Security

Security architecture and trust assumptions for the Symbiotic template.

Shared Trust Model

Entity                  Trust level     Notes
Settlement              Trusted         Verifies BLS quorum signatures
Authorized submitters   Semi-trusted    Can submit proofs, but cannot forge valid signatures
Owner                   Trusted         Handles pause, unpause, and submitter management
External users          Untrusted       No privileged access

Webhook ingress between OZ Monitor, OZ Relayer, and operators uses HMAC-SHA256 shared secrets. See CLI & API Reference for the header format.

Runtime API Security

Operator runtime behavior that is easy to miss:

  • /healthz bypasses authentication so orchestration health checks keep working.
  • /webhook/events verifies HMAC over the raw body plus X-Timestamp, and rejects requests outside a 300s timestamp window.
  • /api/v1/webhooks/oz-relayer verifies a separate base64 HMAC signature over the raw JSON body.
  • Authentication failures on ingress webhooks intentionally return generic 401 responses instead of detailed errors.
  • CORS is off by default.
  • Debug routes are security-gated and may be hidden by middleware before the handler runs.

Secrets are loaded from WEBHOOK_SECRET and OZ_RELAYER_WEBHOOK_SECRET at startup, not from the environment JSON.
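The ingress rules above, written out as an added reference implementation (not code from the template, which keeps its own handler and header format in the CLI & API Reference). It assumes a header name of X-Signature for both endpoints, that the events MAC is computed over the raw body bytes followed by the X-Timestamp string, and constructed secrets in place of the values loaded from WEBHOOK_SECRET and OZ_RELAYER_WEBHOOK_SECRET. Every failure path returns the same generic 401, and the comparison is constant-time.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed secrets for this example. The template loads the real values from
# WEBHOOK_SECRET and OZ_RELAYER_WEBHOOK_SECRET at startup.
WEBHOOK_SECRET = b"constructed-monitor-shared-secret"
OZ_RELAYER_WEBHOOK_SECRET = b"constructed-relayer-shared-secret"
TIMESTAMP_WINDOW_SECONDS = 300

# Assumed header names and body||timestamp order; the template's actual format
# is documented in its CLI & API Reference.
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Timestamp"


def sign_events(raw_body: bytes, timestamp: str, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the raw body bytes followed by the timestamp string."""
    return hmac.new(secret, raw_body + timestamp.encode(), hashlib.sha256).hexdigest()


def verify_events(raw_body: bytes, headers: Dict[str, str], now: Optional[float] = None,
                  secret: bytes = WEBHOOK_SECRET) -> int:
    """/webhook/events check. Returns an HTTP status: 200 on success, otherwise a generic 401.

    Missing header, unparsable or stale timestamp, and a bad MAC all return the same
    401 so the response does not reveal which check failed."""
    now = time.time() if now is None else now
    ts = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts is None or sig is None:
        return 401
    try:
        ts_value = int(ts)
    except ValueError:
        return 401
    if abs(now - ts_value) > TIMESTAMP_WINDOW_SECONDS:  # replay window
        return 401
    expected = sign_events(raw_body, ts, secret)
    # compare_digest is constant-time; encode both sides so non-ASCII input cannot raise
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 401
    return 200


def sign_relayer(raw_json: bytes, secret: bytes = OZ_RELAYER_WEBHOOK_SECRET) -> str:
    """Base64 HMAC-SHA256 over the raw JSON body, as the OZ Relayer ingress expects."""
    return base64.b64encode(hmac.new(secret, raw_json, hashlib.sha256).digest()).decode()


def verify_relayer(raw_json: bytes, headers: Dict[str, str],
                   secret: bytes = OZ_RELAYER_WEBHOOK_SECRET) -> int:
    """/api/v1/webhooks/oz-relayer check: separate secret, no timestamp, base64 MAC."""
    sig = headers.get(SIGNATURE_HEADER)
    if sig is None:
        return 401
    try:
        provided = base64.b64decode(sig, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 401
    expected = hmac.new(secret, raw_json, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return 401
    return 200


def route(path: str, raw_body: bytes, headers: Dict[str, str],
          now: Optional[float] = None) -> int:
    """Minimal dispatcher mirroring the ingress rules listed above."""
    if path == "/healthz":
        return 200  # no authentication, so orchestrator health checks keep working
    if path == "/webhook/events":
        return verify_events(raw_body, headers, now)
    if path == "/api/v1/webhooks/oz-relayer":
        return verify_relayer(raw_body, headers)
    return 404
```

The MAC is computed over the exact bytes received: a body that is parsed and re-serialized before verification (for example with different whitespace) produces a different digest and is rejected, which is why the handlers above take the raw body rather than a decoded object.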

LayerZero DVN Security

The LayerZero provider trusts SendUln302 as the only valid source-chain caller for assignJob.

Access Control

Function                                                      Caller                  Purpose
assignJob                                                     SendUln302 only         Register verification jobs and emit JobAssigned
getFee                                                        Anyone                  Quote verification fee
submitProof                                                   Authorized submitters   Submit signed Merkle proofs
addSubmitter / removeSubmitter                                Owner                   Manage submitter whitelist
setBaseFee / pause / unpause / withdraw / transferOwnership   Owner                   Administrative controls

Invariants

  1. verifiedLeaves[leaf] only moves from false to true.
  2. verifiedRoots[root] only moves from false to true.
  3. Uncached roots require a valid BLS quorum from Settlement.
  4. Verified packet headers must have the expected length and destination EID.
  5. assignJob rejects msg.value > 0; the DVN does not custody fees.
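The five invariants and the access-control table above, as an added executable reference model in Python. This is not the template's contract; it is a state machine that enforces the same rules so they can be exercised in tests. Assumptions not stated on the page: the 81-byte LayerZero V2 packet header layout (version, nonce, srcEid, sender, dstEid, receiver, recalled from PacketV1Codec), a sorted-pair SHA-256 Merkle tree, a leaf of SHA-256(header || payloadHash), and a keyed-hash stand-in for Settlement's BLS quorum check that only models "Settlement accepts or rejects this root".

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Assumed packet header layout (LayerZero V2 PacketV1Codec, as recalled here; the
# page only states "expected length and destination EID"):
# version(1) | nonce(8) | srcEid(4) | sender(32) | dstEid(4) | receiver(32) = 81 bytes
HEADER_LENGTH = 81
DST_EID_OFFSET = 45


def build_header(dst_eid: int, src_eid: int = 1, nonce: int = 1) -> bytes:
    """Construct a sample header for tests; sender and receiver are zeroed."""
    return (bytes([1]) + nonce.to_bytes(8, "big") + src_eid.to_bytes(4, "big")
            + bytes(32) + dst_eid.to_bytes(4, "big") + bytes(32))


def header_dst_eid(header: bytes) -> int:
    """Invariant 4 (length): reject any header that is not exactly HEADER_LENGTH bytes."""
    if len(header) != HEADER_LENGTH:
        raise ValueError("invalid packet header length")
    return int.from_bytes(header[DST_EID_OFFSET:DST_EID_OFFSET + 4], "big")


def leaf_hash(header: bytes, payload_hash: bytes) -> bytes:
    """Assumed leaf encoding: SHA-256 over header || payloadHash."""
    return hashlib.sha256(header + payload_hash).digest()


def hash_pair(a: bytes, b: bytes) -> bytes:
    """Sorted-pair SHA-256 node hash (assumption; the template's hashing is not on this page)."""
    return hashlib.sha256(min(a, b) + max(a, b)).digest()


def merkle_root(leaf: bytes, proof: List[bytes]) -> bytes:
    node = leaf
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node


# Stand-in for Settlement's BLS quorum check: a keyed hash over the root, constructed
# for this example. It is not a BLS signature; it only models accept/reject.
_QUORUM_KEY = b"constructed-settlement-quorum-key"


def stub_quorum_sign(root: bytes) -> bytes:
    return hmac.new(_QUORUM_KEY, root, hashlib.sha256).digest()


def stub_settlement_verify(root: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(stub_quorum_sign(root), signature)


@dataclass
class DvnModel:
    local_eid: int
    send_uln: str
    settlement_verify: Callable[[bytes, bytes], bool]
    submitters: Set[str] = field(default_factory=set)
    verified_leaves: Dict[bytes, bool] = field(default_factory=dict)
    verified_roots: Dict[bytes, bool] = field(default_factory=dict)
    jobs: List[bytes] = field(default_factory=list)

    def assign_job(self, caller: str, msg_value: int, header: bytes) -> None:
        """assignJob: SendUln302 only; never accepts value (invariant 5)."""
        if caller != self.send_uln:
            raise PermissionError("assignJob: caller is not SendUln302")
        if msg_value > 0:
            raise ValueError("assignJob: DVN does not custody fees")
        self.jobs.append(header)

    def submit_proof(self, caller: str, header: bytes, payload_hash: bytes,
                     proof: List[bytes], quorum_sig: bytes) -> bytes:
        """submitProof: authorized submitters only; returns the leaf that was verified."""
        if caller not in self.submitters:
            raise PermissionError("submitProof: not an authorized submitter")
        if header_dst_eid(header) != self.local_eid:
            raise ValueError("submitProof: wrong destination EID")  # invariant 4 (EID)
        leaf = leaf_hash(header, payload_hash)
        root = merkle_root(leaf, proof)
        if not self.verified_roots.get(root, False):
            # Invariant 3: an uncached root is accepted only with Settlement's quorum.
            if not self.settlement_verify(root, quorum_sig):
                raise ValueError("submitProof: invalid BLS quorum")
            self.verified_roots[root] = True  # invariant 2: only ever set to True
        self.verified_leaves[leaf] = True  # invariant 1: only ever set to True
        return leaf
```

The model has no code path that writes False into verifiedLeaves or verifiedRoots, which is how invariants 1 and 2 are kept; a second leaf under an already-verified root skips the quorum check entirely, which is the caching behaviour invariant 3 describes.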

CCV Security

Access Control

Function            Caller    Purpose
forwardToVerifier   OnRamp    Register a message for CCV verification
verifyMessage       OffRamp   Verify the message on the destination path
getFee              Anyone    Quote verification fee

Invariants

  1. Verification requires a valid BLS quorum signature from Settlement.
  2. The derived message ID must match the message payload being verified.
  3. Settlement epoch data must be fresh, or verification reverts with EpochTooStale.