# Security We ensure that GroupFi is fully decentralized and, most importantly, safe to use. Here's why: #### Open source: Both the GroupFi protocol and trollbox are open-source. You can always verify our code on GitHub and raise your questions and concerns there. {% embed url="" %} #### Data encrpytion The [groups](/introduction/group-overview.md) in GroupFi are formed using inmutable on-chain data only, such as token holdings and NFT ownership. Messages in the private groups are directionally encrypted, and can only be decrpted by the members in the group. Here are the details: Given identity *Px*, who owns NFTs under collection *NCy* together with a group of identities *PA*= *{P1, P2, P3, … Pn}*, *Px* can share messages with *PA* with the following steps.
Shared 1. Topic/Group discovery Given the list of current owned NFTs for Px, show the virtual group for each NFT collection.For each collection, show preview of the very recent message.Hide collections without messages. 2. Group membership discovery Given the NFT collection, locate the current identities (addresses) of owners, as *{P1, …, Pn}* with *{{PubKey1, PriKey1}, … {PubKeyn, PriKeyn}}* as their crypto keys.\ Sender 1. Message *m* provided by *Px* 2. Data encryption key preparation. An encryption key Ks is randomly generated by *Px*. 3. Message payload construction\ a. *Payload\_PartA* = {schema\_version, type, recipients\_count}\ b. *Payload\_PartB = \[(P1, encrypt(Ks, PubKey1)), …, (Pn, encrypt(Ks, PubKeyn))]*\ c*. Payload\_PartC = encrypt(Ks, m)*\ d. *Payload=Payload\_PartA+PayloadPartB+PayloadPartC*
4. Message is posted to crypto network\ a. sign by *Px*\ b. tagged with *{magic\_prefix, unique-nft-collection-id}* \ Receiver 1. Subscribe to events\ a. Listen to messages with *{magic\_prefix, unique-nft-collection-id}* tag 2. Decrypt message\ a. Locate *(Px, encrypt(Ks, PubKeyx))* and decrypt *Ks* with *PriKeyx*\ b*.* Decrypt *encrypt(Ks, m)* with *Ks* #### SDK Security: The primary security goals of our open-source Web3 messaging protocol SDK include confidentiality, integrity, availability, authentication, and non-repudiation. Our protocol aims to ensure that all messages are s**ecurely encrypted, properly authenticated, and tamper-proof**, providing users with a secure and reliable messaging experience. Identified potential threats include man-in-the-middle attacks, data breaches, denial-of-service attacks, unauthorized access, and on-chain data retrieval vulnerabilities. Accordingly, we mitigate these threats through robust cryptographic techniques and secure coding practices. Compared to existing Web2 solutions replying on centralized servers, our protocol offers a higher level of security of privacy by leveraging blockchain technology such that **no single entity can control or access the communications**. We are committed to continuous improvement and are exploring additional features such as quantum-resistant cryptography and more advanced privacy-preserving techniques to further enhance the security and resilience of our protocol.

Image Source: Freepik

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://faqs.groupfi.ai/security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.