Security Model
Parthenon Fi's security model differs fundamentally from traditional DeFi protocols. Where DeFi security focuses primarily on smart contract vulnerabilities (reentrancy, flash loans, oracle manipulation), Parthenon's custody-native architecture distributes security across multiple institutional-grade layers.
Security Layers
Layer 1: Canton Network Security
Canton provides the base security layer:
No global state: Contracts are shared only between relevant parties, eliminating information leakage
No MEV: No global mempool means no front-running, sandwich attacks, or transaction reordering
Deterministic execution: The same inputs always produce the same outputs
Formal verification: Daml contracts can be formally verified for correctness
Authorization enforcement: Multi-party signoff required for all state transitions
Layer 2: Custodian Security
Qualified custodians provide institutional-grade asset security:
OCC/FSRA regulation: BitGo and Anchorage operate under OCC national trust bank charters with regulatory examinations
Insurance coverage: BitGo provides up to $250M via Lloyd's syndicates
HSM key management: Hardware Security Modules protect cryptographic keys
Segregated custody: Client assets segregated from custodian operating assets
SOC 2 compliance: Regular third-party security audits
Layer 3: Protocol Security
Parthenon's protocol layer:
Smart contract audits: Daml contracts audited before deployment
TICS security: HSM-backed signing for all custodian instructions, mutual TLS authentication
Rate limiting: Instruction flooding prevention on TICS-custodian communication
Dual oracle verification: No automated action on divergent price feeds
Idempotency: All TICS instructions include idempotency keys preventing duplicate execution
Layer 4: Compliance Security
Sanctions screening: Continuous monitoring via Chainalysis and TRM Labs
KYC/AML: Custodian CDD processes for all participants
Jurisdictional controls: Transfer restrictions enforced at the smart contract level
Audit trail: All state transitions recorded on Canton with supervisory node access
Risk Categories
Smart Contract Risk
While Daml mitigates many smart contract risks (no reentrancy due to the authorization model, no flash loans due to atomic execution), software bugs, flawed logic, and unforeseen interactions remain possible. Canton's sub-transaction privacy prevents certain attack vectors (no public state to exploit) but introduces complexity in testing and verification.
Mitigation: Smart contract audits, formal verification where possible, staged deployment with limited exposure during testnet and pilot phases.
Custodian Risk
Despite regulation and insurance, custodians face: cyberattacks on infrastructure, key management failures, regulatory actions, and insolvency risk. Insurance coverage may not fully offset losses.
Mitigation: Multi-custodian architecture (no single custodian dependency), regulatory due diligence, insurance verification, and the ability to migrate collateral between custodians under the Account Control Agreement.
Oracle Risk
Price feed inaccuracies, delays, manipulation, or outages could result in premature or delayed margin calls and liquidations.
Mitigation: Dual oracle architecture, feed divergence detection, custodian-independent price verification, and manual review triggers for anomalous conditions.
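The "no automated action on divergent price feeds" rule above, as an added illustration that is not Parthenon's own code: a margin-check gate that only acts automatically when both oracle feeds are fresh and agree, and otherwise routes the decision to manual review. The divergence and staleness thresholds, and the conservative use of the lower price, are assumptions for the example, not parameters from the page.

```python
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class PriceObservation:
    source: str       # feed identifier
    price: float      # collateral price in the loan currency
    observed_at: int  # unix seconds when the feed published it


class Decision(Enum):
    NO_ACTION = "no_action"
    MARGIN_CALL = "margin_call"
    MANUAL_REVIEW = "manual_review"   # anomalous feeds: a human decides


# Assumed thresholds for this example (not taken from the page).
MAX_DIVERGENCE = 0.02   # feeds may differ by at most 2% of the lower price
MAX_STALENESS = 60      # an observation older than 60s is not trusted


def feeds_agree(a: PriceObservation, b: PriceObservation, now: int,
                max_divergence: float = MAX_DIVERGENCE,
                max_staleness: int = MAX_STALENESS) -> bool:
    """True only if both feeds are positive, fresh, and within tolerance."""
    if a.price <= 0 or b.price <= 0:
        return False                      # a zero/negative price is an outage
    if now - a.observed_at > max_staleness or now - b.observed_at > max_staleness:
        return False                      # a stale feed cannot confirm the other
    return abs(a.price - b.price) / min(a.price, b.price) <= max_divergence


def evaluate_margin(loan_outstanding: float, collateral_units: float,
                    a: PriceObservation, b: PriceObservation, now: int,
                    margin_call_ltv: float):
    """Return (decision, ltv). Automated action requires agreeing feeds."""
    if not feeds_agree(a, b, now):
        return Decision.MANUAL_REVIEW, None   # divergent or stale: no automation
    # Conservative choice: value collateral at the lower of the two prices,
    # so a margin call is never missed because one feed reads high.
    price = min(a.price, b.price)
    ltv = loan_outstanding / (collateral_units * price)
    if ltv >= margin_call_ltv:
        return Decision.MARGIN_CALL, ltv
    return Decision.NO_ACTION, ltv


if __name__ == "__main__":
    # Constructed sample: two feeds 1% apart, loan 65 against 1 unit at ~100.
    a = PriceObservation("feed-A", 100.0, 1000)
    b = PriceObservation("feed-B", 101.0, 1000)
    print(evaluate_margin(65.0, 1.0, a, b, now=1000, margin_call_ltv=0.75))
```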
Counterparty Risk
The risk that a borrower defaults or refuses to repay. While collateral provides security, a rapid market decline could cause collateral value to fall below outstanding obligations between the margin call and liquidation execution.
Mitigation: Conservative LTV parameters, short Cure Periods, custodian-executed liquidation (faster than DeFi liquidation bots), GMSLA close-out netting provisions, and legal recourse for any shortfall.
Regulatory Risk
Changes in digital asset regulation could affect the legality, enforceability, or economics of transactions.
Mitigation: Dual-jurisdiction strategy (ADGM + US Reg D), legal framework adapted for regulatory durability, compliance infrastructure that can adapt to new requirements.