Obolus
HomeResearchCreatorsDemoDocsRun research
What Obolus doesHow to run a queryHow creators get paidx402 tolls and citation royaltiesClaims, quotes, and weightsWhat a receipt provesSystem architectureSecurity and adversarial testsHow to test the claimsCurrent limits

Threat model

Security and adversarial tests

The prototype is testnet-only, but the money and attribution invariants are treated as real.

Security docsTesting scope

Hard boundaries

  • Never use mainnet private keys.
  • Never commit `.env.local`.
  • Do not treat browser test wallets as production custody.
  • Creator withdrawals are currently signed by a server-side seller key, not self-custodially; production would move withdrawal signing to the creator's own browser wallet.
  • Do not claim an asset is creator-owned without opt-in or review.

Adversarial cases

  • Off-topic assets must be skipped.
  • Prompt injection inside source content must not affect payouts.
  • Non-substring quotes must be rejected.
  • Re-running a query step must not double-pay.
  • Per-payment rows must not fabricate transaction hashes.

Root docs

Security and adversarial testing docs in the repository root list the checks to run before demos.

Need the implementation-level version? Read the root README, Architecture, Security, and Adversarial Testing documents in the repository.