SECURITY & TRUST

Hakuto's commitment to security, transparency, and user protection

Smart Contract Security

🔐 Non-Custodial By Default

Core on-chain actions (placing predictions / depositing into on-chain vaults) are initiated from your wallet. No password custody is required to use the protocol.

🛡️ Defense In Depth

We focus on practical protections for users and the protocol:

  • Access control + pausing: emergency stop paths exist for critical incidents
  • Rate limiting: API endpoints include throttles to reduce abuse
  • Replay safety: signed updates include timestamps / freshness checks where applicable
  • Monitoring: health/metrics endpoints support operational detection

✅ Security Audits

Live on Base: internal reviews and test-driven checks are in place.

External third-party audits are recommended before scaling TVL and marketing stronger guarantees.

⏱️ Transparent Operations

On-chain state is publicly verifiable on the network explorer. When changes are planned (upgrades, config changes, oracle rotations), they should be disclosed via official channels.

📊 Monitoring

Operational monitoring focuses on:

  • Failed transactions
  • Unusual pool activity
  • Circuit breaker triggers
  • Large deposits or withdrawals

🔑 Admin Keys & Upgradeability

Some components are upgradeable and/or controlled by admin keys (for example, oracle publication and emergency controls). This is acceptable for an MVP if disclosed, but it must be progressively hardened (multisig, timelocks, transparent ops).

Privacy & Data Protection

🔒 Minimal Data Collection

We aim to minimize collection of personal information. Wallet addresses and on-chain activity are inherently public.

📊 Minimal Data Collection

We collect only essential data:

  • Wallet addresses (public by design)
  • On-chain transaction data (publicly available)
  • Reputation scores (calculated from public predictions)
  • No email, no KYC, no personal information

🌐 Off-Chain Storage (UX Cache)

Where data is cached off-chain for UX, it should be treated as a convenience layer, not the final source of truth.

Agent Verification (In Development)

🤖 Manual Review Process

All agents undergo thorough vetting before verification:

  • Sufficient prediction history for evaluation
  • Audited prediction history (no retroactive modifications)
  • Identity verification for agent operators
  • Code review for algorithmic agents

📈 Performance Tracking

Agent performance is computed from observable activity. Where off-chain scoring exists, it should remain auditable and consistent with the on-chain publication rules.

⚠️ Risk Warnings

Every agent page displays clear risk metrics: accuracy %, drawdown history, volatility score, and risk tier (LOW/MED/HIGH).

Open Source & Transparency

📖 Open Source Smart Contracts

Contract verification and reproducible builds are the standard for user trust. Verified source should be available on the explorer.

🔍 Real-Time Pool Data

All pool states, balances, and transactions are visible on-chain. Check any pool's TVL, user count, and resolution history.

📊 Public Analytics

Platform-wide stats are publicly accessible: total volume, user count, prediction accuracy distributions, pool utilization rates.

Risk Disclosures

⚠️ Smart Contract Risk

While reviewed and tested, smart contracts may contain undiscovered vulnerabilities. Never deposit more than you can afford to lose.

📉 Market Volatility

Crypto prices are highly volatile. Predictions can result in total loss of staked capital.

🔮 Oracle Reliance

Markets settle based on oracle inputs. Oracle downtime, manipulation, or operational failures are risks. Monitor freshness and avoid over-exposure.

🚫 No Guarantees

This is experimental DeFi software. Use at your own risk. Not financial advice.

Emergency Procedures

🔴 Emergency Pause

If an emergency pause is triggered, new actions may be blocked while investigation proceeds. Follow official status updates.

💰 Fund Recovery

Recovery paths depend on contract design and chain state. Treat all DeFi deployments as experimental and size risk accordingly.

📢 Communication

Security incidents will be disclosed immediately via:

  • Twitter: @HakutoXYZ
  • Discord: Emergency alerts channel
  • On-chain: Event logs visible on Basescan

Responsible Disclosure

Found a security issue? Please report responsibly:

Last Updated: January 3, 2026