Trust Model
Relay Settlement is designed to be non-custodial — no single entity can unilaterally access user funds. Each component has different trust properties:
Depository
The Depository contracts are the most trust-minimized component:
- Non-upgradable — Contract logic is immutable after deployment
- Single authorization path — Only the registered Allocator can authorize withdrawals
- Short custody duration — Funds are typically held for seconds to minutes, not hours or days
- No admin withdrawal — There is no backdoor function for the contract owner to withdraw user funds
Oracle
The Oracle determines which deposits and fills are considered valid:
- Can attribute balances — The Oracle controls what gets minted, transferred, or burned on the Hub
- Cannot steal Depository funds — Even an incorrect attestation only affects Hub balances. The Allocator independently verifies Hub balances before authorizing any withdrawal.
- Consensus threshold — Attestations require signatures from a threshold of independent validators. The onchain Oracle contract verifies the threshold is met before executing any action on the Hub.
The Oracle is the main trust-bearing component. A compromised minority of validators cannot submit false attestations. A compromised majority could incorrectly attribute balances, but the damage is bounded by the Allocator’s balance checks and the Security Council’s ability to pause the system.
Hub
The Hub is a deterministic smart contract on the Relay Chain:
- Rule-based — Balance changes only occur through Oracle-attested actions (MINT, TRANSFER, BURN)
- Idempotent — The same attestation cannot be processed twice
- Transparent — All balance changes are visible on the Relay Chain block explorer
Allocator
The Allocator controls withdrawal authorization:
- MPC signatures — No single entity holds the full signing key
- Balance-bounded — Can only authorize withdrawals up to a solver’s Hub balance
- Governed by Security Council — A multisig can pause or replace the Allocator
- Replay-protected — Nonces and expirations prevent proof reuse
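
A simplified Python model of the Hub and Allocator properties listed above: idempotent attestations, balance-bounded authorization, nonce and expiry replay protection, and the Security Council pause. It is an added illustration, not Relay's contract code; every class, field and reason string is an assumption, and the TRANSFER action and MPC signing are left out.

```python
from dataclasses import dataclass, field

# Toy model: class, field and reason names are assumptions, not Relay's interfaces.

@dataclass
class Hub:
    balances: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)   # attestation ids already applied

    def apply(self, attestation_id, action, solver, amount):
        """Apply an Oracle-attested MINT or BURN at most once."""
        if attestation_id in self.processed:
            return False                          # idempotent: duplicate is a no-op
        current = self.balances.get(solver, 0)
        if action == "MINT":
            self.balances[solver] = current + amount
        elif action == "BURN" and amount <= current:
            self.balances[solver] = current - amount
        else:
            return False                          # TRANSFER omitted from this sketch
        self.processed.add(attestation_id)
        return True

@dataclass(frozen=True)
class WithdrawalRequest:
    solver: str
    amount: int
    nonce: int
    expiry: int                                   # unix time; proof invalid from here on

@dataclass
class Allocator:
    hub: Hub
    used_nonces: set = field(default_factory=set)
    paused: bool = False                          # flipped by the Security Council

    def authorize(self, req, now):
        """Return (approved, reason). Debiting the Hub afterwards is not modelled."""
        if self.paused:
            return False, "paused"
        if now >= req.expiry:
            return False, "expired"
        if (req.solver, req.nonce) in self.used_nonces:
            return False, "nonce reused"
        if not 0 < req.amount <= self.hub.balances.get(req.solver, 0):
            return False, "exceeds hub balance"
        self.used_nonces.add((req.solver, req.nonce))
        return True, "ok"
```
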
Security Council
The Security Council is a multisig that governs the Allocator. Any single member can immediately pause all withdrawals, while structural changes (replacing the Allocator, changing membership) require a supermajority. Because all withdrawals flow through a single Allocator, the entire protocol across 80+ chains can be paused with a single transaction. See the full Security Council page for details on tiered thresholds and scope.
Audits
The protocol has been audited by leading security firms:

| Date | Scope | Auditor | Report |
|---|---|---|---|
| February 2025 | Relay Depository (EVM) | Spearbit | View Report |
| June 2025 | Relay Depository (EVM) | Certora | View Report |
| November 2025 | Settlement Protocol | Zellic | View Report |
Bug Bounty
Details of the Relay bug bounty program can be found on the Relay GitHub.
Source Code
All protocol contracts are open source:
- settlement-protocol — Hub, Oracle, Allocator contracts
- relay-depository — Depository contracts (EVM + Solana)