Introduction

ETH6900 treats security as a first-class product feature. The protocol is non-custodial (keys never leave the user’s wallet) and functions as a transaction-layer relay that queues already-signed transactions and broadcasts them at the optimal time. This section details the threat model, defense-in-depth controls, MEV protection strategy, audit program, and operational security that collectively protect users, partners, and the network.

1) Threat Model

Category	Concrete Risk	Impact	ETH6900 Mitigation
Wallet-side	Phishing, malicious extensions, compromised seed	Loss of user funds	Non-custodial design; ETH6900 never sees keys; education & signed-domain prompts
Relay-side	Tampering with queued tx, altering recipients/amount	Integrity loss	Immutable payload rule: relay can only forward or drop exact signed bytes
Mempool/MEV	Sandwich/frontrun on swaps & mints	Value extraction	Private orderflow routing; slippage-aware guidance; deadline-aware inclusion
Nonce/Ordering	Collisions when users send parallel tx	Stuck/failing tx	Nonce oracle + queue isolation; replace/cancel flow before broadcast
DoS / Flood	Malicious actor floods queue	Service degradation	Per-address and per-IP rate limits; stake-gated enterprise lanes
Replay / ChainID mixup	Cross-chain replay of signed tx	Unexpected execution	Strict chainId verification before acceptance; EIP-155 enforced
Pii/Telemetry	Leaky logs or over-collection	Privacy risk	Minimal-data policy; redact addresses in non-essential logs; short retention
Infra compromise	Node/relay breach	Queue integrity risk	HSM/KMS-backed secrets; signed, append-only audit logs; least-privilege infra

2) Defense-in-Depth Controls

Protocol-Level Validation

Immutable Payload Rule: once a signed 0x raw tx is accepted, ETH6900 can only (a) hold and schedule, (b) broadcast as-is, or (c) drop on explicit user cancel. No mutation.
Strict EIP-155 Checks: verify chainId, maxFeePerGas ≥ maxPriorityFeePerGas, and from address derived from signature matches the envelope.
Nonce Safety: a nonce oracle tracks pending and broadcast states per address. A queued tx is rejected if it would collide with an already-broadcast nonce unless user marks it as a replacement.
Deadline Enforcement: each tx has a hard until time; after expiry ETH6900 either broadcasts at market or returns a status to the client (configurable policy).

{
  "accepted": true,
  "txHashPreview": "0x…",
  "chainId": 1,
  "noncePolicy": "reserve|replace",
  "deadline": "2025-10-05T14:30:00Z",
  "mutability": "immutable",
  "canCancel": true
}

Queue Isolation & Backpressure

Per-address lanes to prevent one noisy user from blocking others.
Adaptive backpressure: if mempool or relay load spikes, ETH6900 temporarily tightens acceptance thresholds and raises min stake for enterprise lanes.

Integrity & Observability

Append-only audit logs with hourly Merkle roots anchored to a public chain for tamper-evidence.
Deterministic scheduling traces: every broadcast decision stores (baseFee, tip, block, reason).

{
  "decision": "broadcast",
  "block": 20694231,
  "baseFee": "28.3 gwei",
  "priorityFee": "2 gwei",
  "reason": "below_target & <deadline-5m",
  "savings.vs_reference": "23.7%"
}

3) MEV Protection Strategy

Private Orderflow by Default

ETH6900 routes eligible transactions through private orderflow endpoints (private mempool / builder relays) to avoid public mempool exposure where sandwiches and generalized frontruns originate.

Goal: inclusion without leaking price-sensitive intent.
Tip Policy: for private routes, set a sane priority fee so inclusion remains fast after the engine decides to broadcast.

Inclusion Heuristics (High-Level)

Short deadlines (e.g., 30s–2m): preference = fast inclusion with private routing and slightly elevated tip.
Medium deadlines (5–30m): preference = fee valleys with private routing; tip moderate.
Long deadlines (1–24h): preference = deep valleys; engine is patient, still routes private.

mev:
  routing: private-first
  public_fallback: true   # only if private path unavailable near deadline
  min_tip_gwei:
    short: 3
    medium: 2
    long: 1
  slippage_guidance

What We Can & Can’t Prevent

We reduce: sandwiching/frontrunning risk for swaps/mints by avoiding public mempool exposure.
We cannot change: user-defined slippage, AMM pricing, or the contents of a signed tx; ETH6900 never edits calldata.
We detect/report: if a user opts to broadcast publicly (by policy or near-deadline fallback), UI warns about elevated MEV risk.

