Security

Fail-closed identity

owner_address is an immutable protocol identity. State attached to one address cannot be retargeted to another address by any protocol message.

Message authorization

Ordinary messages require a delegated Ed25519 key with sufficient scope.

SIGNER_ADD and SIGNER_REMOVE are special-cased and derive authority from custody proofs.

STORAGE_CLAIM still requires finalized settlement verification, but its first successful application does not require delegated-key authorization. A duplicate replay of the same message remains settlement-first (settlement is verified before the marker is consulted) and marker-idempotent (an already-applied claim is not applied again).

Replay protection

  • signer management uses custody_nonce
  • ref updates and deletes use per-ref nonces
  • message hashes remain content-addressed BLAKE3 digests over canonical protobuf encoding

Removed ingress classes

V2 removes relay-era attack surface and ambiguity by rejecting the following message classes:

  • KEY_ADD
  • OWNERSHIP_TRANSFER
  • STORAGE_RENT
  • RELAY_SIGNER_ADD
  • RELAY_SIGNER_REMOVE

Validators do not inject Tempo events into blocks.
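The authorization, replay-protection and ingress-rejection rules above, modelled in one place as an added example; this is not code from this page or from the project. The Message fields, the kind names REF_UPDATE and REF_DELETE, the scope strings, the in-memory state layout and the fail-closed rejection of unknown kinds are assumptions. Signature verification of the delegated Ed25519 key and evaluation of the custody proof are treated as already done (the key_id and custody_proof_ok fields stand in for their results), so the example concentrates on the scope check, the two nonce domains, content-addressed hashing and the settlement-first, marker-idempotent STORAGE_CLAIM path.

```python
from dataclasses import dataclass
import hashlib

# The page specifies BLAKE3 digests. If the blake3 package is not installed this
# falls back to BLAKE2b, an assumption made only so the example runs offline.
try:
    from blake3 import blake3 as _blake3

    def message_hash(data: bytes) -> bytes:
        return _blake3(data).digest()
except ImportError:
    def message_hash(data: bytes) -> bytes:
        return hashlib.blake2b(data, digest_size=32).digest()

REMOVED_CLASSES = {"KEY_ADD", "OWNERSHIP_TRANSFER", "STORAGE_RENT",
                   "RELAY_SIGNER_ADD", "RELAY_SIGNER_REMOVE"}
SIGNER_MGMT = {"SIGNER_ADD", "SIGNER_REMOVE"}
# Hypothetical kind names for "ref updates and deletes" and the delegated-key
# scope each needs; the page names neither.
REF_OPS = {"REF_UPDATE": "ref:write", "REF_DELETE": "ref:delete"}


@dataclass(frozen=True)
class Message:
    kind: str
    owner_address: str
    nonce: int                          # custody_nonce for signer mgmt, per-ref nonce for ref ops
    ref: str = ""
    key_id: str = ""                    # delegated key the message is signed with (assumed field)
    scopes: frozenset = frozenset()     # scopes granted by SIGNER_ADD (assumed field)
    custody_proof_ok: bool = False      # outcome of an already-evaluated custody proof
    settlement_finalized: bool = False  # outcome of finalized settlement verification

    def canonical(self) -> bytes:
        # Stand-in for canonical protobuf encoding: fixed field order, no field omitted.
        return "|".join([self.kind, self.owner_address, str(self.nonce), self.ref,
                         self.key_id, ",".join(sorted(self.scopes))]).encode()


class Ingress:
    """In-memory model of per-owner state; assumed layout, not the project's."""

    def __init__(self):
        self.delegated_keys = {}    # (owner_address, key_id) -> set of scopes
        self.custody_nonce = {}     # owner_address -> highest custody_nonce applied
        self.ref_nonce = {}         # (owner_address, ref) -> highest per-ref nonce applied
        self.claim_markers = set()  # hashes of applied STORAGE_CLAIM messages
        self.applied = []           # content-addressed hashes of applied messages

    def apply(self, msg: Message) -> str:
        h = message_hash(msg.canonical())
        if msg.kind in REMOVED_CLASSES:
            return "rejected: removed ingress class"
        if msg.kind in SIGNER_MGMT:
            # authority derives from the custody proof, never from a delegated key
            if not msg.custody_proof_ok:
                return "rejected: custody proof"
            if msg.nonce <= self.custody_nonce.get(msg.owner_address, -1):
                return "rejected: custody_nonce replay"
            self.custody_nonce[msg.owner_address] = msg.nonce
            key = (msg.owner_address, msg.key_id)
            if msg.kind == "SIGNER_ADD":
                self.delegated_keys[key] = set(msg.scopes)
            else:
                self.delegated_keys.pop(key, None)
        elif msg.kind == "STORAGE_CLAIM":
            if not msg.settlement_finalized:    # settlement is checked first
                return "rejected: settlement not finalized"
            if h in self.claim_markers:         # duplicate: idempotent, not re-applied
                return "duplicate: already applied"
            self.claim_markers.add(h)
        elif msg.kind in REF_OPS:
            needed = REF_OPS[msg.kind]
            # keys are bound to one owner_address, so a key delegated for one
            # owner cannot act on state attached to another
            granted = self.delegated_keys.get((msg.owner_address, msg.key_id), set())
            if needed not in granted:
                return "rejected: no delegated key with scope " + needed
            slot = (msg.owner_address, msg.ref)
            if msg.nonce <= self.ref_nonce.get(slot, -1):
                return "rejected: per-ref nonce replay"
            self.ref_nonce[slot] = msg.nonce
        else:
            return "rejected: unknown message kind"  # fail closed (assumed policy)
        self.applied.append(h)
        return "applied"


def run_scenario() -> list:
    """Constructed message sequence exercising each rule; returns the outcomes."""
    ing = Ingress()
    alice, bob, main = "owner:alice", "owner:bob", "refs/heads/main"  # constructed values
    msgs = [
        Message("SIGNER_ADD", alice, 1, key_id="k1", scopes=frozenset({"ref:write"}), custody_proof_ok=True),
        Message("SIGNER_ADD", alice, 1, key_id="k2", scopes=frozenset({"ref:write"}), custody_proof_ok=True),
        Message("REF_UPDATE", alice, 1, ref=main, key_id="k1"),
        Message("REF_UPDATE", alice, 1, ref=main, key_id="k1"),  # byte-identical replay
        Message("REF_DELETE", alice, 2, ref=main, key_id="k1"),  # scope not granted
        Message("REF_UPDATE", bob, 1, ref=main, key_id="k1"),    # key not delegated for bob
        Message("STORAGE_CLAIM", alice, 0, settlement_finalized=False),
        Message("STORAGE_CLAIM", alice, 0, settlement_finalized=True),
        Message("STORAGE_CLAIM", alice, 0, settlement_finalized=True),  # duplicate
        Message("SIGNER_REMOVE", alice, 2, key_id="k1", custody_proof_ok=True),
        Message("REF_UPDATE", alice, 2, ref=main, key_id="k1"),  # key was removed
        Message("OWNERSHIP_TRANSFER", alice, 3),
    ]
    return [ing.apply(m) for m in msgs]
```

Two details of the scenario are worth noticing. The two STORAGE_CLAIM messages with settlement_finalized False and True hash identically, because that flag is not part of the message; the first is rejected at the settlement check and therefore leaves no marker, so the second applies and only the third is treated as an idempotent duplicate. And the delegated-key table is keyed by owner_address, so k1, delegated for owner:alice, is useless against state attached to owner:bob, which is the practical consequence of the fail-closed identity rule at the top of the page.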