Trust Model
Relay Settlement is designed to be non-custodial — no single entity can unilaterally access user funds. Each component has different trust properties:
Depository (Minimal Trust)
The Depository contracts are the most trust-minimized component:
- Non-upgradable — Contract logic is immutable after deployment
- Single authorization path — Only the registered Allocator can authorize withdrawals
- Short custody duration — Funds are typically held for seconds to minutes, not hours or days
- No admin withdrawal — There is no backdoor function for the contract owner to withdraw user funds
Oracle (Trust-Critical)
The Oracle determines which deposits and fills are considered valid:
- Can attribute balances — The Oracle controls what gets minted, transferred, or burned on the Hub
- Cannot steal Depository funds — Even an incorrect attestation only affects Hub balances. The Allocator independently verifies Hub balances before authorizing any withdrawal.
- Consensus-based — Designed for multi-operator consensus, where multiple independent parties must agree on attestations
The Oracle is the main trust-bearing component. A compromised Oracle could incorrectly attribute balances, but the damage is bounded by the Allocator’s balance checks and the Security Council’s ability to pause the system.
Hub (Smart Contract)
The Hub is a deterministic smart contract on the Relay Chain:
- Rule-based — Balance changes only occur through Oracle-attested actions (MINT, TRANSFER, BURN)
- Idempotent — The same attestation cannot be processed twice
- Transparent — All balance changes are visible on the Relay Chain block explorer
Allocator (Trust-Critical, MPC-Mitigated)
The Allocator controls withdrawal authorization:
- MPC signatures — No single entity holds the full signing key
- Balance-bounded — Can only authorize withdrawals up to a solver’s Hub balance
- Governed by Security Council — A multisig can pause or replace the Allocator
- Replay-protected — Nonces and expirations prevent proof reuse
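The Hub and Allocator properties listed above (idempotent attestations, balance-bounded and replay-protected authorization, pausing) can be expressed as a small executable model. This is an added illustration, not Relay's contract code: the class and field names, the `outstanding` reservation bookkeeping, and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field

class Rejected(Exception):
    """An attestation or withdrawal request violated a model invariant."""

@dataclass
class Hub:
    balances: dict = field(default_factory=dict)
    seen: set = field(default_factory=set)   # attestation ids already applied

    def apply(self, att_id, action, amount, src=None, dst=None):
        """Apply one Oracle-attested action; returns False on a repeat."""
        if action not in ("MINT", "TRANSFER", "BURN"):
            raise Rejected("unknown action")
        if att_id in self.seen:               # idempotent: a replay is a no-op
            return False
        if action != "MINT":
            if self.balances.get(src, 0) < amount:
                raise Rejected("insufficient Hub balance")
            self.balances[src] -= amount
        if action != "BURN":
            self.balances[dst] = self.balances.get(dst, 0) + amount
        self.seen.add(att_id)
        return True

@dataclass
class Allocator:
    hub: Hub
    paused: bool = False                      # flipped by the Security Council
    used: set = field(default_factory=set)    # (solver, nonce) pairs already signed
    outstanding: dict = field(default_factory=dict)  # assumption: reserved amounts

    def authorize(self, solver, amount, nonce, expires_at, now):
        """Return a withdrawal authorization or raise Rejected."""
        if self.paused:
            raise Rejected("paused")
        if now >= expires_at:
            raise Rejected("expired")
        if (solver, nonce) in self.used:
            raise Rejected("nonce reused")
        reserved = self.outstanding.get(solver, 0)
        if amount <= 0 or reserved + amount > self.hub.balances.get(solver, 0):
            raise Rejected("exceeds Hub balance")
        self.used.add((solver, nonce))
        self.outstanding[solver] = reserved + amount
        return {"solver": solver, "amount": amount, "nonce": nonce, "expires_at": expires_at}

if __name__ == "__main__":
    hub = Hub()
    hub.apply("att-1", "MINT", 100, dst="solver-A")   # constructed sample attestation
    print(Allocator(hub).authorize("solver-A", 60, nonce=1, expires_at=1000, now=900))
```

In this model an incorrect MINT inflates only a Hub balance; every withdrawal still has to pass the Allocator's expiry, nonce, and balance checks, and none pass while `paused` is set.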
Security Council
The Security Council is a multisig that governs the Allocator. Any single member can immediately pause all withdrawals, while structural changes (replacing the Allocator, changing membership) require a supermajority. Because all withdrawals flow through a single Allocator, the entire protocol across 80+ chains can be paused with a single transaction. See the full Security Council page for details on tiered thresholds and scope.
Audits
The protocol has been audited by leading security firms:

| Date | Scope | Auditor | Report |
|---|---|---|---|
| February 2025 | Relay Depository (EVM) | Spearbit | View Report |
| June 2025 | Relay Depository (EVM) | Certora | View Report |
| November 2025 | Settlement Protocol | Zellic | View Report |
Bug Bounty
Details of the Relay bug bounty program can be found on the Relay GitHub.
Source Code
All protocol contracts are open source:
- settlement-protocol — Hub, Oracle, Allocator contracts
- relay-depository — Depository contracts (EVM + Solana)