Security
Understanding Brtr Protocol's security model and best practices for safe trading.
Trust Model
Brtr is designed to be trustless:
- No custody of user funds
- No admin control over trades
- No ability to freeze user assets
- Smart contract enforced settlement
What You Trust
- Smart Contract Code — Open source, auditable
- LayerZero Protocol — For cross-chain messaging
- Blockchain Networks — Underlying consensus
What You Don't Trust
- The Brtr team
- Other traders
- Centralized services
Security Features
Escrow Model
All trades use smart contract escrow:
Seller creates order:
→ Tokens transferred to contract ✓
Buyer fills order:
→ Payment escrowed in contract ✓
Trade completes:
→ Contract releases tokens atomically ✓No party holds the other's tokens outside the contract.
State Machine Protection
Orders follow a strict state progression:
Open → AwaitingConfirmation → AwaitingFinalization → Completed
│
└──→ Cancelled- Can't skip states
- Can't go backwards
- Can't be manipulated
Cross-Chain Security
3-message protocol ensures atomic cross-chain settlement:
- FILL_INITIATE — Buyer tokens escrowed, message sent
- FILL_CONFIRMATION — Seller tokens locked (NOT sent), confirmation returned
- FILL_FINALIZATION — Both parties receive tokens
Seller tokens are only released AFTER buyer has irrevocably paid. This prevents the attack where seller receives payment but buyer never gets tokens.
Recovery Mechanisms
For edge cases (message failures, network issues):
- 30-minute timeout — Recovery functions only available after delay
- Buyer refund — Can reclaim escrowed tokens if confirmation never arrives
- Admin recovery — Owner can finalize/refund stuck orders after verification
Threat Analysis
Considered Threats
| Threat | Mitigation |
|---|---|
| Reentrancy | ReentrancyGuard on all external functions |
| Front-running | Fixed prices, no MEV opportunity |
| Flash loan attacks | No price oracles used |
| Message replay | LayerZero nonce tracking |
| Unauthorized access | Ownable modifier on admin functions |
| Token approval abuse | Specific amount approvals recommended |
Not Protected Against
- Malicious tokens (e.g., tokens with transfer taxes, blacklists)
- User error (wrong addresses, amounts)
- Network-level attacks on underlying chains
Best Practices for Users
Before Trading
- Verify contract addresses — Check against official docs
- Research tokens — Ensure tokens are legitimate
- Check liquidity — Make sure tokens are transferable
During Trading
- Start small — Test with small amounts first
- Verify amounts — Double-check before confirming
- Monitor gas — Ensure enough ETH for cross-chain
After Trading
- Verify receipt — Check tokens arrived in wallet
- Track cross-chain — Monitor progress on LayerZero Scan
- Keep records — Save transaction hashes
Common Scams to Avoid
🚫
Brtr team will NEVER:
- DM you first
- Ask for private keys
- Ask you to send tokens to "verify"
- Promise guaranteed returns
Fake Token Scams
Scammers create tokens with similar names:
- Always verify token addresses
- Check on block explorer before trading
- Don't trade unknown tokens
Phishing Sites
Fake websites mimicking Brtr:
- Always verify URL:
app.brtr.world - Bookmark the official site
- Don't click links in DMs
Social Engineering
"Customer support" asking for access:
- Brtr support will never ask for private keys
- Report suspicious accounts
Emergency Procedures
If You Suspect a Problem
- Don't panic — Most issues are temporary
- Check status — Is the trade in progress?
- Wait for timeout — Recovery available after 30 mins
- Contact support — Join Discord for help
Contract Pause
In extreme circumstances, the contract can be paused:
- Only by owner
- Stops new orders/fills
- Does NOT affect in-progress trades
- Users can still cancel open orders
Reporting Security Issues
Found a vulnerability?
- DO NOT disclose publicly
- Email security@brtr.world
- Include full details and reproduction steps
- Wait for acknowledgment (24 hours)
See Contract Addresses for current security contact details.