Why the Contract Layer Is Non-Negotiable
The Strategy Layer defines what should happen. The Agent Layer makes it happen efficiently. The Contract Layer is the final backstop that ensures nothing harmful happens, even if the other two layers are compromised or misaligned. Every mutating instruction in the protocol performs the same three checks before executing:Hard-Coded Invariants
These live in the contract code itself. Changing them requires a program upgrade signed by the Upgrade Authority (Team Multisig during bootstrap; separate from the config and pause authorities). Governance cannot alter them viaStrategyConfig updates alone.
Fund conservation
compress_liquidity cannot debit pool vaults net negative. grow_liquidity can only add from Nexus. Rebalances are capital-preserving transformations by construction.NAV floor
adjust_capital cannot reduce total_invested_capital below MIN_CAPITAL_FLOOR (1 USDC lamport). Prevents NAV = 0 with supply > 0, which would brick the vault.Permanent tail immutability
Bins in
[permanent_tail_floor_bin .. left_anchor_bin] are never debited by any instruction. Attempting to shift or drain them reverts.Mint-path fee exclusivity
Fee-skip on master-pool
swap applies only when the instruction genuinely routes to mint_rwt. Bin-walk swaps always pay full fees; mint-routed swaps never pay DEX fees. No hybrid state is reachable.Kill-switch reachability
Every mutating agent instruction reads
StrategyConfig.kill_switch_active before executing. There is no bypass path — the check compiles into each instruction.Proposal-sourced updates
update_strategy_config validates its caller against a resolved futarchy proposal record. Direct multisig calls post-V2 revert with UpdateMustOriginateFromProposal.Monotonic config versions
config_version increases strictly. No downgrade. Agents that read an older version via stale account data will revert on mismatch with the state account they mutate.Timelock enforcement
apply_strategy_update reverts if now < pending_update_unlock_ts. Nobody — not governance, not the team — can shorten the unlock window for an already-submitted update.The Kill Switch
The kill switch is the protocol’s emergency brake. Its semantics are intentionally asymmetric to favour safety over convenience.Authority
Three independent paths can activate the kill switch. Each has its own trust, speed, and cost profile — no single actor is load-bearing, and no single path can be disabled without also bypassing the other two.| Path | Who | Trigger cost | Latency |
|---|---|---|---|
| Halt Bond | Anyone holding ARL | Stake 1% of ARL circulating supply | Instant (same tx as stake) |
| Pause Authority | Team Multisig | Multi-sig threshold reached | Instant, no bond |
| Governance | Successful futarchy emergency-halt proposal | Proposal + TWAP resolution | ~72h proposal cycle, no bond |
Why three paths rather than one. Halt Bond is the primary — permissionless, economically aligned, self-funding. Pause Authority is the fallback — unconditional speed in zero-day scenarios where even assembling 1% ARL takes too long. Governance activation is the democratic floor — major disagreements route to on-chain consensus without elite authority or capital requirements. Defeating all three at once requires compromising three independent signer sets plus the ability to prevent any ARL holder from staking — effectively compromising the chain itself.
Halt Bond — detailed design
Instead of an elected guardian body, the protocol uses a pure economic model: anyone can trigger an emergency halt, but must stake real ARL value against the legitimacy of the halt call. Good calls earn a bounty; bad calls forfeit the entire stake to the Treasury.Bond — 1% of ARL circulating supply
Computed at transaction time against on-chain
total_supply - protocol_held_balance. Locked in a frozen HaltBondEscrow PDA for the full review window. Size is material enough to deter spurious halts but achievable for coordinated responses to real threats.Instant on-chain effect
The
activate_kill_switch_with_bond instruction performs the stake and the flag-flip atomically. Within one block: bond locked, kill_switch_active = true, all agent instructions reverting. No coordination window, no multi-sig waiting.7-day review window
Reviewer examines evidence and renders a verdict: Justified or Not Justified. Review verdict must be published on-chain with rationale. V1 reviewer: Team Multisig. V2 reviewer: futarchy proposal “Was halt X justified?”.
Asymmetric outcomes
Justified → bond returned to caller + optional Treasury bounty sized to averted damage (governance-set ceiling 5%). Not Justified → entire bond forfeited to Areal Treasury. No partial verdicts; no negotiated returns.
Activation flow
Anomaly detected
Any participant observes something wrong via on-chain monitors, community channels, bug-bounty reports, audit events, or their own analysis.
Bond staked, halt engaged
Caller submits
activate_kill_switch_with_bond(rationale_uri) transferring 1% of ARL circulating supply into the HaltBondEscrow PDA. Same tx sets kill_switch_active = true. All agent instructions across RWT Vault, Nexus, and Treasury begin reverting with KillSwitchActive on next call. User-level operations continue unaffected.Review window (7 days)
Caller publishes detailed rationale (on-chain memo field or off-chain with pinned hash). Reviewer examines evidence — Team Multisig during V1, futarchy during V2. Community may submit supplementary evidence to the on-chain record during this window.
