Cryptographic architecture and security best practices
Styx Protocol is designed with privacy-by-default principles. All sensitive data is encrypted client-side before ever touching the blockchain. The protocol uses industry-standard cryptographic primitives that have been extensively audited.
Zero-Knowledge Design: The Styx protocol never sees unencrypted messages. All encryption/decryption happens locally in your application.
Four-layer cryptographic protection
Elliptic curve Diffie-Hellman for perfect forward secrecy
Security: 128-bit security level
AEAD cipher with 24-byte nonce for message encryption
Security: 256-bit keys
Authenticates ciphertext to prevent tampering
Security: Included in AEAD
Multi-recipient envelope with ephemeral keys per message
Security: Compact 88-byte format
Messages are wrapped in a compact 88-byte envelope that contains all necessary cryptographic material for decryption while revealing nothing about the content.
| Offset | Size | Field | Description |
|---|---|---|---|
| 0 | 1 | Version | Envelope version (0x01) |
| 1 | 1 | Flags | Feature flags (stealth, anonymous) |
| 2 | 32 | Ephemeral PK | X25519 public key for key exchange |
| 34 | 24 | Nonce | XChaCha20 nonce |
| 58 | 16 | Auth Tag | Poly1305 authentication tag |
| 74 | N | Ciphertext | Encrypted message payload |
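A strict parser for the layout in the table above, as an added example (not code from the Styx SDK or the original page). It uses the table's offsets, so the fixed header is 74 bytes followed by the ciphertext. The names `parseEnvelope` and `buildSampleEnvelope`, the all-zero key check and the sample bytes are assumptions made for illustration; flag bits are returned raw because the page does not define them.

```javascript
// Added example: field offsets and sizes are taken from the envelope table.
const ENVELOPE_VERSION = 0x01;
const HEADER_LEN = 74; // ciphertext starts at offset 74
const FIELDS = [
  // [name, offset, size]
  ["ephemeralPk", 2, 32], // X25519 public key
  ["nonce", 34, 24],      // XChaCha20 nonce
  ["authTag", 58, 16],    // Poly1305 authentication tag
];

function parseEnvelope(bytes) {
  if (!(bytes instanceof Uint8Array)) {
    throw new TypeError("envelope must be a Uint8Array");
  }
  // Reject short input before reading any field, so no field is silently truncated.
  if (bytes.length < HEADER_LEN) {
    throw new RangeError(`envelope truncated: ${bytes.length} < ${HEADER_LEN} bytes`);
  }
  if (bytes[0] !== ENVELOPE_VERSION) {
    throw new Error(`unsupported envelope version 0x${bytes[0].toString(16)}`);
  }
  const out = { version: bytes[0], flags: bytes[1] };
  for (const [name, offset, size] of FIELDS) {
    // Copy each field so later mutation of the input cannot alter parsed values.
    out[name] = new Uint8Array(bytes.subarray(offset, offset + size));
  }
  // Assumption (not stated on the page): an all-zero X25519 public key is a
  // low-order point that yields an all-zero shared secret, so reject it.
  if (out.ephemeralPk.every((b) => b === 0)) {
    throw new Error("ephemeral public key is all zeros");
  }
  out.ciphertext = new Uint8Array(bytes.subarray(HEADER_LEN));
  return out;
}

// Constructed sample: a 74-byte header followed by a 5-byte payload.
function buildSampleEnvelope() {
  const env = new Uint8Array(HEADER_LEN + 5);
  env[0] = ENVELOPE_VERSION;
  env[1] = 0x00;            // flags
  env.fill(0xaa, 2, 34);    // placeholder ephemeral public key
  env.fill(0xbb, 34, 58);   // placeholder nonce
  env.fill(0xcc, 58, 74);   // placeholder auth tag
  env.set([1, 2, 3, 4, 5], 74);
  return env;
}
```

Parsing only splits and sanity-checks the fields; the payload is trustworthy only after AEAD decryption with the derived key verifies the Poly1305 tag.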
One-time derived addresses prevent linking sender to recipient
Optional sender concealment for anonymous messaging
Only encrypted ciphertext stored - no metadata leakage
Each message uses unique ephemeral keys
WhisperDrop uses Merkle trees to enable private airdrops without revealing the full recipient list on-chain.
Stealth Claiming: Recipients can optionally claim to a derived stealth address, breaking any link between their allocation and their public wallet.
No relayers, no sequencers, no oracles, no backend. Three on-chain programs on Solana L1 — no in-protocol admin access to user funds.
No instruction grants admin access to user pools or funds. The program has an upgrade authority (Styx Labs) — but no in-protocol path allows draining, pausing, or redirecting shielded tokens. Pool creation is permissionless — any wallet, any SPL token.
Core shield/unshield: ~5000 lamports Solana base fee only. ZK private transfers: 100–400 lamports to OBOL treasury for verifier costs. WhisperDrop: 0.01 SOL init + 0.0003 SOL per claim. All amounts hardcoded in the binary.
No relayer, sequencer, oracle, or backend server. The indexer is optional UX convenience — not a dependency. Protocol functions entirely on Solana L1.
Groth16 via CPI, Ed25519 via instructions sysvar, range proofs via SHA-256, nullifiers via PDA creation. Validators ARE the verifiers.
Pool PDA authority derived from ["sts_pool", mint_id]. invoke_signed requires matching seeds. No admin, multisig, or governance can withdraw.
No allowlist, denylist, paused state, or circuit breaker. If the cryptographic proofs are valid, the transaction succeeds.
Every cryptographic operation is verified by Solana validators. No trusted third party in any path.
| Operation | Verification Method | Trusted Third Party? |
|---|---|---|
| ZK Private Transfer | Groth16 via CPI to StyxZK verifier | ❌ None (on-chain) |
| Ed25519 Ownership | Solana instructions sysvar (native) | ❌ None (native Solana) |
| Range Proof | SHA-256 commitment-opening in program | ❌ None (on-chain) |
| Merkle Proof | Keccak256 tree verification in program | ❌ None (on-chain) |
| Nullifier Uniqueness | PDA creation (Solana runtime) | ❌ None (Solana runtime) |
| Token Transfer | SPL Token CPI (invoke/invoke_signed) | ❌ None (SPL Token program) |
All program-derived addresses are deterministic and verifiable by anyone. No centralized server needed.
| PDA | Seeds |
|---|---|
| Pool PDA | ["sts_pool", mint_id] |
| Pool Token Account | ["sts_pool", mint_id, "token"] |
| IC Pool PDA | ["ic_pool", mint_id] |
| Nullifier PDA | ["sts_nullifier", nullifier_hash] |
| DAM Pool PDA | ["dam_pool", mint_id] |
| IC Tree PDA | ["ic_tree", tree_id] |
| FeeConfig PDA | ["styx_zk_fee"] |
| Receipt Mint | ["sts_receipt", mint_id] |
| Stealth Address | ["sts_stealth", owner, nonce] |
How StyxStack compares to other privacy protocols
| Standard | StyxStack | Tornado Cash | Light Protocol |
|---|---|---|---|
| Fund admin access | None | None | None |
| Upgrade authority | Yes (Styx Labs) | None (immutable) | Yes |
| Protocol fees | Transparent (hardcoded) | Zero | Variable |
| Pause mechanism | None | None | Unknown |
| Governance token | None | TORN | None |
| Infrastructure | Only Solana | Only Ethereum | Solana + indexers |
| Pool creation | Permissionless | Fixed denominations | Permissionless |
| Censorship resistance | Full (no fund admin) | Full (immutable) | Partial (upgradeable) |
Styx Privacy Standard (SPS)
STYXygfX7on1MMnjjjxXtkzqbQ7heyh6gsC5Mihhs95
Canary Ferry v3.0.0 — 369,272 bytes — Pinocchio + Jiminy 0.7
StyxZK Verifier
FERRYpEo4dPbJZYqUfpkWHEMQCCs33Vm3TwBLZpBovXM
Groth16 proof verification + custom ZK circuit registry — 88,688 bytes
Never log, store in plaintext, or transmit private keys. Use secure enclaves when possible.
Always validate public keys, signatures, and decrypted data before processing.
Always use HTTPS for RPC connections. Use dedicated RPC providers like Helius for production.
Implement rate limiting to prevent abuse and protect your API keys.
Rotate encryption keys and API keys on a regular schedule.
Regularly audit npm dependencies for known vulnerabilities.
Audit in Progress
Styx Protocol is currently undergoing security audits. While the cryptographic primitives used (X25519, XChaCha20-Poly1305) are well-established and battle-tested, the smart contract code has not yet received a formal third-party audit. Use in production at your own risk.
Found a security vulnerability? We offer CRED rewards for responsible disclosure.
Report vulnerabilities to: security@styx.nexus