Skip to main content

On-Chain Contracts

Senticore matches orders off-chain at centralized-exchange speed, but custody and solvency live on-chain. Three contracts form that trust boundary. Together they are the reason a market maker can post collateral here without trusting the operator's word: funds sit in an on-chain vault, the venue's state is committed to chain on a fixed cadence, and withdrawals settle against those commitments through Merkle proofs - not operator discretion.

ContractRoleDeep dive
MultiCollateralVaultHolds real ERC-20 collateral. Deposits, proof-backed withdrawals, per-asset rate limits, and a unilateral exit path.MultiCollateralVault
StateCommitmentAnchors the off-chain engine state to chain via 7-of-10 publisher-signed checkpoints, publishing the roots that authorize withdrawals and exits.StateCommitment
$SPT TokenThe proposed ecosystem token (pre-launch). A fixed-supply ERC-20.$SPT Token

How custody actually works

  1. You deposit supported ERC-20 collateral into MultiCollateralVault. The vault holds the real tokens; there is no wrapping, rehypothecation, or off-chain IOU.
  2. The off-chain engine trades your balance deterministically. On a fixed cadence the sequencer commits a checkpoint to StateCommitment, signed by a 7-of-10 publisher quorum. Each checkpoint publishes a withdraw root and (when enabled) an exit root.
  3. To withdraw, you request a withdrawal, wait for the next eligible checkpoint, and the vault releases funds only against a Merkle proof of that withdraw root.
  4. If the operator ever goes dark or censors you, the vault's forced-withdrawal and exit-mode paths let you pull your committed balance directly on-chain, with no operator cooperation required.

This is the "don't trust, verify" property in concrete terms: every balance change that matters to your custody is either provable against an on-chain root or recoverable by you unilaterally. See the Trust Model and Threat Model for the full guarantees and their limits.

Production trust setup

The contracts are non-upgradeable. Privilege is split across independent parties, and the deploying key holds no standing power once setup completes:

PowerHeld byNotes
Governor / Admin (registry, parameters, unpause)TimelockControllerParameter changes are immediate on-contract, so safety relies on the timelock delay in front of the governor.
Guardian (emergency pause, one-tx shutdown)Safe multisigNo timelock - guardians must be able to stop the bleeding immediately.
Withdraw executor (finalizes user withdrawals)Operator workerCan only settle valid, proof-backed claims; cannot mint, move, or redirect funds.
Publishers (checkpoint signers)10-key set, 7 requiredRotated only through a timelocked set-rotation flow.

At deployment the setup script grants Governor/Admin to the timelock and Guardian to the Safe, then revokes every role from the deployer and asserts the revocation on- chain. There is no "admin key" that can unilaterally drain the vault.

Verification

Every deployed contract will be:

  • source-verified on the relevant block explorer, matching the audited release commit tag byte-for-byte;
  • built reproducibly (pinned solc 0.8.28, fixed optimizer settings, IPFS bytecode metadata) so anyone can recompile and compare bytecode;
  • listed in the address table below with its network, deployment date, and the audit report it corresponds to.

Addresses

No public deployment yet

No public mainnet or testnet contracts are deployed. Senticore is in a capped private beta on internal infrastructure. Addresses are published here at deployment - do not trust any "Senticore" contract address from another source.

Mainnet

Published after external tier-1 audit completion and remediation (targeted post-audit; see the Roadmap).

Testnet

Published with the Q3 2026 closed-beta rollout.

ContractNetworkAddressStatus
MultiCollateralVaultTBA0x…Pre-deployment
StateCommitmentTBA0x…Pre-deployment
$SPT TokenTBA0x…Pre-deployment (pending governance & legal review)

The target EVM network is confirmed at deployment. Once live, this table carries the verified address, network, deployment date, and matching audit report for each contract.