# System Integrity Overview #### At a Glance * Audit: Quantstamp (January 2026) * Multisig: Distributed signer set, threshold enforced * Timelock: In progress (implementation underway) * Custody: Segregated accounts (ONyc SA) * Attestations: Apex Group (Monthly) #### Control Principles Failures in integrated protocols, contract execution, or individual keys are structurally contained and do not provide direct access to underlying collateral, reflecting a system designed to reduce common DeFi failure modes through three core constraints: {% stepper %} {% step %} **No single point of control** Critical actions require coordinated multisig approval. No single key or operator can unilaterally change parameters, upgrade contracts, or move funds. {% endstep %} {% step %} **Separation of execution and capital** Smart contracts enforce logic but do not custody underlying collateral. Capital is held in segregated accounts, preventing contract level exploits from accessing reserves. {% endstep %} {% step %} **Programmatic issuance and pricing** Minting and redemption are enforced by contract logic using predefined parameters. No external signer or offchain system can override pricing or supply constraints. {% endstep %} {% endstepper %} #### Protection by Design {% tabs %} {% tab title="Custody and Capital Segregation" %} Capital backing ONyc is held in legally segregated accounts and committed to collateralize reinsurance obligations. Collateral is not held in smart contracts and cannot be accessed through contract exploits. The collateral pool includes stablecoins, cash equivalents, and T-Bill exposure for liquidity and capital efficiency. {% hint style="info" icon="star" %} Sources * [Reinsurance Framework | Collateral Security and Segregation](https://docs.onre.finance/reinsurance-framework/collateral-security-and-segregation) * [For Capital Providers | Underlying Assets](https://docs.onre.finance/for-capital-providers/underlying-assets) {% endhint %} {% endtab %} {% tab title="Mint Authority and Control" %} The mint authority is a Program Derived Address (PDA), meaning issuance can only occur through program logic. No operator or private key can mint outside defined rules. {% hint style="info" icon="star" %} Sources: * [Token Configuration and Reference | Solana](https://docs.onre.finance/technical-resources/token-configuration-and-reference#solana) * [Solscan | ONyc Mint Authority](https://solscan.io/account/onreuGhHHgVzMWSkj2oQDLDtvvGvoepBPkqyaubFcwe) {% endhint %} {% endtab %} {% tab title="Risk Isolation" %} ONyc collateral is structurally separate from DeFi integrations. Activity in external protocols does not directly impact the underlying capital base. {% hint style="info" icon="star" %} Sources: * [For Capital Providers | Collateral Composition](https://docs.onre.finance/for-capital-providers/collateral-composition) * [ONyc in DeFi | DeFi Strategies](https://docs.onre.finance/onyc-in-defi/defi-strategies) {% endhint %} {% endtab %} {% endtabs %} #### System Mechanics {% tabs %} {% tab title="System Architecture" %} ONyc is a yield bearing token on Solana representing a proportional share of a regulated, segregated reinsurance account. The system separates onchain execution (minting, redemption, NAV), offchain underwriting and capital deployment, and custody of collateral in segregated insurance accounts. {% hint style="info" icon="star" %} Sources: * [Introduction | OnRe Tokenized Reinsurance](https://docs.onre.finance/introduction/onre-tokenized-reinsurance-onyc) * [X Article | Building on Real Risk, Not Synthetic Promises](https://x.com/nmcarv/status/2036144135690699030?s=20) {% endhint %} {% endtab %} {% tab title="Smart Contract Enforcement" %} Minting and redemption are enforced by contract logic using NAV based pricing derived from a base price, annual rate, and time component. No offchain service or external key determines issuance. A maximum supply cap is enforced at the contract level on every mint. {% hint style="info" icon="star" %} Sources: * [For Capital Providers | Minting ONyc](https://docs.onre.finance/for-capital-providers/minting-onyc) * [For Capital Providers | Redemptions](https://docs.onre.finance/for-capital-providers/redemptions) {% endhint %} {% endtab %} {% tab title="Oracle and Pricing Dependencies" %} NAV used for minting and redemption is computed from parameters stored within the contract. External providers such as Chainlink and Pyth support integrations and pricing inputs but do not control execution. {% hint style="info" icon="star" %} Sources: * [Technical Resources | Data Streams and Oracle