Security

SECURITY.md

Security Policy

Threat Model

UniBrain spans three execution domains:

Origin hook telemetry (Uniswap v4)
Reactive decision environment
Destination callback execution

Primary risks:

unauthorized callback execution
replayed or duplicated strategy actions
out-of-bounds strategy updates
reentrancy and state corruption
manipulated short-horizon market telemetry

Implemented Mitigations

Callback sender verification (msg.sender == callbackProxy)
Authorized RVM ID allowlist
Replay protection on decisionId (executor + strategy book)
Idempotent duplicate handling (false return without state mutation)
Reentrancy guard on executor
Strategy bounds validation (fee/ticks/hedge)
Deterministic model with explicit parameter constraints
Decision cooldown and duplicate fingerprint suppression in reactive layer

Remaining Risks

Callback liveness/funding failures on Reactive path
Strategy underperformance under adversarial volatility regimes
Economic attacks against shallow-liquidity pools

Audit Checklist

Verify callback proxy address per chain
Verify RVM authorization lifecycle
Validate bounds cannot be bypassed
Validate all decisionId replay scenarios
Validate hook permissions/address bits match implementation
Validate demo/deployment config does not leak privileged settings into production

Reporting

Open a private security issue with:

impact summary
exploit path
minimal reproduction steps
recommended mitigation

There aren’t any published security advisories