Continuous adversarial testing.
Methodology public, defenses layered, results measured. Every attack class against the verification pipeline, with attempt counts and pass rates rounded to prevent threshold inference.
Who we build against.
// ASSUMED CAPABILITIES
A well-resourced adversary with access to modern voice cloning (XTTS-v2, F5-TTS, ElevenLabs), generative models for biometric time-series, full source-code access to our public components (SDK, circuits, on-chain programs), unlimited wallets and devnet SOL, and days to weeks of time per attack campaign.
// OUT OF SCOPE
We do not assume the adversary can compromise user devices, mount physical hardware attacks on phones, or access our private defense-layer infrastructure. Those are separate threat categories covered by standard client-side hardening, hardware root-of-trust guidance, and infrastructure security practice respectively.
Three layers, one filter.
Defense in depth: cryptographic gate, statistical realism, behavioral coupling. Each tier is independent. An attack must pass all three to reach the chain.
Cryptographic gate
Zero-knowledge proofs of behavioral consistency. Groth16 proving system. Public verifier on Solana. Every verification produces a proof that the user's behavioral fingerprint is within a hidden Hamming distance threshold of their baseline, without revealing either fingerprint. Open source, auditable, verifiable on-chain.
Statistical distribution checks
Server-side validation of the 308-dimensional feature vector extracted from each verification. Multiple independent checks verify that the statistical properties of extracted features are consistent with human physiology, not synthetic generation. Specific checks and threshold values are not published.
Behavioral coupling signals
Time-series analysis of phonation and kinematic signals sampled during capture. Real human speech and hand motion share motor-cortex origins and produce measurable temporal coupling at short lags; independent synthesis does not. Enforcement has been live in production since April 2026, calibrated against a two-wave red team study that isolated the layer's specific contribution to voice-replay rejection.
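The short-lag coupling idea behind the third layer can be illustrated with a lagged cross-correlation between a voice envelope and a motion trace. This is an added example, not Entros code or its actual check: the signals are constructed, and `MIN_COUPLING`, `peak_coupling`, and `looks_independent` are hypothetical names and values.

```python
import math
import random

MIN_COUPLING = 0.3  # hypothetical decision threshold, not a published Entros value

def pearson(a, b):
    """Pearson correlation of two equal-length sequences (0.0 if either is flat)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b) if var_a > 0 and var_b > 0 else 0.0

def peak_coupling(voice, motion, max_lag):
    """Return (lag, r) with the largest |r| over lags in [-max_lag, max_lag].

    A positive lag means motion trails voice by that many samples.
    """
    n = len(voice)
    best_lag, best_r = 0, 0.0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            a, b = voice[:n - lag], motion[lag:]
        else:
            a, b = voice[-lag:], motion[:n + lag]
        r = pearson(a, b)
        if abs(r) > abs(best_r):
            best_lag, best_r = lag, r
    return best_lag, best_r

def constructed_capture(coupled, n=2000, lag=3, seed=7):
    """Constructed sample data: a voice envelope and a motion trace."""
    rng = random.Random(seed)
    voice = [rng.gauss(0, 1) for _ in range(n)]
    noise = [rng.gauss(0, 1) for _ in range(n)]
    if not coupled:
        return voice, noise  # independently generated streams
    # Motion partly driven by the voice signal `lag` samples earlier.
    motion = [(voice[t - lag] if t >= lag else 0.0) + noise[t] for t in range(n)]
    return voice, motion

def looks_independent(voice, motion, max_lag=5):
    """Flag a capture whose streams show no short-lag coupling."""
    _, r = peak_coupling(voice, motion, max_lag)
    return abs(r) < MIN_COUPLING
```
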
How we test our defenses.
An internal adversarial harness runs continuously against production. Eight attack tiers ordered by sophistication. Each campaign generates hundreds to thousands of bot attempts, measures pass rates per defense layer, and feeds results into threshold calibration.
| Tier | Attack class | Tests defense against |
|---|---|---|
| T1 | Procedural synthesis (script-kiddie baseline) | Absolute attacker floor |
| T2 | Parameter-varied procedural | Tier 1 statistical consistency checks |
| T3 | Feature-space optimization with source access | Tier 1 distributional realism |
| T4a | Pre-recorded human voice + procedural motion/touch | Cross-modal temporal coupling (Tier 2) |
| T4b | Modern voice cloning (XTTS-v2, F5-TTS, API-based) | Tier 1 TTS artifact detection |
| T5 | Coupled cross-modal synthesis | Tier 2 temporal coupling |
| T6 | Targeted human-mimicry / identity theft | Hamming distance gate + Sybil registry |
| T7 | Replay with adversarial perturbation | Min-distance floor + commitment registry |
| T8 | Black-box adaptive probing | Rate limits + response opacity |
Attack implementation code, per-attempt telemetry, and parameter values that produce elevated pass rates are kept in a private repository—methodology public, weapons private.
Current measurements.
Pass rate is the fraction of bot attempts that pass server-side Tier 1 validation—the gate preceding on-chain submission. An attempt that fails Tier 1 cannot proceed to challenge fetch, proof generation, or transaction submission.
| Tier | Description | Attempts | Pass | Status |
|---|---|---|---|---|
| T1 | Procedural synthesis | 2,000 | 0% | hardened · 2026-03 |
| T2 | Multi-strategy parameter variation | 4,000 | 0% | hardened · 2026-03 |
| T3a | Unconstrained feature optimization | 1,000 | 0% | hardened · 2026-04 |
| T3b | Constrained feature optimization | 9,000 | 0% | hardened · 2026-04 |
| Campaign surfaced a gap in server-side feature validation. Hardened—see AUDIT.md. | | | | |
| T4a—Wave 1 | Pre-recorded human voice + procedural motion/touch (temporal enforcement OFF—log-only) | 50 | 100% | counterfactual baseline |
| T4a—Wave 2 | Pre-recorded human voice + procedural motion/touch (temporal enforcement ON) | 10 | 10% | production enforcement truth |
| Cross-program binding gap in update_anchor discovered during cross-analysis, patched same day—see AUDIT.md protocol-core Critical. | | | | |
| T4a—Wave 3 | Pre-recorded human voice + procedural motion/touch (temporal enforcement ON + phrase content binding ON) | 20 | 0% | phrase binding closes the residual |
| Whisper-based content matching against the server-issued challenge phrase rejects every attempt where the spoken audio doesn't match. Combined three-layer stack drops T4a from 100% → 10% → 0%. | | | | |
| T4a—Wave 4 | Wave 3 methodology at scale (N=1000) to tighten the statistical bound on the closed attack class | 1,000 | 0% | definitively closed |
| 1,000 of 1,000 attempts rejected at server-side validation by phrase content binding. 95% CI on the pass rate: [0%, 0.37%]. The pre-recorded-arbitrary-content attack class is closed at production scale. | | | | |
| // FRONTIER—NEXT WAVES | | | | |
| T4b | Real-time synthesized voice (XTTS-v2, F5-TTS, streaming TTS) | — | queued | next-phase |
| T5 | Coupled cross-modal synthesis | — | queued | next-phase |
| T6 | Targeted human-mimicry / identity theft | — | queued | next-phase |
| T7 | Replay-perturbed | — | queued | next-phase |
| T8 | Adaptive probing | — | queued | post-mainnet |
Last updated: April 26, 2026
// T4A—TWO-WAVE STUDY
T4a was designed as a multi-wave study to measure each defense layer's specific contribution against one canonical attack class. Wave 1 ran with temporal enforcement in log-only mode to establish the counterfactual baseline (100% pass). Wave 2 enabled cross-modal temporal coupling enforcement (10% pass—the 90 percentage-point reduction isolates that layer's contribution). Wave 3 enabled phrase content binding on top of temporal enforcement (0% pass—the final closure of the pre-recorded-arbitrary-content attack class). Wave 4 confirmed the result at scale (1,000 attempts, 0% pass, 95% CI [0%, 0.37%]). Combined defense stack drops T4a from 100% to 0%.
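The statistical bound quoted for Wave 4 can be reproduced, and compared with the smaller waves, using an exact (Clopper-Pearson) two-sided binomial interval. This is an added example, not part of the Entros harness; the pass counts are derived from the attempts and pass rates in the results table (for example, 10% of 10 attempts is 1 pass).

```python
import math

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), summed in log space to avoid underflow."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 1.0 if k >= n else 0.0
    log_p, log_q = math.log(p), math.log1p(-p)
    total = 0.0
    for i in range(k + 1):
        log_choose = math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
        total += math.exp(log_choose + i * log_p + (n - i) * log_q)
    return min(total, 1.0)

def _bisect(f, target):
    """Solve f(p) = target on [0, 1] for f decreasing in p."""
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if f(mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def clopper_pearson(passes, attempts, conf=0.95):
    """Exact two-sided binomial confidence interval on the true pass rate."""
    alpha = 1.0 - conf
    lower = 0.0 if passes == 0 else _bisect(
        lambda p: binom_cdf(passes - 1, attempts, p), 1.0 - alpha / 2)
    upper = 1.0 if passes == attempts else _bisect(
        lambda p: binom_cdf(passes, attempts, p), alpha / 2)
    return lower, upper

# (passes, attempts) derived from the T4a rows in the results table above.
WAVES = {"Wave 1": (50, 50), "Wave 2": (1, 10), "Wave 3": (0, 20), "Wave 4": (0, 1000)}

def wave_bounds():
    """Map each wave to its 95% interval on the true pass rate."""
    return {name: clopper_pearson(k, n) for name, (k, n) in WAVES.items()}

if __name__ == "__main__":
    for name, (lo, hi) in wave_bounds().items():
        print(f"{name}: 95% CI [{lo:.2%}, {hi:.2%}]")
```

The small waves leave wide intervals (an upper bound of roughly 17% for 0 of 20), which is why the 1,000-attempt wave is the one that tightens the bound to 0.37%.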
// ON-CHAIN ANCHOR STATE
The Entros Anchors currently visible on devnet include internal red team artifacts from T4a Waves 1–4 (documented above) alongside legitimate team and pilot-user verifications. All state is preserved on-chain for audit traceability; the public /stats page reads the full on-chain aggregate directly.
What we open-source, and why.
Entros is open-source where open-source matters for user trust, and deliberately private where privacy protects users. This is the same disclosure convention used across crypto infrastructure projects, and it is a mature implementation of open-source values, not a departure from them.
// OPEN—MIT LICENSED
- On-chain programs (entros-anchor, entros-verifier, entros-registry)
- ZK circuits and trusted setup artifacts
- Client SDK (pulse-sdk on npm)
- Executor node
- Website and documentation
- Security program page, blueprint documents, and aggregate results
- Baseline adversarial testing (script-kiddie tier in pulse-sdk)
// PRIVATE—DEFENSE LAYER
- Server-side validation service (entros-validation): check thresholds and parameter values
- Red-team harness (entros-redteam): attack code, per-attempt telemetry, captured baseline fixtures
- Pre-disclosure vulnerability reports (per standard responsible-disclosure practice)
Nothing that affects verifiable protocol behavior is private. Every on-chain transition, every cryptographic operation, every client-side computation is open and auditable. The private components are the detection surface an attacker would otherwise exploit to calibrate their attacks.
Reporting vulnerabilities.
- Contact: contact@entros.io
- Scope: On-chain programs, SDK, executor, validation service, website
- Response SLA: Acknowledgment within 48 hours, initial triage within 5 business days
- Safe harbor: Good-faith research is welcome. We will not pursue legal action against researchers acting within the scope of this policy.
- Attribution: Researchers credited in AUDIT.md and hall of fame upon fix deployment, unless anonymity requested.
- Bug bounty: Planned post-launch. Severity tiers and amounts TBD.