Security
Access control, roles, replay protection, and the emergency governance model.
Role-based access control
All Landblock contracts use OpenZeppelin AccessControl with granular role assignments. Roles are defined per contract and granted by the appropriate authority.
| Role | Description |
|---|---|
| ROLE_AUTHORITY | Accredited registry authority. Can accredit sub-registries and issue injunctions. |
| ROLE_RELAYER | Authorized relayer. Can submit spatial unit registrations on behalf of a registry. Subject to daily cap. |
| ROLE_OWNER | LADM party role for a rights-holder with ownership rights. |
| ROLE_TRUSTEE | LADM party role for a trustee. |
| ROLE_MORTGAGEE | LADM party role for a lien holder. |
Spatial unit ingest controls
- 3-of-5 threshold signatures required from authorized relayers before a spatial unit registration is finalized
- 72-hour challenge window during which any ROLE_AUTHORITY can flag a registration for review
- Daily relayer cap of 100 spatial unit registrations per relayer per day — limits burst abuse
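The three ingest controls above can be modelled off-chain to see how they interact. This is an added example, not Landblock contract code. It assumes the submitting relayer's signature counts toward the threshold, the cap is counted per submitting relayer per UTC day, and a flag raised inside the window blocks finalization; signature verification is reduced to relayer identity, and the names IngestModel and can_finalize are hypothetical.

```python
# Added illustration: off-chain model of the ingest rules, not Landblock contract code.
from dataclasses import dataclass, field

THRESHOLD = 3                  # distinct relayer approvals required (3-of-5)
CHALLENGE_WINDOW = 72 * 3600   # 72-hour challenge window, in seconds
DAILY_CAP = 100                # registrations per relayer per day
DAY = 86400

@dataclass
class Registration:
    submitted_at: int
    approvals: set = field(default_factory=set)
    flagged: bool = False

class IngestModel:
    def __init__(self, relayers, authorities):
        self.relayers, self.authorities = set(relayers), set(authorities)
        self.regs = {}    # unit_id -> Registration
        self.daily = {}   # (relayer, day index) -> submissions counted

    def submit(self, relayer, unit_id, now):
        if relayer not in self.relayers:
            raise PermissionError("not ROLE_RELAYER")
        if unit_id in self.regs:
            raise ValueError("already submitted")
        key = (relayer, now // DAY)   # assumption: cap resets per UTC day
        if self.daily.get(key, 0) >= DAILY_CAP:
            raise RuntimeError("daily relayer cap reached")
        self.daily[key] = self.daily.get(key, 0) + 1
        # assumption: the submitter's signature counts as the first approval
        self.regs[unit_id] = Registration(now, {relayer})

    def approve(self, relayer, unit_id):
        if relayer not in self.relayers:
            raise PermissionError("not ROLE_RELAYER")
        self.regs[unit_id].approvals.add(relayer)  # set: a repeat signer counts once

    def flag(self, authority, unit_id, now):
        if authority not in self.authorities:
            raise PermissionError("not ROLE_AUTHORITY")
        reg = self.regs[unit_id]
        # a flag only takes effect while the challenge window is still open
        reg.flagged |= now < reg.submitted_at + CHALLENGE_WINDOW
        return reg.flagged

    def can_finalize(self, unit_id, now):
        reg = self.regs[unit_id]
        # assumption: a flagged registration stays blocked pending review
        return (len(reg.approvals) >= THRESHOLD and not reg.flagged
                and now >= reg.submitted_at + CHALLENGE_WINDOW)
```

The cases worth checking against the real contracts are the ones this model makes explicit: duplicate signatures from one relayer, a flag arriving exactly at window close, and the cap boundary at the day rollover.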
Replay protection
All proof submissions include a nonce-based hash reconstruction (ADR-0018). Each proof hash is constructed from the record content plus a registry-specific nonce, preventing replay of previously submitted proofs against different records.
Pausable contracts
All registry contracts implement OpenZeppelin Pausable. In the event of a critical vulnerability or attack, the Founding Steward Multi-Sig (or, post-mainnet, the Aragon DAO executor) can pause operations on any contract. Pausing suspends new submissions but does not affect the integrity of existing records.
Governance security — neutrality lock
Any proposal that would give the DAO authority over land outcomes requires an 85% circulating LGT supermajority and a 90-day deliberation window. Lowering either threshold requires the same process. This is enforced at the governance layer to prevent scope creep by any future DAO majority.
Emergency veto
The Founding Steward Gnosis Safe holds an emergency veto role during the pre-mainnet phase. After mainnet launch and full DAO activation, the Safe transitions to an emergency veto role with a threshold set by DAO vote. The veto exists to respond to critical vulnerabilities faster than a DAO vote allows, not to override governance decisions.
Audit
An independent security audit is scheduled before mainnet deployment. Audit reports will be published publicly. All contracts are open-source and available in the landblock-public repository.