Version: 1.0 Status: Active Protocol: NXY Benchmark System Network: BNB Smart Chain

The Naira Index (NXY) protocol is designed as a deterministic benchmark publication system operating through modular smart contract infrastructure.

Security of the protocol depends on several independent mechanisms including smart contract validation rules, oracle diversity enforcement, governance timelock controls, and on-chain transparency.

Because the protocol operates on public blockchain infrastructure, security assumptions include the integrity of the underlying blockchain network and the correct functioning of smart contract execution environments.

Security vulnerabilities affecting the NXY protocol should be reported privately.

Researchers discovering a potential vulnerability should provide sufficient technical details to allow maintainers to reproduce and evaluate the issue.

Security reports should include:

• description of the vulnerability
• steps required to reproduce the issue
• potential impact on protocol behavior
• recommended mitigation if available

Researchers are requested not to publicly disclose vulnerabilities until maintainers have had reasonable time to evaluate and address the issue.

The following components fall within the security scope of the NXY protocol.

Smart contract infrastructure

• Core proxy contract
• core implementation contract
• oracle policy module
• publication manager
• compliance module
• governance timelock

Protocol validation rules

• oracle signature validation
• signer diversity enforcement
• timestamp validation
• reference asset verification

Governance infrastructure

timelock scheduling
administrative execution flows

The following elements are outside the direct control of the protocol maintainers and therefore outside the security scope.

• External oracle operators
• external market data sources
• third-party integrations
• blockchain network infrastructure

Although these components influence protocol operation, they are not controlled by the NXY protocol itself.

The NXY protocol architecture follows several security design principles.

Modular architecture

Benchmark validation, publication, compliance, and governance are separated into independent contracts.

Deterministic validation

All benchmark observations must satisfy validation rules enforced by smart contracts.

Governance timelock

Administrative actions cannot be executed immediately and must pass through a mandatory delay.

Immutable publication history

Accepted benchmark observations become part of the permanent blockchain record.

Minimal trust assumptions

Protocol logic does not rely on a single oracle participant or centralized operator.

Benchmark observations originate from oracle participants.

Security protections include:

• signature verification
• oracle authorization checks
• signer class diversity enforcement

These safeguards reduce the risk that a single participant could manipulate benchmark observations.

Administrative control of the protocol is governed by a timelock contract.

Security protections include:

• delayed execution of governance actions
• transparent on-chain governance transactions
• auditable parameter changes

These mechanisms ensure that governance actions remain observable before execution.

The NXY protocol operates within several inherent risk categories.

Smart Contract Risk

Software vulnerabilities may exist in contract logic despite review and testing.

Oracle Risk

Benchmark observations depend on oracle participants and external data sources.

Blockchain Infrastructure Risk

Protocol operation depends on the underlying blockchain network.

Governance Risk

Governance participants may approve configuration changes affecting protocol behavior.

These risks are inherent to decentralized financial infrastructure.

Because all benchmark publications and governance actions occur on-chain, the protocol provides a transparent audit trail.

Security monitoring may include:

• contract interaction analysis
• benchmark publication verification
• governance activity monitoring
• oracle submission pattern analysis

External observers can independently verify protocol behavior using blockchain data.

If a vulnerability affecting the protocol is identified, mitigation may involve:

• contract upgrades through governance
• configuration adjustments
• temporary protocol restrictions

All security updates must pass through the governance timelock process unless emergency procedures are explicitly implemented.

The NXY protocol benefits from independent review and analysis by developers, researchers, and external observers.

Responsible security research contributes to improving the resilience of the protocol infrastructure.

Reported vulnerabilities may be classified according to their potential impact on protocol integrity.

Severity categories may include:

Critical

Vulnerabilities that allow unauthorized modification of benchmark state, governance control, or protocol storage.

High

Vulnerabilities that allow bypassing validation logic, oracle authorization checks, or governance restrictions.

Medium

Vulnerabilities that affect protocol availability, data visibility, or non-critical operational behavior.

Low

Issues that do not directly affect protocol integrity but may impact documentation, monitoring tools, or non-critical interfaces.

Severity classification helps prioritize mitigation efforts.

The NXY protocol assumes several potential adversarial scenarios.

These include:

• malicious oracle participants
• incorrect or manipulated external market data
• unauthorized governance attempts
• smart contract exploitation attempts
• transaction ordering manipulation

The protocol architecture mitigates these risks through oracle diversity enforcement, validation rules, governance timelocks, and modular contract separation.

Independent security reviews are an important component of protocol security.

Smart contract implementations may undergo internal review and external security audits prior to major protocol upgrades.

Audit reports, if produced, may be published within the repository or referenced in documentation to support transparency of the security review process.

Security researchers who responsibly disclose vulnerabilities that materially affect the protocol may be eligible for recognition or discretionary rewards.

Bug bounty programs, if established, will be documented in the repository or official protocol communications.

Participation in vulnerability disclosure programs should follow the responsible disclosure procedures described in this document.

End of ./SECURITY.md