Security model
Security is the product. Routon moves capital on behalf of autonomous agents, so the protocol’s safety properties are not features bolted on afterward — they are the architecture. This page is the honest version: what protects you, and what does not.
Non-custodial by architecture
The single most important property: Routon’s contracts never hold a user’s principal.
This is enforced, not promised. A Foundry invariant test asserts that protocol contracts hold zero token balance at all times. If a code change ever broke that property, the invariant suite would fail before the change could merge.
The practical consequence is that there is no pooled honeypot. Even in the worst case for Routon’s own code, there is no shared balance for an attacker to drain at rest: custody stays in the user’s wallet and in the external protocols where the user is the depositor of record. Note what the invariant does and does not cover. It bounds what the contracts hold between transactions; tokens passing through a call in flight, and any approval a user has granted the executor, are protected by the allow-list and signature checks described below, not by the zero-balance property itself.
The invariant suite
Routon’s safety properties are encoded as 44 invariants spread across the six contracts, and exercised under continuous fuzzing — at least 10,000 runs per check. Representative invariants include:
- Non-custodial — protocol contracts hold zero balance. (PrimitiveExecutor)
- Allow-list integrity — execution can only call allow-listed targets. (PrimitiveExecutor)
- Attestation freshness — a strategy cannot be executed against stale risk data. (PrimitiveExecutor)
- Builder attribution — fee attribution cannot be spoofed. (PrimitiveExecutor)
- Monotonic rebate accounting — rebates cannot be double-paid. (BuilderCodeVault)
- Reputation bounds — reputation scores stay within valid ranges. (ReputationOracle)
An invariant violation is treated as a critical failure: fuzzing must pass before any contract change is merged. Fuzzing only explores the states its handler contracts can reach, so a passing suite is strong evidence that the properties hold, not a proof that they do.
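The shape of such a test, as an added example that is not Routon's suite: a Foundry invariant test against a hypothetical pass-through executor (ToyExecutor, ToyToken and Handler are stand-ins constructed for this example, not the page's PrimitiveExecutor). It assumes forge-std is installed. The fuzzer calls the handler's `route` with random arguments and, after every call sequence, checks the non-custodial property (executor balance is zero) and a conservation property (everything pulled from users reached the allow-listed target). If the executor were changed to keep a fee or skip the forward, the first invariant fails on the next run.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal ERC20-like token, constructed for this example (not a real token).
contract ToyToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow (checked math)
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical pass-through executor: pulls the caller's tokens and forwards
// them to an allow-listed target in the same call, so nothing is left at rest.
contract ToyExecutor {
    mapping(address => bool) public allowed;

    constructor(address target) { allowed[target] = true; }

    function route(ToyToken token, address target, uint256 amount) external {
        require(allowed[target], "target not allow-listed");
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        require(token.transfer(target, amount), "forward failed");
    }
}

// Handler: the fuzzer calls this with random arguments; it bounds them and
// drives the executor the way a user would. `routed` is a ghost variable.
contract Handler is Test {
    ToyToken public token;
    ToyExecutor public executor;
    address public target;
    uint256 public routed;

    constructor(ToyToken t, ToyExecutor e, address tgt) {
        token = t;
        executor = e;
        target = tgt;
    }

    function route(uint256 amount) external {
        amount = bound(amount, 1, 1e24);
        token.mint(address(this), amount);
        token.approve(address(executor), amount);
        executor.route(token, target, amount);
        routed += amount;
    }
}

contract NonCustodialInvariantTest is Test {
    ToyToken token;
    ToyExecutor executor;
    Handler handler;
    address target;

    function setUp() public {
        target = makeAddr("allowListedProtocol");
        token = new ToyToken();
        executor = new ToyExecutor(target);
        handler = new Handler(token, executor, target);
        targetContract(address(handler)); // fuzz only the handler's entry points
    }

    // Non-custodial: the executor holds no tokens between transactions.
    function invariant_executorHoldsNothing() public {
        assertEq(token.balanceOf(address(executor)), 0);
    }

    // Conservation: everything pulled from users reached the allow-listed target.
    function invariant_allFundsReachTarget() public {
        assertEq(token.balanceOf(target), handler.routed());
    }
}
```

Run it with `forge test --match-contract NonCustodialInvariantTest`; the run count the page quotes (10,000) is set in `foundry.toml` under `[invariant]` with `runs = 10000`. The handler is the part that decides how much of the state space the fuzzer can see, which is why the caveat above matters: an invariant is only checked against sequences the handler can produce.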
Allow-lists and timelocks
PrimitiveExecutor can only route into external protocols that are on an explicit allow-list. An unaudited or unknown contract simply cannot be called.
Changes to that allow-list — and to any other privileged parameter — are governed:
- Privileged actions are held by a 2-of-3 guardian multisig, signed from hardware wallets in separate locations.
- Allow-list and admin changes are timelocked (24 hours minimum), so any change is publicly visible before it takes effect.
- A pause switch, controlled by the same multisig, can halt routing if a serious issue is detected.
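The mechanism the three bullets describe, as an added example and not Routon's contract: a timelocked allow-list whose privileged calls are restricted to a single `guardian` address (the 2-of-3 multisig, from the contract's point of view just an address), with a 24-hour minimum delay on allow-list changes and an un-delayed pause. All names, the `salt`-based operation id and the `cancel` function are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical timelocked allow-list with a pause switch (example only).
contract TimelockedAllowList {
    uint256 public constant MIN_DELAY = 24 hours;

    address public immutable guardian;            // the multisig
    bool public paused;
    mapping(address => bool) public allowed;
    mapping(bytes32 => uint256) public readyAt;   // operation id => earliest execution time

    event Scheduled(bytes32 indexed id, address indexed target, bool allow, uint256 readyAt);
    event Cancelled(bytes32 indexed id);
    event Applied(bytes32 indexed id, address indexed target, bool allow);
    event PauseSet(bool paused);

    error NotGuardian();
    error NotScheduled();
    error TooEarly(uint256 readyAt, uint256 nowTs);

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    constructor(address guardian_) { guardian = guardian_; }

    function opId(address target, bool allow, uint256 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, allow, salt));
    }

    // Step 1: announce the change. The event and the readyAt slot make it
    // publicly visible for at least MIN_DELAY before it can take effect.
    function schedule(address target, bool allow, uint256 salt) external onlyGuardian returns (bytes32 id) {
        id = opId(target, allow, salt);
        readyAt[id] = block.timestamp + MIN_DELAY;
        emit Scheduled(id, target, allow, readyAt[id]);
    }

    // A scheduled change can be withdrawn during the delay (e.g. after a
    // compromised signer is discovered), which is the point of the window.
    function cancel(bytes32 id) external onlyGuardian {
        if (readyAt[id] == 0) revert NotScheduled();
        delete readyAt[id];
        emit Cancelled(id);
    }

    // Step 2: apply only once the delay has elapsed.
    function execute(address target, bool allow, uint256 salt) external onlyGuardian {
        bytes32 id = opId(target, allow, salt);
        uint256 t = readyAt[id];
        if (t == 0) revert NotScheduled();
        if (block.timestamp < t) revert TooEarly(t, block.timestamp);
        delete readyAt[id];
        allowed[target] = allow;
        emit Applied(id, target, allow);
    }

    // The pause is deliberately NOT timelocked: halting routing has to be fast.
    function setPaused(bool p) external onlyGuardian {
        paused = p;
        emit PauseSet(p);
    }

    // The executor calls this before routing into `target`.
    function checkTarget(address target) external view {
        require(!paused, "paused");
        require(allowed[target], "target not allow-listed");
    }
}
```

The asymmetry is the design point: anything that widens what the executor may call waits 24 hours in public, while the one action that only reduces exposure (pausing) is immediate.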
The oracle circuit breaker
Routon prices strategies against two independent oracles — Pyth (primary) and Chainlink (secondary).
If the two sources disagree by more than 1%, a circuit breaker activates: new intents revert until prices reconverge. A mispriced trade is stopped before it can settle. If both oracles are unavailable, the protocol degrades to read-only rather than executing on uncertain data.
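The circuit-breaker logic as an added example, not Routon's implementation: a guard library that takes one quote from each feed, treats a missing or stale quote as unavailable, computes the relative deviation in basis points, and either returns the primary price or reverts with a distinct error for each failure mode. The page does not say what happens when exactly one feed is live; the example fails closed in that case, which is an assumption. The 1% threshold is measured against the lower of the two prices (also an assumption; it makes the check symmetric and slightly stricter). `OracleGuard`, `IntentPricer`, the 60-second maximum age and the test values are constructed for the example, and the test assumes forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical oracle guard (example only). The caller is assumed to have
// fetched both feeds and normalised them to the same decimals.
library OracleGuard {
    uint256 internal constant BPS = 10_000;
    uint256 internal constant MAX_DEVIATION_BPS = 100; // 1%, the threshold on this page

    struct Quote {
        uint256 price;       // 0 means the feed returned nothing
        uint256 publishedAt; // feed timestamp
    }

    error OraclesUnavailable();                                                // degrade to read-only
    error OracleDisagreement(uint256 primary, uint256 secondary, uint256 deviationBps);

    function isLive(Quote memory q, uint256 nowTs, uint256 maxAge) internal pure returns (bool) {
        return q.price != 0 && q.publishedAt <= nowTs && nowTs - q.publishedAt <= maxAge;
    }

    // |a - b| relative to the lower of the two, in basis points.
    function deviationBps(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 lo = a < b ? a : b;
        uint256 diff = a > b ? a - b : b - a;
        return diff * BPS / lo;
    }

    function safePrice(Quote memory primary, Quote memory secondary, uint256 nowTs, uint256 maxAge)
        internal pure returns (uint256)
    {
        // Assumption: a single live feed cannot be cross-checked, so it is treated
        // like none (fail closed). The page only specifies the both-down case.
        if (!isLive(primary, nowTs, maxAge) || !isLive(secondary, nowTs, maxAge)) {
            revert OraclesUnavailable();
        }
        uint256 dev = deviationBps(primary.price, secondary.price);
        if (dev > MAX_DEVIATION_BPS) revert OracleDisagreement(primary.price, secondary.price, dev);
        return primary.price; // primary is authoritative once agreement is confirmed
    }
}

// Entry point that consults the guard before pricing an intent.
contract IntentPricer {
    uint256 public constant MAX_ORACLE_AGE = 60; // seconds; assumption for the example

    function price(OracleGuard.Quote memory pyth, OracleGuard.Quote memory chainlink)
        external view returns (uint256)
    {
        return OracleGuard.safePrice(pyth, chainlink, block.timestamp, MAX_ORACLE_AGE);
    }
}

contract OracleGuardTest is Test {
    IntentPricer pricer = new IntentPricer();

    function _q(uint256 p, uint256 age) internal view returns (OracleGuard.Quote memory) {
        return OracleGuard.Quote(p, block.timestamp - age);
    }

    function test_withinOnePercentSettles() public {
        vm.warp(1_700_000_000);
        assertEq(pricer.price(_q(2000e18, 5), _q(2015e18, 5)), 2000e18); // 75 bps apart
    }

    function test_beyondOnePercentTrips() public {
        vm.warp(1_700_000_000);
        vm.expectRevert(abi.encodeWithSelector(OracleGuard.OracleDisagreement.selector, 2000e18, 2025e18, 125));
        pricer.price(_q(2000e18, 5), _q(2025e18, 5)); // 125 bps apart
    }

    function test_staleFeedIsReadOnly() public {
        vm.warp(1_700_000_000);
        vm.expectRevert(OracleGuard.OraclesUnavailable.selector);
        pricer.price(_q(2000e18, 5), _q(2000e18, 600)); // secondary is ten minutes old
    }
}
```

Two details worth copying in any real version: the staleness check rejects a future-dated timestamp as well as an old one, and the two failure modes revert with different errors so that monitoring can tell a tripped breaker from an outage.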
Contract-level protections
Beyond invariants and governance, the contracts carry standard defensive measures:
- Reentrancy guards on all state-changing functions.
- EIP-712 signatures with a nonce and a deadline, giving replay protection on every signed intent: the nonce prevents the same intent from executing twice, the deadline bounds how long a signed intent stays valid, and the EIP-712 domain separator ties the signature to this chain and this contract so it cannot be replayed elsewhere.
- Signature-bound calldata — a user signs the exact bundle to be executed; any modification in flight invalidates the signature.
- TVL caps, global and per-strategy, that bound exposure.
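The first three protections in one place, as an added example rather than Routon's contract: an `IntentVerifier` that hashes a signed `Intent` under an EIP-712 domain, checks the deadline, consumes a sequential per-user nonce, requires the submitted calldata bundle to hash to exactly the `bundleHash` the user signed, and guards the entry point against reentrancy. All names and revert strings are assumptions; the low-s check in `_recover` is standard practice to rule out signature malleability. The test assumes forge-std and uses `vm.sign` with a constructed key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical intent verifier (example only; not Routon's code).
contract IntentVerifier {
    struct Intent {
        address user;       // signer; their nonce is consumed
        bytes32 bundleHash; // keccak256 of the exact calldata bundle to run
        uint256 nonce;      // per-user, strictly sequential
        uint256 deadline;   // unix time after which the intent is dead
    }

    bytes32 private constant INTENT_TYPEHASH =
        keccak256("Intent(address user,bytes32 bundleHash,uint256 nonce,uint256 deadline)");
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    bytes32 public immutable DOMAIN_SEPARATOR; // binds signatures to this chain and this contract

    mapping(address => uint256) public nonces;
    uint256 private _lock = 1;

    event Executed(address indexed user, uint256 nonce, bytes32 bundleHash);

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            DOMAIN_TYPEHASH, keccak256("IntentVerifier"), keccak256("1"), block.chainid, address(this)
        ));
    }

    modifier nonReentrant() {
        require(_lock == 1, "reentrant");
        _lock = 2;
        _;
        _lock = 1;
    }

    function hashIntent(Intent memory i) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(INTENT_TYPEHASH, i.user, i.bundleHash, i.nonce, i.deadline));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    // Runs `bundle` only if it is byte-for-byte what the user signed, the intent
    // is unexpired, and the nonce is the user's next one.
    function execute(Intent memory i, bytes calldata bundle, uint8 v, bytes32 r, bytes32 s)
        external nonReentrant
    {
        require(block.timestamp <= i.deadline, "intent expired");
        require(keccak256(bundle) == i.bundleHash, "bundle mutated");   // signature-bound calldata
        require(i.nonce == nonces[i.user], "bad nonce");                 // replay / reorder protection
        require(_recover(hashIntent(i), v, r, s) == i.user, "bad signature");
        nonces[i.user] = i.nonce + 1;                                     // consume before any external call
        emit Executed(i.user, i.nonce, i.bundleHash);
        // routing of `bundle` into allow-listed targets would follow here
    }

    function _recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s) private pure returns (address) {
        // Reject high-s so nobody can derive a second valid signature for the same digest.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "malleable s");
        require(v == 27 || v == 28, "bad v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "bad signature");
        return signer;
    }
}

contract IntentVerifierTest is Test {
    function test_replayMutationAndExpiryRejected() public {
        IntentVerifier verifier = new IntentVerifier();
        (address user, uint256 pk) = makeAddrAndKey("agent");
        bytes memory bundle = hex"deadbeef"; // constructed stand-in for an encoded call bundle
        IntentVerifier.Intent memory i =
            IntentVerifier.Intent(user, keccak256(bundle), 0, block.timestamp + 1 hours);
        (uint8 v, bytes32 r, bytes32 s) = vm.sign(pk, verifier.hashIntent(i));

        vm.expectRevert("bundle mutated");
        verifier.execute(i, hex"deadbeff", v, r, s);     // one bit flipped in flight

        verifier.execute(i, bundle, v, r, s);            // honest execution succeeds
        assertEq(verifier.nonces(user), 1);

        vm.expectRevert("bad nonce");
        verifier.execute(i, bundle, v, r, s);            // same signature again: replay

        vm.warp(block.timestamp + 2 hours);
        i.nonce = 1;
        (v, r, s) = vm.sign(pk, verifier.hashIntent(i));
        vm.expectRevert("intent expired");
        verifier.execute(i, bundle, v, r, s);            // fresh nonce, but past the deadline
    }
}
```

Order matters in `execute`: the nonce is written before any routing happens, so a reentrant or nested call cannot present the same intent a second time even if the outer call has not finished.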
Process and review
Code quality is enforced before code ships, not after:
- Every contract pull request passes a dedicated review gate and a pre-merge invariant fuzz check.
- Slither static analysis runs in CI.
- Branch protection forbids direct pushes to main; reviews are required.
- The contracts are covered by an ongoing, public bug-bounty program, and the codebase is kept audit-ready and source-verified.
- All privileged signing uses hardware wallets; secrets are never stored in plaintext or committed to source control.
Residual risks
No protocol can eliminate risk, and Routon does not claim to. The following risks are inherent to non-custodial DeFi and are accepted by users:
- Underlying protocol risk. User funds sit in external protocols such as Aave or Morpho. If one of those is exploited, positions there can be lost — Routon’s non-custodial design means the user is the depositor of record at the underlying, and Routon does not insure it.
- Oracle risk. Price feeds can be manipulated or stale. The two-oracle agreement requirement mitigates this, but residual risk remains.
- Smart contract risk. Routon’s own contracts may contain bugs not caught by review and bounty. Invariant fuzzing, TVL caps, and the pause switch limit exposure, but the risk is not zero. The codebase is described above as audit-ready rather than audited, so a completed independent audit is not yet among the mitigations.
- MEV risk. Some transactions can be sandwiched. Routing through MEV-protected venues mitigates this where possible, and agents see slippage estimates before signing.
A protocol that hides these is not being honest. Routon surfaces them — in these docs, and in the values the SDK returns.
Incident response
If a serious issue is detected, the guardian multisig can pause routing quickly. Incidents are triaged by severity — a loss-of-funds or invariant-violation event is the highest tier and triggers an immediate pause, investigation, public communication, and a post-mortem.