Trust Model
Senticore is not fully trustless. It is a hybrid venue: execution is off-chain, custody and settlement verification are on-chain.
Understanding the trust model is critical before placing real funds at risk. The system is designed to reduce custody risk, not to eliminate every operator assumption.
What is trustless
Custody
User funds are held in MultiCollateralVault. Sentico Labs should not be able to arbitrarily move user funds. Withdrawals are intended to execute through proof-backed claims against published roots.
Withdrawal verification
A user can independently verify a withdrawal claim by:
- Fetching the relevant withdrawal root from
StateCommitment. - Constructing the withdrawal leaf from their claim.
- Verifying the Merkle proof against the published root.
- Executing the withdrawal through the vault contract.
Contract behavior
After deployment and verification, contract behavior is externally inspectable on-chain. Contract risk remains until the audited deployment is live.
What users must trust
Sequencer operator
The sequencer determines action ordering and matching. Users must trust the operator for:
- Fair ordering within the documented execution window.
- Liveness and operational uptime.
- Non-censorship of valid user actions.
- Correct replay and recovery procedures after incidents.
Publisher quorum
State commitments are signed by a publisher set. Users must trust that a quorum does not collude to publish invalid roots and that signing keys remain secure.
Off-chain matching
Trades happen off-chain first. Until a checkpoint is published, fills are sequencer-attested rather than chain-final. This creates a risk window between execution and settlement commitment.
What is planned after launch
| Mechanism | Purpose | Status |
|---|---|---|
| Emergency withdrawal path | Reduce sequencer liveness dependency | Post-launch roadmap |
| Additional publisher controls | Improve key-compromise response | In governance docs |
| Decentralized sequencing | Reduce single-operator trust | Long-term roadmap |
Operational track record
The trust model above has been validated end-to-end during internal beta on real collateral. We have observed the full lifecycle from deposit through proof-backed withdrawal in operational conditions before opening the system to external users.
External validation through a tier-1 audit is scheduled for Q4 2026 to Q1 2027 before public mainnet.
Independent verification
| Claim | How to verify |
|---|---|
| Vault holds supported collateral | Inspect MultiCollateralVault balances on-chain |
| A checkpoint was published | Query StateCommitment events and state |
| A withdrawal is valid | Verify Merkle proof against the withdraw root |
| Publisher set membership | Inspect publisher registry state |
Compared to alternatives
| Trust dimension | Centralized exchange | Senticore | Fully on-chain DEX |
|---|---|---|---|
| Custody trust | Required | Minimized | Minimized |
| Order fairness trust | Required | Required within model | Usually not required |
| Sequencer trust | Required | Required with verifiability | Not applicable |
| Latency | Sub-ms | Sub-ms target | Block-time |
| Advanced order types | Strong | Strong target | Limited |