Verdict rendered
Within the 7-day window, reviewer publishes verdict on-chain:
HaltVerdictJustified or HaltVerdictNotJustified. Event includes reasoning hash and applicable bounty (if justified). No appeal mechanism — verdict is binding.Bond resolution
Justified →
HaltBondEscrow releases bond back to caller; BountyDisbursement event if bounty awarded. Not Justified → HaltBondForfeit transfers the full bond to Areal Treasury; caller added to HaltCooldownRegistry (30-day wallet cooldown).Parameters
| Parameter | Default | Governance-tunable? |
|---|---|---|
| Bond size | 1% of ARL circulating supply | Yes (critical tier) |
| Review window | 7 days | Yes (critical tier) |
| Bounty ceiling | 5% of averted damage | Yes (critical tier) |
| Wallet cooldown after forfeit | 30 days | Yes (operational tier) |
| Bond denomination | ARL | No — hard-coded invariant |
| Verdict authority | Team Multisig (V1) / Futarchy (V2) | Structural — set by V2 deployment |
Why an economic bond beats an elected council
A prior design considered a community-elected Safety Council (7 members, 4-of-7 supermajority). The bond model proved strictly simpler across every dimension that matters:| Concern | Elected Council | Halt Bond |
|---|---|---|
| Trigger authorization | 7 specific people | Anyone with 1% ARL |
| Election overhead | Annual per seat, eligibility rules | None |
| Personal disclosures | Required (diversity, affiliations) | Not needed |
| Coordination required | 4 of 7 agree within 30 min | Solo stake, atomic |
| Griefing resistance | Reputation stake only | 1% of ARL supply at risk |
| Compensation model | Monthly stipend from Treasury | None — halter funds own stake |
| Bad halt outcome | Reputation damage, future removal | Treasury gains 1% of supply |
| Incentive alignment | Personal accountability | Direct economic skin in the game |
| V1/V2 transition | Requires building election infrastructure | Works with Team Multisig as V1 reviewer immediately |
| Self-funding | No — costs Treasury in stipends | Yes — bad actors fund Treasury |
Why not pure “anyone can halt” without a bond
A free permissionless halt creates a griefing attack: gas is trivial for an attacker, while the 7-day reactivation timelock imposes massive asymmetric cost on the protocol. The bond closes this asymmetry — the attacker now pays 1% of ARL supply per spurious halt attempt, and a verdict of unjustified sends that value to the Treasury it was meant to harm.Pause Authority backstop
The Pause Authority (Team Multisig) retains independent, no-bond instant-halt capability for scenarios where even the Halt Bond is too slow:- Zero-day contract exploits observed during active attack
- External dependency failures (oracle failure, stablecoin issuer default) requiring immediate intervention
- Coordinated multi-surface anomalies where seconds matter more than process
Compensation
No stipends, no Council, no standing roles to fund. The only compensation flow is the bounty for justified halts:| Event | Source | Amount (governance-set) |
|---|---|---|
| Justified halt | Areal Treasury | Sized to averted damage, ceiling 5% |
| Not-justified halt | (forfeiture to Treasury) | Bond value transferred from caller |
| Pause Authority halt | n/a | Team Multisig acting in operational role |
| Governance halt | n/a | No individual compensation |
What the kill switch stops
Whenkill_switch_active = true, every agent instruction reverts with KillSwitchActive:
vault_swap— no OT acquisitionsgrow_liquidity/compress_liquidity— no rebalancingnexus_swap/nexus_add_liquidity/nexus_remove_liquidity— no LP changesclaim_yieldwhen called by Yield Harvester — suspended (users can still claim their own yield directly)
What remains operational
- User-level reads (NAV queries, balance checks)
- User-level swaps on DEX (trading never stops — liquidity is user capital, not protocol capital)
- User
mint_rwtand userclaim_lp_fees - User yield claims (user’s own merkle proofs)
- Governance proposals (kill switch does not stop governance)
remove_liquidityfor LP holders on StandardCurve pools (exit is always permitted)
Deactivation
Turning the kill switch off is a 7-day timelocked critical-tier update. Even if the activation was accidental, reactivation requires the full community exit window. Safety errs toward caution.Practical consequence: if a kill switch is triggered in error at 10:00am, agents remain inactive until 10:00am one week later. The protocol degrades gracefully — users can still interact, yield still accrues at the OT level, but no autonomous optimization runs. This is the intended failure mode: operational slowness is acceptable, silent compromise is not.
