
Security: Road to GO — Completed

Last updated: 2026-04-10

Verdict: GO — all software items complete. Items 3 and 5 are infrastructure deployment tasks (HSM + PostgreSQL backups), covered by the production deployment plan (EC2 + HSM + S5 node connectivity).


DONE: 1. Auto-settlement on confirmed exit

Commit: ffd9cde feat(security): auto-settlement on confirmed exit + watcher heartbeat monitoring

CL watcher now auto-runs the two-step settlement flow:

1. proposeSettlement(rewardsClaimedWei) when all three conditions are simultaneously true:
   1. CL reports validator status = withdrawal_done
   2. Vault balance >= principalTargetWei
   3. Vault is still in Running phase (phase 0)
2. finalizeSettlement() once the on-chain delay elapses.

This removes the 24h human-response dependency for proposal and keeps finalization crash-safe/idempotent.

False positives remain operationally recoverable during phase 1 via cancelSettlement().

Files: src/watcher/auto-settle.ts, src/watcher/cl-watcher.ts
Tests: 11 adversarial decision-logic tests in test/adversarial.test.ts

Residual: If the watcher is down when the withdrawal lands, auto-settlement won't fire. Covered by item 2.
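The decision logic above, as an added illustrative example: this is not the project's src/watcher/auto-settle.ts. It assumes phase 1 is the proposed state in which cancelSettlement() is still available, that phase 2 is the settled state, that the proposal timestamp and delay are readable from chain, and that rewardsClaimedWei is tracked by the watcher. The decision is a pure function of chain and CL state, which is what makes re-running it after a crash safe.

```typescript
// Added example modelling the auto-settlement decision described above.
// Illustrative code, not the project's src/watcher/auto-settle.ts.
// Phase 0 = Running (from the page); phase 1 is assumed to be the proposed
// state in which cancelSettlement() still works; phase 2 is assumed settled.

export enum VaultPhase { Running = 0, Proposed = 1, Settled = 2 }

export interface SeatSnapshot {
  validatorStatus: string;     // CL status string, e.g. "active_ongoing" or "withdrawal_done"
  vaultBalanceWei: bigint;     // current EL balance of the WithdrawalVault
  principalTargetWei: bigint;  // 32 ether for this deployment
  phase: VaultPhase;           // read from chain on every scan, never cached
  rewardsClaimedWei: bigint;   // assumption: tracked by the watcher, passed to proposeSettlement
  proposedAt?: number;         // unix seconds at which phase 1 was entered (assumed on-chain field)
  settlementDelaySec: number;  // on-chain delay that must elapse before finalizeSettlement()
}

export type SettlementAction =
  | { kind: "none"; reason: string }
  | { kind: "propose"; rewardsClaimedWei: bigint }
  | { kind: "finalize" };

// Pure decision function: every input comes from chain/CL state, so a watcher that
// crashes and restarts recomputes the same answer instead of replaying a stale plan.
export function decideSettlement(s: SeatSnapshot, nowSec: number): SettlementAction {
  if (s.phase === VaultPhase.Running) {
    // All three conditions must hold in the same scan; any miss yields no action.
    if (s.validatorStatus !== "withdrawal_done") {
      return { kind: "none", reason: "validator not withdrawal_done" };
    }
    if (s.vaultBalanceWei < s.principalTargetWei) {
      return { kind: "none", reason: "vault balance below principalTargetWei" };
    }
    return { kind: "propose", rewardsClaimedWei: s.rewardsClaimedWei };
  }
  if (s.phase === VaultPhase.Proposed) {
    if (s.proposedAt === undefined) {
      return { kind: "none", reason: "proposal timestamp unavailable" };
    }
    if (nowSec < s.proposedAt + s.settlementDelaySec) {
      return { kind: "none", reason: "on-chain settlement delay not elapsed" };
    }
    return { kind: "finalize" };
  }
  return { kind: "none", reason: "settlement already finalized" };
}

// Simulated chain transitions so the idempotent two-step flow can be exercised offline.
export function applyAction(s: SeatSnapshot, a: SettlementAction, nowSec: number): SeatSnapshot {
  if (a.kind === "propose") return { ...s, phase: VaultPhase.Proposed, proposedAt: nowSec };
  if (a.kind === "finalize") return { ...s, phase: VaultPhase.Settled };
  return s;
}

// Runs the watcher loop over a sequence of scan times and returns the action kinds taken.
export function runScans(initial: SeatSnapshot, scanTimes: number[]): SettlementAction["kind"][] {
  let state = initial;
  const taken: SettlementAction["kind"][] = [];
  for (const t of scanTimes) {
    const action = decideSettlement(state, t);
    taken.push(action.kind);
    state = applyAction(state, action, t);
  }
  return taken;
}

// Constructed sample: validator exited and 32 CTN landed in the vault; delay is 1 hour.
export const sampleSeat: SeatSnapshot = {
  validatorStatus: "withdrawal_done",
  vaultBalanceWei: BigInt("32000000000000000000"),
  principalTargetWei: BigInt("32000000000000000000"),
  phase: VaultPhase.Running,
  rewardsClaimedWei: BigInt("150000000000000000"),
  settlementDelaySec: 3600,
};

// Scans at t=0 (propose), t=1800 (delay pending), t=3600 (finalize), t=3700 (nothing left to do).
console.log(runScans(sampleSeat, [0, 1800, 3600, 3700]));
```

Because the phase is re-read on every scan, a watcher restarted after sending proposeSettlement() sees phase 1 and moves on to waiting for the delay rather than proposing twice; a restart after finalization sees phase 2 and does nothing.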


DONE: 2. Watcher liveness monitoring

Commit: ffd9cde (same commit as item 1)

Both EL and CL watchers now write heartbeat timestamps to the AuditLog after each successful scan cycle. The health endpoint (GET /v1/dashboard/health) reports watcher liveness:

{
  "watchers": {
    "el": { "lastSeen": "...", "stale": false, "meta": { "lastBlock": "..." } },
    "cl": { "lastSeen": "...", "stale": false, "meta": { "seatsMonitored": 5 } },
    "allHealthy": true
  }
}

A watcher is flagged stale: true if its heartbeat is older than 5 minutes.

Files: src/watcher/heartbeat.ts, src/api/fastifyServer.ts
Tests: 7 heartbeat tests in test/adversarial.test.ts

Operator requirement: Set up external monitoring of /v1/dashboard/health — alert if watchers.allHealthy is false.
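An added example of the staleness computation behind the health endpoint and of the check an external monitor would run on its body. This is illustrative code, not the project's src/watcher/heartbeat.ts; the AuditLog row shape is assumed, and the sample rows are constructed.

```typescript
// Added example of the heartbeat/staleness computation behind GET /v1/dashboard/health.
// Illustrative code, not the project's src/watcher/heartbeat.ts; the AuditLog row
// shape below is assumed.

export const STALE_AFTER_MS = 5 * 60 * 1000; // heartbeat older than 5 minutes => stale

export type WatcherName = "el" | "cl";

// Assumed shape of a heartbeat row written to the AuditLog after each successful scan.
export interface HeartbeatRow {
  watcher: WatcherName;
  at: string;                     // ISO-8601 timestamp of the completed scan cycle
  meta: Record<string, unknown>;  // e.g. { lastBlock: "..." } or { seatsMonitored: 5 }
}

export interface WatcherHealth {
  lastSeen: string | null;
  stale: boolean;
  meta: Record<string, unknown>;
}

export interface HealthReport {
  watchers: { el: WatcherHealth; cl: WatcherHealth; allHealthy: boolean };
}

// Most recent heartbeat for one watcher, or undefined if it has never reported.
function latestHeartbeat(rows: HeartbeatRow[], name: WatcherName): HeartbeatRow | undefined {
  let best: HeartbeatRow | undefined;
  for (const r of rows) {
    if (r.watcher !== name) continue;
    if (best === undefined || Date.parse(r.at) > Date.parse(best.at)) best = r;
  }
  return best;
}

function healthOf(rows: HeartbeatRow[], name: WatcherName, nowMs: number): WatcherHealth {
  const hb = latestHeartbeat(rows, name);
  // A watcher that has never written a heartbeat is reported stale rather than
  // "unknown", so a deployment whose watcher failed to start still trips the alert.
  if (hb === undefined) return { lastSeen: null, stale: true, meta: {} };
  // A negative age (clock skew, heartbeat slightly in the future) counts as fresh.
  const ageMs = nowMs - Date.parse(hb.at);
  return { lastSeen: hb.at, stale: ageMs > STALE_AFTER_MS, meta: hb.meta };
}

export function buildHealthReport(rows: HeartbeatRow[], nowMs: number): HealthReport {
  const el = healthOf(rows, "el", nowMs);
  const cl = healthOf(rows, "cl", nowMs);
  return { watchers: { el, cl, allHealthy: !el.stale && !cl.stale } };
}

// The operator-side check: alert when allHealthy is false. Returns the stale
// watcher names so the alert text can say which one stopped scanning.
export function staleWatchers(report: HealthReport): WatcherName[] {
  const out: WatcherName[] = [];
  if (report.watchers.el.stale) out.push("el");
  if (report.watchers.cl.stale) out.push("cl");
  return out;
}

// Constructed sample audit-log rows: EL scanned a minute ago, CL last scanned 12 minutes ago.
export const NOW_MS = Date.parse("2026-04-10T12:00:00Z");
export const sampleRows: HeartbeatRow[] = [
  { watcher: "el", at: "2026-04-10T11:50:00Z", meta: { lastBlock: "1000" } },
  { watcher: "el", at: "2026-04-10T11:59:00Z", meta: { lastBlock: "1045" } },
  { watcher: "cl", at: "2026-04-10T11:48:00Z", meta: { seatsMonitored: 5 } },
];

console.log(JSON.stringify(buildHealthReport(sampleRows, NOW_MS), null, 2));
```

The monitor should poll the endpoint on a shorter interval than the 5-minute staleness window, and should treat a failed or timed-out request the same as allHealthy: false, since an API process that is down cannot report on the watchers at all.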


PLANNED (infra): 3. Treasury key in HSM

Covered by deployment plan: seat manager EC2 instance will use HSM for the treasury private key. No code changes needed — viem supports KMS signer adapters.


DONE (by design): 4. CL client diversity

The S5 production topology specifies 3 CL clients (Lighthouse, Prysm, Lodestar) across 5 nodes. No code changes needed — the seat manager already supports multiple endpoint configs with different clClient values. This is covered by infrastructure deployment, not a software gap.


PLANNED (infra): 5. PostgreSQL backups

Covered by deployment plan: EC2 instance with PostgreSQL automated backups. No code changes needed.

Critical data in PostgreSQL (not recoverable from chain):

- SeatBlsMaterial.keystoreJson — encrypted BLS validator private keys (generated via "Generate Keys" flow)
- Seat-to-vault mappings, operator assignments, mnemonic indices, deposit data, audit trail


DONE: 6. EIP-7002 vault integration

EIP-7002 vault integration complete. triggerValidatorExit() added to WithdrawalVault — treasury can force-exit a validator without holding BLS keys. 120 forge tests pass. Seat manager CLI (seat force-exit <id> --send) and API (POST /v1/seats/:id/force-exit) fully wired. Staker console ABI updated.


DONE: 7. 2026-04-10 smart-contract audit findings remediation

Commit: f8e64d3 (centurion-networks/mainnet/contracts)

All five findings from the follow-up smart-contract audit were remediated:

- TR-01 Router zero-destination ETH trap risk
- TR-02 Router self-rotation to address(this)
- DC-01 Stale allowlist intents surviving ownership transfer
- DC-02 uint64 wraparound in disable scheduling
- WV-03 Unbounded msg.value forwarding in exit requests

Formal verification rerun record:

- docs/security/2026-04-10-certora-batch-rerun.md (all 8 relevant configs have passing prover outputs)

Detailed finding-by-finding remediation:

- docs/security/2026-04-10-smart-contract-audit-remediation.md


Already closed (does NOT block full GO)

| Item | Status |
| --- | --- |
| principalTargetWei validation | Hard-fail at every layer (Zod, CLI, deployer) + on-chain factory guard (principalTargetWei == 32 ether). Closed. |
| Phase-blind fund classification | Bounded by on-chain Running-phase principal protection (PrincipalProtectionActive once balance >= 32 CTN). Reconciliation + policy remain in place for sub-target inflows. Closed (bounded residual). |
| H-06 EOA check | Deployment-time policy, documented. Accepted. |
| M-14 solc tmp dependency | Build-time only. Accepted. |