

Randomness Limitations

Seed derivation uses:

  • msg.sender
  • block.number
  • block.timestamp
  • block.prevrandao
  • question id

This is acceptable for:

  • variety
  • rarity flavor
  • SVG differentiation

This is not sufficient for adversarially secure randomness.

Renderer Considerations

SVG and metadata generation happen through view calls.

That is good because complex rendering logic does not increase storage writes during minting.

The main remaining concern is ecosystem compatibility, not protocol safety:

  • some platforms may behave differently with foreignObject

Reentrancy Discussion

Current reentrancy risk is limited because:

  • there is no user balance withdrawal logic
  • there is no partial balance accounting
  • state is written before mint call
  • withdraw is owner-only

This does not mean “reentrancy never matters”.

It means ReentrancyGuard is not a first-priority improvement for the current design.

Testing Status

The current test suite covers:

  • initialization
  • owner checks
  • paid ask flow
  • free-question flow
  • NFT minting
  • tokenURI
  • renderers
  • withdrawal
  • answer mapping

Coverage is currently above 95%.

Recommended Next Steps

Before public launch beyond testnet:

  1. add a dedicated manual deployment checklist
  2. run a full Basescan verification pass
  3. do a final review of rendered output on target marketplaces
  4. consider a small external review or peer audit
  5. document any known compatibility caveats around SVG rendering

There aren't any published security advisories