Docs
Threat model
Assets, trust boundaries, adversaries, and the risks we explicitly accept.
What we protect
- Your wallet keys — never held by Vaelun; client-signed only.
- Session integrity — cryptographically signed.
- Server-only credentials and signing keys.
- Your intent contents and balances.
Trust boundaries
- You and your wallet
- The wallet signs; the client never sees your keys.
- Client and server
- Untrusted input crosses here and is strictly validated and bound to your session.
- Server and third parties
- Secrets live only on the server side of this boundary.
Adversaries and mitigations
- Anonymous attacker spending the metered proxy: gating plus fail-closed rate limits plus strict validation.
- Authenticated user publishing for another account: session binding of family, signer, deadline, and action type.
- Malicious wallet altering signed bytes: an exactly-what-was-signed diagnostic and a mainnet comparison before any launch.
- Network attacker replaying a valid intent: short deadlines, salted nonces, and an auto-clearing diagnostic.