Security
GhostReceipt is built with security and privacy as core principles.
Architecture
- Client-side proof generation: All sensitive data stays in your browser
- Fail-safe oracle routing: Client uses primary /api/oracle/* and optional edge backup only for transport/platform outages
- Oracle-signed data: Canonical transaction data is cryptographically signed by the oracle
- Consensus modes: best_effort, strict, and off control peer-source validation behavior
- Passive validation labels: Signature payloads include validation strength metadata with no added user action
- Zero-knowledge proofs: Groth16 zk-SNARKs prove claims without revealing data
- No data storage: GhostReceipt does not store your transaction details
Threat Model
GhostReceipt protects against:
- ✓ Privacy leakage of transaction amounts
- ✓ Privacy leakage of exact timestamps
- ✓ Privacy leakage of sender/receiver addresses
- ✓ Forged receipts (cryptographic proof verification)
- ✓ Oracle payload tampering in transit (Ed25519 signature verification)
Trust Assumptions
You must trust:
- The current single oracle operator to fetch/sign canonical blockchain data honestly
- Upstream chain data providers used by the oracle
- The circuit implementation (open source, auditable)
- The proving system (Groth16, widely used)
- Your browser's JavaScript execution environment
Security Headers
GhostReceipt implements:
- Content Security Policy (CSP)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
Data Flow
- User enters transaction hash and claim parameters
- Client calls primary oracle route and only retries the configured edge backup route for unavailability failures
- Oracle fetches canonical blockchain data from the primary provider cascade
- Oracle attempts peer consensus validation (mode-dependent)
- Oracle signs canonical commitment data with Ed25519 and emits validation label metadata (consensus_verified, single_source_fallback, or single_source_only)
- Browser builds witness from oracle payload + user claim
- Browser generates zero-knowledge proof locally
- Shareable receipt contains only proof + public signals
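The signature check in the data flow above, as an added example (not GhostReceipt's own code): because the validation label travels inside the signed payload, a label or commitment altered in transit fails Ed25519 verification. The field names, the sorted-key JSON encoding and the use of Node's built-in crypto module in place of the browser verifier are assumptions; the key pair and payload are constructed.

```javascript
// Added example: field names, canonical encoding and key handling are assumptions.
const nodeCrypto = require('node:crypto');

// The three validation labels named on this page.
const VALIDATION_LABELS = ['consensus_verified', 'single_source_fallback', 'single_source_only'];

// Assumed canonical form: key/value pairs sorted by key, so signer and verifier hash identical bytes.
function canonicalBytes(payload) {
  const sorted = Object.keys(payload).sort().map((k) => [k, payload[k]]);
  return Buffer.from(JSON.stringify(sorted), 'utf8');
}

// Oracle side (stand-in): sign the commitment together with its validation label.
function oracleSign(payload, privateKey) {
  return nodeCrypto.sign(null, canonicalBytes(payload), privateKey).toString('base64');
}

// Client side: reject before witness building unless label and signature both check out.
function verifyOraclePayload(payload, signatureB64, oraclePublicKey) {
  if (!payload || typeof payload !== 'object') return { ok: false, reason: 'malformed_payload' };
  if (!VALIDATION_LABELS.includes(payload.validationLabel)) return { ok: false, reason: 'unknown_label' };
  const sig = Buffer.from(String(signatureB64), 'base64');
  if (sig.length !== 64) return { ok: false, reason: 'bad_signature_length' };
  const valid = nodeCrypto.verify(null, canonicalBytes(payload), oraclePublicKey, sig);
  return valid ? { ok: true, label: payload.validationLabel } : { ok: false, reason: 'bad_signature' };
}

// Constructed sample data: throwaway key pair and a placeholder payload.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const signed = { chain: 'example', commitment: 'placeholder-commitment', validationLabel: 'single_source_only' };
const signature = oracleSign(signed, privateKey);

const results = {
  untouched: verifyOraclePayload(signed, signature, publicKey),
  labelUpgraded: verifyOraclePayload({ ...signed, validationLabel: 'consensus_verified' }, signature, publicKey),
  commitmentSwapped: verifyOraclePayload({ ...signed, commitment: 'other' }, signature, publicKey),
  unknownLabel: verifyOraclePayload({ ...signed, validationLabel: 'verified' }, signature, publicKey),
};
console.log(results);
```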
Reporting Security Issues
Found a security vulnerability? Please report it privately:
- GitHub: Open a private issue with [SECURITY] in the title
- Email: Contact via teycirbensoltane.tn
Audits
Please audit the code and report any issues you find. Security reports are welcome via GitHub issues with the [SECURITY] tag or by direct contact.