Security

Threat model

A verification registry only works if the adversary can't game it. Here's our threat model and what we do about it.

1. Publishers lying about scores

Mitigation: Publishers cannot self-report a score. Every Verified listing carries a run signed by an allowlisted attestor whose public key is published on-chain, so a consumer checks the signature against the on-chain allowlist instead of trusting the listing itself.

2. Attestor collusion with publisher

Mitigation: Attestors post an ETH stake (at least 1 ETH). Any third party can dispute a run, and an upheld dispute slashes the attestor's stake, so collusion only pays when the expected gain exceeds what the attestor stands to lose. For sensitive categories we require 2-of-3 attestors to agree on the result (quorum mode), so a single colluding attestor cannot produce a Verified listing on its own.

3. Benchmark contamination (model saw the eval)

Mitigation: Dataset hashes are pinned, so a run can be checked against the exact dataset it claims to have used. Benchmarks we consider contaminated (e.g. HumanEval) are flagged rather than removed; downstream consumers can filter on the flag. New benchmarks use contamination-resistant approaches (LCB, BrowseComp).

4. Methodology drift

Mitigation: The runner repo is pinned at a specific commit hash, so a score is only comparable with scores produced by the same runner code. A new benchmark version is a new benchmark; old runs don't transfer.

5. Service spoofing benchmark runs

(e.g. a service detects that it is being benchmarked and switches to a better model)

Mitigation: Attestors never announce that they are running a benchmark, and benchmark requests are interleaved with real traffic so they do not stand out from ordinary use. Signatures cover the full request+response pairs, not just the score, so a disputed result can be checked against the exact exchanges that produced it.

6. Proof system vulnerabilities

Mitigation: We support multiple proof systems (SP1, Risc0, Halo2, Groth16). If a vulnerability is found in one, publishers can re-attest with another, so a single proof-system bug does not invalidate the registry. Aligned's operator set provides defense in depth.

7. Aligned Layer itself being compromised

Mitigation: Aligned's operator set is secured by BLS aggregate signatures and economic security. We mirror batch IDs in our own database for defense in depth. In the worst case (Aligned halted), new runs cannot be verified, but existing verified runs remain provable.
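The checks from items 1 to 5 (allowlisted attestor key, pinned dataset hash and runner commit, a signature over the full request/response transcript, and 2-of-3 quorum) can be written as one consumer-side verifier. The following is an added example for this page, not benchlist.ai's implementation: the record schema and field names, the Ed25519 signature scheme, JSON as the canonical signed encoding, and the sample hash and commit values in main are all assumptions or constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Exchange is one request/response pair; every pair sits under the signature, not just the score.
type Exchange struct{ Request, Response string }

// Run is the record an attestor signs. Field names are assumptions for this example.
type Run struct {
	Benchmark, DatasetSHA256, RunnerCommit string // pinned dataset hash and runner commit
	Score                                  float64
	Exchanges                              []Exchange
}

// SignedRun carries the attestor's key and signature. Ed25519 is an assumption; the page names no scheme.
type SignedRun struct {
	Run       Run
	Attestor  ed25519.PublicKey
	Signature []byte
}

// Pin and Registry are the consumer's copy of on-chain state: allowlisted keys (hex) and per-benchmark pins.
type Pin struct{ DatasetSHA256, RunnerCommit string }
type Registry struct {
	Allowlist map[string]bool
	Pins      map[string]Pin
}

// canonical is the signed byte string; encoding/json emits struct fields in declaration order, so it is deterministic.
func canonical(r Run) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // only a NaN or Inf score can fail here
	}
	return b
}

// NewAttestor generates a key pair and returns it with its hex key id.
func NewAttestor() (ed25519.PrivateKey, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, hex.EncodeToString(pub)
}

// SignRun is the attestor side: one signature over the score and the full transcript.
func SignRun(r Run, priv ed25519.PrivateKey) SignedRun {
	return SignedRun{Run: r, Attestor: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, canonical(r))}
}

// VerifyRun checks allowlisted attestor, pinned dataset and runner, non-empty transcript and signature.
func (reg Registry) VerifyRun(sr SignedRun) error {
	if !reg.Allowlist[hex.EncodeToString(sr.Attestor)] {
		return fmt.Errorf("attestor key is not on the allowlist")
	}
	pin, ok := reg.Pins[sr.Run.Benchmark]
	switch {
	case !ok || sr.Run.DatasetSHA256 != pin.DatasetSHA256:
		return fmt.Errorf("dataset hash does not match the pin for %q", sr.Run.Benchmark)
	case sr.Run.RunnerCommit != pin.RunnerCommit:
		return fmt.Errorf("runner commit does not match the pin; a new version is a new benchmark")
	case len(sr.Run.Exchanges) == 0:
		return fmt.Errorf("run carries no request/response pairs")
	case !ed25519.Verify(sr.Attestor, canonical(sr.Run), sr.Signature):
		return fmt.Errorf("signature does not cover this exact record")
	}
	return nil
}

// VerifyListing is quorum mode: accept a score only when at least quorum distinct allowlisted
// attestors signed valid runs reporting it. Invalid runs are skipped; one attestor counts once.
func (reg Registry) VerifyListing(runs []SignedRun, quorum int) (float64, error) {
	seen, votes := map[string]bool{}, map[float64]int{}
	for _, sr := range runs {
		k := fmt.Sprintf("%g|%x", sr.Run.Score, sr.Attestor) // one vote per (score, attestor)
		if reg.VerifyRun(sr) != nil || seen[k] {
			continue
		}
		seen[k] = true
		votes[sr.Run.Score]++
	}
	for s, n := range votes { // with 2-of-3 at most one score can reach quorum
		if n >= quorum {
			return s, nil
		}
	}
	return 0, fmt.Errorf("no score reached a quorum of %d distinct attestors", quorum)
}

func main() { // constructed demo values, not real hashes or commits
	priv, id := NewAttestor()
	reg := Registry{Allowlist: map[string]bool{id: true}, Pins: map[string]Pin{"lcb": {"dataset-sha256", "3f2a9c1"}}}
	sr := SignRun(Run{"lcb", "dataset-sha256", "3f2a9c1", 0.62, []Exchange{{"prompt", "answer"}}}, priv)
	fmt.Println("valid:", reg.VerifyRun(sr))
	sr.Run.Exchanges[0].Response = "edited after signing"
	fmt.Println("tampered:", reg.VerifyRun(sr))
}
```

Note what each check catches: a key that is not on the allowlist fails before any signature work; editing one response after signing breaks the signature even though the score is untouched, which is why the transcript and not just the score must be signed; a run from an older runner commit is rejected rather than silently compared; and in quorum mode the same attestor signing twice still counts once, so 2-of-3 cannot be met by one colluding attestor. Agreement is modelled here as an identical score; a deployment would more likely compare a hash of the result set.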

Disclosure

Found a security issue? Email security@benchlist.ai, encrypted to PGP key 6F4A 8D21 E7B2 C9F4. We commit to an initial response within 24 hours and a fix within 7 days for P0/P1 issues. Critical on-chain bugs are eligible for bounties via Immunefi.

Compliance

SOC 2 Type I is in audit (target: Q4 2026), with Type II targeted for Q2 2027. Penetration tests are performed quarterly by Cure53. A DPA is available on request.