Back to Documentation
> SECURITY

Security

Security model, audits, and best practices for building with ZKPrime

Security Model

ZKPrime's security model is built on cryptographic guarantees and defense-in-depth principles.

Cryptographic Guarantees:

  • Zero-knowledge property: No information leakage
  • Soundness: Invalid proofs cannot be generated
  • Completeness: Valid proofs always verify
  • End-to-end encryption for sensitive data

Trust Assumptions:

  • Secure setup ceremony (trusted setup for zkSNARKs)
  • Solana validator set security
  • Client-side key management

Security Audits

ZKPrime undergoes regular security audits by leading blockchain security firms.

Phase 1 Audit - Q4 2025

Smart Contract & Cryptography

SCHEDULED
  • • zkSNARK circuit analysis
  • • Solana program verification
  • • Cryptographic primitive review

Phase 2 Audit - Q1 2026

End-to-End Security

PLANNED
  • • SDK security review
  • • Client-side encryption audit
  • • Infrastructure penetration testing

Security Best Practices

Key Management

  • ✓ Never expose private keys in client-side code
  • ✓ Use hardware wallets for production applications
  • ✓ Implement key rotation policies
  • ✓ Store encryption keys securely (HSM, secure enclave)
  • ✗ Do not store keys in localStorage or cookies

Transaction Security

// ✓ GOOD: Validate recipient before transfer
const isValidRecipient = await validateAddress(recipientAddress);
if (!isValidRecipient) {
  throw new Error('Invalid recipient address');
}

const tx = await client.createPrivateTransfer({
  from: wallet,
  to: recipientAddress,
  amount: amount,
  privacyLevel: 'high' // Always use highest privacy
});

// ✗ BAD: No validation or error handling
const tx = await client.createPrivateTransfer({
  from: wallet,
  to: userInput, // Dangerous!
  amount: amount
});

Privacy Level Selection

High Privacy (Recommended)

Maximum anonymity set, strongest cryptographic guarantees. Suitable for all use cases.

Medium/Low Privacy

Use only when performance is critical and privacy requirements are lower.

Error Handling

// ✓ GOOD: Proper error handling
try {
  const tx = await client.createPrivateTransfer(params);
  const signature = await client.submitTransaction(tx);
  return { success: true, signature };
} catch (error) {
  // Log error without exposing sensitive data
  console.error('[ZKPrime] Transaction failed:', error.message);
  
  // Handle specific error types
  if (error.code === 'INSUFFICIENT_BALANCE') {
    return { success: false, error: 'Insufficient funds' };
  }
  
  return { success: false, error: 'Transaction failed' };
}

Threat Model

Understanding potential attack vectors and mitigations:

Threat

Front-running attacks

Mitigation

Transaction encryption prevents value extraction

Threat

Proof forgery

Mitigation

Cryptographic soundness guarantees

Threat

Side-channel attacks

Mitigation

Constant-time operations in SDK

Threat

Network analysis

Mitigation

Encrypted metadata, anonymity sets

🛡️ Bug Bounty Program

ZKPrime offers rewards for responsible disclosure of security vulnerabilities.

$500 - $5K
Low Severity
$5K - $25K
Medium Severity
$25K - $100K
Critical Severity

Report vulnerabilities to: security@zkprime.dev