Security model
Predicate enforces compliance through a scoped onchain freeze/block role which can be revoked it in a single transaction and is typically granted by the contract’s admin role. This page covers the controls around the corresponding signer key and the guarantees on enforcement delivery.Security and engineering teams evaluating Predicate can request additional detail under NDA — covering key management, runtime hardening, and our threat model. The following is meant to be a high-level overview.
Onchain authorization
The following is based off the freeze/block interfaces we recommend implementing.- Scope. Predicate never holds asset-admin keys. Enforcement runs through the role you grant —
FREEZE_MANAGER_ROLEon EVM,blockeron Stellar. - Bounded authority. The role authorizes only freeze/unfreeze and block/unblock. It cannot mint, burn, transfer, upgrade, or reassign roles.
- Revocation. Authorization is revocable in a single transaction and verifiable on your own contract.
Key management
- Multi-factor protection. Signing keys are protected by multiple independent factors; no single operator can produce a signature.
- No human access. Keys are never exposed to human operators in the course of operations.
Infrastructure and access
- Isolation. Signing is isolated from application services behind independent controls; no single compromised component can produce a signed transaction.
- Least privilege. Production access is scoped, logged, periodically reviewed, and revoked on offboarding.
- Release process. Changes are peer-reviewed and built by CI, not developer machines. Production deploys require explicit human approval; no individual can deploy to production unilaterally.
- External assessment. Security posture is validated through ongoing internal review and independent third-party assessment.
Delivery and availability
- Retry. Enforcement actions are retried automatically on failure; contracts that persistently fail are surfaced and acted on.
- Redundant endpoints. Multiple RPC endpoints maintain enforcement through provider outages.
- Failover. The signing service is designed to survive infrastructure failure with tested failover.
