Security and trust

What the signer authorizes, what the VM does and does not check.

A plan runs arbitrary CPIs under your signature. That is powerful, so it is worth being precise about what PTBVM does and does not do on your behalf.

What the signer authorizes

When you sign an execute transaction, your key propagates to every inner call in the plan. Each step calls exactly the program and accounts encoded in the plan you signed. PTBVM does not add hidden steps: what compiles is what runs.

What the VM checks

  • Bounds. Register indices, splice offsets, and account indices are range-checked; out-of-range references revert.
  • The gate. Obligations opened in the plan must be closed, or the transaction reverts.
  • Atomicity. Any step failing reverts everything.

What the VM does not check

  • Semantics of the inner programs. PTBVM does not know what a swap or deposit means. If the plan you signed calls the wrong program, that is on the plan, not the VM.
  • Economic outcome. The VM guarantees piping and atomicity, not profit. Read the plan before you sign it.
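
A signer-side review pass, as an added example (not PTBVM code): the plan model, field names, obligation ids and program names below are hypothetical, since this page does not show the plan encoding. It repeats the bounds and gate checks offline and adds the program allowlist check that the VM leaves to the signer.

```rust
// Hypothetical, simplified plan model for illustration; not PTBVM's real encoding.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Finding {
    UnknownProgram { step: usize, program: String },
    AccountOutOfRange { step: usize, index: usize },
    UnclosedObligation { id: u32 },
}

pub struct Step {
    pub program: String,      // program the step will call via CPI
    pub accounts: Vec<usize>, // indices into the transaction's account list
    pub opens: Option<u32>,   // obligation opened by this step, if any
    pub closes: Option<u32>,  // obligation closed by this step, if any
}

/// Static review to run before signing; an empty result means no findings.
pub fn review(plan: &[Step], allow: &HashSet<&str>, n_accounts: usize) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut open: Vec<u32> = Vec::new();
    for (i, s) in plan.iter().enumerate() {
        // The VM does not judge which program is called, so the signer must.
        if !allow.contains(s.program.as_str()) {
            findings.push(Finding::UnknownProgram { step: i, program: s.program.clone() });
        }
        // Mirrors the VM's bounds check so a bad index is caught before submission.
        for &a in &s.accounts {
            if a >= n_accounts {
                findings.push(Finding::AccountOutOfRange { step: i, index: a });
            }
        }
        if let Some(id) = s.opens { open.push(id); }
        if let Some(id) = s.closes { open.retain(|&o| o != id); }
    }
    // Mirrors the gate: anything still open at the end would revert.
    findings.extend(open.into_iter().map(|id| Finding::UnclosedObligation { id }));
    findings
}

/// Constructed sample plan with one problem of each kind.
pub fn sample_plan() -> Vec<Step> {
    vec![
        Step { program: "SwapProgram".into(), accounts: vec![0, 1], opens: Some(1), closes: None },
        Step { program: "UnknownProgram".into(), accounts: vec![1, 5], opens: None, closes: None },
        Step { program: "VaultProgram".into(), accounts: vec![2], opens: Some(2), closes: Some(1) },
    ]
}
fn main() {
    let allow: HashSet<&str> = ["SwapProgram", "VaultProgram"].iter().copied().collect();
    println!("{:#?}", review(&sample_plan(), &allow, 3));
}
```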

In this section

  • FAQ: Short answers to the questions people ask first.