This document enumerates known attack vectors and residual risks. It does not claim completeness or security against all adversaries.
HashClue Threat Model v1
Status: Informational / Non-Normative
This document catalogues known attack vectors against HashClue v1, what we do about them, and what we don't. It is a disclosure document, not a security guarantee. Normative rules live in the Protocol Specification and Constitution; nothing here modifies them.
1. Brute-Force Coordinate Guessing
The HC1 format is finite and structured: 4 ENV values, 5 HOST values, 6 METHOD values (constrained by a validity matrix), and coordinates at 6-decimal-digit precision. An adversary could try to enumerate the entire keyspace.
The placement rule prevents this from being cheap. The GEO-5 cell — the narrowest geographic clue ever released — must contain at least 2^30 valid coordinate pairs. That holds even after all 8 clues are public. Every guess costs max(10, 2% of the payable price of the next locked clue), and 92.5% of each fee goes into the pot, so the cost of enumeration scales with both round progress and pot size.
After full clue disclosure an adversary knows the hemisphere, GEO-5 cell, ENV, HOST, and METHOD. What remains are the exact 6-digit lat/lon coordinates within the cell — at least 2^30 possibilities. Exhaustive enumeration at the minimum guess price runs to roughly 10^10 base currency units, and the price floor rises as the pot grows from the fees themselves.
This is an economic barrier, not a cryptographic one. A sufficiently funded adversary with mass-submission infrastructure could attempt it. The spec acknowledges this explicitly (§3.2.9). The design intent is that brute force is economically dominated by physical search.
2. Insider Leaks (Cartographer Trust)
The Cartographer knows the secret string and cache location before the round begins. There is no cryptographic mechanism that prevents leaking this to a confederate.
This is the single largest trust assumption in the protocol, and it is irreducible in the v1 architecture. After the commitment hash is published, the Cartographer cannot alter the target or interfere with deterministic resolution — but the pre-commitment knowledge exists and cannot be revoked. Participants evaluate Cartographer trustworthiness on their own terms. The protocol makes no claim of honesty; it only guarantees post-commitment integrity.
See Spec §1.4, §6 ¶2.
3. Social Engineering
Someone targets people believed to have proximity to the cache or partial knowledge of the solution — the Cartographer, associates, infrastructure operators, late-stage clue purchasers conducting physical searches.
The protocol does not care how a participant obtains the canonical string. Physical discovery, social engineering, theft, coercion, and independent deduction all produce the same outcome: first valid submission at finality wins. No dispute resolution, no intent evaluation, no conduct review (Claim Verification Mechanics §7).
This means social engineering is a valid strategy within the rules. The protocol offers no protection against it.
4. Collusion and Cartels
A group pools resources: buys clues, shares intel, coordinates physical searches, agrees to split winnings off-chain.
Clues are public, global, and simultaneous on unlock (Spec §3.1). Buying a clue benefits everyone equally — there is no private information channel. Guess pricing is deterministic and identical for all. The protocol cannot detect, prevent, or penalize coordination.
A cartel gains no informational advantage from clue purchases. It may gain logistical advantages in physical search coverage. Off-chain agreements to split winnings are entirely outside protocol scope.
5. Trail Monitoring ("Evil Maid")
Late-stage geographic clues narrow the search area. An adversary stakes out likely terrain, waits for someone to find the cache, and copies or photographs the canonical string before the finder can submit.
The protocol is submission-first (Claim Verification Mechanics §4). Finding the cache is not winning. Only the first valid on-chain submission at finality counts. The cache includes both human-readable text and a QR code so finders can capture and submit quickly.
A prepared observer with faster submission infrastructure beats a finder who hesitates. The GEO-5 cell is large enough to diffuse casual surveillance, but a determined adversary can narrow the area.
6. Timing Leaks at Discovery
A winning submission is a public on-chain event. If it originates from a geographic region matching known clues, it reveals approximate cache location to everyone watching.
Arena Freeze activates immediately on a provisionally valid submission (Claim Verification Mechanics §9). Guessing stops, clue sales stop, the pot locks. No competing submission can be made after the first valid one is accepted. The location leak is irrelevant to the current round, which is already frozen.
7. Submission Flooding (Denial of Service)
An adversary submits a large volume of wrong guesses to congest the queue and raise gas costs for legitimate participants.
Every submission requires payment. 92.5% enters the pot. The attacker is directly funding the prize while paying for the privilege. On-chain hash comparison (SHA-256 equality) is trivially cheap per submission.
A funded adversary can sustain this, but at escalating cost that enriches the pot. Chain-level congestion from unrelated traffic could delay legitimate submissions, but that is an infrastructure concern, not a protocol one.
8. Cache Tampering
Someone finds the cache and destroys it, replaces the string with a fake, or removes it entirely.
The canonical string is committed on-chain before the cache is discoverable. Tampering cannot change what string wins. A fake string won't hash to the committed value. Destruction doesn't resolve the round — it may trigger dormancy (Spec §5.2).
If the cache is destroyed before anyone recovers the string, the round cannot be solved by physical discovery. The string still exists (the Cartographer generated it), and a correct submission would still win, but nobody would have it. The round enters dormancy and eventually voids, with the pot rolling forward. The attacker gains nothing but inflicts denial of resolution.
9. False "Cache Destroyed" Claims
Someone claims the cache was destroyed when it wasn't, hoping to trigger dormancy or discourage competitors while continuing to search.
The protocol requires "credible information" to enter dormancy (Spec §5.2), but the credibility standard is undefined — the Cartographer evaluates it. A false claim could push the Cartographer into premature dormancy. A genuine destruction report could be dismissed if the Cartographer demands strong evidence. This is a governance-layer ambiguity, not a protocol-layer one.
10. Cartographer Metadata Leakage
During cache placement, the Cartographer generates metadata trails: travel records, purchasing history, device location data, communication records, timing patterns. An adversary who surveils the Cartographer or obtains these records can narrow the search space without buying any clues.
No protocol-level mitigation exists. This is purely an operational security concern. The protocol does not define or enforce OpSec requirements for placement. Participants should assume the Cartographer's OpSec is imperfect.
A state-level adversary or well-resourced investigator could plausibly reconstruct parts of the placement journey. This risk is inherent to any system where one party physically places an object at a secret location.
Cost-of-Attack Estimates
| Attack | Approximate Cost |
|---|---|
| Brute-force GEO-5 coordinates (minimum guess price) | ~10^10 base units |
| Brute-force GEO-5 coordinates (with pot scaling) | ~10^11–10^13+ |
| Submission flooding (1M guesses) | ~10^7 base units minimum |
| Cartographer surveillance | Operational; not quantifiable |
| Social engineering | Operational; not quantifiable |
| Physical cache destruction | Negligible cost; no profit |
Order-of-magnitude estimates. Actual costs depend on settlement asset valuation, chain fee markets, and round state.
11. Stewardship Continuity Risks
The Stewardship Continuity Amendment adds a deterministic succession mechanism. This introduces new attack surface.
11.1 Small-Win Eligibility Gaming
An adversary wins a low-value round to gain succession eligibility, then waits for the Cartographer to go dark.
This is by design, not a bug. The ordering prioritizes the smallest cumulative lifetime payout first. The Cartographer role confers no powers beyond custodianship — a malicious successor cannot alter active rounds, modify verification, or access funds.
11.2 Renunciation Cascade
All eligible winners renounce, leaving no successor.
Each renunciation requires an affirmative on-chain transaction. Coordinating mass renunciation means identifying all winners (public via PayoutReleased events) and convincing every one of them. If it happens, the protocol enters dormancy — which the Constitution treats as a valid state, not a failure.
11.3 Liveness Gaming
A Cartographer keeps sending heartbeat transactions while ignoring actual duties — not releasing clues, not processing payouts.
The liveness mechanism checks availability (is the key active?), not responsiveness (is the Cartographer doing the job?). The 90-day window is intentionally permissive. If someone maintains heartbeats while shirking, the automatic succession mechanism cannot remove them. Social pressure is the only recourse. The Constitution does not grant removal power.
11.4 Successor Ordering Manipulation
An adversary tries to game the ordering by winning strategically or choosing favorable wallet addresses.
The criteria are deterministic and public: (1) ascending lifetime payout, (2) earliest first-win block, (3) lexicographic address. You cannot retroactively change your payout history or first-win block. Address selection is the final tie-breaker and provides minimal advantage. Gaming the ordering still requires actually winning a round — submitting the correct preimage.
11.5 Mid-Round Cartographer Loss
The Cartographer's key is lost while a round is active. The contract requires msg.sender == cartographer for releasePayout(), enterDormancy(), and markVoid().
This is an accepted risk of the v1 architecture, disclosed in the Constitution. If the Cartographer disappears mid-round, the pot may be locked permanently. No payout can be released. A successor can deploy new rounds but cannot recover locked funds from the prior contract.
11.6 Renunciation/Abdication Spoofing
Forging a renunciation or abdication transaction requires compromising the target address's private key. Validity is determined by sender address (cryptographically authenticated) and calldata prefix (HASHCLUE_RENOUNCE_V1 / HASHCLUE_ABDICATE_V1). Standard blockchain security assumptions apply.
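The ordering from §11.4 and the renunciation validity rule from §11.6, worked through as an added example (not HashClue's own code). The `Payout` and `Tx` record shapes, the ASCII encoding of the calldata prefix, lowercase-hex address comparison, and treating the payout block as the first-win block are assumptions. All addresses and amounts are constructed.

```python
from dataclasses import dataclass

# Prefix named on the page; ASCII encoding of the calldata prefix is an assumption.
RENOUNCE_PREFIX = b"HASHCLUE_RENOUNCE_V1"

@dataclass(frozen=True)
class Payout:        # hypothetical flattened view of one PayoutReleased event
    winner: str
    amount: int      # base units
    block: int       # block of the win (assumed to be the "first-win block" input)

@dataclass(frozen=True)
class Tx:            # hypothetical view of a mined transaction
    sender: str      # authenticated by the chain's signature check
    calldata: bytes

def successor_order(payouts, txs):
    """Eligible winners, first in line first."""
    lifetime, first_win = {}, {}
    for p in payouts:
        addr = p.winner.lower()
        lifetime[addr] = lifetime.get(addr, 0) + p.amount
        first_win[addr] = min(first_win.get(addr, p.block), p.block)
    # A renunciation only ever removes the address that sent it.
    renounced = {t.sender.lower() for t in txs
                 if t.calldata.startswith(RENOUNCE_PREFIX)}
    eligible = [a for a in lifetime if a not in renounced]
    # (1) ascending lifetime payout, (2) earliest first-win block, (3) address
    return sorted(eligible, key=lambda a: (lifetime[a], first_win[a], a))

# Constructed sample data (not real addresses or events).
A, B, C, D, E, F = ("0x" + ch * 40 for ch in "abcdef")
PAYOUTS = [Payout(A, 500, 100), Payout(B, 150, 150), Payout(C, 200, 120),
           Payout(D, 100, 300), Payout(E, 200, 120), Payout(B, 50, 400)]
TXS = [
    Tx(D, RENOUNCE_PREFIX),                 # valid: D removes itself
    Tx(F, RENOUNCE_PREFIX + A.encode()),    # F cannot renounce on A's behalf
    Tx(C, b"hashclue_renounce_v1"),         # wrong prefix: ignored
]

if __name__ == "__main__":
    for rank, addr in enumerate(successor_order(PAYOUTS, TXS), 1):
        print(rank, addr)
```

An empty result corresponds to the renunciation cascade in §11.2: no successor, and the protocol enters dormancy.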
12. Pre-Round 1 Code Audit (2026-02-09)
Full-stack audit covering information leakage, indexer safety, chain authority, impossible-state guards, and secret handling.
Information leakage: PASS. No off-chain interface exposes any value an attacker can compare to commitmentHash without paying gas. All hash computation is server-side; only transaction calldata reaches the client. No timing or response-shape oracle exists.
Indexer restart safety: PASS. Fail-closed cursor strategy — on crash, blocks are skipped rather than double-counted. Skipped blocks are recoverable via manual re-index from chain events. Minor display-stat divergence possible on replay; does not affect game integrity, pot, or winner determination.
Chain as sole authority: PASS. Pot, per-address spend, and winner are fully reconstructible from on-chain event logs. The database is a performance layer, not a trust boundary. Off-chain state (encrypted clue content, status posts) depends on backup procedures but is not required for independent verification.
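A sketch of the independent check these two findings describe, as an added example (not the project's indexer). It rebuilds pot, per-address spend and winner from event logs and diffs the result against a database that skipped a block. The `Guess` event name, its fields and the `(block, log_index)` dedupe key are hypothetical; only the 92.5% pot share comes from this page, and only guess fees are modelled.

```python
POT_SHARE_PERMILLE = 925  # 92.5% of each guess fee enters the pot (figure from this page)

# Constructed sample logs; event name and fields are hypothetical.
# Fees are chosen so the 92.5% share is a whole number (rounding is unspecified here).
CHAIN_LOGS = [
    {"block": 10, "log_index": 0, "event": "Guess", "sender": "0xA1", "fee": 40, "correct": False},
    {"block": 10, "log_index": 1, "event": "Guess", "sender": "0xB2", "fee": 40, "correct": False},
    {"block": 11, "log_index": 0, "event": "Guess", "sender": "0xA1", "fee": 200, "correct": False},
    {"block": 12, "log_index": 0, "event": "Guess", "sender": "0xC3", "fee": 200, "correct": True},
]

# Constructed database state after a crash that skipped block 11 (fail-closed cursor).
DB_AFTER_CRASH = {"pot": 259, "spend": {"0xA1": 40, "0xB2": 40, "0xC3": 200}, "winner": "0xC3"}

def replay(logs):
    """Rebuild pot, per-address spend and winner purely from event logs."""
    seen, pot, spend, winner = set(), 0, {}, None
    for log in sorted(logs, key=lambda l: (l["block"], l["log_index"])):
        key = (log["block"], log["log_index"])
        if key in seen or log["event"] != "Guess":
            continue  # a log delivered twice during re-index must not double-count
        seen.add(key)
        spend[log["sender"]] = spend.get(log["sender"], 0) + log["fee"]
        pot += log["fee"] * POT_SHARE_PERMILLE // 1000
        if log["correct"] and winner is None:
            winner = log["sender"]  # first valid submission wins
    return {"pot": pot, "spend": spend, "winner": winner}

def audit_db(db_state, logs):
    """Return {field: (db_value, chain_value)} for every field that disagrees."""
    truth = replay(logs)
    return {k: (db_state.get(k), truth[k]) for k in truth if db_state.get(k) != truth[k]}

if __name__ == "__main__":
    print(audit_db(DB_AFTER_CRASH, CHAIN_LOGS))
```

The skipped block shows up as a pot and spend mismatch while the winner still agrees, and replaying the same logs twice gives the same totals.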
Impossible-state guards: PASS.
| Condition | Result |
|---|---|
| Guess when round not active | Reverts on-chain; rejected off-chain |
| Claim with no provisional winner | Unreachable by state machine |
| Out-of-order clue unlock | Reverts on-chain; rejected off-chain |
| Pot decrease without authorized payout | Impossible by construction |
| Two winners for one round | Blocked by state transition |
Secret handling: PASS. No secret material crosses a logging, SQL, or client-response boundary in production code paths. Parameterized queries. Generic error responses.
Low-severity finding: Input validation errors disclose format constraints for some guess fields. This marginally reduces enumeration cost for non-coordinate fields but does not touch the coordinate search space (still ≥ 2^30 per §1). Accepted as low-impact.
13. Security Tooling
Results of automated analysis tools run against HashClueRound before deployment. Provided for transparency.
Slither (Static Analysis)
Version 0.11.5. All detectors enabled, filtered lib/ and test/.
| Detector | Severity | Disposition |
|---|---|---|
| reentrancy-eth (submitGuess, unlockClue) | High | Not exploitable — external calls target EOA-verified cartographer only; state transitions follow strict guards; no reentrant path manipulates outcome |
| reentrancy-benign (submitGuess) | Medium | Not exploitable — post-call writes are non-critical; call targets are EOA-only |
| reentrancy-events | Low | Accepted — standard pattern; no state manipulation possible |
| events-maths (initialize) | Low | Accepted — one-time init |
| timestamp (releasePayout) | Low | Expected — 24-hour verification window is spec behavior (§4.2) |
| low-level-calls | Info | Expected — .call{value:} to EOAs avoids gas griefing |
| naming-convention | Info | Accepted — intentional style |
| too-many-digits | Info | False positive — values are wei |
No exploitable vulnerabilities. All high-severity findings are false positives given EOA-only enforcement and strict state ordering.
Mythril (Symbolic Execution)
Version 0.24.8. 900s timeout, depth 64, solver timeout 60s, Solc 0.8.24.
No issues detected. No overflow paths, no exploitable reentrancy, no unchecked returns, no arbitrary writes, no state manipulation attacks.
Test Coverage
86 tests passed, 0 failed. 44 unit, 15 boundary, 16 fuzz (1000 runs each), 11 invariant (256 runs, 12800 calls each).
Bytecode hashes (SHA-256):
- Creation: fb49411513eaa0f717549b5a6fe93263303e69d502da40a242906332cdc6e024
- Runtime: 369afac05c84e3f0fd5907de27ec15b0e7d4a148ba5a0425fbedcfa7ac6a91db
Solc 0.8.24, optimizer enabled, 200 runs.
Assumptions
- EOA-only enforced on-chain. Contract wallets are excluded. Payout-blocking by reverting recipients is mitigated.
Summary
Post-commitment integrity is the protocol's strongest property — cryptographically enforced, deterministic, immutable once the hash is published.
Pre-commitment integrity depends entirely on Cartographer honesty. This is a single-party trust assumption with no cryptographic backstop. It is disclosed, not hidden.
Compute-only attacks face an economic barrier (~30 bits of coordinate entropy after full disclosure), not a cryptographic wall. The anti-compute guarantee is a feasibility claim, not an impossibility proof.
Physical-layer attacks — surveillance, cache tampering, social engineering — are outside protocol scope. The protocol does not care how you obtain the string.
Economic incentives are aligned: submission flooding enriches the pot, clue purchases benefit all participants equally, and the Cartographer's Due is fixed and transparent.
The pre-round code audit confirmed no information leakage through off-chain interfaces, restart-safe indexing, proper impossible-state guards, and clean secret handling.
Trust assumptions are declared rather than obscured. The threat surface is narrow and documented here.