> For the complete documentation index, see [llms.txt](https://shinkalabs.gitbook.io/hub/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://shinkalabs.gitbook.io/hub/andromeda/security/threat-model.md).

# Threat model

A summary of what each actor can and cannot do. This is the pre-alpha posture; see [Status & disclaimers](/hub/andromeda/status.md) for the caveats that override everything below.

## A compromised Andromeda backend

| Can                                                                | Cannot                                                            |
| ------------------------------------------------------------------ | ----------------------------------------------------------------- |
| Choose when to submit transactions; delay or batch them            | Produce a user's signature for any operation                      |
| See request metadata (which dWallet, which operation, timing)      | Satisfy a policy that requires a signature it does not have       |
| Decide whether to pay gas on sponsored flows                       | Move a dWallet's authority in a way the on-chain rule forbids     |
| Read operational state (quotas, idempotency cache, webhook config) | Read a complete dWallet private key (it never has one)            |
| Read identity records if it can also defeat at-rest encryption     | Read the KMS-held audit or FHE keys (sign-only, in the KMS)       |
| Stop serving requests (denial of service)                          | Forge an audit-log entry without detection (hash chain + ed25519) |

The reason for the "cannot" column: signatures are precompile-verified on-chain ([Zero attestor](/hub/andromeda/security/zero-attestor.md)), policies are enforced by the program that holds the authority ([On-chain policies](/hub/andromeda/concepts/policies.md)), and the keys Andromeda signs with live in a KMS ([Key management](/hub/andromeda/security/key-management.md)).

## A compromised API key

| Can                                                        | Cannot                                                                                                      |
| ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| Call any operation the key's scope allows, up to its quota | Exceed the key's scope (`read` cannot mutate; non-`admin` cannot touch webhooks/audit/policies/future-sign) |
| Trigger `prepare`/`challenge` flows                        | Complete a `submit` without the user's signature                                                            |
| Consume the key's quota                                    | Bypass an on-chain policy on a dWallet                                                                      |
|                                                            | Act from outside the key's IP allowlist, if one is set                                                      |

Mitigation: scope keys narrowly, set IP allowlists, rotate keys, watch the [audit log](/hub/andromeda/guides/audit-log.md).

## A compromised gas-sponsor key

It can pay Solana fees and be a fee payer. It cannot move user funds, cannot be an authority over a dWallet, and is never treated as the user by the on-chain programs.

## A spoofed on-chain account

For `oracle-conditional`, the program checks the price account is owned by the Pyth program, so a fake price account does not pass. PDAs are seeded with init-authority hashes, so policy accounts cannot be front-run. Account and instruction data are validated against expected layouts to prevent type confusion. See [Audit summary](/hub/andromeda/on-chain-programs/audit.md).

## Replay

Each flow has its own monotonic on-chain nonce; challenges bind the nonce; sessions and admin actions are single-use. Idempotency keys protect against accidental client-side retries. See [Domain-separated challenges](/hub/andromeda/on-chain-programs/challenges.md) and [Idempotency keys](/hub/andromeda/guides/idempotency.md).

## Out of scope (pre-alpha)

* The Ika side uses a single mock signer; there is no real MPC threshold guarantee yet.
* The Encrypt side is pre-alpha; there is no real FHE confidentiality guarantee yet.
* No third-party audit yet.

Do not custody real value.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://shinkalabs.gitbook.io/hub/andromeda/security/threat-model.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.