Security
GhostReceipt is built with security and privacy as core principles.
Architecture
- Client-side proof generation: All sensitive data stays in your browser
- Oracle-signed data: Transaction data is cryptographically signed by the oracle
- Zero-knowledge proofs: Groth16 zk-SNARKs prove claims without revealing data
- No data storage: GhostReceipt does not store your transaction details
Threat Model
GhostReceipt protects against:
- ✓ Privacy leakage of transaction amounts
- ✓ Privacy leakage of exact timestamps
- ✓ Privacy leakage of sender/receiver addresses
- ✓ Forged receipts (cryptographic proof verification)
- ✓ Oracle payload tampering in transit (Ed25519 signature verification)
Trust Assumptions
You must trust:
- The current single oracle operator to fetch/sign canonical blockchain data honestly
- Upstream chain data providers used by the oracle
- The circuit implementation (open source, auditable)
- The proving system (Groth16, widely used)
- Your browser's JavaScript execution environment
⚠️ Important: GhostReceipt is experimental software with a centralized oracle trust anchor. A valid receipt proves constraints against oracle-signed data, not trustless full chain-state verification.
Security Headers
GhostReceipt implements:
- Content Security Policy (CSP)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
Data Flow
- User enters transaction hash and claim parameters
- Oracle fetches canonical blockchain data
- Oracle signs canonical commitment data with Ed25519
- Browser builds witness from oracle payload + user claim
- Browser generates zero-knowledge proof locally
- Shareable receipt contains only proof + public signals
Reporting Security Issues
Found a security vulnerability? Please report it privately:
- GitHub: Open a private issue with [SECURITY] in the title
- Email: Contact via teycirbensoltane.tn
Audits
GhostReceipt has not been formally audited. Use with appropriate caution for your use case.