Providers](https://docs.onre.finance/technical-resources/data-streams-and-oracle-providers) {% endhint %} {% endtab %} {% endtabs %} #### Controls {% tabs %} {% tab title="Multisig and Governance Controls" %} Administrative actions, including parameter updates, vault management, and contract changes, require multisig approval with a distributed signer set. Ownership transfers follow a two step proposal and acceptance process. Public multisig addresses are available [here](https://solscan.io/account/45YnzauhsBM8CpUz96Djf8UG5vqq2Dua62wuW9H3jaJ5#programMultisig) and [here](https://solscan.io/account/FvmhydbpHGQzMUp51GmhB1fwsrkyfmnRsTg7oPwDe25f#programMultisig). {% endtab %} {% tab title="Execution Controls" %} Critical actions require multisig approval across multiple signers. Timelocks and execution delays are being implemented to introduce a review window before changes take effect. Designated admin accounts retain the ability to activate a kill switch to pause specific operations in the event of abnormal activity. OnRe does not currently use durable nonces and follows standard Solana transaction execution flows, while evaluating additional sequencing and nonce based protections. {% endtab %} {% endtabs %} #### Operations and Oversight {% tabs %} {% tab title="Monitoring and Incident Response" %} Security operations include monitoring of onchain activity, governance actions, and execution flows. In the event of abnormal behavior, response mechanisms include multisig intervention and the ability to halt certain operations such as a kill switch. {% hint style="info" icon="star" %} Sources: * [Legal | KYC and AML Policy](https://docs.onre.finance/legal/kyc-and-aml-policy) {% endhint %} {% endtab %} {% tab title="Transparency and Verification" %} Smart contracts are publicly accessible. NAV, reserves, and portfolio composition are reported through transparency dashboards, supported by monthly attestations and independent audits. The most recent independent audit was completed by Quantstamp in January 2026. Ongoing transparency is supported through additional audits and attestations. {% hint style="info" icon="star" %} Sources: * [Github | OnRe Smart Contracts](https://github.com/onre-finance) * [For Insurers | Reporting](https://docs.onre.finance/for-insurers/reporting) * [Reinsurance Framework | Portfolio Makeup](https://docs.onre.finance/reinsurance-framework/portfolio-makeup) * [Security and Verification | Independent Audits](https://docs.onre.finance/legal/security-and-verification/independent-audits) * [Security and Verification | Independent Attestations](https://docs.onre.finance/legal/security-and-verification/independent-attestations) * [Security and Verification | SOC 2 Type II Certification](https://docs.onre.finance/legal/security-and-verification/compliance) {% endhint %} {% endtab %} {% tab title="Ongoing Enhancements" %} Current improvements include: * Timelock implementation * Evaluation of advanced nonce and sequencing mechanisms * Continued optimization of signer distribution External partners including Allez Labs, Accountable, and Apex Group support data integrity, verification, and attestation processes. {% hint style="info" icon="star" %} Sources: * [X | Allez Labs](https://x.com/AllezLabs) * [X | Accountable](https://x.com/AccountableData) * [X | Apex Group](https://x.com/ApexGlobalGroup) * [X Article | OnRe Partners with Apex Group](https://x.com/onrefinance/status/2009627351496487093?s=20) {% endhint %} {% endtab %} {% endtabs %} #### Risk and Disclosures {% tabs %} {% tab title="Primary Risk" %} The primary risk is underwriting risk. If claims exceed premium income, NAV may decline, including in extreme or correlated loss scenarios. {% hint style="info" icon="star" %} Sources: * [Reinsurance Framework | Claims and Risk Management](https://docs.onre.finance/reinsurance-framework/claims-and-risk-management) * [X Article | The OnRe Model](https://x.com/onrefinance/status/1985752775507267788) * [X Article | Why ONyc's Yield Doesn't Break When Markets Do](https://x.com/onrefinance/status/2016985779634049404) * [X Article | The Correlation Crisis](https://x.com/onrefinance/status/2019817587459387878) {% endhint %} {% endtab %} {% endtabs %} #### Summary ONyc is structured so that minting and redemption are enforced by contract logic, token supply cannot be expanded outside program rules, collateral is held outside of smart contracts in segregated accounts, and administrative actions require multisig approval. This design reduces common DeFi failure modes and concentrates risk in the underlying reinsurance exposure.