Skip to content

Security: proof-of-agent/protocol

Security

docs/SECURITY.md

Security & risk

Honest security posture for Proof-of-Agent V1. This is what's been done, what hasn't, and the residual risks you should assume.

What's been reviewed

  • Adversarial self-review of ProofOfAgent.sol by the author, which caught the original key-rotation escape bug (now fixed + regression-tested).
  • Three independent model labs (DeepSeek-v4-flash, Qwen3.5:397b, Minimax-m3) reviewed the contract across two rounds. All HIGH/MEDIUM findings were fixed:
    • H1 repeatable double-sign slash → per-(agent,nonce) nullifier.
    • M1/M1b attestation/heartbeat not bound to agent → agent address bound into both typehashes.
    • M2 self-sink accepted → constructor + setter reject address(this).
    • M-NEW-1..4 governance-footgun bounds: escrowDelay, heartbeatWindow, registrationFee upper-bounded; slashBps/bountyBps snapshotted at challenge time.
  • Conservation invariant fuzz-tested across randomized stake/fee/slash/withdraw/claim sequences.
  • Reentrancy: nonReentrant on every POA-moving function; tested via a malicious-token mock.

See AUDIT_SCOPE.md for the full finding inventory and what's left for the paid auditor.

What has NOT been done

  • No paid independent audit. This is a hard pre-mainnet gate. Three model labs are a pre-screen, not a substitute for a human auditor reviewing against AUDIT_SCOPE.md.
  • No legal opinion. Whether stake-and-slash + fee-share is a securities offering is jurisdiction-dependent and unreviewed by counsel. See legal/.
  • No formal verification. The fuzz tests cover the conservation invariant, but the EIP-712/rewards math is not formally verified.
  • No mainnet deployment / bug bounty. No live history, no battle-testing.

Known LOW/INFO items deferred to the paid auditor

(All in AUDIT_SCOPE.md §4 — non-blocking, kept the audit surface small.)

  • Misleading error-name reuse (ZeroAddress for same-signer; StaleHeartbeat when agent alive; WindowNotEnded used in opposite conditions). Behavioral-neutral rename.
  • agentList unbounded growth + dead agentIndex (enumeration degrades; not a correctness bug).
  • No lower bound on setSlashBps/setBountyBps (governance could make slashing cosmetic).
  • Constructor folds SinkCannotBeSelf into generic BoundsExceeded (deploy script can't distinguish — minor UX).
  • AirdropClaimer.sweep() includes donated POA + bare revert() + no nonReentrant.
  • Unused SafeCast import.

Residual risks you must assume

  1. Slashing bug = direct loss of staker funds. Highest severity, mitigated but not eliminated by the above. This is why the paid audit is mandatory before real stake.
  2. Governance capture. A 3/5 multisig + 3-day timelock + slashBps ≤ 50% cap bound this, but a hostile coalition can still raise slashBps to 50%, change other params, or set a hostile protocolSink. Stakers have a 7-day withdrawal window to exit if governance turns.
  3. Sequencer censorship (Arbitrum-stack L2). The refute-before-deadline race is subject to sequencer ordering. Send refutes early with adequate priority fee. Standard L2 caveat.
  4. Adoption risk (the big one). A correct contract nobody integrates is worth $0. See index.md "Honest framing." Slashing is sound only if isVerified is actually queried by marketplaces.
  5. Legal/regulatory risk. Stake-and-slash + fee-share may attract securities scrutiny. No legal opinion yet. Do not market POA as "dividends" or "yield." Frame it as a utility/registration token; get counsel before launch.
  6. Chain risk. Robinhood Chain launched 2026-07-01. New chains have high variance (liquidity stickiness, bridge reliability, operator terms). POA is stranded if the chain doesn't take off.
  7. Smart-wallet signer handling. For ERC-6551 / smart-wallet agents, the offchain EOA signing key is a separate trust root — compromise it and an attacker can make your agent double-sign (slashable). Rotate keys on suspicion; keep the signing key offline.

Responsible disclosure

Until a paid audit + bug bounty are in place, report security issues privately to the project maintainer, not as a public issue. A bug-bounty program is a V1.1 priority once the audit clears.

Bottom line

The contract is more rigorously pre-screened than most tokens that ship, and it has not been audited by a human, has no legal sign-off, and has no live track record. Treat it that way: stake only what you can lose, integrate only after the paid audit, and never market POA as risk-free or as a dividend.

There aren't any published security advisories