Technical
Security
ArcaneFi is built with a layered security model: on-chain atomicity, server-side key isolation, database row-level security, and on-chain revocation capabilities.
Atomic Trades
USDC payment and NFT transfer happen in a single Arc transaction. Either the full swap completes or nothing executes: no partial states, no stuck funds, no race conditions.
Treasury Key Isolation
The treasury private key (used for SBT minting and USDC reward delivery) lives only in server-side API routes. Never in the browser, never client-side, never in frontend code.
SBT Revocation
The ArcFiSBT contract includes revoke(): the treasury can burn tokens from wallets found to be in violation of the ToS or involved in sybil attacks. The revoked wallet's hasClaimed resets.
Database RLS
Supabase Row-Level Security policies ensure wallets can only read and write their own XP and reward data. Admin operations use a separate server-side service role key never exposed to clients.
Admin Audit Log
Every admin action (XP grants, role changes, whitelist modifications, milestone edits) is logged in the admin_audit_log table with timestamp, admin wallet, action type, and full before/after state. This provides a complete audit trail for all administrative operations.
One SBT Per Wallet
The ArcFiSBT contract enforces a one-SBT-per-wallet rule via the hasClaimed mapping. A wallet cannot receive the same milestone SBT twice. This prevents duplicate badge farming and ensures the achievement is genuine.
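The sketch below is an added example, not the ArcFiSBT source. It shows how the hasClaimed check described here and the revoke() behaviour from the SBT Revocation section fit together. The per-milestone mapping layout, the treasury-only modifier, and every name other than hasClaimed and revoke are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only, not the ArcFiSBT contract. Storage layout and all
// names except hasClaimed/revoke are assumptions made for this example.
contract SbtSketch {
    address public immutable treasury;
    uint256 private nextTokenId = 1;

    // wallet => milestone => wallet currently holds this milestone's SBT
    mapping(address => mapping(uint256 => bool)) public hasClaimed;
    // wallet => milestone => tokenId (0 means none)
    mapping(address => mapping(uint256 => uint256)) public tokenOf;
    mapping(uint256 => address) public ownerOf;

    event Minted(address indexed wallet, uint256 indexed milestone, uint256 tokenId);
    event Revoked(address indexed wallet, uint256 indexed milestone, uint256 tokenId);

    error NotTreasury();
    error AlreadyClaimed();
    error NothingToRevoke();

    modifier onlyTreasury() {
        if (msg.sender != treasury) revert NotTreasury();
        _;
    }

    constructor(address treasury_) {
        treasury = treasury_;
    }

    // A second mint of the same milestone to the same wallet reverts.
    function mint(address wallet, uint256 milestone) external onlyTreasury returns (uint256 id) {
        if (hasClaimed[wallet][milestone]) revert AlreadyClaimed();
        id = nextTokenId++;
        hasClaimed[wallet][milestone] = true;
        tokenOf[wallet][milestone] = id;
        ownerOf[id] = wallet;
        emit Minted(wallet, milestone, id);
    }

    // Burns the badge and resets hasClaimed for that wallet and milestone.
    function revoke(address wallet, uint256 milestone) external onlyTreasury {
        uint256 id = tokenOf[wallet][milestone];
        if (id == 0) revert NothingToRevoke();
        delete ownerOf[id];
        delete tokenOf[wallet][milestone];
        hasClaimed[wallet][milestone] = false;
        emit Revoked(wallet, milestone, id);
    }
    // No transfer function is defined, so a badge cannot leave the wallet it was minted to.
}
```

In this sketch, clearing hasClaimed on revocation means the wallet passes the duplicate check again, so any rule against re-issuing a badge to a revoked wallet has to be enforced wherever mint eligibility is decided.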
Pre-Audit Testnet
ArcaneFi is currently on Arc Testnet. Smart contracts have not yet undergone a formal third-party security audit. A full audit will be conducted prior to Arc Mainnet deployment.