Security Model
Core Principles
On-chain Privacy
- Balances are encrypted using FHE
- Transfer amounts are never visible on-chain
- Only encrypted handles are stored publicly
Trustless Verification
- Server cannot fabricate payments
- Amount handles extracted directly from blockchain
- Client cannot lie about payment amounts
Minimal Authorization
- Decryption signatures scoped to specific contracts
- Time-limited authorization (default 365 days)
- Ephemeral keys for decryption operations
Security Flow
Handle Extraction
Transaction Receipt
|
v
Extract ConfidentialTransfer Event
|
v
Get Encrypted Handle (from chain, not client)
|
v
Verify Recipient Address
The facilitator extracts the encrypted handle directly from the blockchain, preventing clients from providing fake handles.
Decryption Authorization
The decryption signature contains:
| Field | Purpose |
|---|---|
| signature | User's wallet signature |
| publicKey | Ephemeral public key |
| privateKey | Ephemeral private key |
| contractAddresses | Authorized contracts |
| startTimestamp | Authorization start |
| durationDays | Validity period |
The privateKey is an ephemeral key, not the user's wallet key.
Verification Checks
The facilitator performs these security checks:
- Schema Validation: Request structure matches expected format
- Network Match: Payload network matches requirements
- Transaction Exists: Receipt found on blockchain
- Event Found: ConfidentialTransfer event in logs
- Recipient Match: Transfer sent to correct payTo
- Sender Match: Transfer from authorized user
- Contract Authorization: Token in user's authorized list
- Amount Sufficient: Decrypted amount >= required
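The check sequence above, as an added example rather than the project's own code: the ConfidentialTransfer event layout, the field names, the decrypt callback and the topic hash are assumptions, and the receipt, addresses and handle are constructed.

```typescript
// Added example, not the project's own code. Models the facilitator-side checks
// listed above; event layout, field names and the decrypt callback are assumptions.
type Log = { address: string; topics: string[]; data: string };
type Receipt = { txHash: string; logs: Log[] };
type Requirements = { network: string; payTo: string; token: string; amount: number };
type Auth = { contractAddresses: string[]; startTimestamp: number; durationDays: number };
type Decrypt = (handle: string) => number; // FHE decryption under the user's authorization
type Result = { ok: boolean; reason?: string };

// Assumed event shape: ConfidentialTransfer(address indexed from, address indexed to, bytes32 handle)
const TRANSFER_TOPIC = "0xTOPIC_PLACEHOLDER"; // placeholder, not the real event signature hash
const addrFromTopic = (t: string) => ("0x" + t.slice(-40)).toLowerCase();

function verifyPayment(network: string, receipt: Receipt | null, req: Requirements,
                       sender: string, auth: Auth, decrypt: Decrypt, seen: Set<string>, now: number): Result {
  if (network !== req.network) return { ok: false, reason: "network mismatch" };
  if (!receipt) return { ok: false, reason: "transaction not found" };
  if (seen.has(receipt.txHash)) return { ok: false, reason: "replayed transaction" };
  // The handle comes from the chain log of the expected token contract, never from the client.
  const log = receipt.logs.find(l => l.address.toLowerCase() === req.token.toLowerCase()
                                  && l.topics[0] === TRANSFER_TOPIC);
  if (!log) return { ok: false, reason: "ConfidentialTransfer event not found" };
  if (addrFromTopic(log.topics[2] ?? "") !== req.payTo.toLowerCase()) return { ok: false, reason: "recipient mismatch" };
  if (addrFromTopic(log.topics[1] ?? "") !== sender.toLowerCase()) return { ok: false, reason: "sender mismatch" };
  if (!auth.contractAddresses.some(a => a.toLowerCase() === req.token.toLowerCase()))
    return { ok: false, reason: "contract not in authorized list" };
  const expiry = auth.startTimestamp + auth.durationDays * 86_400;
  if (now < auth.startTimestamp || now > expiry) return { ok: false, reason: "authorization not valid now" };
  if (decrypt(log.data) < req.amount) return { ok: false, reason: "amount insufficient" };
  seen.add(receipt.txHash); // remember the hash so the same receipt cannot be presented twice
  return { ok: true };
}

// Constructed sample data (placeholder addresses, handle and network name).
const MERCHANT = "0x" + "a".repeat(40), USER = "0x" + "b".repeat(40), TOKEN = "0x" + "c".repeat(40);
const pad = (addr: string) => "0x" + "0".repeat(24) + addr.slice(2); // 32-byte indexed topic
const REQ: Requirements = { network: "testnet", payTo: MERCHANT, token: TOKEN, amount: 100 };
const AUTH: Auth = { contractAddresses: [TOKEN], startTimestamp: 1_700_000_000, durationDays: 365 };
const RECEIPT: Receipt = { txHash: "0xtx1", logs: [
  { address: TOKEN, topics: [TRANSFER_TOPIC, pad(USER), pad(MERCHANT)], data: "0xhandle1" } ] };
// Stand-in for the FHE decrypt: maps the constructed handle to a plaintext amount.
const fakeDecrypt: Decrypt = h => (h === "0xhandle1" ? 150 : 0);
```

Each rejection names the failed check so a merchant can store the result for auditing, as recommended below.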
Threat Mitigation
Client Manipulation
| Threat | Mitigation |
|---|---|
| Fake transaction | Handle extracted from chain |
| Wrong amount | Server decrypts and verifies |
| Replay attack | Transaction hash uniqueness |
Server Attacks
| Threat | Mitigation |
|---|---|
| Fabricate payment | Cannot decrypt without signature |
| Scope creep | Contract addresses limited |
| Long-term access | Time-limited authorization |
Best Practices
For Merchants
- Verify facilitator responses server-side
- Store verification results for auditing
- Use HTTPS for all endpoints
For Users
- Review authorized contracts before signing
- Use short authorization periods for testing
- Revoke old signatures when changing wallets