Security Architecture

The Gx402 SDK is built with a robust security architecture designed to protect user assets, transactions, and data integrity across all layers of the system.

Wallet Security

  • Embedded Wallets with MPC: Embedded wallets utilize Multi-Party Computation (MPC) for key management, enhancing security by distributing trust.
  • Private Keys Never Exposed: Private keys are never exposed to the game client, minimizing the risk of compromise.
  • Secure Enclave Storage: On mobile devices, private keys are stored in secure enclaves, providing hardware-level protection.
  • Optional Hardware Wallet Support: For advanced users, the SDK offers optional support for hardware wallets like Ledger and Trezor.

Transaction Security

  • EIP-712 Structured Data Signing: Transactions leverage EIP-712 structured data signing for clear, human-readable transaction details, enhancing transparency and preventing phishing attacks.
  • Nonce-based Replay Attack Prevention: Each transaction includes a unique nonce to prevent replay attacks.
  • Time-bound Transaction Validity Windows: Transactions are valid only within specified time windows, reducing the risk of stale or manipulated transactions.
  • Domain-Specific Signatures: Signatures are domain-specific, further mitigating phishing risks.

Smart Contract Security

  • Audited Payment Contracts: All payment-related smart contracts are audited by reputable firms (e.g., against OpenZeppelin standards) to ensure their security and reliability.
  • Upgradeable Proxy Patterns: Smart contracts utilize upgradeable proxy patterns, allowing for bug fixes and feature enhancements without requiring a complete redeployment.
  • Multi-sig Admin Controls: Critical functions and administrative actions are protected by multi-signature controls, requiring approval from multiple authorized parties.
  • Emergency Pause Functionality: An emergency pause function is implemented to halt contract operations in case of a severe security incident.

API Security

  • API Key Authentication: All API requests are secured with API key authentication for developers.
  • Rate Limiting: API endpoints are protected by rate limiting (per-key and per-IP) to prevent abuse and denial-of-service attacks.
  • HMAC Signature Verification for Webhooks: Webhook payloads are secured with HMAC signature verification, allowing your application to verify the authenticity and integrity of incoming events.
  • TLS 1.3 Encryption: All communications with the Gx402 API are encrypted using TLS 1.3, ensuring data confidentiality and integrity in transit.
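
The webhook HMAC check described above, sketched as a receiver-side verifier. This is an added example, not code from the Gx402 SDK. It assumes HMAC-SHA256 over the raw request body with a hex-encoded signature, which this page does not specify; the function names, secret and event payload are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumptions (not from the Gx402 docs): HMAC-SHA256 over the raw request
# body, signature delivered hex-encoded (for example in a request header).


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 tag over the exact bytes sent."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes,
                   signature_hex: Optional[str]) -> Optional[dict]:
    """Return the parsed event if the tag is valid, otherwise None.

    The tag is checked over the raw bytes before JSON parsing, so an
    unauthenticated body never reaches the parser or business logic.
    """
    if not signature_hex:
        return None  # missing signature: reject, never fall back to "trust"
    try:
        received = bytes.fromhex(signature_hex.strip())
    except ValueError:
        return None  # malformed signature value
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest is constant-time, so the comparison does not leak
    # how many leading bytes of a guessed tag were correct.
    if not hmac.compare_digest(expected, received):
        return None
    try:
        return json.loads(raw_body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return None


# Constructed sample data
SECRET = b"constructed-webhook-secret"
BODY = b'{"event":"payment.completed","amount":"5"}'

if __name__ == "__main__":
    tag = sign_payload(SECRET, BODY)
    print(verify_webhook(SECRET, BODY, tag))
    print(verify_webhook(SECRET, BODY.replace(b'"5"', b'"500"'), tag))
```

Verify against the bytes exactly as received: re-serializing parsed JSON before computing the HMAC can change whitespace or key order and make valid events fail.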