# DBIS Rail — Audit Readiness Results v1

**Network:** DBIS Mainnet (ChainID 138)

**Document type:** Checklist run results and gap remediation

**Companion:** [Audit Readiness Checklist v1](DBIS_RAIL_AUDIT_READINESS_CHECKLIST_V1.md)

**Run date:** First run (baseline).

**Purpose:** Record the current status of each checklist section and list concrete remediation steps to reach an audit-ready state.

---

## Summary

| Section | Status | Notes |
|---------|--------|-------|
| 1. Mint Path Integrity | Gap | DBIS Rail contracts not deployed; current GRU/c* tokens use owner mint |
| 2. Authorization Integrity | Pending deployment | SettlementRouter and MintAuth flow not implemented |
| 3. Signer Governance | Pending deployment | SignerRegistry not implemented; Rulebook documented |
| 4. Accounting and Evidence | Documented | Rulebook defines accountingRef and isoHash; no on-chain Router to validate them |
| 5. Router Controls | Pending deployment | No SettlementRouter to verify |
| 6. Validator Layer | Partial | QBFT documented; ops runbook and multi-entity operation to be confirmed |
| 7. Emergency Controls | Pending deployment | Pause/suspension logic in contracts not deployed |
| 8. Documentation Integrity | Complete | Spec, Rulebook, Threat Model, Regulator Brief, Checklist aligned |

**Overall:** The documentation stack is complete and consistent. The DBIS Rail contracts (RootRegistry, ParticipantRegistry, SignerRegistry, SettlementRouter, GRU_MintController) are specified but not yet implemented in the repo. The current Chain 138 GRU/c* mint path is owner-based (CompliantFiatToken, CompliantUSDT, CompliantUSDC). Closing the gaps requires implementing and deploying the rail contracts and locking mint to the Router.

---

## 1. Mint Path Integrity

| Item | Status | Evidence / note |
|------|--------|-----------------|
| All GRU mint roles restricted to SettlementRouter | Pending deployment | No DBIS_GRU_MintController or SettlementRouter in repo. Existing [CompliantFiatToken.sol](../../smom-dbis-138/contracts/tokens/CompliantFiatToken.sol) has `mint(address to, uint256 amount) public onlyOwner`. |
| Owner mint revoked | Gap | Owner mint is present on CompliantFiatToken (and likely CompliantUSDT/CompliantUSDC). It must be revoked or gated when the rail is deployed. |
| No upgrade path allows mint bypass | Pending deployment | Mint Controller and upgrade path not implemented. When implemented, ensure only the Router can call mint and that upgrades are timelocked. |
| Unit tests confirm revert on direct mint | Pending deployment | No DBIS Rail contracts; no tests for Router-only mint. |

**Remediation:** Deploy the DBIS Rail contracts per the Technical Spec. Restrict GRU/c* mint on Chain 138 to DBIS_GRU_MintController, called only by SettlementRouter. Revoke or remove owner mint (and any other MINTER_ROLE) for tokens that are part of the rail. Add unit tests confirming that a direct mint from any non-Router caller reverts.

---

## 2. Authorization Integrity

| Item | Status | Evidence / note |
|------|--------|-----------------|
| EIP-712 domain separation validated | Pending deployment | Spec defines the EIP-712 domain (chainId 138, verifyingContract). No SettlementRouter to validate. |
| chainId = 138 enforced | Pending deployment | To be implemented in Router. |
| verifyingContract enforced | Pending deployment | To be implemented in Router. |
| messageId replay protection tested | Pending deployment | A replay pattern exists elsewhere (e.g. CCIPWETH9Bridge processedTransfers, EtherlinkRelayReceiver messageId), but not in the DBIS Router. |
| Expired auth rejected | Pending deployment | To be implemented in Router (notBefore/expiresAt). |
| Cross-chain replay rejected | Pending deployment | EIP-712 domain binding will reject any other chainId or contract. |
| Quorum category enforcement tested | Pending deployment | SignerRegistry and Router logic not implemented. |

**Remediation:** Implement SettlementRouter and SignerRegistry per the Spec.
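
Added illustration (not the project's own code) of how one SettlementRouter can carry the Section 2 remediation and the Section 5 controls together: an EIP-712 domain bound to chainId 138 and the Router address, a messageId replay map, the notBefore/expiresAt window, quorum/category checks delegated to SignerRegistry, then nonReentrant, caps, pause, corridor limits and CEI ordering. The interface names, the MintAuth field layout, the EIP-712 name/version and the OpenZeppelin v5 imports are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";   // OpenZeppelin v5 paths assumed
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
// Hypothetical interfaces standing in for the Spec's SignerRegistry and GRU_MintController.
interface ISignerRegistry { function validateSigners(address[] calldata signers) external view returns (bool); } // 3-of-5, Compliance present
interface IGRUMintController { function mint(address to, uint256 amount) external; }                           // callable by the Router only
contract SettlementRouterSketch is ReentrancyGuard {
    struct MintAuth { bytes32 messageId; address to; uint256 amount; bytes32 corridorId; uint64 notBefore; uint64 expiresAt; bytes32 accountingRef; bytes32 isoHash; }
    bytes32 private constant AUTH_TYPEHASH = keccak256("MintAuth(bytes32 messageId,address to,uint256 amount,bytes32 corridorId,uint64 notBefore,uint64 expiresAt,bytes32 accountingRef,bytes32 isoHash)");
    bytes32 public immutable DOMAIN_SEPARATOR;                           // binds chainId 138 and this Router's address
    ISignerRegistry public immutable signers; IGRUMintController public immutable mintController;
    address public immutable routerAdmin; uint256 public immutable maxAmountPerMessage;
    bool public paused;
    mapping(bytes32 => bool) public processed;                           // messageId replay map
    mapping(bytes32 => uint256) public corridorDailyCap;                 // corridorId => cap
    mapping(bytes32 => mapping(uint256 => uint256)) public corridorUsed; // corridorId => day => minted so far
    event Settled(bytes32 indexed messageId, address indexed to, uint256 amount, bytes32 accountingRef, bytes32 isoHash);
    constructor(ISignerRegistry s, IGRUMintController m, address admin, uint256 maxPerMsg) {
        require(block.chainid == 138, "wrong chain");
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("DBIS Rail SettlementRouter"), keccak256("1"), block.chainid, address(this)));
        signers = s; mintController = m; routerAdmin = admin; maxAmountPerMessage = maxPerMsg;
    }
    modifier onlyAdmin() { require(msg.sender == routerAdmin, "not ROUTER_ADMIN"); _; }
    function setPaused(bool p) external onlyAdmin { paused = p; }
    function setCorridorDailyCap(bytes32 corridorId, uint256 cap) external onlyAdmin { corridorDailyCap[corridorId] = cap; }
    // Checks, then effects, then the single external interaction (the mint) last.
    function settle(MintAuth calldata a, bytes[] calldata sigs) external nonReentrant {
        require(!paused, "paused");
        require(block.timestamp >= a.notBefore && block.timestamp <= a.expiresAt, "outside auth window");
        require(!processed[a.messageId], "messageId already processed");
        require(a.amount <= maxAmountPerMessage, "over per-message cap");
        uint256 day = block.timestamp / 1 days;
        require(corridorUsed[a.corridorId][day] + a.amount <= corridorDailyCap[a.corridorId], "over corridor daily cap");
        // The digest is bound to this chain and contract: an auth signed for another chainId or Router recovers to non-signers.
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, keccak256(abi.encode(AUTH_TYPEHASH, a))));
        address[] memory recovered = new address[](sigs.length);
        for (uint256 i = 0; i < sigs.length; i++) {
            recovered[i] = ECDSA.recover(digest, sigs[i]);                                             // reverts on malformed or malleable sigs
            require(i == 0 || recovered[i] > recovered[i - 1], "signers must be strictly ascending"); // no signer counted twice
        }
        require(signers.validateSigners(recovered), "quorum or Compliance category not met");
        processed[a.messageId] = true;                                   // effects before the external call
        corridorUsed[a.corridorId][day] += a.amount;
        emit Settled(a.messageId, a.to, a.amount, a.accountingRef, a.isoHash);
        mintController.mint(a.to, a.amount);                             // interaction
    }
}
```

Because the domain separator includes chainId and the Router address, the "wrong chainId revert" and "cross-chain replay" checklist items fall out of the signature check itself rather than needing separate branches.
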
Add EIP-712 validation, a messageId replay map, the time window check, and quorum/category checks. Add integration tests for valid auth, replay revert, expired revert, wrong chainId revert, and insufficient signers revert.

---

## 3. Signer Governance

| Item | Status | Evidence / note |
|------|--------|-----------------|
| 3-of-5 quorum enforced on-chain | Pending deployment | SignerRegistry not in repo. |
| Compliance category mandatory | Pending deployment | To be implemented in SignerRegistry/Router. |
| Signer allowlist change emits event | Pending deployment | Spec defines SignerAdded and SignerRemoved. |
| Signer revocation documented | Documented | Rulebook Section 6 and Threat Model Section 3.F. |
| HSM usage documented | Operational | To be documented in ops/key management when signers are designated. |
| Key rotation procedure documented | Operational | To be documented in the ops runbook. |

**Remediation:** Implement SignerRegistry with addSigner/removeSigner, a category mask, and validateSigners. Document HSM (or equivalent) usage and key rotation in the operational runbook.

---

## 4. Accounting and Evidence

| Item | Status | Evidence / note |
|------|--------|-----------------|
| accountingRef deterministic structure documented | Complete | Rulebook Section 3.2: keccak256(ledgerSystemId, journalId, batchNumber, postingTimestamp, reserveAccountId). |
| accountingRef reproducible in test vector | Operational | The procedure and encoding must be fixed in ops; a test vector can then be added to the repo or test suite. |
| isoHash reproducible from canonical bundle | Documented | Rulebook and Spec; the canonical bundle schema is to be fixed in ops; a test vector is optional. |
| messageId to accountingRef mapping validated | Operational | Rulebook Section 8; the mapping is maintained off-chain and is auditable. |
| One-to-one mint mapping verified | Documented | Rulebook Section 3.3; enforced operationally until the Router records it on-chain. |

**Remediation:** Add a test vector (or script) that computes accountingRef from sample inputs per the Rulebook. Document the canonical bundle schema for isoHash in ops. There is no code gap for the rail contracts; the Router will accept accountingRef/isoHash when implemented.

---

## 5. Router Controls

| Item | Status | Evidence / note |
|------|--------|-----------------|
| ReentrancyGuard active | Pending deployment | Spec and Threat Model require it. The existing [MintController.sol](../../smom-dbis-138/contracts/iso4217w/controllers/MintController.sol) and other contracts use ReentrancyGuard; the DBIS Router should follow the same pattern. |
| CEI pattern followed | Pending deployment | To be implemented in SettlementRouter (state updates before the mint call). |
| Caps enforced before mint | Pending deployment | Spec: maxAmountPerMessage and corridor daily cap checked before calling the Mint Controller. |
| Pause modifier functional | Pending deployment | Spec: paused flag and ROUTER_ADMIN. |
| Corridor limits enforced | Pending deployment | Spec: corridor usage tracking and check. |

**Remediation:** Implement SettlementRouter with nonReentrant (or equivalent), CEI ordering, cap checks, a pause modifier, and corridor limits. Add tests for pause revert and cap revert.

---

## 6. Validator Layer

| Item | Status | Evidence / note |
|------|--------|-----------------|
| Validator keys segregated | Operational | To be confirmed; keys should not be shared with the app/signer layer. |
| Multi-entity validator operation | Operational | To be confirmed or documented (single-entity with separation of duties is acceptable). |
| Monitoring active | Partial | Monitoring is referenced in docs; confirm block production and finality monitoring are in place. |
| Block finality assumptions documented | Complete | Spec and Threat Model: QBFT, finality, no reorg of finalized blocks. |
| Incident runbook exists | Operational | General incident/validator runbook to be confirmed; DBIS Rail Rulebook Section 7 covers emergency controls. |

**Remediation:** Confirm validator key segregation and multi-entity operation (or equivalent) in ops. Ensure monitoring and a validator/consensus incident runbook exist and reference the rail pause where relevant.

---

## 7. Emergency Controls

| Item | Status | Evidence / note |
|------|--------|-----------------|
| Router pause tested | Pending deployment | No Router. |
| Mint controller pause tested | Pending deployment | No DBIS Mint Controller. |
| Participant suspension tested | Pending deployment | No ParticipantRegistry. |
| Signer revocation tested | Pending deployment | No SignerRegistry. |
| Corridor suspension tested | Pending deployment | No Router corridor logic. |

**Remediation:** After deploying the DBIS Rail contracts, run drills: pause the Router, pause the Mint Controller, suspend a participant, revoke a signer, and suspend a corridor (if supported). Record the results and retain them as evidence.

---

## 8. Documentation Integrity

| Item | Status | Evidence / note |
|------|--------|-----------------|
| Spec version matches deployed contracts | N/A (no deployment) | Spec v1 is current. When contracts are deployed, confirm they match the Spec. |
| Rulebook version current | Complete | Rulebook v1 is current. |
| Threat model reviewed within last 12 months | Complete | Threat Model v1 is in place; set a review date when formally adopted. |
| Regulator brief reflects quorum and governance | Complete | Regulator Brief v1 matches 3-of-5 quorum, Compliance mandatory, Router-gated mint. |

**Remediation:** When the DBIS Rail contracts are deployed, add a "Deployed" section or changelog to the Spec (or deployment doc) and note the version. Schedule a Threat Model review (e.g. annual).

---

## Gap Remediation (Prioritized)

1. **Implement and deploy DBIS Rail contracts** (RootRegistry, ParticipantRegistry, SignerRegistry, SettlementRouter, GRU_MintController) per the Technical Spec. This unblocks Sections 1, 2, 3, 5, 7.
2. **Lock the GRU/c* mint path on Chain 138** to SettlementRouter only: revoke owner mint (and any other direct mint) for tokens that are part of the rail; grant mint only to DBIS_GRU_MintController, with the Router as its sole caller.
3. **Add tests** for the mint path (direct mint reverts), EIP-712 and replay, quorum/category, pause, and caps.
4. **Document signer key management** (HSM or equivalent, key rotation) in the operational runbook.
5. **Add an accountingRef (and optionally isoHash) test vector** per the Rulebook; document the canonical bundle schema.
6. **Confirm the validator layer** (key segregation, multi-entity operation or separation of duties, monitoring, incident runbook).
7. **Run emergency control drills** after deployment and record the results in this document or an appendix.
8. **Schedule the Threat Model review** (e.g. within 12 months) and document the review date.

---

## Document Control

| Field | Value |
|-------|-------|
| Title | DBIS Rail — Audit Readiness Results v1 |
| Network | DBIS Mainnet (ChainID 138) |
| Version | 1 |
| Status | Active (baseline run) |
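
Added example (not the project's own code) for the Section 1 remediation and prioritized item 2: a rail-side token whose sole minter is the Mint Controller, a controller that only the Router may call, and Foundry tests for the "Unit tests confirm revert on direct mint" item. The contract names, the one-shot token binding and the forge-std/OpenZeppelin v5 imports are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";                                   // Foundry; OpenZeppelin v5 paths assumed below
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical rail-side GRU token: no owner mint; MINTER_ROLE is granted to the Mint Controller only and,
// with no DEFAULT_ADMIN_ROLE holder, the minter set cannot be changed afterwards (only an upgrade could, hence timelocks).
contract RailGRU is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    constructor(address controller) ERC20("GRU", "GRU") { _grantRole(MINTER_ROLE, controller); }
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) { _mint(to, amount); }
}

// Hypothetical GRU_MintController: the SettlementRouter is its sole caller.
contract GRUMintController {
    address public immutable router; address private immutable deployer;
    RailGRU public token; // bound once by the deployer, because the token needs this controller's address first
    constructor(address router_) { router = router_; deployer = msg.sender; }
    function bindToken(RailGRU t) external { require(msg.sender == deployer && address(token) == address(0), "already bound"); token = t; }
    function mint(address to, uint256 amount) external { require(msg.sender == router, "not router"); token.mint(to, amount); }
}

// Foundry tests for the Section 1 items: direct mint reverts, no owner mint, and the Router path is the only one that mints.
contract MintPathTest is Test {
    address router; address formerOwner; address alice; RailGRU gru; GRUMintController ctl;
    function setUp() public {
        (router, formerOwner, alice) = (makeAddr("router"), makeAddr("formerOwner"), makeAddr("alice"));
        ctl = new GRUMintController(router); gru = new RailGRU(address(ctl)); ctl.bindToken(gru);
    }
    function test_DirectMintReverts() public {
        vm.expectRevert(); vm.prank(formerOwner); gru.mint(alice, 1e18);      // no owner mint on the rail token
        vm.expectRevert(); vm.prank(router); gru.mint(alice, 1e18);           // even the Router cannot bypass the controller
        vm.expectRevert(); gru.mint(alice, 1e18);                             // nor the deployer (this test contract)
        assertEq(gru.balanceOf(alice), 0);
    }
    function test_ControllerRejectsNonRouter() public {
        vm.expectRevert(bytes("not router")); vm.prank(formerOwner); ctl.mint(alice, 1e18);
    }
    function test_RouterPathMints() public {
        vm.prank(router); ctl.mint(alice, 1e18);
        assertEq(gru.balanceOf(alice), 1e18);
    }
}
```

The bare `vm.expectRevert()` calls accept any revert data on purpose, so the tests stay valid whichever access-control error type the token raises; the controller test pins the exact reason string because that contract is under the rail's own control.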