Security
Last updated
Last updated
We ensure that GroupFi is fully decentralized and, most importantly, safe to use. Here's why:
Both the GroupFi protocol and trollbox are open-source. You can always verify our code on GitHub and raise your questions and concerns there.
The groups in GroupFi are formed using inmutable on-chain data only, such as token holdings and NFT ownership. Messages in the private groups are directionally encrypted, and can only be decrpted by the members in the group. Here are the details:
Given identity Px, who owns NFTs under collection NCy together with a group of identities PA= {P1, P2, P3, … Pn}, Px can share messages with PA with the following steps.
Shared
Topic/Group discovery
Given the list of current owned NFTs for Px, show the virtual group for each NFT collection.For each collection, show preview of the very recent message.Hide collections without messages.
Group membership discovery
Given the NFT collection, locate the current identities (addresses) of owners, as {P1, …, Pn} with {{PubKey1, PriKey1}, … {PubKeyn, PriKeyn}} as their crypto keys. Sender
Message m provided by Px
Data encryption key preparation.
An encryption key Ks is randomly generated by Px.
Message payload construction a. Payload_PartA = {schema_version, type, recipients_count} b. Payload_PartB = [(P1, encrypt(Ks, PubKey1)), …, (Pn, encrypt(Ks, PubKeyn))] c. Payload_PartC = encrypt(Ks, m) d. Payload=Payload_PartA+PayloadPartB+PayloadPartC
Message is posted to crypto network a. sign by Px b. tagged with {magic_prefix, unique-nft-collection-id}
Receiver
Subscribe to events a. Listen to messages with {magic_prefix, unique-nft-collection-id} tag
Decrypt message a. Locate (Px, encrypt(Ks, PubKeyx)) and decrypt Ks with PriKeyx b. Decrypt encrypt(Ks, m) with Ks
The primary security goals of our open-source Web3 messaging protocol SDK include confidentiality, integrity, availability, authentication, and non-repudiation.
Our protocol aims to ensure that all messages are securely encrypted, properly authenticated, and tamper-proof, providing users with a secure and reliable messaging experience. Identified potential threats include man-in-the-middle attacks, data breaches, denial-of-service attacks, unauthorized access, and on-chain data retrieval vulnerabilities. Accordingly, we mitigate these threats through robust cryptographic techniques and secure coding practices.
Compared to existing Web2 solutions replying on centralized servers, our protocol offers a higher level of security of privacy by leveraging blockchain technology such that no single entity can control or access the communications. We are committed to continuous improvement and are exploring additional features such as quantum-resistant cryptography and more advanced privacy-preserving techniques to further enhance the security and resilience of our protocol.
