
Security Model Overview

This document describes the security architecture of Nomial V1.


Last updated 26 days ago

Access Control

All protocol operations are gated by the InventoryPoolDefaultAccessManager01.sol contract, which implements OpenZeppelin's AccessControl and adds custom roles (VALIDATOR_ROLE, BORROWER_ROLE) on top of DEFAULT_ADMIN_ROLE.

Validator Sign-Off Mechanism

Off-chain validators run clients that monitor system state across all deployed chains. Every protected operation requires a strict majority of the active validator set to sign off—e.g., with four validators, at least three must approve. The access manager verifies replay-protected signatures against the VALIDATOR_ROLE, ensuring only a majority consensus executes critical functions.

Collateral Lock & Withdrawal Process

Collateral in Nomial V1 is managed by the CollateralPool01 contract, which enforces a two-phase, time-locked withdrawal mechanism. Collateral can be liquidated to cover a borrower's debt if they fail to repay their loan. Validators enforce collateral requirements at their discretion. A majority of validator signatures is required to trigger collateral liquidation.

Loan Process

Borrowers must obtain majority validator sign-off for all borrows. Additionally, borrowers must be granted the BORROWER_ROLE in order to borrow funds from an inventory pool. Collateral requirements, enforced by validators, ensure that borrowers have an incentive to repay their debt.

Administrative Operations

Administrative changes (interest-rate parameter changes, validator and borrower set updates, pool state overrides) can only be performed by the default admin address, and each such change additionally requires validator majority sign-off.
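An added sketch, not Nomial's code, of how an access manager can enforce the sign-off rule described above (strict majority of VALIDATOR_ROLE holders, replay-protected signatures) and combine it with the admin key for administrative operations. The contract and function names, the OpenZeppelin v5 import paths, and the fields bound into the signed digest (chain id, contract address, nonce, operation hash) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

// Hypothetical sketch of a validator-majority gate; not the Nomial contract.
contract ValidatorMajoritySketch is AccessControl {
    bytes32 public constant VALIDATOR_ROLE = keccak256("VALIDATOR_ROLE");
    uint256 public activeValidatorCount; // size of the active validator set
    uint256 public nonce;                // consumed once per executed operation

    constructor(address admin, uint256 initialValidatorCount) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        activeValidatorCount = initialValidatorCount;
    }

    // Strict majority: 4 validators -> 3 approvals, 5 -> 3, 6 -> 4.
    function requiredApprovals() public view returns (uint256) {
        return activeValidatorCount / 2 + 1;
    }

    // Verifies that `sigs` carry a strict majority of VALIDATOR_ROLE holders over
    // (chain id, this contract, current nonce, opHash). Signers must be strictly
    // ascending so one key cannot be counted twice; the nonce is consumed on
    // success so the same signatures cannot be replayed.
    function _checkValidatorMajority(bytes32 opHash, bytes[] calldata sigs) internal {
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(block.chainid, address(this), nonce, opHash))
        );
        address last = address(0);
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = ECDSA.recover(digest, sigs[i]);
            require(signer > last, "signers must be unique and ascending");
            require(hasRole(VALIDATOR_ROLE, signer), "signer is not an active validator");
            last = signer;
        }
        require(sigs.length >= requiredApprovals(), "validator majority required");
        nonce++;
    }

    // Administrative operation: requires the admin key AND a validator majority.
    // Binding the function name and argument into opHash keeps a signature for
    // one operation from authorizing a different one.
    function setActiveValidatorCount(uint256 n, bytes[] calldata sigs) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _checkValidatorMajority(keccak256(abi.encode("setActiveValidatorCount", n, msg.sender)), sigs);
        activeValidatorCount = n;
    }
}
```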

Permissionless Actions

Two core user operations remain permissionless:

  • LP deposits and withdrawals in InventoryPool01.sol

  • Loan repayments in InventoryPool01.sol

Threat Model

An attacker must compromise a strict majority of validator private keys and the default admin key to execute any privileged action or steal funds from inventory pools. If an attacker compromises a borrower key, the collateral provided by the borrower can be liquidated to recover the value of stolen funds.

By combining role-based access control with an off-chain validator set and a strict-majority threshold, Nomial V1 minimizes trust in any single party. An adversary would have to control both a majority of validators and a privileged access account key (admin or borrower) in order to exploit the system.
