As a privacy-first prediction market utilizing Soroban smart contracts, Zero-Knowledge Proofs, and an autonomous Agentic Engine, security is our top priority. Below is the comprehensive security checklist that has been reviewed and implemented for the Horizon platform.
- Access Control: Critical administrative functions (like pausing the contract or emergency withdrawals) are strictly protected by admin-only auth checks (
require_auth). - Reentrancy Protection: State changes are made before external calls to prevent reentrancy attacks, though Soroban's single-threaded nature natively mitigates this.
- Integer Overflow/Underflow: Handled natively by Rust/Soroban's safe math operations.
- Unit Testing: Comprehensive test coverage for all edge cases (early resolution, incorrect ZK proofs, zero-balance claims).
- Nullifier Verification: The smart contract meticulously tracks nullifier hashes to ensure a ZK proof cannot be reused to double-claim a reward.
- Secure Parameter Generation: The circuit proving and verifying keys were generated securely to prevent forged proofs.
- Input Sanitization: Both the frontend and backend validate the structural integrity of the ZK proof payload before submitting it to the Stellar RPC.
- Relayer Rate Limiting: The fee-sponsorship API (
/api/relay) is rate-limited using Redis (Upstash) to prevent malicious actors from draining the platform's gas reserves. - Environment Variables: All sensitive keys (PostgreSQL URI, Redis URL, Gemini AI API keys, Stellar Secret Keys) are securely injected via Vercel secrets and never committed to version control.
- CORS & CSRF Protection: API routes are protected against Cross-Site Request Forgery, and CORS is tightly configured to only accept requests from the official Horizon domain.
- Resolution Consensus: The autonomous market resolver cross-references multiple high-authority sources via SerpAPI before finalizing a market. It does not rely on a single point of failure.
- Prompt Injection Mitigation: Strict system prompts and rigid JSON-schema outputs are enforced on the Gemini AI to prevent malicious news headlines from hijacking the agent's logic.
- Manual Override Switch: An admin fail-safe is built into the smart contract to manually halt or override agent resolutions in the event of AI hallucination or API failure.