SwaptoX Security Model & Threat Analysis

1. System Overview

SwaptoX is a non-custodial, permissionless, execution-based swap aggregator: it routes user-submitted swaps through executors, does not validate token implementations, and relies on transaction atomicity rather than on trust in the executor.

Core features:

2. Security Assumptions

3. Critical Security Invariants

Invariant 1:
The contract never issues a transferFrom whose source address is anything other than msg.sender.
Invariant 2:
No swap can succeed unless amountOut ≥ amountMinOut.
Invariant 3:
All token transfers into the contract originate from explicit user action.
Invariant 4:
The executor cannot retain user funds: a swap is a single atomic transaction, so an executor that fails to deliver at least amountMinOut causes the whole transaction, including the user's deposit, to revert.
Invariant 5:
No external contract called during a swap (executor or token) can re-enter the contract and extract funds, because the state-changing entry points are guarded by nonReentrant.

4. Risk Analysis

R1: Admin Compromise / Malicious Admin

Description:

Impact:

Mitigation:

R2: Malicious Executor

Description:

Executor may execute arbitrary logic or consume excessive gas.

Impact:

Mitigation:

R3: Arbitrary Permit Execution

Description:

Users can provide arbitrary permit parameters (within allowed selectors).

Impact:

Conclusion:

This is an execution surface controlled by the user and acting on approvals the user signed, not a protocol vulnerability.
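As an added illustration of the "within allowed selectors" constraint in R3 (this is not SwaptoX code, and the contract name, the two-entry allowlist and the owner-equals-caller hardening are assumptions), the following forwards a user-supplied permit call only when its function selector is on a fixed allowlist:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for R3, not the SwaptoX implementation.
contract ExamplePermitGate {
    // Assumed allowlist: EIP-2612 permit and the DAI-style variant. Both take the
    // signing owner/holder as their first argument.
    bytes4 internal constant SEL_PERMIT_EIP2612 =
        bytes4(keccak256("permit(address,address,uint256,uint256,uint8,bytes32,bytes32)"));
    bytes4 internal constant SEL_PERMIT_DAI =
        bytes4(keccak256("permit(address,address,uint256,uint256,bool,uint8,bytes32,bytes32)"));

    function _permit(address token, bytes calldata permitData) internal {
        require(permitData.length >= 4 + 32, "permit: short calldata");

        // Gate on the selector before any external call is made.
        bytes4 sel = bytes4(permitData[:4]);
        require(sel == SEL_PERMIT_EIP2612 || sel == SEL_PERMIT_DAI, "permit: selector not allowed");

        // Assumed hardening: the permit must belong to the caller. Since the contract only
        // ever pulls tokens from msg.sender, a permit for anyone else could never be used
        // by this swap anyway; rejecting it early stops a third party from burning a
        // bystander's permit nonce through this contract.
        address owner = abi.decode(permitData[4:36], (address));
        require(owner == msg.sender, "permit: owner must be caller");

        // Relay the signature. The approval it creates belongs to the signer; this contract
        // gains nothing it could not already obtain from an ordinary approve() by the user.
        (bool ok, ) = token.call(permitData);
        require(ok, "permit: call reverted");
    }
}
```

The gate decides which functions can be invoked on the user-chosen token address, not whether that address is a well-behaved token; a contract without permit but with a catch-all fallback returns success without setting any allowance, and the swap's later transferFrom then fails, which is the safe outcome.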

R4: transferFrom Abuse

Description:

Potential unauthorized token transfers.

Analysis:

Conclusion:

Unauthorized fund extraction through transferFrom is ruled out: the contract only ever names msg.sender as the source, so a standing approval can be exercised only by the approving address, in a swap it submits itself.

R5: Reentrancy

Description:

External calls via ETH transfer or executor.

Mitigation:

Conclusion:

No reentrancy path into the contract exists. The guard covers re-entry into SwaptoX itself; it does not protect other protocols that the executor calls during a swap, which remain responsible for their own reentrancy handling.
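The following is an added example, not SwaptoX's own code, showing how Invariants 1 to 5 from Section 3 are enforced together in one atomic swap and why the conclusions of R2, R4 and R5 follow from it. The contract name, the function signature, the executor calling convention and the revert strings are assumptions; the native-ETH path mentioned in R5 is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the SwaptoX implementation.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

contract ExampleAggregator {
    uint256 private _lock = 1;

    // Invariant 5: every entry point that makes external calls is serialised by this lock,
    // so an executor or token that calls back into swap() hits the require and reverts.
    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    function swap(
        address tokenIn,
        address tokenOut,
        uint256 amountIn,
        uint256 amountMinOut,
        address executor,
        bytes calldata executorData
    ) external nonReentrant returns (uint256 amountOut) {
        // Invariants 1 and 3 / R4: the only transferFrom this contract ever issues names
        // msg.sender as the source, so funds enter only when the caller submits a swap.
        // (Tokens that return no bool, R6, need SafeERC20-style handling; omitted here.)
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Record the output balance before control leaves this contract (R2).
        uint256 balanceBefore = IERC20(tokenOut).balanceOf(address(this));

        // Grant the executor exactly amountIn, let it run arbitrary logic, then revoke.
        require(IERC20(tokenIn).approve(executor, amountIn), "approve failed");
        (bool ok, ) = executor.call(executorData);
        require(ok, "executor reverted");
        require(IERC20(tokenIn).approve(executor, 0), "revoke failed");

        // Invariant 2: the executor is judged purely by the balance delta it produced.
        // A decreased balance underflows and reverts under 0.8 checked arithmetic.
        amountOut = IERC20(tokenOut).balanceOf(address(this)) - balanceBefore;
        require(amountOut >= amountMinOut, "insufficient output");

        // Invariant 4: the entire output is forwarded in the same transaction. Any revert
        // above unwinds the pull as well, so the executor is never left holding user tokens.
        require(IERC20(tokenOut).transfer(msg.sender, amountOut), "payout failed");
    }
}
```

Two properties of this shape are worth keeping in mind when reading R2 and R6. First, atomicity bounds rather than eliminates what a malicious executor can keep: anything above amountMinOut that the executor fails to deliver is silently lost, so amountMinOut must be derived from a fresh quote with a tight tolerance. Second, the balance-delta check trusts tokenOut's own balanceOf; a token that reports fake balances can satisfy it, which is exactly why the protocol makes no claim about token validity.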

R6: Malicious Token Behavior

Description:

Tokens may behave unexpectedly (fake balances, transfer anomalies).

Impact:

Conclusion:

The protocol does not enforce token validity. A token that reports fake balances or transfers anomalously affects only the swap of the user who chose to trade it, and that user bears the outcome.

R7: Referral System Abuse

Description:

Users can farm referral tiers via multiple addresses.

Impact:

Conclusion:

Accepted business tradeoff.

R8: Minimum Fee Threshold

Description:

Referral rewards are not paid when the fee collected on a swap is below 100 units of the fee token (its smallest denomination, so the economic value of the threshold depends on the token's decimals).

Impact:

5. Non-Guarantees

6. Final Security Conclusion

SwaptoX guarantees:

SwaptoX does NOT guarantee:

Overall Classification:
Permissionless Execution Aggregator