Circuit Breakers
Beyond the kill switch, the Contract Layer enforces several per-action circuit breakers that trip automatically without requiring governance intervention.Volume-based
Slippage-based
Concentration-based
Reserve-based
Cooldown-based
Formal Verification Goals
Several invariants are targets for mechanical proof (via Coq, Isabelle, or Solana-specific verification tools as they mature):Fund conservation
Claim: For all reachable states and all sequences of
grow_liquidity / compress_liquidity calls, sum(pool.vault_a_balance + pool.vault_b_balance) over all master pools is monotonic non-decreasing modulo user-initiated swaps and withdrawals.Kill-switch safety
Claim: While
kill_switch_active == true, no agent instruction executes to completion. Formally: every mutating agent instruction’s invariant includes !kill_switch_active.Timelock enforcement
Claim:
apply_strategy_update requires now >= pending_update_unlock_ts. No code path bypasses this check. Provable by symbolic execution over the instruction handler.Config monotonicity
Claim:
config_version is strictly increasing across any sequence of successful updates. No instruction decrements or equals-assigns the version.Permanent tail invariance
Claim:
BinArray[i].liquidity_b for i ∈ [permanent_tail_floor_bin, left_anchor_bin] is never decremented across any reachable call sequence except explicit governance-mandated retire_permanent_tail instruction (which requires Upgrade Authority).Agent authority isolation
Claim: No agent keypair can satisfy the signer check for any instruction outside its published surface. Formally:
signer_check(instruction, signer) is injective on (agent_role, instruction) pairs.Incident Response Playbook
Detection
Multiple independent channels surface anomalies:- On-chain monitors — indexers flag circuit breaker trips, unexpected value transfers, unusual agent action frequency
- Governance oversight — ARL holders can submit
IncidentReportproposals to flag observed problems - Audit events — every agent action is observable; statistical anomalies (e.g., slippage distribution shift) are mechanically detectable
- External bug bounty — standing program for invariant-breaking disclosures
Triage (T + 0 to T + 30 minutes)
Classify severity
- Sev-1: fund loss, live exploit, kill-switch bypass attempt → Pause Authority acts immediately
- Sev-2: circuit breaker trip pattern, agent misbehaviour within bounds → governance review
- Sev-3: UX issue, non-critical anomaly → normal proposal flow
Sev-1: Emergency halt
Pause Authority (Team Multisig) signs
activate_kill_switch transaction. All agents freeze within the next block. User operations continue.Public disclosure
Status page and social channels updated within 30 minutes of halt. Scope, observed impact, and next steps published.
Containment (T + 30 minutes to T + days)
- Compromised keypair: rotate via governance proposal (24h operational timelock); rollback any recoverable state via compensating transactions
- Exploited instruction: prepare program upgrade; deploy via Upgrade Authority
- Bad config: submit counter-proposal with instant-tier activation for kill switch, critical-tier for config fix
- External dependency issue (oracle, stablecoin issuer): halt agents, reroute to fallback, communicate
Post-mortem
Every Sev-1 and Sev-2 incident produces a public post-mortem within 14 days:- Timeline with block references
- Root cause analysis
- Scope of impact (funds, users, duration)
- Remediation applied
- Invariants added or strengthened as a result
- Whether a new hard-coded invariant is warranted for the next program upgrade
/changelog/ as YYYY-MM-DD-incident-<short-name>.mdx.
Compensation
The protocol does not guarantee user compensation for losses arising from exploits. However, the Areal Treasury holds reserves expressly earmarked (via governance) for incident remediation. Governance may propose compensation for affected holders if the Treasury position and incident scope warrant it. This is a discretionary case-by-case decision, not an insurance promise.Defense in Depth — Summary
Each vertical control class stops a different attack vector:| Control | Threat addressed | Layer |
|---|---|---|
| StrategyConfig bounds | Compromised agent, misaligned agent | Strategy |
| Signer check per instruction | Stolen agent keypair calling wrong function | Contract |
| Hard-coded invariants | Malicious governance proposal | Contract |
| Timelock | Rushed / coerced governance | Contract |
| Kill switch (instant on) | Active exploit, zero-day | Contract + Pause Authority |
| Kill switch (7d deactivation) | Social-engineered “all clear” | Contract |
| Circuit breakers | Runaway agent within bounds | Contract |
| Audit events | Undetected anomaly | Observability |
| Agent rotation | Keypair compromise | Strategy + Contract |
| Pause Authority separation | Multisig compromise | Key management |
| Upgrade Authority separation | Code vulnerability | Key management |
| Formal verification | Logic bug | Proof layer |
| Bug bounty | External discovery | Community |
| Governance oversight | Systemic drift | Community + Strategy |
What This Section Does Not Claim
No zero-risk assertion
Defense in depth reduces attack surface and blast radius. It does not eliminate smart-contract risk, oracle risk, or governance-capture risk. See Risk Disclosure.
No completed audit
Formal verification goals are aspirational. Current contracts have internal review; external audits are a prerequisite for mainnet agent deployment.
No compensation promise
Treasury reserves may fund remediation at governance discretion. No automatic coverage, no insurance product, no user-facing guarantee.
No unbreakable system
Any system involving humans, code, and economic incentives can fail. The design goal is to make failure modes bounded, observable, and recoverable — not to prevent failure entirely.
Summary
Three enforcement points
Signer validation, StrategyConfig bounds, hard-coded invariants — every mutation checks all three
Instant-on kill switch
Zero-delay activation by Pause Authority or governance; 7-day timelock on deactivation
Circuit breakers
Per-tx, per-day, slippage, concentration, reserve, cooldown — automatic trips without governance
Formal verification goals
Fund conservation, kill-switch reachability, timelock enforcement, config monotonicity targeted for mechanical proof
Public incident response
Severity classification, 30-minute disclosure target, 14-day post-mortem, invariant strengthening loop
Defense in depth
Every critical property enforced by multiple independent mechanisms — no single load-bearing control