Security

Trust Assumptions

Smart Contracts

Market contracts are deployed by the MarketFactory using CREATE (not CREATE2, which Quai doesn’t support)
Each market is an independent contract — a bug in one market cannot affect another
Factory owner can cancel markets and emergency-resolve, but cannot withdraw user funds

Oracle (Stork)

Resolution relies on Stork Oracle signed price data
Stork is a decentralized oracle with publisher signatures verified on-chain
The resolve() function requires cryptographically signed price data — it cannot be spoofed
Oracle fees are paid by the resolver (anyone can resolve after resolutionTime)

Factory Owner

The factory owner (admin) has limited powers:

Capability	Risk Level
Create markets	Low
Cancel markets	Low — returns all funds to bettors
Emergency resolve	Medium — can force a Yes/No outcome if oracle fails
Adjust fee rates	Medium — can change treasury/creator fee BPS
Pause/unpause factory	Medium — can temporarily prevent new markets

The factory owner cannot:

Withdraw funds from existing markets
Modify bets or pool balances
Change the oracle address on existing markets
Prevent users from claiming won bets

Emergency Resolution

If the Stork Oracle fails to provide valid data (e.g. feed removed, API down), the factory owner can call emergencyResolve(market, yesWon) to force resolution. This is a backstop to prevent funds from being permanently locked.

Emergency resolution can only be called 48 hours after resolutionTime — giving ample time for normal oracle resolution first.

User Safety

Funds are held in the market contract, not by any team or treasury
The claim() function sends QUAI directly to the winner’s wallet
All contract interactions are on Quai mainnet — there is no testnet deployment
There is no upgradeability pattern — deployed markets are immutable