Honest security posture for Proof-of-Agent V1. This is what's been done, what hasn't, and the
residual risks you should assume.
- Adversarial self-review of
ProofOfAgent.solby the author, which caught the original key-rotation escape bug (now fixed + regression-tested). - Three independent model labs (DeepSeek-v4-flash, Qwen3.5:397b, Minimax-m3) reviewed the
contract across two rounds. All HIGH/MEDIUM findings were fixed:
- H1 repeatable double-sign slash → per-
(agent,nonce)nullifier. - M1/M1b attestation/heartbeat not bound to agent → agent address bound into both typehashes.
- M2 self-sink accepted → constructor + setter reject
address(this). - M-NEW-1..4 governance-footgun bounds:
escrowDelay,heartbeatWindow,registrationFeeupper-bounded;slashBps/bountyBpssnapshotted at challenge time.
- H1 repeatable double-sign slash → per-
- Conservation invariant fuzz-tested across randomized stake/fee/slash/withdraw/claim sequences.
- Reentrancy:
nonReentranton every POA-moving function; tested via a malicious-token mock.
See AUDIT_SCOPE.md for the full finding inventory and what's left for the
paid auditor.
- No paid independent audit. This is a hard pre-mainnet gate. Three model labs are a pre-screen,
not a substitute for a human auditor reviewing against
AUDIT_SCOPE.md. - No legal opinion. Whether stake-and-slash + fee-share is a securities offering is
jurisdiction-dependent and unreviewed by counsel. See
legal/. - No formal verification. The fuzz tests cover the conservation invariant, but the EIP-712/rewards math is not formally verified.
- No mainnet deployment / bug bounty. No live history, no battle-testing.
(All in AUDIT_SCOPE.md §4 — non-blocking, kept the audit surface small.)
- Misleading error-name reuse (
ZeroAddressfor same-signer;StaleHeartbeatwhen agent alive;WindowNotEndedused in opposite conditions). Behavioral-neutral rename. agentListunbounded growth + deadagentIndex(enumeration degrades; not a correctness bug).- No lower bound on
setSlashBps/setBountyBps(governance could make slashing cosmetic). - Constructor folds
SinkCannotBeSelfinto genericBoundsExceeded(deploy script can't distinguish — minor UX). AirdropClaimer.sweep()includes donated POA + barerevert()+ nononReentrant.- Unused
SafeCastimport.
- Slashing bug = direct loss of staker funds. Highest severity, mitigated but not eliminated by the above. This is why the paid audit is mandatory before real stake.
- Governance capture. A 3/5 multisig + 3-day timelock +
slashBps ≤ 50%cap bound this, but a hostile coalition can still raiseslashBpsto 50%, change other params, or set a hostileprotocolSink. Stakers have a 7-day withdrawal window to exit if governance turns. - Sequencer censorship (Arbitrum-stack L2). The refute-before-deadline race is subject to sequencer ordering. Send refutes early with adequate priority fee. Standard L2 caveat.
- Adoption risk (the big one). A correct contract nobody integrates is worth $0. See
index.md"Honest framing." Slashing is sound only ifisVerifiedis actually queried by marketplaces. - Legal/regulatory risk. Stake-and-slash + fee-share may attract securities scrutiny. No legal opinion yet. Do not market POA as "dividends" or "yield." Frame it as a utility/registration token; get counsel before launch.
- Chain risk. Robinhood Chain launched 2026-07-01. New chains have high variance (liquidity stickiness, bridge reliability, operator terms). POA is stranded if the chain doesn't take off.
- Smart-wallet signer handling. For ERC-6551 / smart-wallet agents, the offchain EOA signing key is a separate trust root — compromise it and an attacker can make your agent double-sign (slashable). Rotate keys on suspicion; keep the signing key offline.
Until a paid audit + bug bounty are in place, report security issues privately to the project maintainer, not as a public issue. A bug-bounty program is a V1.1 priority once the audit clears.
The contract is more rigorously pre-screened than most tokens that ship, and it has not been audited by a human, has no legal sign-off, and has no live track record. Treat it that way: stake only what you can lose, integrate only after the paid audit, and never market POA as risk-free or as a dividend.