Security

Security architecture and trust assumptions for the Symbiotic multi-provider template.

Shared Trust Model

| Entity | Trust Level | Notes |
|---|---|---|
| Settlement | Trusted | Symbiotic contract for BLS signature verification |
| Authorized Submitters | Semi-trusted | Whitelisted addresses that submit proofs; cannot forge signatures but can grief (spam invalid proofs) |
| Owner | Trusted | Admin with pause/unpause, submitter management |
| External users | Untrusted | Cannot call privileged functions directly |

Symbiotic Security Layer

  • Operators stake and register BLS public keys via KeyRegistry
  • Settlement contract verifies BLS quorum before accepting proofs
  • Slashing handled by Symbiotic core contracts (production)

Webhook Authentication

Webhooks between OZ Monitor and operators use HMAC-SHA256:

  1. Monitor computes HMAC-SHA256(secret, body + timestamp)
  2. Signature sent in X-Signature header
  3. Timestamp (ms since epoch) sent in X-Timestamp header
  4. Operator rejects invalid/missing signatures or expired timestamps (HTTP 401)

Secrets must be at least 32 characters. See CLI Reference for config details.
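
The four steps above, sketched for both sides as an added example (not code from the template or from OZ Monitor). The hex encoding of the signature, appending the timestamp as a decimal string, the 5-minute expiry window and the function names are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import time

MIN_SECRET_LEN = 32          # from the page: secrets must be at least 32 characters
MAX_AGE_MS = 5 * 60 * 1000   # assumption: the page does not state the expiry window


def sign(secret, body, timestamp_ms):
    """Monitor side: HMAC-SHA256(secret, body + timestamp); hex output is an assumption."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("webhook secret must be at least 32 characters")
    msg = body + str(timestamp_ms).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, now_ms=None):
    """Operator side: return the HTTP status to answer with (200 or 401).

    `headers` is a dict keyed by the exact header names used on the page;
    `body` is the raw request bytes, before any JSON parsing.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    sig = headers.get("X-Signature")
    ts = headers.get("X-Timestamp")
    if not sig or not ts:
        return 401                      # missing signature or timestamp
    if not (ts.isascii() and ts.isdigit() and len(ts) <= 16):
        return 401                      # not a plain millisecond counter
    if abs(now_ms - int(ts)) > MAX_AGE_MS:
        return 401                      # expired, or too far in the future
    expected = sign(secret, body, ts)
    # Constant-time comparison: no early exit on the first differing byte.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 401
    return 200


# Constructed sample values, not taken from the template.
SECRET = "constructed-secret-0123456789abcdef"
BODY = b'{"event":"JobAssigned","jobId":1}'
NOW_MS = 1_700_000_000_000
HEADERS = {"X-Signature": sign(SECRET, BODY, NOW_MS), "X-Timestamp": str(NOW_MS)}
```

Because the timestamp is part of the signed message, a captured request cannot be replayed with a refreshed X-Timestamp: the signature check fails even though the freshness check passes.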

LayerZero DVN Security

Trust assumptions specific to the SymbioticLayerZeroDVN contract.

| Entity | Trust Level | Notes |
|---|---|---|
| SendUln302 | Trusted | LayerZero's send library; only caller for assignJob |

Access Control

Source Chain

| Function | Caller | Purpose |
|---|---|---|
| assignJob | SendUln302 only | Register verification job, emit event |
| getFee | Anyone | Query verification fee (view) |

Destination Chain

| Function | Caller | Purpose |
|---|---|---|
| submitProof | Authorized submitters | Submit signed Merkle proof for verification |

Admin

| Function | Caller | Purpose |
|---|---|---|
| addSubmitter / removeSubmitter | Owner | Manage submitter whitelist |
| setBaseFee | Owner | Update verification fee |
| pause / unpause | Owner | Emergency controls |
| withdraw | Owner | Recover ETH (force-sent or accidental) |
| transferOwnership | Owner | Transfer admin rights |

Invariants

  1. Leaf monotonicity: verifiedLeaves[leaf] transitions false -> true only, never back
  2. Root monotonicity: verifiedRoots[root] transitions false -> true only, never back
  3. Signature requirement: Uncached roots require valid BLS quorum from Settlement
  4. Packet header integrity: Verified packets have exactly 81 bytes and correct dstEid
  5. No ETH custody: Contract does not collect fees; assignJob rejects msg.value > 0

Deployment Modes

| Mode | sendUln | receiveUln | settlement | Use case |
|---|---|---|---|---|
| Source only | Set | Zero | Zero | Emit JobAssigned events |
| Destination only | Zero | Set | Set | Verify proofs, call ReceiveUln |
| Bidirectional | Set | Set | Set | Both functions on same chain |

What the DVN Does NOT Do

  • Fee custody: Fees handled by LayerZero's fee accounting
  • Signature generation: BLS signing happens off-chain via Symbiotic Relay
  • Slashing: Handled by Symbiotic core contracts

Trust assumptions specific to the SymbioticCCV contract.

Access Control

| Function | Caller | Purpose |
|---|---|---|
| forwardToVerifier | OnRamp | Source-chain hook for CCV registration |
| verifyMessage | OffRamp | Destination verification hook |
| getFee | Anyone | Quote verification fee (view) |

Invariants

CCV verification requires:

  1. Valid BLS quorum signature from Settlement
  2. Correct message ID derivation
  3. Epoch freshness (reverts with EpochTooStale if settlement data is stale)

External Dependencies

| Dependency | Version | Purpose |
|---|---|---|
| @openzeppelin/contracts | 5.x | MerkleProof verification |
| @symbioticfi/relay-contracts | - | Settlement base contracts |
| LayerZero V2 | - | ILayerZeroDVN interface |
| Chainlink CCIP | - | CCV interfaces (ICrossChainVerifierV1) |