Security Model

Critical component
This is the most security-sensitive part of NMT. Every design choice here protects user funds. Read this page fully before making any changes to smart wallet contracts.

Security is the most critical aspect of NMT's smart wallet layer. Users are trusting the platform with access to their funds, so the contract design follows a principle of minimum necessary permission.

Core Security Properties

1. No Private Key Sharing

Users never share their private keys with anyone. Instead, they sign a single transaction that grants a delegate address permission to call specific module functions. The delegate can only operate within those bounds.

2. Whitelist-Only Execution

Every interaction is restricted to whitelisted protocol contracts. A module can only call the official Uniswap V3 NonfungiblePositionManager — not any arbitrary address. This prevents a compromised delegate from routing funds to a malicious contract.

3. Atomic Execution

All operations in a bundle either succeed completely or revert completely. There's no state where a user has approved a token but the deposit failed, leaving tokens exposed for an attacker to sweep.

4. Replay Protection

Every signed message includes:

  • Nonce — a unique number that can only be used once
  • Deadline — an expiration timestamp

This prevents old signatures from being re-submitted.

5. Reentrancy Protection

All modules use OpenZeppelin's ReentrancyGuard, which prevents a malicious contract from calling back into the module during execution.

What Delegates CAN Do

Action Allowed?
Deposit user funds into approved protocols Yes (if permitted)
Withdraw from positions back to the Safe Yes (if permitted)
Swap tokens via approved DEXs Yes (if permitted)
Collect earned fees/yield Yes (if permitted)

What Delegates CANNOT Do

Action Why Not
Transfer funds out of the Safe Not a module function
Call unapproved contracts Whitelist enforcement
Change Safe ownership Requires owner signature
Grant themselves more permissions Owner-only function
Execute after deadline Deadline check in bundler
Replay a past transaction Nonce check in bundler
Partially execute a strategy Atomic — all or nothing

Trust Model

WHO TRUSTS WHOM:

User ──trusts──> Gnosis Safe (battle-tested, audited)
User ──trusts──> NMT Modules (custom, audited)
User ──grants──> Delegate (limited, revocable permissions)

Delegate ──cannot──> Access funds directly
Delegate ──cannot──> Exceed granted permissions
Delegate ──cannot──> Operate after revocation

Known Security Considerations

Audit completed
The NMT custom modules have undergone a formal security audit. Most identified issues have been resolved.

  1. Smart contract audit — the NMT custom modules (PermissionsManager, DelegateBundler, protocol modules) have been formally audited. Most issues identified during the audit have been fixed

  2. Module upgrade path — modules are deployed as immutable contracts. To upgrade, a new module must be deployed and users must approve the new version on their Safe

  3. Compiler settings — Solidity 0.8.30 with optimizer enabled (200 runs). The optimizer is set conservatively to balance gas costs and code complexity

Solidity Version and Toolchain

Item Value
Solidity 0.8.30 (primary), 0.7.6 (V2 compat)
Framework Hardhat 2.26.0
Optimizer 200 runs
EVM Target Paris
OpenZeppelin 5.3.0

results matching ""

    No results matching ""