Security: BuFi007/BUFX

docs/SECURITY.md

BUFX Security Notes

Scope

BUFX v1 is a venue and request layer. It does not custody Telarana liquidity, execute Circle Gateway, implement a perp engine, or manage Morpho collateral.

In scope:

  • BuFxTelaranaRequestRouter
  • BuFxVenueRequestRouter
  • BuFxFeeConfig
  • BuFxFeeCollector
  • SDK encoding, signing, deployment, and indexing helpers

Out of scope for BUFX v1:

  • Circle Gateway mint execution
  • Telarana hub liquidity routing
  • Morpho and MetaMorpho accounting
  • Perp margin, funding, PnL, and liquidations

Trust Boundaries

  • BUFX owner can configure routes, fee config, submitters, RFQ makers, and perp intent caps.
  • Authorized submitters can relay trader-signed or trader-approved requests, but cannot bypass trader signatures for signature flows.
  • Telarana Gateway hooks own Gateway attestation, minting, and destination-hub execution.
  • Fee collection is separate from Telarana liquidity and user margin.

Main Risks

  • A misconfigured route receiver could point BUFX requests at the wrong Telarana hook.
  • A compromised authorized submitter could spam the direct-submit paths with valid requests, but cannot forge EIP-712 trader signatures.
  • Compromise of an allowlisted RFQ maker could let bad quotes into the request stream.
  • Perp liquidity requests are only intents; downstream systems must not treat them as settled positions.
  • The fee config owner can change market-specific fee parameters, but only within the caps enforced by the contract.

Existing Controls

  • Route validation rejects zero addresses, zero chain IDs, disabled routes, and same-domain routes.
  • Testnet readiness checks reject missing or duplicated Arc/Fuji Gateway hook addresses.
  • EIP-712 signatures include chain ID, verifying contract, request payload hash, and trader nonce.
  • RFQ requests require allowlisted makers, nonzero quote IDs, positive amounts, min output, and quote expiry.
  • Perp liquidity intent requires enabled market caps, max notional, max size delta, max deadline buffer, nonzero account, and nonzero margin.
  • Fee math keeps referral and treasury allocations explicit and tested with fuzz conservation checks.

Audit Checklist

  • Confirm BUFX never calls Circle Gateway directly.
  • Confirm Gateway hook addresses are real Telarana deployments before live deploy.
  • Confirm every privileged setter is owner-only.
  • Confirm signed request hashes match SDK typed data exactly.
  • Confirm request IDs cannot collide under practical deployment assumptions.
  • Confirm emitted events contain enough indexed fields for analytics without storing campaign state.
  • Confirm fee collection cannot mix BUFX revenue with Telarana liquidity, user margin, or insurance funds.
