Security Model
This page documents Rubicon's security architecture and the trust assumptions involved in using our platform.
System Architecture
┌─────────────────────────────────────────────────────────────────┐
│ USER LAYER │
│ [Your Wallet] ◄──────► [Trading Interface] ◄──────► [Orders] │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ HYPERLIQUID LAYER │
│ [Order Book] ◄──────► [Matching Engine] ◄──────► [Settlement] │
│ [Margin System] ◄──────► [Liquidation Engine] │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ RUBICON ORACLE │
│ [Price Sources] ──► [Validation] ──► [setOracle()] ──► HL │
└─────────────────────────────────────────────────────────────────┘Trust Assumptions
What You Trust Hyperliquid For
Order matching
Fair, deterministic execution
Margin accounting
Accurate balance tracking
Settlement
Correct PnL calculation
Custody
Secure fund storage
Hyperliquid is a production-tested L1 with significant TVL and trading volume.
What You Trust Rubicon For
Oracle prices
Accurate ETF price feeds
Oracle uptime
Consistent 3-second updates
No manipulation
We don't exploit our oracle role
Oracle Security
Price Integrity
We ensure price accuracy through:
Multiple sources — Cross-reference Polygon and Yahoo
Validation — Reject prices outside ±20% of last known
Transparency — Prices verifiable against public ETF data
Operational Security
Oracle infrastructure is protected by:
Key security — Oracle signing keys in secure storage
Monitoring — 24/7 alerting on anomalies
Access control — Minimal personnel with system access
What We Cannot Do
As oracle operators, we cannot:
Access or move your funds
Cancel your orders
Force liquidations at incorrect prices
See your private keys
We can only:
Publish prices to Hyperliquid
Those prices affect mark/liquidation calculations
Wallet Security
Your funds are secured by:
Non-Custodial Design
Your keys, your crypto — We never hold your private keys
Direct interaction — You sign transactions with your wallet
Hyperliquid custody — Funds held in HL smart contracts
Best Practices
Use hardware wallet — Ledger/Trezor via MetaMask
Verify transactions — Check what you're signing
Secure seed phrase — Never share, store offline
Separate wallets — Don't use main wallet for trading
Smart Contract Security
Hyperliquid Contracts
Rubicon trades on Hyperliquid's infrastructure:
Battle-tested with billions in volume
Multiple audits completed
Bug bounty program active
Our Contracts
Rubicon's oracle submission is off-chain:
No Rubicon smart contracts
No additional contract risk
Relies entirely on Hyperliquid
Risk Vectors
Oracle Risks
Price manipulation
Multiple sources, validation
Oracle downtime
Fallback chain, state persistence
Operator malice
Reputation, transparency
Key compromise
Secure key management
Market Risks
Liquidation
Use appropriate leverage
Gap risk
Reduce overnight positions
Funding costs
Monitor rates
Low liquidity
Use limit orders
Technical Risks
HL downtime
Outside our control
API issues
Retry logic, alerts
Network congestion
Hyperliquid handles
Incident Response
If Oracle Fails
System automatically uses fallback sources
Cache used for brief outages (60s max)
Alerts notify operations team
Manual intervention if extended
If Compromise Suspected
Oracle immediately paused
Investigation initiated
Users notified via all channels
Remediation implemented
Audit Status
Hyperliquid contracts
Audited (multiple firms)
Rubicon oracle code
Internal review
External audit
Planned
Bug Bounty
Report security issues:
Email: security@rubiconmarkets.com
Responsible disclosure appreciated
Rewards for valid findings
Security Checklist for Users
Before trading:
Last updated