
Security posture

What Northset guarantees, and how

Two overriding rules. A bond that doesn't move until activation. A five-branch state machine with no appeals.

Two overriding rules

Objective tasks only; on-chain settlement

Two rules override everything. Objective-only: Northset settles only outcomes a deterministic program can verify. No arbitration, no subjective scoring, no LLM judges, no reputation. Trust-minimized: settlement is on-chain. Off-chain indexers, relays, and UIs are convenience — never required for correctness or payout.

Slashability boundary

Bond transfers at activateTask, not selectBid

selectBid records the chosen bid but does not transfer the bond. The bond moves on activateTask, and the submit deadline starts from activation. A worker cannot be slashed before committing to the work. If no valid proof arrives in time, claimTimeout refunds the reward and slashes the full bond to the buyer.

Funds flow

Where USDC actually goes

The hub contract is the only thing that moves money. Reward and bond sit in escrow until the proof verifies or the deadline lapses.

[Figure: USDC funds flow through the Northset hub contract. Inputs: the buyer posts the task and escrows the reward; the worker bonds USDC at activation. The hub contract holds reward + bond in USDC (global fee: 100 bps (1%); global min bond: 10 USDC). On pass: reward − 1% fee to the worker, bond returned to the worker, fee to the Treasury Safe. On timeout: reward + bond to the buyer (reclaim + slash).]
Reward and bond sit in the hub contract. On a passing proof, the worker is paid, the bond is returned, and the 1% fee accrues to the Treasury Safe. On timeout, the buyer reclaims both.

State machine

Five branches, no appeals

OPEN → SELECTED → ACTIVE → COMPLETED on the proof-settled path. OPEN → CANCELLED before selection. SELECTED → OPEN if selection is cancelled. ACTIVE → TIMED_OUT if the submit deadline lapses. No disputes, no partial pay, no appeals.

[Figure: Northset task lifecycle state machine. States: OPEN; SELECTED (bid recorded, no bond yet); ACTIVE (bond held, deadline running); COMPLETED (proof verified, paid); CANCELLED (reward refunded); TIMED_OUT (bond slashed to buyer). Edge labels: createTask, selectBid, activateTask, submitResult, cancel, claimTimeout, cancelSelection (reopen).]
Five-branch state machine. Solid arrows are the proof-settled path. Dashed arrows are recovery branches.
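
The lifecycle and funds flow described above, as an added Python reference model that is not Northset's contract code: it allows only the listed transitions and checks that every terminal state empties the escrow. The pairing of cancel, cancelSelection and submitResult with their edges is read from the diagram labels; 6-decimal USDC units, floor rounding of the fee, the deadline boundary, and the names Task, window, now and proof_ok are assumptions of this example.

```python
# Added illustrative model of the page's rules; not the hub contract.
FEE_BPS = 100          # page: global fee, 100 bps (1%)
MIN_BOND = 10_000_000  # page: global min bond, 10 USDC (assumes 6-decimal units)

# (state, call) -> next state: the edges the page lists; anything else is rejected
EDGES = {
    ("OPEN", "selectBid"): "SELECTED",
    ("OPEN", "cancel"): "CANCELLED",
    ("SELECTED", "cancelSelection"): "OPEN",
    ("SELECTED", "activateTask"): "ACTIVE",
    ("ACTIVE", "submitResult"): "COMPLETED",
    ("ACTIVE", "claimTimeout"): "TIMED_OUT",
}

class Task:
    def __init__(self, reward, bond, window):
        if bond < MIN_BOND:
            raise ValueError("bond below global minimum")
        self.reward, self.bond, self.window = reward, bond, window
        self.state, self.deadline = "OPEN", None
        self.held = reward  # createTask: buyer escrows the reward in the hub
        self.paid = {"buyer": 0, "worker": 0, "treasury": 0}

    def call(self, fn, now=0, proof_ok=False):
        nxt = EDGES.get((self.state, fn))
        if nxt is None:
            raise ValueError(f"{fn} not allowed in {self.state}")
        if fn == "activateTask":      # bond moves here, not at selectBid
            self.held += self.bond
            self.deadline = now + self.window  # deadline runs from activation
        elif fn == "submitResult":
            if not proof_ok or now > self.deadline:
                raise ValueError("no valid proof before the deadline")
            fee = self.reward * FEE_BPS // 10_000  # assumed floor rounding
            self._pay(worker=self.reward - fee + self.bond, treasury=fee)
        elif fn == "claimTimeout":
            if now <= self.deadline:
                raise ValueError("deadline has not lapsed")
            self._pay(buyer=self.reward + self.bond)  # refund plus full slash
        elif fn == "cancel":
            self._pay(buyer=self.reward)
        self.state = nxt

    def _pay(self, **out):
        for who, amount in out.items():
            self.paid[who] += amount
            self.held -= amount
        assert self.held == 0  # every terminal state leaves nothing in escrow
```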

Reporting

Vulnerability disclosure

Reports go through the contact path in /.well-known/security.txt. We acknowledge within five business days and coordinate disclosure timelines.

Proof evidence

Verifier-checked on Arbitrum One

Each verifier family is a deterministic program with a published verifying key. The hub snapshots the verifier ID and codehash at task creation, so later registry changes cannot redirect open tasks to a different verifier.

No custody

The hub contract is the only authority

Only the hub contract custodies funds. The relay holds nothing. The indexer is read-only. Northset operates no signing service. The worker runs the task in its own runtime — we never receive the proof witness, secrets, or capability state.