Overview

This page follows the threat model in the Notional whitepaper. The protocol’s main risks fall into four buckets:
  • compromised operator or guardian control
  • infrastructure-level attacks on Azure, AMD, or network connectivity
  • stale or manipulated oracle prices
  • operational liveness failures
Responsibilities are intentionally split between the operator, guardians, and execution venues to limit blast radius when something goes wrong.

Compromised Operator or Guardian Set

A compromised operator may attempt to produce incorrect state or submit unauthorized trades. A compromised guardian majority could approve malicious withdrawals or authorize a rogue operator.

Mitigations

  • The operator cannot move funds without guardian approval.
  • Guardians can revoke the operator’s trading wallet at any time.
  • Canonical state is derived from the transaction log and can be independently replayed.
  • Guardian compromise requires coordinated collusion rather than a single failure.
  • The guardian set is intended to be distributed to reduce concentration risk.

Infrastructure-Level Attacks

Compromise or failure of the cloud platform, the host hardware, or the network may let an attacker subvert or impersonate the operator, degrade availability, or expose secrets.

Mitigations

  • The operator runs inside AMD SEV-SNP on Azure Confidential VMs.
  • Azure Secure Key Release hands the operator's keys only to a VM that presents a valid attestation report satisfying the key's release policy.
  • Guardian-controlled withdrawals prevent infrastructure compromise from directly moving funds.
  • Canonical state remains auditable through the protocol log.
  • Long term, Notional plans to diversify across TEE vendors to reduce single-vendor risk.

Trust Assumptions

The whitepaper is explicit that users still rely on a few core assumptions:
  • AMD hardware does not contain a backdoor.
  • Azure’s attestation service does not forge reports.
  • The system is not broken by advanced side-channel attacks.
For more detail on TEEs and attestation, see Protocol Architecture.
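The two mitigations above (the operator running under SEV-SNP and keys being released only against valid attestation) and the trust assumptions that follow can be seen together in a small model of an attestation-gated key release. This is an added example, not Notional's code and not the Azure Secure Key Release API: the report fields, the release policy, the protected key and the attestation service's signing secret (an HMAC stand-in for the AMD-rooted signature and the Azure attestation service's endorsement) are all constructed for the example. The point of the model is what the check does and does not cover: a wrong measurement, a debug-enabled VM, an old TCB, a replayed report or an unsigned report are refused, while a report that the attestation service itself vouches for is accepted, which is exactly the assumption the page lists.

```python
# Added example (not Notional's code, not the Azure Secure Key Release API):
# an attestation-gated key release in miniature. The "report" and its
# signature are simplified stand-ins; a real SEV-SNP report is signed by an
# AMD-rooted key and vouched for by the Azure attestation service. Here an
# HMAC under ATTESTATION_SERVICE_KEY (a constructed secret) plays that role.
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed values for this example only.
ATTESTATION_SERVICE_KEY = b"attestation-service-signing-key"
EXPECTED_MEASUREMENT = hashlib.sha256(b"operator-image-v1").hexdigest()
RELEASE_POLICY = {"measurement": EXPECTED_MEASUREMENT, "debug_enabled": False, "min_tcb": 3}
PROTECTED_KEY = b"operator-trading-wallet-key"  # what the key store guards


def sign_report(report: dict, key: bytes = ATTESTATION_SERVICE_KEY) -> str:
    """Stand-in for the attestation service's signature over a report."""
    body = json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_report(measurement: str, nonce: bytes, debug_enabled: bool = False,
                tcb_version: int = 3) -> dict:
    """Build the report a VM would present; fields mirror what a release policy checks."""
    return {"measurement": measurement, "nonce": nonce.hex(),
            "debug_enabled": debug_enabled, "tcb_version": tcb_version}


def release_key(report: dict, signature: str, nonce: bytes,
                policy: dict = RELEASE_POLICY) -> Optional[bytes]:
    """Return PROTECTED_KEY only if the report is authentic, fresh and satisfies the policy.

    Every check is necessary: without the signature check anyone can claim the
    measurement, without the nonce a captured report can be replayed, and
    without the policy a debug-enabled or downgraded VM with the right image
    would still receive the key. If the attestation service signs a false
    report (the page's trust assumption), this function cannot tell.
    """
    if not hmac.compare_digest(sign_report(report), signature):
        return None  # not vouched for by the attestation service
    if report.get("nonce") != nonce.hex():
        return None  # replayed or unrelated report
    if report.get("measurement") != policy["measurement"]:
        return None  # different (possibly tampered) operator image
    if report.get("debug_enabled", True) != policy["debug_enabled"]:
        return None  # debug mode would expose guest memory
    if report.get("tcb_version", 0) < policy["min_tcb"]:
        return None  # firmware below the minimum trusted level
    return PROTECTED_KEY


def demo() -> dict:
    """Exercise the happy path and each rejection path; every value should be True."""
    nonce = secrets.token_bytes(16)
    good = make_report(EXPECTED_MEASUREMENT, nonce)
    tampered = make_report(hashlib.sha256(b"modified-image").hexdigest(), nonce)
    debug = make_report(EXPECTED_MEASUREMENT, nonce, debug_enabled=True)
    old_tcb = make_report(EXPECTED_MEASUREMENT, nonce, tcb_version=2)
    replayed = make_report(EXPECTED_MEASUREMENT, secrets.token_bytes(16))  # someone else's nonce
    return {
        "valid_report_releases_key": release_key(good, sign_report(good), nonce) == PROTECTED_KEY,
        "wrong_measurement_refused": release_key(tampered, sign_report(tampered), nonce) is None,
        "debug_vm_refused": release_key(debug, sign_report(debug), nonce) is None,
        "old_tcb_refused": release_key(old_tcb, sign_report(old_tcb), nonce) is None,
        "replayed_report_refused": release_key(replayed, sign_report(replayed), nonce) is None,
        "forged_signature_refused": release_key(good, sign_report(good, b"wrong-key"), nonce) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The nonce is what makes the release fresh: the key store chooses it, the VM must get the hardware to include it in the report, and a report captured from an earlier boot is useless. A real deployment would verify a certificate chain rather than an HMAC, but the order and the meaning of the checks are the same.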

Oracle Price Manipulation

Stale or manipulated prices may cause incorrect margin calculations, incorrect liquidation triggers, or opportunistic withdrawals during volatile markets.

Mitigations

  • The protocol uses Hyperliquid mark prices for perps and spot.
  • Notional operator and guardian nodes are expected to run Hyperliquid nodes directly.
  • Public Hyperliquid nodes are a fallback if local infrastructure fails.
  • The goal is to keep price feeds current even during partial infrastructure failures.
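The mitigations above amount to a priority order of feeds (local Hyperliquid node first, public nodes as fallback) plus a rule that margin logic must never act on a stale price. The following is an added example of that selection logic, not Notional's or Hyperliquid's code: feeds are plain callables returning (price, timestamp) so it runs offline, and MAX_AGE_SECONDS, the sample prices and the margin numbers are constructed values, not protocol parameters.

```python
# Added example (not Notional's or Hyperliquid's code): choosing a mark price
# from prioritised feeds with a staleness cut-off and an explicit "no fresh
# price" outcome. In a deployment the first feed would query the local
# Hyperliquid node and later ones the public nodes. MAX_AGE_SECONDS is a
# constructed threshold, not a protocol parameter.
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

MAX_AGE_SECONDS = 5.0


class NoFreshPrice(Exception):
    """Every feed was unreachable or stale; margin logic must not act on this."""


@dataclass
class Quote:
    source: str
    price: float
    timestamp: float
    age: float


Feed = Callable[[], Tuple[float, float]]  # returns (mark_price, unix_timestamp)


def select_price(feeds: Sequence[Tuple[str, Feed]], now: float,
                 max_age: float = MAX_AGE_SECONDS) -> Quote:
    """Return the first fresh quote in priority order; raise NoFreshPrice otherwise.

    A feed that raises (node down, timeout) or returns a quote older than
    max_age is skipped rather than used, so a partial outage degrades to the
    next feed and a total outage degrades to a refusal, never to a stale price.
    """
    rejected: List[Tuple[str, str]] = []
    for name, feed in feeds:
        try:
            price, ts = feed()
        except Exception as exc:
            rejected.append((name, f"unreachable: {exc}"))
            continue
        age = now - ts
        if age > max_age or age < 0:
            rejected.append((name, f"stale or future-dated (age {age:.1f}s)"))
            continue
        return Quote(name, price, ts, age)
    raise NoFreshPrice(rejected)


def liquidation_check(feeds: Sequence[Tuple[str, Feed]], now: float, equity: float,
                      position_size: float, maintenance_ratio: float) -> Optional[bool]:
    """True/False when a fresh mark price is available, None when the check must wait."""
    try:
        quote = select_price(feeds, now)
    except NoFreshPrice:
        return None
    return equity < maintenance_ratio * abs(position_size) * quote.price


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed feeds: local node healthy, local node stale, local node down."""
    fresh_local = ("local-node", lambda: (100.0, now - 1.0))
    stale_local = ("local-node", lambda: (100.0, now - 30.0))

    def down_local() -> Tuple[float, float]:
        raise ConnectionError("connection refused")

    dead_local = ("local-node", down_local)
    fresh_public = ("public-node", lambda: (101.0, now - 2.0))
    stale_public = ("public-node", lambda: (90.0, now - 60.0))

    results = {
        "healthy_uses_local": select_price([fresh_local, fresh_public], now).source,
        "stale_local_falls_back": select_price([stale_local, fresh_public], now).source,
        "dead_local_falls_back": select_price([dead_local, fresh_public], now).source,
    }
    try:
        select_price([dead_local, stale_public], now)
        results["all_stale_raises"] = False
    except NoFreshPrice:
        results["all_stale_raises"] = True
    # Equity 8 against a 1-unit position at ~100 with a 10% maintenance ratio is
    # liquidatable on fresh data, but returns None (wait) when no fresh price
    # exists, instead of acting on the stale 90.
    results["liquidation_on_fresh"] = liquidation_check(
        [fresh_local, fresh_public], now, 8.0, 1.0, 0.10)
    results["liquidation_without_fresh"] = liquidation_check(
        [dead_local, stale_public], now, 8.0, 1.0, 0.10)
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The deliberate design choice is the three-way outcome: liquidate, do not liquidate, or wait. Collapsing "wait" into either of the other two is what turns an outage into the incorrect liquidation triggers or opportunistic withdrawals the section warns about.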

Operational Liveness Risks

Cloud failures, network partitions, TEE errors, or venue outages may temporarily halt block production, trading, or withdrawals.

Mitigations

  • Critical keys are guardian-controlled.
  • State is fully replayable from canonical data.
  • Backup operators can assume control if needed.
  • The network can be safely restarted from the transaction log after a failure.
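Two claims on this page rest on the same mechanism: that canonical state is derived from the transaction log and can be independently replayed (the operator-compromise mitigations) and that the network can be restarted from the log after a failure (the liveness mitigations above). The following added example models that replay; it is not Notional's state machine. The entry format, the account model, the guardian set and the approval threshold are constructed, and "approvals" is a list of guardian ids standing in for verified guardian signatures (signature checking is omitted). It shows a cold replay, a restart from a checkpoint, a withdrawal that lacks the guardian threshold being rejected, and an operator-claimed balance sheet being caught by hash comparison.

```python
# Added example (not Notional's state machine): replaying a transaction log
# into canonical state, enforcing the guardian threshold on withdrawals, and
# restarting from a checkpoint. The entry format, account model, guardian set
# and threshold are constructed; "approvals" is a list of guardian ids that
# stands in for verified guardian signatures (signature checking is omitted).
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GUARDIANS = {"g1", "g2", "g3", "g4", "g5"}   # constructed guardian set
THRESHOLD = 3                                 # constructed: approvals needed per withdrawal

Balances = Dict[str, int]
Checkpoint = Tuple[Balances, int, str]        # (balances, last applied seq, state hash)


class InvalidEntry(Exception):
    """Raised when the log cannot be applied; the offending entry is never partially applied."""


def state_hash(balances: Balances, seq: int) -> str:
    """Commitment to the state after `seq`; independent replayers compare these."""
    body = json.dumps({"seq": seq, "balances": balances}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def apply_entry(balances: Balances, entry: dict) -> None:
    kind = entry["type"]
    if kind == "deposit":
        balances[entry["account"]] = balances.get(entry["account"], 0) + entry["amount"]
    elif kind == "trade":
        # Operator-submitted settlement moves value between accounts; it cannot
        # create value or move funds out, which bounds what a rogue operator can do here.
        src, dst, amt = entry["from"], entry["to"], entry["amount"]
        if balances.get(src, 0) < amt:
            raise InvalidEntry(f"seq {entry['seq']}: trade exceeds {src}'s balance")
        balances[src] -= amt
        balances[dst] = balances.get(dst, 0) + amt
    elif kind == "withdraw":
        approvals = set(entry.get("approvals", [])) & GUARDIANS
        if len(approvals) < THRESHOLD:
            raise InvalidEntry(f"seq {entry['seq']}: {len(approvals)} guardian approvals, need {THRESHOLD}")
        if balances.get(entry["account"], 0) < entry["amount"]:
            raise InvalidEntry(f"seq {entry['seq']}: withdrawal exceeds balance")
        balances[entry["account"]] -= entry["amount"]
    else:
        raise InvalidEntry(f"seq {entry['seq']}: unknown entry type {kind!r}")


def replay(log: List[dict], checkpoint: Optional[Checkpoint] = None) -> Checkpoint:
    """Rebuild state from the log, optionally resuming from a verified checkpoint.

    Sequence numbers must be contiguous so a restart cannot skip or duplicate
    entries; entries at or below the checkpoint's seq are already applied.
    """
    if checkpoint is None:
        balances, seq = {}, 0
    else:
        saved, seq, digest = checkpoint
        if state_hash(saved, seq) != digest:
            raise InvalidEntry("checkpoint does not match its hash")
        balances = dict(saved)
    for entry in log:
        if entry["seq"] <= seq:
            continue
        if entry["seq"] != seq + 1:
            raise InvalidEntry(f"gap in log: expected seq {seq + 1}, got {entry['seq']}")
        apply_entry(balances, entry)
        seq = entry["seq"]
    return balances, seq, state_hash(balances, seq)


def sample_log() -> List[dict]:
    """Constructed log for the example."""
    return [
        {"seq": 1, "type": "deposit", "account": "alice", "amount": 100},
        {"seq": 2, "type": "deposit", "account": "bob", "amount": 50},
        {"seq": 3, "type": "trade", "from": "alice", "to": "bob", "amount": 20},
        {"seq": 4, "type": "withdraw", "account": "bob", "amount": 30, "approvals": ["g1", "g2", "g3"]},
    ]


def demo() -> dict:
    log = sample_log()
    full = replay(log)                 # cold start from genesis
    checkpoint = replay(log[:2])       # state as of seq 2, as a backup operator might hold it
    resumed = replay(log, checkpoint)  # restart after a crash, applying only seq 3 and 4
    # A rogue operator appends a withdrawal backed by a single guardian.
    rogue = log + [{"seq": 5, "type": "withdraw", "account": "alice", "amount": 80, "approvals": ["g1"]}]
    try:
        replay(rogue)
        rogue_rejected = False
    except InvalidEntry:
        rogue_rejected = True
    # An operator claiming a different balance sheet is caught by hash comparison.
    claimed = state_hash({"alice": 80, "bob": 60}, 4)
    return {
        "balances": full[0],
        "restart_matches_cold_replay": resumed == full,
        "rogue_withdrawal_rejected": rogue_rejected,
        "claimed_state_matches": claimed == full[2],
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Anyone holding the log can run this independently of the operator and of the TEE, which is why the page can treat infrastructure compromise as a liveness problem rather than a fund-loss problem: the worst an operator can do to the log is stop extending it, and a backup operator resumes from the last verified checkpoint.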

Responsible Disclosure

If you discover a security vulnerability, please report it to:

security@notional.xyz

We follow a coordinated disclosure process and offer bug bounties for qualifying vulnerabilities.