Threat model
Hwal is a trigger engine. It defends against latency races between a keeper bot and a moving market. It does not defend against oracle manipulation, ER liveness failures, or RPC censorship. Read both sides.
Unaudited — devnet only
V0 is on devnet for testing. Do not deposit material funds. The mock oracle authority is a single keypair (not a multisig). An audit covering V1 (verified oracle) and V2 (ER delegation) is on the roadmap before mainnet.
What the engine protects against
- Keeper-bot latency races. Trigger evaluation lives inside the same ER block as the price update, so a stop fires before the next block's price has settled.
- Keeper monopoly. The tick instruction is permissionless. Anyone can run a bot, earn the keeper reward, and compete on speed. No protocol gate.
- Settlement asymmetry. Fee, keeper reward, and net collateral land in a single atomic transaction. There is no two-step where the trigger fires but the payout doesn't.
- Owner exit at any time. Owner can call
cancel_positionat any moment to refund full collateral, regardless of keeper state.
What the engine does not protect against
- Oracle manipulation. V0 trusts the feed authority. V1 verifies a signed oracle update. Neither version protects you from the oracle being manipulated upstream; that risk is inherited from the oracle.
- ER liveness failure. If the off-chain execution layer halts, positions fall back to the L1 keeper path. The 50 ms latency claim does not hold during downtime. Funds remain in self-custody.
- RPC censorship of the keeper. If your RPC drops the tick transaction en route, the trigger does not fire. Use staked-connection RPCs or private bundle submission for high-stakes triggers.
- Funding-rate or perp insolvency. Hwal manages an absolute price trigger over SOL collateral. It does not understand perp PnL, funding accrual, or cross margin. Use it for spot triggers and external-asset triggers, not perp-internal stops.
Audit status
Pending. Audit scope covers V1 (verified oracle) and V2 (ER delegation and settlement). Audit firm and timeline will be announced on the main site and on X before mainnet.
Responsible disclosure
Found a bug? Email security@hwal.fun with proof-of-concept and a wallet address for the bounty. Do not publicly disclose before triage.