4) Audit Program

Scope & Artifacts

Scope: relay acceptance logic, nonce oracle, deadline enforcer, scheduling heuristics, RPC extensions, authz & rate-limit middleware, logging pipeline, privacy filters.
Artifacts: spec docs, annotated state machines, dependency SBOM, threat model (this section), and test harness.

Testing & Verification

Unit & Property Tests: invariants like “immutable payloads” and “deadline monotonicity.”
Differential Tests: compare scheduling choices against a reference engine under randomized gas traces.
Fuzzing: raw-tx decoders, RLP parsers, JSON-RPC input, and nonce/replace flows.
Replay Simulations: historical baseFee traces to validate savings logic across real spikes.

External Audits (Milestones)

Milestone	Focus	Deliverable
A1 – Pre-MVP	Acceptance path, nonce, deadline	Audit report + blocker fixes
A2 – Pre-Public Beta	MEV routing, logs, rate-limit	Report + regression tests
A3 – Post-Beta	Multi-chain adapters, perf hardening	Final report + badge summary

Continuous Security

Regression CI gates on code coverage & invariant tests.
“Two-engine” canary in production: a shadow scheduler recomputes decisions; discrepancies trigger alerts.

5) Bug Bounty (Public Program)

Severity	Example	Proposed Payout*
Critical	Bypass immutability, unauthorized tx mutation	Up to $25,000
High	MEV route downgrade enabling frontrun	$5,000–$10,000
Medium	Queue isolation bypass, nonce oracle inconsistencies	$1,000–$5,000
Low	Info leak in logs, minor DoS vectors	$250–$1,000

*Payouts illustrative; finalized terms will be published with program rules and safe-harbor policy.

6) Operational Security (OpSec)

Secrets: Keys for infra and relay auth stored in HSM/KMS, rotated on schedule; no plaintext in repos or CI logs.
Access: Least-privilege IAM, mandatory 2FA, short-lived credentials.
Network: Private subnets for schedulers, IP allowlists for RPC ingestion, WAF + DDoS shields.
Backups: Encrypted snapshots of queue metadata; restore tests run weekly.
Change Control: Two-person review on scheduler & RPC code paths; production changes require staged rollouts.

7) Data Privacy & Retention

Minimal Collection: store only what’s needed to schedule and display savings (tx hash preview, chainId, deadline, status).
Short Retention: default 7–14 days for non-essential metadata; users can “forget” completed tx history.
Redaction: addresses & tx hashes are hashed in analytics; raw logs are access-controlled and time-boxed.

{
  "retentionPolicyDays": 14,
  "fields": ["chainId","createdAt","deadline","status","feeMetrics"],
  "redact": ["from","to","txHash"]
}

8) Developer-Facing Safety Contracts

RPC Extensions (Read-only Safe by Default)

# Queue a signed tx with deadline (immutable bytes)
eth6900_sendRawTransactionWithDeadline

# Status & trace
eth6900_getTransactionStatus
eth6900_getDecisionTrace

# Cancel/replace before broadcast

Client-Side Guards

Chain Lock: client SDK refuses to submit if wallet chainId ≠ endpoint chainId.
Replace-by-Fee Helper: convenience wrapper that bumps maxFee/tip without changing calldata.
Dry-Run Mode: “what would the engine do” against the current gas trace (no enqueue).

9) SLA, SLO & Incident Response

Metric	Target
Relay Availability	≥ 99.9% monthly
Decision Latency	p95 < 250 ms
Status Freshness	< 1 block delay
RPO/RTO	≤ 1h / ≤ 15m

IR Playbook: user-visible status page, incident IDs, hourly updates during P1 events, post-mortems within 7 days with corrective actions tracked publicly.

ETH6900’s security posture combines non-custodial architecture, private orderflow MEV shielding, auditable scheduling, and a transparent audit & bounty program. Users gain lower, more predictable gas costs without surrendering keys or control, and builders integrate a hardened, observable transaction layer aligned with Ethereum’s first principles.

‹ Blockchain Layer

Scalability Approach ›