Docs
ConceptsBlockchain InfrastructureSmart Contracts

Security

Security model — smart contract architecture, governance security, and anti-manipulation mechanisms.

Overview

Security in the Carrot Network operates at two levels: smart contract security protecting on-chain assets, and governance security protecting the network from manipulation and hostile actions.

Smart contract security

The Carrot Network's smart contracts implement multiple security layers:

Role-Based Access Control (RBAC)

Each contract function is restricted to specific authorized roles. No single account can perform all operations. The system defines five standard roles:

  • DEFAULT_ADMIN_ROLE — Contract ownership and role management. This role can grant or revoke any other role.
  • UPGRADER_ROLE — Can upgrade contract implementations via UUPS proxy. Separated from admin to limit blast radius.
  • OPERATOR_ROLE — Day-to-day operations such as minting MassIDs, issuing certificates, and executing revocations.
  • PAUSER_ROLE — Standard pause mechanism for orderly operational halts.
  • EMERGENCY_PAUSER_ROLE — Circuit breaker for critical failures. Emergency pauses auto-expire after 48 hours to prevent indefinite lockouts, ensuring that even a compromised emergency account cannot permanently freeze the system.

The admin, operator, upgrader, and pauser roles are held by multi-signature wallets — meaning multiple authorized parties must approve any action before it executes. The emergency pauser is the exception: it is a single externally-owned account to enable rapid response when seconds matter.

Pausability

Contracts can be paused in standard or emergency mode, halting operations if a vulnerability or attack is detected. Standard pauses require the PAUSER_ROLE and persist until explicitly unpaused. Emergency pauses, triggered by the EMERGENCY_PAUSER_ROLE, automatically expire after 48 hours — providing a safety net that balances rapid incident response with protection against permanent denial of service.

UUPS upgradeability

Contracts use the Universal Upgradeable Proxy Standard, allowing bug fixes and improvements while maintaining the same contract addresses and state. The ContractRegistry provides centralized service discovery so upgrades propagate cleanly across the system.

EIP-712 typed data signatures

Critical operations like credit purchases and retirements require cryptographically signed, structured data before they can execute on-chain. This means every order must be digitally signed by an authorized party — the smart contract verifies this signature before processing, rejecting any transaction that wasn't properly authorized. This prevents unauthorized parties from executing operations and ensures that signed orders cannot be replayed (used more than once).

Specifically:

  • CreditPurchaseManager and CreditRetirementManager use EIP-712 typed data signatures to authorize purchase and retirement orders.
  • RewardsVault uses EIP-712 for withdrawal authorization, ensuring that reward distributions are explicitly approved.

Soulbound custody

All NFTs (MassIDs, certificates, receipts) are soulbound and held by the Vault smart contract. They cannot be transferred, traded, or stolen. This design is intentional for these reasons:

  • Provenance integrity — The chain from waste collection through certification to credit issuance remains permanent and verifiable on-chain.
  • No speculative trading — Environmental audit records should reflect real-world recycling work, not market speculation.
  • Simplified security model — Eliminating transfers removes an entire class of attack vectors related to marketplace interactions, approval exploits, and unauthorized token movement.

Reentrancy protection

A reentrancy attack occurs when a malicious contract interrupts an operation mid-execution — for example, triggering a withdrawal repeatedly before the balance is updated, draining funds that should no longer be available. All value-moving operations in the Carrot Network are protected against this class of attack using OpenZeppelin's ReentrancyGuard, which ensures each operation completes fully before any new call can begin.

Governance security

The Carrot Foundation implements systematic reward and punishment mechanisms that scale the cost of malicious behavior faster than any revenue it could generate:

  • Participant reputation tracking — Tracks participant behavior across the network, surfacing patterns that indicate bad actors. Sensitive operations can be gated by reputation thresholds, ensuring that only trusted participants access them.
  • Wallet verification — Additional verification steps can be enacted if needed to increase security, which may trade ease of onboarding for stronger protections.
  • Moderation — The Foundation's oversight team can flag behavior violating community guidelines and limit access to reduce risk. Moderators also work to detect and penalize automated manipulation attempts (anti-botting).
  • Punitive measures — When violations are confirmed, penalties are issued through governance decisions and can include suspension of credit minting participation, wallet freezing, or account restrictions.

Design philosophy

The security strategy follows a principle: make the cost of attacking the network always exceed the potential reward. As the ecosystem grows and more participants build genuine reputation, the barrier to coordinated manipulation scales proportionally — protecting the network's integrity as it becomes more valuable.

Learn about smart contracts · Learn about governance

On-Chain Flows

Step-by-step descriptions of the major on-chain transaction flows — minting, credit purchase, rewards, retirement, and revocation.

Interoperability

How Carrot smart contracts are designed for external integration, on-chain verifiability, and ecosystem composability.

On this page

Overview
Smart contract security
Role-Based Access Control (RBAC)
Pausability
UUPS upgradeability
EIP-712 typed data signatures
Soulbound custody
Reentrancy protection
Governance security
Design philosophy