Security Model
horse.fun is built with security-first principles:VRF Randomness
Cryptographically secure, verifiable on-chain
Solana Security
Inherits Solana’s BFT consensus security
Checked Arithmetic
Rust checked math and Anchor account constraints
On-Chain Transparency
All operations verifiable
Threat Model
Considered Adversaries
- Financial adversary: Can place arbitrary entries
- Network adversary: Can observe transactions
- Collusion: Multiple players coordinating
- MEV searcher: Can reorder transactions
Not Considered
- Solana validator compromise (beyond BFT assumptions)
- Cryptographic breaks of VRF
- Protocol bugs (assume correct implementation)
Attack Vectors & Mitigations
Race Outcome Manipulation
Race Outcome Manipulation
Attack: Predict or influence race outcomesMitigation:
- VRF unpredictable before commit
- Cryptographic proof ensures validity
- No party can manipulate seed
Pari-Mutuel Pool Manipulation
Pari-Mutuel Pool Manipulation
Attack: Large entries to manipulate payout ratiosMitigation:
- Self-balancing system
- Heavy entries reduce own payout ratio
- 5% fee makes manipulation unprofitable
Jackpot Sniping
Jackpot Sniping
Attack: Capture jackpot payouts with minimal stake — out-positioning winners in an active race, or placing dust entries on every horse in near-empty races so any trigger landing there pays out aloneMitigation:
- The volume gate voids triggers in races below the minimum-volume threshold, turning the empty-race strategy into a recurring qualification cost with negative expected return
- Within eligible races, distribution requires a committed entry on the winning horse (placed BEFORE the VRF resolves), and the share scales with entry size — token holdings alone cannot capture the jackpot with a dust entry
- Stake weights are frozen at entry close, so observing a trigger on-chain during the race phase can change neither the boost nor the burn
- The token burn on wins consumes the winner’s staked tokens, rotating the advantage over time
Token Emission Exploitation
Token Emission Exploitation
Attack: Inflate volume to farm tokens and dominate jackpot distributionMitigation:
- Emission is volume-linked but capped per race
- Minting tokens requires paying the protocol fee on the committed volume, so farming is self-limiting
- The volume gate prevents self-generated low-volume races from recapturing their own jackpot contributions, keeping the effective cost of volume inflation at its full fee rate
- Jackpot burns (10% normal / 50% super) create deflationary pressure on large staked holders
Front-Running and Informed Late Entries
Front-Running and Informed Late Entries
Attack: MEV searchers reorder entries within a block; sophisticated players wait until the last moment to enter with full knowledge of the pool distributionMitigation and design position:
- All entries are committed before the VRF is requested, and entry ordering doesn’t affect outcomes or payouts — classic MEV extraction has no surface
- Late entries with full pool information are possible and deliberately so: probabilities and pool distributions are public to every participant by design, so a late player’s advantage is informational skill, not privileged access — the same dynamic as any pari-mutuel market, where payout ratios move until post time
- Value-seeking players sharpen the pools, and the protocol fee applies to them like everyone else
Sybil Attacks (Referrals)
Sybil Attacks (Referrals)
Attack: Create multiple identities for referral farmingMitigation:
- Referral rewards only 1% of volume
- Requires actual play (pays the 5% protocol fee)
- Self-referral unprofitable
Security Properties
Formal Guarantees
- Outcome Fairness: the finishing order follows the Plackett-Luce distribution induced by the permuted weights and is deterministically verifiable on-chain. Each horse wins with its assigned probability:
- Payout Correctness: every unit of the prize allocation is accounted for — paid to winners or routed to the buyback:
- Token Conservation: total supply equals the premint plus all volume-linked emissions, minus the burns from both sinks:
Implementation Security
- Smart Contract
- Testing
- Rust with Anchor framework
- Integer overflow protection
- Access control on admin functions
- Multi-sig wallet for upgrades
User Security Best Practices
Wallet Security
Wallet Security
- Use hardware wallets for large amounts
- Never share private keys
- Verify transaction details before approving
- Use reputable wallets (Phantom, Solflare)
Phishing Protection
Phishing Protection
- Always check URL (official: horse.fun)
- Never enter seed phrase on websites
- Beware of fake social media accounts
- Verify contract addresses
Risk Management
Risk Management
- Choose entry sizes appropriate to your budget
- Use proper position sizing (1-5% per race)
- Keep entry sizes consistent regardless of recent results
Incident Response
In case of security issues:- Report: security@horse.fun
- Emergency Pause: Multi-sig can pause the protocol if needed
- Community Alert: Immediate notification via all channels
Next Steps
VRF Technical
Deep dive into VRF security
Smart Contracts
Contract architecture
Economic Analysis
Expected value and protocol sustainability
FAQ
Common questions answered
