
Security Model

Security is not a feature you add at the end. It is a property of every design decision, every line of code, and every assumption you make. Here is how Specter keeps you safe — organized by threat category, with honest discussion of both strengths and limitations.


BFT Consensus Safety

Threat: A group of validators colludes to finalize invalid blocks, double-spend tokens, or censor transactions.

Protection: CometBFT provides Byzantine fault tolerance with the guarantee that the network remains safe as long as Byzantine validators control strictly less than one-third of the total voting power (validators are weighted by staked GHOST, not counted by head):

f < n/3 — the network tolerates up to f Byzantine validators out of n total when every validator has equal voting power; with unequal stake the same bound applies to the Byzantine share of total voting power.

An attacker would therefore need to control at least one-third of all staked GHOST to threaten consensus. With one-third the attacker can halt the chain or, by voting for two conflicting blocks at the same height, cause a fork; committing an invalid block outright requires more than two-thirds. Double-signing leaves evidence (two signed votes for the same height and round from the same key) that any node can verify, and the offending stake is slashed, which makes the attack economically destructive to the attacker.

Limitation: If one-third or more of the voting power goes offline at once (even without malice), the network halts until enough validators return, because a commit requires more than two-thirds of the voting power. This is a liveness issue, not a safety issue: no invalid state transition can occur, but the chain stops producing blocks.
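The thresholds above are easy to get wrong when validators have unequal stake, so here is a small stake-weighted calculator. It is an added example, not Specter or CometBFT code; the validator set and its voting powers are constructed for illustration, and the function names are this example's own. Note how a single large validator in the sample can already halt the chain, and how three of seven validators can commit any block on their own, even though three is less than half of the headcount.

```python
"""Stake-weighted BFT thresholds, as an added illustration (not Specter code).

CometBFT counts votes by voting power, not by validator headcount: safety holds
while Byzantine power is strictly below 1/3 of the total, and a block commits
only with strictly more than 2/3 of the total voting power. The validator set
below is constructed for the example.
"""
from __future__ import annotations

# Constructed sample set: name -> voting power. Total is 100 for easy reading.
VALIDATORS = {
    "val-a": 40, "val-b": 25, "val-c": 15, "val-d": 10,
    "val-e": 5, "val-f": 3, "val-g": 2,
}


def total_power(validators: dict[str, int]) -> int:
    return sum(validators.values())


def is_safe(validators: dict[str, int], byzantine: set[str]) -> bool:
    """Safety (no two conflicting commits) holds iff 3 * byzantine_power < total."""
    bad = sum(p for name, p in validators.items() if name in byzantine)
    return 3 * bad < total_power(validators)


def is_live(validators: dict[str, int], offline: set[str]) -> bool:
    """Blocks keep committing iff the online power is strictly more than 2/3."""
    online = sum(p for name, p in validators.items() if name not in offline)
    return 3 * online > 2 * total_power(validators)


def min_coalition(validators: dict[str, int], share_num: int, share_den: int,
                  strict: bool) -> list[str]:
    """Fewest validators (largest first) whose combined power reaches
    share_num/share_den of the total: strict=False means >=, strict=True means >.
    1/3 (>=) is the set that can halt the chain or, by double-voting, fork it;
    2/3 (>) is the set that can commit any block entirely on its own."""
    total = total_power(validators)
    acc, chosen = 0, []
    for name, power in sorted(validators.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(name)
        acc += power
        lhs, rhs = acc * share_den, share_num * total
        if (lhs > rhs) if strict else (lhs >= rhs):
            return chosen
    return chosen  # only reached for an empty or all-zero set


if __name__ == "__main__":
    print("can halt or fork the chain:", min_coalition(VALIDATORS, 1, 3, strict=False))  # ['val-a']
    print("can commit any block alone:", min_coalition(VALIDATORS, 2, 3, strict=True))   # ['val-a', 'val-b', 'val-c']
    print("safe with val-b and val-c Byzantine?", is_safe(VALIDATORS, {"val-b", "val-c"}))  # False
    print("live with val-a offline?", is_live(VALIDATORS, {"val-a"}))                        # False
```

The equal-weight case reduces to the page's f < n/3: four validators of power 1 tolerate one Byzantine validator and not two. The stake-weighted numbers are the ones worth publishing for a real validator set, since they tell operators how concentrated the power actually is.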

Zero-Knowledge Proof Soundness

Threat: An attacker forges a ZK proof to claim tokens they do not own, bypass a policy, or double-spend a commitment.

Protection: Ghost Protocol uses Groth16 on the BN254 curve. Groth16 is knowledge-sound: producing an accepting proof without knowing a witness (the secret inputs) is computationally infeasible under pairing-based assumptions on BN254. These assumptions have been studied since the mid-2000s, and the same curve underlies Ethereum's pairing precompiles. One caveat worth knowing: improvements to the number field sieve published in 2016 reduced BN254's estimated security from 128 bits to roughly 100 bits. That is still far beyond practical attack, but it is less margin than the curve was designed for.

The two circuits, the Redemption Proof (8 public inputs) and the Access Proof (4 public inputs), each verify specific claims about commitments, nullifiers, and policies. The verifier's answer is binary: the proof verifies or it does not. What a valid proof means, however, is exactly what the circuit constrains and nothing more, so circuit review (every signal constrained, no unchecked range or equality) matters as much as the proof system itself.

Limitation: Groth16 requires a trusted setup ceremony, and because the setup is circuit-specific, each circuit (and every change to it) needs its own. A forged proof is possible only if every participant in that ceremony colluded or leaked their secret contribution; one honest participant who destroyed theirs is enough to keep the setup sound. Ceremonies are therefore run with many independent participants, and the public transcript lets each of them verify that their contribution was included.

Quantum-Safe Layer

Threat: A future quantum computer breaks the elliptic curve assumptions underlying Groth16 and BN254, allowing an attacker to forge ZK proofs.

Protection: Every commitment in Ghost Protocol includes a quantum commitment:

quantumCommitment = keccak256(quantumSecret)

This is a separate defense layer that does not depend on elliptic curve cryptography. If ZK proofs are ever broken, users can prove ownership by revealing the preimage of their quantum commitment. Keccak-256 is not affected by Shor's algorithm, and Grover's algorithm offers only a quadratic speedup against hash functions, so a 256-bit hash keeps 128 bits of preimage security against a quantum adversary. That bound assumes the secret itself carries at least as much entropy as the hash: Grover's search over a guessable secret (a short passphrase, a counter) is far cheaper than attacking the hash, so quantumSecret must be 256 bits drawn from a cryptographic random generator.

Limitation: The quantum-safe layer is a fallback mechanism, not a full replacement for ZK proofs. If activated, it would require a protocol upgrade to define the new verification process, and it would not provide the same privacy guarantees as ZK proofs (revealing the preimage inherently discloses information). That process would also have to bind each reveal to one specific action, since a bare preimage, once broadcast, can be copied by anyone who sees it before it is mined. It is a safety net, not a seamless transition.

NFC Card Security

Threat: An attacker clones, extracts, or tampers with a Phantom Key stored on an NFC card.

Protection: Specter's physical NFC cards use NXP NTAG 424 DNA chips, which provide several hardware security features:

  • AES-128 mutual authentication with encrypted, integrity-protected communication between the card and reader, so protected card data cannot be read or modified by a reader that does not hold the key.
  • Secure Dynamic Messaging: each tap emits a fresh message carrying a read counter and an AES-CMAC computed by the chip over the UID and counter. A verifier that knows the key checks the CMAC and rejects any counter it has already seen, which defeats replay of a captured tap.
  • Tamper-resistant silicon designed to resist physical probing, side-channel analysis, and fault injection.
  • A unique 7-byte identifier burned in at manufacture that cannot be changed.

Limitation: Hardware security is ultimately bounded by the physical implementation. The chip's protections also apply only to files configured to require authentication; anything placed in a freely readable NDEF record is visible to any phone, and the tap counter prevents replay only if the verifying service records the last counter seen for each card. While NTAG 424 DNA is considered industry-leading for NFC security, no hardware is provably unbreakable. State-level adversaries with advanced chip analysis equipment may be able to extract secrets, though at extraordinary cost and effort. For the highest-security use cases, treat NFC cards as a convenience layer and keep a digital backup.

Smart Contract Security

Threat: A vulnerability in Ghost Protocol's smart contracts allows an attacker to drain funds, bypass privacy, or corrupt state.

Protection: Multiple layers of defense:

  • OpenZeppelin libraries for standard security patterns (access control, pausability, reentrancy guards), among the most widely audited smart contract libraries in the Ethereum ecosystem.
  • ReentrancyGuard on every external-facing function that modifies state or transfers value.
  • Checks-effects-interactions pattern throughout the codebase: state is updated before any external call, so a callback cannot re-enter and act on stale state.
  • Minimal attack surface: the core vaults (CommitRevealVault, OpenGhostVault, PersistentKeyVault) each do one thing, with as little complexity as possible.
  • Immutable commitment bindings: policies, parameters, and commitment data are bound together by Poseidon hashing, so changing any bound term yields a different commitment. Even if a contract had a bug, an attacker could not alter an existing commitment's terms without invalidating the proof for it.
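The reentrancy guard and the checks-effects-interactions ordering above defend against the same bug from two sides, and the difference is easiest to see by running the attack. The following is an added Python model, not Ghost Protocol's Solidity: a method call on the recipient object stands in for the EVM external call that hands control to untrusted code, and the vault, accounts, and balances are constructed for the example. The same withdrawal is written three ways, and the attacker's deposit of 10 drains the whole vault only in the version that updates state after the external call.

```python
"""Reentrancy versus checks-effects-interactions and a reentrancy guard, as an
added Python model (not Ghost Protocol's Solidity). All names are constructed."""
from __future__ import annotations


class ReentrancyError(Exception):
    pass


class Vault:
    def __init__(self) -> None:
        self.balances: dict[object, int] = {}   # credited balance per account
        self.funds = 0                          # value the vault actually holds
        self._entered = False                   # ReentrancyGuard mutex

    def deposit(self, account: object, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.funds += amount

    def _send(self, account: object, amount: int) -> None:
        # Interaction: moves value and runs the recipient's code.
        if amount > self.funds:
            raise RuntimeError("vault has insufficient funds")
        self.funds -= amount
        receive = getattr(account, "receive", None)
        if receive is not None:
            receive(self, amount)

    def withdraw_unsafe(self, account: object) -> None:
        # Check, then interaction BEFORE effect: the balance is zeroed only after
        # the recipient ran, so a re-entrant call passes the check again.
        amount = self.balances.get(account, 0)
        if amount == 0:
            raise RuntimeError("nothing to withdraw")
        self._send(account, amount)
        self.balances[account] = 0

    def withdraw_cei(self, account: object) -> None:
        # Check, effect, then interaction: balance is zeroed before the call,
        # so a re-entrant call fails the check.
        amount = self.balances.get(account, 0)
        if amount == 0:
            raise RuntimeError("nothing to withdraw")
        self.balances[account] = 0
        self._send(account, amount)

    def withdraw_guarded(self, account: object) -> None:
        # Same wrong ordering as withdraw_unsafe, but a mutex rejects any nested
        # entry, which is what OpenZeppelin's nonReentrant modifier does.
        if self._entered:
            raise ReentrancyError("reentrant call rejected")
        self._entered = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0:
                raise RuntimeError("nothing to withdraw")
            self._send(account, amount)
            self.balances[account] = 0
        finally:
            self._entered = False


class Attacker:
    """Re-enters the vault from its receive hook while funds remain."""

    def __init__(self, withdraw_method: str) -> None:
        self.withdraw_method = withdraw_method
        self.received = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        if vault.funds >= amount:
            try:
                getattr(vault, self.withdraw_method)(self)
            except (RuntimeError, ReentrancyError):
                pass  # failed re-entry swallowed, like a low-level call returning false


def run_attack(withdraw_method: str) -> tuple[int, int]:
    """Returns (what the attacker received, what the vault still holds)."""
    vault = Vault()
    honest_user = object()
    attacker = Attacker(withdraw_method)
    vault.deposit(honest_user, 90)
    vault.deposit(attacker, 10)
    getattr(vault, withdraw_method)(attacker)
    return attacker.received, vault.funds


if __name__ == "__main__":
    for method in ("withdraw_unsafe", "withdraw_cei", "withdraw_guarded"):
        print(method, run_attack(method))
    # withdraw_unsafe -> (100, 0); withdraw_cei and withdraw_guarded -> (10, 90)
```

Using both defenses is not redundant: the guard protects a function whose ordering is wrong, and the ordering protects a function that the guard was forgotten on, which is why the page lists them as separate layers.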

Limitation: Smart contract security is never absolute. We will conduct professional security audits before mainnet launch and maintain an active bug bounty program. Despite best efforts, the possibility of undiscovered vulnerabilities can never be fully eliminated, only minimized through rigorous engineering, auditing, and responsible disclosure.

Bridge Security

Threat: An attacker exploits the cross-chain bridge to mint unbacked tokens on Specter or unlock tokens on a source chain without a corresponding burn.

Protection: The bridge is built on Hyperlane. A set of independent validators attests to messages leaving the origin chain, and the receiving chain's Interchain Security Module verifies a threshold of their signatures on-chain before any token is minted or unlocked. The relayers that carry messages between chains hold no signing authority, so they cannot forge a message, only delay it. Rate limiting caps how much value can cross in a given window, so a compromise is bounded rather than total.

Limitation: Bridge security is one of the hardest problems in crypto. Cross-chain bridges are inherently more complex than single-chain applications because they coordinate state across two independent consensus systems, and a bridge is only as strong as its signing set: compromise of enough validator keys to meet the threshold would permit unbacked mints up to the rate limit. We take this seriously, and bridge parameters (validator set, signature threshold, and limits) will be conservative at launch.

What We Do NOT Protect Against

Being honest about limitations is as important as describing protections:

  • Endpoint compromise. If your device is compromised (malware, a keylogger, a malicious browser extension), an attacker may steal your Phantom Keys. Ghost Protocol protects data on-chain, not on your device.
  • Voluntary disclosure. If you share your Phantom Key with someone, they can reveal your commitment. The system cannot protect you from yourself.
  • Metadata analysis. Ghost Protocol hides the contents of transactions, but on-chain metadata (timing, gas usage, which contracts were called) remains public. Correlating these across transactions can shrink the set of possible senders. Operational security matters.
  • Social engineering. No cryptographic system can protect against being tricked into revealing your secrets. Be cautious about who you share Phantom Keys with and verify the authenticity of any application you interact with.

The Philosophy

Security is not about making guarantees you cannot keep. It is about being clear-eyed about what the system protects, how it protects it, and where the edges are. Specter is designed with defense in depth — multiple independent security mechanisms, each of which would need to be broken separately. The goal is not perfection (which does not exist in security), but a system where the cost of attack always exceeds the value of success.