Security model
Arx is designed around one principle: limit the blast radius of anything going wrong.
Every capital movement is pre-authorized
The keeper — the automated system that executes instructions — can only do what has already been approved. Each instruction specifies exactly which protocol, what action, how much, and when it expires. If the keeper's signing key were compromised, the attacker could only execute actions the operator had already authorized, within the limits already set. They could not move capital to unapproved destinations, exceed amount caps, or act after deadlines pass.
Onchain policy enforcement
Limits are not guidelines. They are enforced by the smart contract itself. Per-instruction amount caps, approved protocol lists, expiration deadlines, and replay protection are all checked at the contract level before any capital moves. This is not a backend rule that someone can override — it is cryptographic proof verified onchain. The contract does not care who is calling. If the parameters are outside bounds, the transaction reverts.
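The checks described in the two sections above can be modeled in a few lines. This is an added illustration, not Arx contract code: the class names, field layout, and the digest set standing in for the operator's onchain authorization proof are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, astuple

class Revert(Exception):
    """Stands in for an onchain transaction revert."""

@dataclass(frozen=True)
class Instruction:  # hypothetical field layout, not Arx's format
    nonce: int
    protocol: str
    action: str
    amount: int
    deadline: int  # unix time; the instruction is void afterwards

    def digest(self) -> bytes:
        return hashlib.sha256(repr(astuple(self)).encode()).digest()

class VaultPolicy:
    def __init__(self, approved_protocols, amount_cap):
        self.approved_protocols = set(approved_protocols)
        self.amount_cap = amount_cap
        self.authorized = set()  # digests the operator approved in advance
        self.executed = set()    # digests already consumed (replay protection)

    def authorize(self, ins):
        self.authorized.add(ins.digest())

    def execute(self, ins, now):
        # No caller argument: the outcome depends only on the parameters.
        d = ins.digest()
        if d not in self.authorized:
            raise Revert("not pre-authorized")
        if ins.protocol not in self.approved_protocols:
            raise Revert("protocol not approved")
        if ins.amount > self.amount_cap:
            raise Revert("amount exceeds cap")
        if now > ins.deadline:
            raise Revert("expired")
        if d in self.executed:
            raise Revert("replayed")
        self.executed.add(d)
        return "executed"

def outcome(policy, ins, now):
    try:
        return policy.execute(ins, now)
    except Revert as exc:
        return f"revert: {exc}"
# Constructed sample instruction, for illustration only.
SAMPLE = Instruction(1, "lending-pool-a", "deposit", 500, 1_700_000_000)
```

Changing any field of an authorized instruction changes its digest, so a holder of the keeper key who edits the destination or amount gets a revert instead of an execution.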
Capital can always exit
Withdrawals are never blocked. Even if the vault is paused — which stops new deposits and new deployments — existing depositors can always withdraw their funds. In an emergency, all protocol positions can be force-unwound to return capital to the vault. There is no scenario where an operator or depositor is locked out of their own money.
The security model is simple: approve narrowly, enforce onchain, and always leave the exit open.
