On-Chain Contracts
Senticore matches orders off-chain at centralized-exchange speed, but custody and solvency live on-chain. Three contracts form that trust boundary. Together they are the reason a market maker can post collateral here without trusting the operator's word: funds sit in an on-chain vault, the venue's state is committed to chain on a fixed cadence, and withdrawals settle against those commitments through Merkle proofs - not operator discretion.
| Contract | Role | Deep dive |
|---|---|---|
| MultiCollateralVault | Holds real ERC-20 collateral. Deposits, proof-backed withdrawals, per-asset rate limits, and a unilateral exit path. | MultiCollateralVault |
| StateCommitment | Anchors the off-chain engine state to chain via 7-of-10 publisher-signed checkpoints, publishing the roots that authorize withdrawals and exits. | StateCommitment |
| $SPT Token | The proposed ecosystem token (pre-launch). A fixed-supply ERC-20. | $SPT Token |
How custody actually works
- You deposit supported ERC-20 collateral into MultiCollateralVault. The vault holds the real tokens; there is no wrapping, rehypothecation, or off-chain IOU.
- The off-chain engine trades your balance deterministically. On a fixed cadence the sequencer commits a checkpoint to StateCommitment, signed by a 7-of-10 publisher quorum. Each checkpoint publishes a withdraw root and (when enabled) an exit root.
- To withdraw, you request a withdrawal, wait for the next eligible checkpoint, and the vault releases funds only against a Merkle proof of that withdraw root.
- If the operator ever goes dark or censors you, the vault's forced-withdrawal and exit-mode paths let you pull your committed balance directly on-chain, with no operator cooperation required.
This is the "don't trust, verify" property in concrete terms: every balance change that matters to your custody is either provable against an on-chain root or recoverable by you unilaterally. See the Trust Model and Threat Model for the full guarantees and their limits.
Production trust setup
The contracts are non-upgradeable. Privilege is split across independent parties, and the deploying key holds no standing power once setup completes:
| Power | Held by | Notes |
|---|---|---|
| Governor / Admin (registry, parameters, unpause) | TimelockController | Parameter changes are immediate on-contract, so safety relies on the timelock delay in front of the governor. |
| Guardian (emergency pause, one-tx shutdown) | Safe multisig | No timelock - guardians must be able to stop the bleeding immediately. |
| Withdraw executor (finalizes user withdrawals) | Operator worker | Can only settle valid, proof-backed claims; cannot mint, move, or redirect funds. |
| Publishers (checkpoint signers) | 10-key set, 7 required | Rotated only through a timelocked set-rotation flow. |
At deployment the setup script grants Governor/Admin to the timelock and Guardian to the Safe, then revokes every role from the deployer and asserts the revocation on- chain. There is no "admin key" that can unilaterally drain the vault.
Verification
Every deployed contract will be:
- source-verified on the relevant block explorer, matching the audited release commit tag byte-for-byte;
- built reproducibly (pinned
solc 0.8.28, fixed optimizer settings, IPFS bytecode metadata) so anyone can recompile and compare bytecode; - listed in the address table below with its network, deployment date, and the audit report it corresponds to.
Addresses
No public mainnet or testnet contracts are deployed. Senticore is in a capped private beta on internal infrastructure. Addresses are published here at deployment - do not trust any "Senticore" contract address from another source.
Mainnet
Published after external tier-1 audit completion and remediation (targeted post-audit; see the Roadmap).
Testnet
Published with the Q3 2026 closed-beta rollout.
| Contract | Network | Address | Status |
|---|---|---|---|
| MultiCollateralVault | TBA | 0x… | Pre-deployment |
| StateCommitment | TBA | 0x… | Pre-deployment |
| $SPT Token | TBA | 0x… | Pre-deployment (pending governance & legal review) |
The target EVM network is confirmed at deployment. Once live, this table carries the verified address, network, deployment date, and matching audit report for each contract.