Security

We ensure that GroupFi is fully decentralized and, most importantly, safe to use. Here's why:

Open source:

Both the GroupFi protocol and trollbox are open-source. You can always verify our code on GitHub and raise your questions and concerns there.

GitHub - TanglePay/GroupFi-ChatboxGitHub

Data encrpytion

The groups in GroupFi are formed using inmutable on-chain data only, such as token holdings and NFT ownership. Messages in the private groups are directionally encrypted, and can only be decrpted by the members in the group. Here are the details:

Given identity Px, who owns NFTs under collection NCy together with a group of identities PA= {P1, P2, P3, … Pn}, Px can share messages with PA with the following steps.

Shared

1. Topic/Group discovery

Given the list of current owned NFTs for Px, show the virtual group for each NFT collection.For each collection, show preview of the very recent message.Hide collections without messages.

2. Group membership discovery

Given the NFT collection, locate the current identities (addresses) of owners, as {P1, …, Pn} with {{PubKey1, PriKey1}, … {PubKeyn, PriKeyn}} as their crypto keys. Sender

1. Message m provided by Px

2. Data encryption key preparation.

An encryption key Ks is randomly generated by Px.

3. Message payload construction a. Payload_PartA = {schema_version, type, recipients_count} b. Payload_PartB = [(P1, encrypt(Ks, PubKey1)), …, (Pn, encrypt(Ks, PubKeyn))] c. Payload_PartC = encrypt(Ks, m) d. Payload=Payload_PartA+PayloadPartB+PayloadPartC

4. Message is posted to crypto network a. sign by Px b. tagged with {magic_prefix, unique-nft-collection-id}

Receiver

1. Subscribe to events a. Listen to messages with {magic_prefix, unique-nft-collection-id} tag

2. Decrypt message a. Locate (Px, encrypt(Ks, PubKeyx)) and decrypt Ks with PriKeyx b. Decrypt encrypt(Ks, m) with Ks

SDK Security:

The primary security goals of our open-source Web3 messaging protocol SDK include confidentiality, integrity, availability, authentication, and non-repudiation.

Our protocol aims to ensure that all messages are securely encrypted, properly authenticated, and tamper-proof, providing users with a secure and reliable messaging experience. Identified potential threats include man-in-the-middle attacks, data breaches, denial-of-service attacks, unauthorized access, and on-chain data retrieval vulnerabilities. Accordingly, we mitigate these threats through robust cryptographic techniques and secure coding practices.

Compared to existing Web2 solutions replying on centralized servers, our protocol offers a higher level of security of privacy by leveraging blockchain technology such that no single entity can control or access the communications. We are committed to continuous improvement and are exploring additional features such as quantum-resistant cryptography and more advanced privacy-preserving techniques to further enhance the security and resilience of our protocol.