DBIS Rail — Audit Readiness Results v1
Network: DBIS Mainnet (ChainID 138)
Document type: Checklist run results and gap remediation
Companion: Audit Readiness Checklist v1
Run date: First run (baseline).
Purpose: Record current status of each checklist section and list concrete remediation steps to reach audit-ready state.
Summary
| Section | Status | Notes |
|---|---|---|
| 1. Mint Path Integrity | Gap | DBIS Rail contracts not deployed; current GRU/c* use owner mint |
| 2. Authorization Integrity | Pending deployment | SettlementRouter and MintAuth flow not implemented |
| 3. Signer Governance | Pending deployment | SignerRegistry not implemented; Rulebook documented |
| 4. Accounting and Evidence | Documented | Rulebook defines accountingRef and isoHash; no on-chain router to validate |
| 5. Router Controls | Pending deployment | No SettlementRouter to verify |
| 6. Validator Layer | Partial | QBFT documented; ops runbook and multi-entity to be confirmed |
| 7. Emergency Controls | Pending deployment | Pause/suspension logic in contracts not deployed |
| 8. Documentation Integrity | Complete | Spec, Rulebook, Threat Model, Regulator Brief, Checklist aligned |
Overall: Documentation stack is complete and consistent. DBIS Rail contracts (RootRegistry, ParticipantRegistry, SignerRegistry, SettlementRouter, GRU_MintController) are specified but not yet implemented in the repo. Current Chain 138 GRU/c* mint path is owner-based (CompliantFiatToken, CompliantUSDT, CompliantUSDC). Closing gaps requires implementing and deploying the rail contracts and locking mint to the router.
1. Mint Path Integrity
| Item | Status | Evidence / note |
|---|---|---|
| All GRU mint roles restricted to SettlementRouter | Pending deployment | No DBIS_GRU_MintController or SettlementRouter in repo. Existing CompliantFiatToken.sol has mint(address to, uint256 amount) public onlyOwner. |
| Owner mint revoked | Gap | Owner mint is present on CompliantFiatToken (and likely CompliantUSDT/CompliantUSDC). Must be revoked or gated when rail is deployed. |
| No upgrade path allows mint bypass | Pending deployment | Mint Controller and upgrade path not implemented. When implemented, ensure only Router can call mint and upgrades are timelocked. |
| Unit tests confirm revert on direct mint | Pending deployment | No DBIS Rail contracts; no tests for router-only mint. |
Remediation: Deploy DBIS Rail contracts per Technical Spec. Restrict GRU/c* mint on Chain 138 to DBIS_GRU_MintController called only by SettlementRouter. Revoke or remove owner mint (and any other MINTER_ROLE) for tokens that are part of the rail. Add unit tests that direct mint from non-Router reverts.
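The following is an added illustration of the mint-path shape this remediation calls for; it is not code from the repo, and it does not modify CompliantFiatToken. It shows a rail token whose only mint entry point is MINTER_ROLE (no owner mint), a mint controller that holds that role and accepts calls only from the Router address, and a Foundry test that proves direct mint from a non-Router (including the admin) reverts. The contract names RailTokenExample and MintControllerExample, the revert strings, and the OpenZeppelin v5 and forge-std imports are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the repo's contracts. Imports assume OpenZeppelin v5 and forge-std.
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";

// Rail token: MINTER_ROLE is the only mint path; there is no owner/admin mint function.
contract RailTokenExample is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    constructor(address admin) ERC20("GRU example", "GRU") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }
}

// Mint Controller: the sole holder of MINTER_ROLE, and callable only by the Router.
contract MintControllerExample {
    RailTokenExample public immutable token;
    address public immutable router;
    address public immutable admin;
    bool public paused; // emergency control (Section 7)

    constructor(RailTokenExample t, address r, address a) {
        token = t;
        router = r;
        admin = a;
    }

    function setPaused(bool p) external {
        require(msg.sender == admin, "not admin");
        paused = p;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == router, "only router");
        require(!paused, "mint controller paused");
        token.mint(to, amount);
    }
}

// Unit tests for the "direct mint reverts" checklist item.
contract MintPathTest is Test {
    RailTokenExample token;
    MintControllerExample controller;
    address admin = makeAddr("admin");
    address router = makeAddr("router");
    address attacker = makeAddr("attacker");

    function setUp() public {
        token = new RailTokenExample(admin);
        controller = new MintControllerExample(token, router, admin);
        vm.prank(admin);
        token.grantRole(token.MINTER_ROLE(), address(controller)); // controller is the only minter
    }

    function test_DirectMintReverts() public {
        vm.expectRevert(); // attacker holds no role
        vm.prank(attacker);
        token.mint(attacker, 1e18);

        vm.expectRevert(); // admin holds DEFAULT_ADMIN_ROLE but not MINTER_ROLE: no owner mint
        vm.prank(admin);
        token.mint(admin, 1e18);
    }

    function test_NonRouterCannotUseController() public {
        vm.expectRevert("only router");
        vm.prank(attacker);
        controller.mint(attacker, 1e18);
    }

    function test_RouterMintSucceeds() public {
        vm.prank(router);
        controller.mint(attacker, 1e18);
        assertEq(token.balanceOf(attacker), 1e18);
    }
}
```

One caveat an auditor will raise against this shape: DEFAULT_ADMIN_ROLE can still grant MINTER_ROLE to itself, so "owner mint revoked" only holds if that admin role sits behind a timelock or multisig, or is renounced after the controller is granted the role. Either choice should be recorded as evidence next to this checklist item.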
2. Authorization Integrity
| Item | Status | Evidence / note |
|---|---|---|
| EIP-712 domain separation validated | Pending deployment | Spec defines EIP-712 domain (chainId 138, verifyingContract). No SettlementRouter to validate. |
| chainId = 138 enforced | Pending deployment | To be implemented in Router. |
| verifyingContract enforced | Pending deployment | To be implemented in Router. |
| messageId replay protection tested | Pending deployment | Replay pattern exists elsewhere (e.g. CCIPWETH9Bridge processedTransfers, EtherlinkRelayReceiver messageId). Not in DBIS Router. |
| Expired auth rejected | Pending deployment | To be implemented in Router (notBefore/expiresAt). |
| Cross-chain replay rejected | Pending deployment | EIP-712 domain binding will reject other chainId/contract. |
| Quorum category enforcement tested | Pending deployment | SignerRegistry and Router logic not implemented. |
Remediation: Implement SettlementRouter and SignerRegistry per Spec. Add EIP-712 validation, messageId replay map, time window check, and quorum/category checks. Add integration tests for valid auth, replay revert, expired revert, wrong chainId revert, and insufficient signers revert.
3. Signer Governance
| Item | Status | Evidence / note |
|---|---|---|
| 3-of-5 quorum enforced on-chain | Pending deployment | SignerRegistry not in repo. |
| Compliance category mandatory | Pending deployment | To be implemented in SignerRegistry/Router. |
| Signer allowlist change emits event | Pending deployment | Spec defines SignerAdded, SignerRemoved. |
| Signer revocation documented | Documented | Rulebook Section 6 and Threat Model Section 3.F. |
| HSM usage documented | Operational | To be documented in ops/key management when signers are designated. |
| Key rotation procedure documented | Operational | To be documented in ops runbook. |
Remediation: Implement SignerRegistry with addSigner/removeSigner, category mask, and validateSigners. Document HSM (or equivalent) and key rotation in operational runbook.
4. Accounting and Evidence
| Item | Status | Evidence / note |
|---|---|---|
| accountingRef deterministic structure documented | Complete | Rulebook Section 3.2: keccak256(ledgerSystemId, journalId, batchNumber, postingTimestamp, reserveAccountId). |
| accountingRef reproducible in test vector | Operational | Procedure and encoding must be fixed in ops; test vector can be added to repo or test suite. |
| isoHash reproducible from canonical bundle | Documented | Rulebook and Spec; canonical bundle schema to be fixed in ops; test vector optional. |
| messageId to accountingRef mapping validated | Operational | Rulebook Section 8; mapping maintained off-chain and auditable. |
| One-to-one mint mapping verified | Documented | Rulebook Section 3.3; enforced operationally until Router records on-chain. |
Remediation: Add a test vector (or script) that computes accountingRef from sample inputs per Rulebook. Document canonical bundle schema for isoHash in ops. No code gap for rail contracts; Router will accept accountingRef/isoHash when implemented.
5. Router Controls
| Item | Status | Evidence / note |
|---|---|---|
| ReentrancyGuard active | Pending deployment | Spec and Threat Model require it. Existing MintController.sol and other contracts use ReentrancyGuard; DBIS Router to follow same pattern. |
| CEI pattern followed | Pending deployment | To be implemented in SettlementRouter (state updates before mint call). |
| Caps enforced before mint | Pending deployment | Spec: maxAmountPerMessage and corridor daily cap checked before calling Mint Controller. |
| Pause modifier functional | Pending deployment | Spec: paused flag and ROUTER_ADMIN. |
| Corridor limits enforced | Pending deployment | Spec: corridor usage tracking and check. |
Remediation: Implement SettlementRouter with nonReentrant (or equivalent), CEI, cap checks, pause modifier, and corridor limits. Add tests for pause revert and cap revert.
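The following is an added example of a minimal SettlementRouter that implements the Section 2 (EIP-712 domain bound to chainId 138 and the router address, messageId replay map, notBefore/expiresAt window), Section 3 (3-of-5 quorum with a mandatory Compliance signer via a SignerRegistry interface) and Section 5 (nonReentrant, CEI, per-message cap, corridor daily cap, pause) items in one place, and records the messageId to accountingRef/isoHash binding as an event for Section 4 evidence. It is not the repo's code: the SettlementAuth struct fields, the domain name and version strings, the ISignerRegistry.categoryMask interface and its Compliance bit, the revert strings, and the OpenZeppelin v5 import paths are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the repo's SettlementRouter. Imports assume OpenZeppelin v5.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

// Assumed registry interface: 0 for a non-signer, otherwise a bitmask of categories.
interface ISignerRegistry {
    function categoryMask(address signer) external view returns (uint256);
}

interface IMintController {
    function mint(address to, uint256 amount) external;
}

contract SettlementRouterExample is ReentrancyGuard {
    // Assumed authorization payload; field names are illustrative.
    struct SettlementAuth {
        bytes32 messageId;
        address recipient;
        uint256 amount;
        bytes32 corridorId;
        bytes32 accountingRef;
        bytes32 isoHash;
        uint64 notBefore;
        uint64 expiresAt;
    }

    bytes32 private constant AUTH_TYPEHASH = keccak256(
        "SettlementAuth(bytes32 messageId,address recipient,uint256 amount,bytes32 corridorId,bytes32 accountingRef,bytes32 isoHash,uint64 notBefore,uint64 expiresAt)"
    );
    uint256 public constant REQUIRED_SIGNERS = 3;    // 3-of-5; the registry bounds the set at 5
    uint256 public constant CAT_COMPLIANCE = 1 << 0; // assumed bit for the Compliance category

    ISignerRegistry public immutable signers;
    IMintController public immutable mintController;
    address public immutable routerAdmin;
    uint256 public immutable maxAmountPerMessage;

    bool public paused;
    mapping(bytes32 => bool) public processed;                              // messageId replay map
    mapping(bytes32 => uint256) public corridorDailyCap;                    // 0 = corridor not enabled
    mapping(bytes32 => mapping(uint256 => uint256)) public corridorUsage;   // corridorId => day => minted

    event Settled(bytes32 indexed messageId, bytes32 indexed accountingRef, bytes32 isoHash, address recipient, uint256 amount);
    event PausedSet(bool paused);

    constructor(ISignerRegistry s, IMintController m, address admin, uint256 maxPerMsg) {
        signers = s;
        mintController = m;
        routerAdmin = admin;
        maxAmountPerMessage = maxPerMsg;
    }

    modifier onlyAdmin() { require(msg.sender == routerAdmin, "not admin"); _; }
    modifier whenNotPaused() { require(!paused, "router paused"); _; }

    function setPaused(bool p) external onlyAdmin { paused = p; emit PausedSet(p); }
    function setCorridorDailyCap(bytes32 corridorId, uint256 cap) external onlyAdmin { corridorDailyCap[corridorId] = cap; }

    // Computed at call time so the domain is bound to the live chainId and this contract address:
    // an authorization signed for another chain or another router will not recover to registered signers.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("DBIS Rail SettlementRouter"), keccak256("1"), block.chainid, address(this)));
    }

    function settle(SettlementAuth calldata a, bytes[] calldata sigs) external nonReentrant whenNotPaused {
        // Checks
        require(block.chainid == 138, "wrong chain"); // explicit, in addition to the domain binding
        require(!processed[a.messageId], "replay");
        require(block.timestamp >= a.notBefore && block.timestamp <= a.expiresAt, "outside validity window");
        require(a.amount <= maxAmountPerMessage, "over per-message cap");
        uint256 day = block.timestamp / 1 days;
        require(corridorUsage[a.corridorId][day] + a.amount <= corridorDailyCap[a.corridorId], "corridor daily cap");
        _checkQuorum(_digest(a), sigs);
        // Effects: all state written before the external mint call (CEI)
        processed[a.messageId] = true;
        corridorUsage[a.corridorId][day] += a.amount;
        emit Settled(a.messageId, a.accountingRef, a.isoHash, a.recipient, a.amount);
        // Interaction
        mintController.mint(a.recipient, a.amount);
    }

    function _digest(SettlementAuth calldata a) internal view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(
            AUTH_TYPEHASH, a.messageId, a.recipient, a.amount, a.corridorId, a.accountingRef, a.isoHash, a.notBefore, a.expiresAt));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    // Signers must be supplied in strictly increasing address order, which rejects duplicates
    // without extra storage; every signer must be registered and at least one must be Compliance.
    function _checkQuorum(bytes32 digest, bytes[] calldata sigs) internal view {
        require(sigs.length >= REQUIRED_SIGNERS, "insufficient signers");
        address last;
        bool compliance;
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = ECDSA.recover(digest, sigs[i]); // reverts on a malformed signature
            require(signer > last, "unsorted or duplicate signer");
            uint256 mask = signers.categoryMask(signer);
            require(mask != 0, "unknown signer");
            if ((mask & CAT_COMPLIANCE) != 0) compliance = true;
            last = signer;
        }
        require(compliance, "compliance signer required");
    }
}
```

Two design choices worth noting for the test plan. The corridor cap defaults to zero, so a corridor that has not been explicitly enabled fails closed rather than open. And because the explicit chainId check is hardcoded, a Foundry test for the "wrong chainId revert" item has to set the chain id (for example with vm.chainId) to exercise both the accepted and rejected paths; the replay, expiry and insufficient-signers reverts map directly onto the require statements above.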
6. Validator Layer
| Item | Status | Evidence / note |
|---|---|---|
| Validator keys segregated | Operational | To be confirmed; keys should not be shared with app/signer layer. |
| Multi-entity validator operation | Operational | To be confirmed or documented (single-entity with separation of duties acceptable). |
| Monitoring active | Partial | Monitoring referenced in docs; confirm block production and finality monitoring in place. |
| Block finality assumptions documented | Complete | Spec and Threat Model: QBFT, finality, no reorg of finalized blocks. |
| Incident runbook exists | Operational | General incident/validator runbook to be confirmed; DBIS Rail Rulebook Section 7 covers emergency controls. |
Remediation: Confirm validator key segregation and multi-entity (or equivalent) in ops. Ensure monitoring and validator/consensus incident runbook exist and reference rail pause where relevant.
7. Emergency Controls
| Item | Status | Evidence / note |
|---|---|---|
| Router pause tested | Pending deployment | No Router. |
| Mint controller pause tested | Pending deployment | No DBIS Mint Controller. |
| Participant suspension tested | Pending deployment | No ParticipantRegistry. |
| Signer revocation tested | Pending deployment | No SignerRegistry. |
| Corridor suspension tested | Pending deployment | No Router corridor logic. |
Remediation: After deploying DBIS Rail contracts, run drills: pause Router, pause Mint Controller, suspend participant, revoke signer, suspend corridor (if supported). Record results and retain as evidence.
8. Documentation Integrity
| Item | Status | Evidence / note |
|---|---|---|
| Spec version matches deployed contracts | N/A (no deployment) | Spec v1 is current. When contracts are deployed, confirm they match Spec. |
| Rulebook version current | Complete | Rulebook v1 current. |
| Threat model reviewed within last 12 months | Complete | Threat Model v1 in place; set review date when formally adopted. |
| Regulator brief reflects quorum and governance | Complete | Regulator Brief v1 matches 3-of-5, Compliance mandatory, Router-gated mint. |
Remediation: When DBIS Rail contracts are deployed, add a "Deployed" section or changelog to Spec (or deployment doc) and note version. Schedule Threat Model review (e.g. annual).
Gap Remediation (Prioritized)
- Implement and deploy DBIS Rail contracts (RootRegistry, ParticipantRegistry, SignerRegistry, SettlementRouter, GRU_MintController) per Technical Spec. This unblocks Sections 1, 2, 3, 5, 7.
- Lock GRU/c* mint path on Chain 138 to SettlementRouter only: revoke owner mint (and any other direct mint) for tokens that are part of the rail; grant mint only to DBIS_GRU_MintController with Router as sole caller.
- Add tests for mint path (direct mint reverts), EIP-712 and replay, quorum/category, pause, and caps.
- Document signer key management (HSM or equivalent, key rotation) in operational runbook.
- Add accountingRef (and optionally isoHash) test vector per Rulebook; document canonical bundle schema.
- Confirm validator layer (key segregation, multi-entity or separation of duties, monitoring, incident runbook).
- Run emergency control drills after deployment and record results in this document or appendix.
- Schedule Threat Model review (e.g. within 12 months) and document review date.
Document Control
| Field | Value |
|---|---|
| Title | DBIS Rail — Audit Readiness Results v1 |
| Network | DBIS Mainnet (ChainID 138) |
| Version | 1 |
| Status | Active (baseline run) |