Security & Privacy

Cryptographic architecture and security best practices

Security Architecture

Styx Protocol is designed with privacy-by-default principles. All sensitive data is encrypted client-side before ever touching the blockchain. The protocol uses industry-standard cryptographic primitives that have been extensively audited.

Zero-Knowledge Design: The Styx protocol never sees unencrypted messages. All encryption/decryption happens locally in your application.

Encryption Stack

Four-layer cryptographic protection

Key Exchange

X25519 (Curve25519)

Elliptic curve Diffie-Hellman for perfect forward secrecy

Security: 128-bit security level

Symmetric Encryption

XChaCha20-Poly1305

AEAD cipher with 24-byte nonce for message encryption

Security: 256-bit keys

Message Authentication

Poly1305 MAC

Authenticates ciphertext to prevent tampering

Security: Included in AEAD

Envelope Wrapping

Styx Envelope V1

Multi-recipient envelope with ephemeral keys per message

Security: Compact 88-byte format

Styx Envelope V1 Format

Messages are wrapped in a compact 88-byte envelope that contains all necessary cryptographic material for decryption while revealing nothing about the content.

Offset	Size	Field	Description
0	1	Version	Envelope version (0x01)
1	1	Flags	Feature flags (stealth, anonymous)
2	32	Ephemeral PK	X25519 public key for key exchange
34	24	Nonce	XChaCha20 nonce
58	16	Auth Tag	Poly1305 authentication tag
74	N	Ciphertext	Encrypted message payload

Privacy Features

Stealth Addresses

One-time derived addresses prevent linking sender to recipient

Sender Anonymity

Optional sender concealment for anonymous messaging

Minimal On-chain Data

Only encrypted ciphertext stored - no metadata leakage

Forward Secrecy

Each message uses unique ephemeral keys

WhisperDrop Privacy Model

WhisperDrop uses Merkle trees to enable private airdrops without revealing the full recipient list on-chain.

What's Public

• Merkle root (32 bytes)
• Total token amount
• Expiration timestamp
• Campaign authority

What's Private

• Recipient addresses
• Individual allocations
• Merkle tree structure
• Total recipient count

Stealth Claiming: Recipients can optionally claim to a derived stealth address, breaking any link between their allocation and their public wallet.

Security Best Practices

CRITICAL

Never Log Private Keys

Never log, store in plaintext, or transmit private keys. Use secure enclaves when possible.

CRITICAL

Validate All Inputs

Always validate public keys, signatures, and decrypted data before processing.

HIGH

Use Secure RPC

Always use HTTPS for RPC connections. Use dedicated RPC providers like Helius for production.

MEDIUM

Rate Limit API Calls

Implement rate limiting to prevent abuse and protect your API keys.

MEDIUM

Rotate Keys Periodically

Rotate encryption keys and API keys on a regular schedule.

MEDIUM

Audit Dependencies

Regularly audit npm dependencies for known vulnerabilities.

Security Audits

Audit in Progress

Styx Protocol is currently undergoing security audits. While the cryptographic primitives used (X25519, XChaCha20-Poly1305) are well-established and battle-tested, the smart contract code has not yet received a formal third-party audit. Use in production at your own risk.

Bug Bounty Program

Found a security vulnerability? We offer CRED rewards for responsible disclosure.

10,000 CRED

Critical

5,000 CRED

High

1,000 CRED

Medium

Report vulnerabilities to: security@styx.finance