All docs

Docs

Threat model

Assets, trust boundaries, adversaries, and the risks we explicitly accept.

What we protect

  • Your wallet keys — never held by Vaelun; client-signed only.
  • Session integrity — cryptographically signed.
  • Server-only credentials and signing keys.
  • Your intent contents and balances.

Trust boundaries

You and your wallet
The wallet signs; the client never sees your keys.
Client and server
Untrusted input crosses here and is strictly validated and bound to your session.
Server and third parties
Secrets live only on the server side of this boundary.

Adversaries and mitigations

  • Anonymous attacker spending the metered proxy: gating plus fail-closed rate limits plus strict validation.
  • Authenticated user publishing for another account: session binding of family, signer, deadline, and action type.
  • Malicious wallet altering signed bytes: an exactly-what-was-signed diagnostic and a mainnet comparison before any launch.
  • Network attacker replaying a valid intent: short deadlines, salted nonces, and an auto-clearing diagnostic.