Garuda Chain Threat Model
Assets
| Asset | Value | Protection |
|---|---|---|
| GAT Token | Critical | Max supply, role-based mint |
| Treasury Funds | Critical | 3-of-5 multisig |
| User Funds (PayHub) | Critical | ReentrancyGuard, Pausable |
| Validator Stakes | High | Slashing, min stake |
| Identity/KYC Data | High | Hash-only on-chain |
| Validator Keys | Critical | HSM, never in repo |
Threat Actors
- External Attacker — exploit contract vulnerabilities
- Malicious Validator — double-sign, downtime
- Insider — abuse admin roles
- Sybil Attacker — drain faucet, spam network
- MEV Bot — front-running (low risk on IBFT)
Attack Vectors & Mitigations
| Vector | Mitigation | Status |
|---|---|---|
| Reentrancy | ReentrancyGuard | ✅ |
| Unauthorized mint | MINTER_ROLE | ✅ |
| Treasury drain | Multi-sig 3-of-5 | ✅ |
| Flash loan attack | No oracle deps | ✅ |
| Governance takeover | Proposal threshold + quorum | ✅ |
| Validator collusion | 21 validators, slashing | ✅ |
| RPC abuse | Rate limiting | ✅ |
| Faucet drain | IP limit + cooldown | ✅ |
| Emergency exploit | Security council pause | ✅ |
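
The "Validator collusion" row relies on a 21-validator set. The following added example (not Garuda Chain's own code) works out how much collusion and downtime that set size absorbs. It assumes equal-weight validators and the IBFT 2.0 quorum rule of ceil(2n/3) votes; the function names are hypothetical.

```python
def bft_thresholds(n: int) -> dict:
    """Collusion thresholds for n equal-weight validators.

    Assumption (not stated on the page): IBFT 2.0 quorum = ceil(2n/3).
    """
    if n < 4:
        raise ValueError("BFT consensus needs at least 4 validators")
    quorum = (2 * n + 2) // 3  # integer form of ceil(2n/3)
    return {
        "validators": n,
        "quorum": quorum,                 # votes needed to commit a block
        "tolerated_faults": (n - 1) // 3,  # f in n >= 3f + 1
        # Withholding this many votes leaves fewer than `quorum` voters.
        "min_to_halt": n - quorum + 1,
        # Any two quorums overlap in at least this many validators, so this
        # many must double-sign before two conflicting blocks can both commit.
        "min_to_fork": 2 * quorum - n,
    }


def assess_collusion(n: int, colluding: int, offline: int = 0) -> list:
    """Return which guarantees are at risk for a given validator-set state.

    `offline` counts honest validators that are down: they reduce liveness
    margin but never contribute to a fork.
    """
    if colluding < 0 or offline < 0 or colluding + offline > n:
        raise ValueError("colluding + offline must be between 0 and n")
    t = bft_thresholds(n)
    risks = []
    if colluding + offline >= t["min_to_halt"]:
        risks.append("liveness")
    if colluding >= t["min_to_fork"]:
        risks.append("safety")
    return risks


if __name__ == "__main__":
    print(bft_thresholds(21))
    # Constructed scenarios for the page's 21-validator set.
    for colluding, offline in [(6, 0), (7, 0), (8, 0), (5, 3)]:
        print(colluding, offline, assess_collusion(21, colluding, offline))
```

The last scenario shows why validator downtime belongs in the same analysis as collusion: five colluding validators are within the tolerated fault count, yet with three honest validators offline the chain can still stall.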
Residual Risks
- External audit pending (SEC-013)
- HSM not yet deployed (SEC-014)
- Formal verification pending (SEC-015)