Security Model
Cryptographic Security
| Property | Guarantee | Mechanism |
|---|---|---|
| Double-spend prevention | On-chain | Nullifier set in the pool contract: once a nullifier is recorded it is never removed, so a second spend of the same note is rejected deterministically |
| Proof soundness | Computational | Groth16 knowledge soundness over BN254; the proof is in the generic bilinear group model (not plain discrete log) and additionally relies on the circuit-specific trusted setup having been run honestly |
| Zero-knowledge | Perfect | Groth16 simulator indistinguishability: simulated proofs are distributed identically to real ones |
| Commitment hiding | Computational | Poseidon2 preimage resistance together with a high-entropy blinding factor in each commitment |
| Nullifier unlinkability | Computational | Poseidon2 with domain separation: the nullifier is derived under a different tag than the commitment, so the two cannot be linked without the note's secret |
| Front-running protection | In-circuit, checked on-chain | extDataHash (hash of recipient and amount) is a public input of the proof; the contract checks it against the submitted recipient and amount, so a relayer cannot substitute either |
| ASP compliance | In-circuit, checked on-chain | Association Set Provider membership/non-membership proofs are verified inside the circuit |
Storage Security
| Data | Protection |
|---|---|
| Agent private keys | AES-256-GCM encrypted in SQLite, per-field key derivation via HMAC-SHA256 |
| Agent notes (amount, blinding) | AES-256-GCM encrypted, agent-specific keys |
| Master encryption key | Generated on first run, stored in data/secrets.env; protected only by file-system permissions, so it does not defend against an attacker who already has access to the host |
| JWT secret | Persisted in data/secrets.env, not in environment variables |
Log Privacy
The proxy never logs:
- Public keys or wallet addresses
- Transaction hashes
- Agent IDs
- Any data that enables correlation between agents and services
Logs contain only aggregate counts, timing information and generic status messages.
Audit Status
| Component | Status |
|---|---|
| Soroban contracts | Not audited |
| Circom circuits | Not audited (forked from Nethermind’s audited design) |
| Proxy application | Not audited |
| WASM prover | Based on ark-groth16 (audited library) |
| Cryptographic primitives | BN254 and Poseidon2 via Stellar Protocol 25 host functions (SDF-maintained) |
Known Attack Vectors
| Attack | Mitigated? | How |
|---|---|---|
| Malicious proof submission | Yes | On-chain Groth16 verification rejects invalid proofs |
| Double-spend | Yes | On-chain nullifier set |
| Stale root attack | Yes | 90-entry root ring buffer; a proof built against a root that has been evicted from the buffer is rejected |
| Amount correlation | Partial | Batching helps; decoy transactions planned for roadmap |
| Timing correlation | Partial | Batch window; jitter planned for roadmap |
| Compromised operator | Partial | Encrypted storage, but the master key lives on the same host; FROST threshold signing (MPC) planned for roadmap |
| Front-running | Yes | extDataHash is a public input of the circuit, so recipient and amount cannot be changed without invalidating the proof |
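The on-chain checks behind the Cryptographic Security table and the Known Attack Vectors table, as an added model (this is not the project's Soroban contract or Circom circuit): commitment and nullifier derived from the same secret under separate domain tags, extDataHash as a public input that the pool checks against the submitted recipient and amount, a 90-entry root ring buffer, and a permanent nullifier set. SHA-256 stands in for Poseidon2 so the model runs on the Go standard library; the Groth16 pairing check itself is assumed to pass and is not modelled; `Note`, `Pool`, `PublicInputs`, `LeafRoot` and the single-leaf "tree" are all assumptions of this example, not names from the project.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// H stands in for Poseidon2 (assumption: the real pool uses the Protocol 25 host
// function). The domain tag is absorbed first, so one secret hashed under
// "commit" and under "nullify" gives unrelated outputs.
func H(domain string, parts ...[]byte) [32]byte {
	hh := sha256.New()
	hh.Write([]byte(domain + "\x00"))
	for _, p := range parts {
		hh.Write(p)
	}
	var out [32]byte
	copy(out[:], hh.Sum(nil))
	return out
}

func u64(v uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, v)
	return b
}

// Note is what the agent keeps off-chain: amount, spending secret, blinding.
type Note struct {
	Amount           uint64
	Secret, Blinding [32]byte
}

// Commitment goes into the on-chain tree; the blinding factor makes it hiding.
func Commitment(n Note) [32]byte { return H("commit", u64(n.Amount), n.Secret[:], n.Blinding[:]) }
// Nullifier is revealed on spend. Separate domain, no amount or blinding: it
// cannot be matched to a commitment without the secret.
func Nullifier(n Note) [32]byte { return H("nullify", n.Secret[:]) }
// ExtDataHash is the public input tying a withdrawal to amount and recipient.
func ExtDataHash(recipient string, amount uint64) [32]byte {
	return H("extdata", u64(amount), []byte(recipient))
}
// LeafRoot stands in for the Merkle root after an insert (no Merkle path modelled).
func LeafRoot(c [32]byte) [32]byte { return H("root", c[:]) }

// PublicInputs are the proof's public signals. The Groth16 pairing check is
// assumed to pass; the model covers the state checks the contract makes around it.
type PublicInputs struct{ Root, Nullifier, ExtDataHash [32]byte }

// Prove is the agent side: the public inputs an honest proof for n carries.
func Prove(n Note, root [32]byte, recipient string, amount uint64) PublicInputs {
	return PublicInputs{root, Nullifier(n), ExtDataHash(recipient, amount)}
}

const RootHistory = 90 // entries in the on-chain root ring buffer

// Pool models contract state: recent roots (unused slots stay zero) and the permanent nullifier set.
type Pool struct {
	roots [RootHistory][32]byte
	idx   int
	spent map[[32]byte]bool
}

func NewPool() *Pool { return &Pool{spent: map[[32]byte]bool{}} }

// AddRoot records a root (a deposit); once full, the oldest entry is overwritten.
func (p *Pool) AddRoot(r [32]byte) {
	p.idx = (p.idx + 1) % RootHistory
	p.roots[p.idx] = r
}

// IsKnownRoot reports whether r is among the last RootHistory roots.
func (p *Pool) IsKnownRoot(r [32]byte) bool {
	for _, known := range p.roots {
		if known == r {
			return true
		}
	}
	return false
}

var ErrStaleRoot = errors.New("root not in recent history")
var ErrExtData = errors.New("extDataHash does not match recipient/amount")
var ErrDoubleSpend = errors.New("nullifier already spent")

// Withdraw runs the contract's checks in order, then records the nullifier permanently.
func (p *Pool) Withdraw(pi PublicInputs, recipient string, amount uint64) error {
	if !p.IsKnownRoot(pi.Root) {
		return ErrStaleRoot
	}
	if pi.ExtDataHash != ExtDataHash(recipient, amount) {
		return ErrExtData
	}
	if p.spent[pi.Nullifier] {
		return ErrDoubleSpend
	}
	// Groth16 verification of pi against the on-chain verifying key goes here.
	p.spent[pi.Nullifier] = true
	return nil
}
```

The order of checks matters for the failure modes in the table: a relayer who swaps the recipient is caught by the extDataHash comparison before the nullifier is consumed, a replay of an already-accepted proof fails on the nullifier set, and a proof whose root has been pushed out by 90 newer deposits fails on the ring buffer even though the proof itself is still mathematically valid.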