Kaspa x402

Security Threat Model

Status: alpha threat model for the shipped exact and batch-settlement profiles.

Assets

Trust Boundaries

Core Threats

ThreatMitigationResidual risk
Exact transaction replayExact payment identity includes network, transaction id, and output index. State stores reserve the identity before handler execution.Production stores need atomic compare-and-set behavior across workers.
Batch voucher replay or regressionChannel state tracks active outpoint, cumulative amount, and voucher commitments. Older or conflicting vouchers are rejected.Production operators need durable channel state and recovery journals.
Duplicate retry double-executes protected workPayment identifiers bind request fingerprint, payload hash, and payment scope. Same id plus same fingerprint returns cached state; conflicts fail.Deployments must make payment-identifier writes transactional.
Handler failure consumes payment statePayment state is committed only after protected handler success unless the flow has an explicit recoverable settlement state.Product terms still need to define any billable work exceptions.
Stale node or RPC failureVerification fails closed unless required finality evidence is present.Operators must monitor node health and finality lag.
Funding source policy bypassClient code checks required funding source against adapter-reported funding source.Wallet and treasury adapters still require independent audit.
Malicious facilitator widens capabilityFacilitator supported kinds are intersected with direct-mode server capability and explicit action settlers.Hosted facilitators need authentication, rate limits, and tenant isolation.
Covenant template driftEscrow fixture checks and transaction-v1 vectors pin script-public-key, hash, fee, and output behavior.Mainnet requires an independent covenant and transaction-builder audit.

Exact Profiles

The default standard-native profile validates a native Kaspa transaction whose selected output pays the advertised amount exactly to the advertised recipient. The optional additive profile validates a transaction that spends the current advertised KIP-10 head and recreates a same-script successor whose increase is exactly the advertised amount. The successor increase is the sole merchant payment; a separate merchant output is forbidden. Verifiers derive transaction id, inputs, outputs, scripts, amounts, and continuation evidence from the transaction body and trusted UTXO lookups rather than payload hints.

Required checks include:

Batch-Settlement Profile

The batch profile uses a funded escrow/channel UTXO and cumulative signed vouchers. The server can claim charged value later; the client can refund remaining value after the timeout.

Required checks include:

State Store Requirements

Production stores must provide atomic operations for:

In-memory stores are test fixtures only.

Live Proof Boundary

The live proof runner validates evidence supplied by a live adapter. The committed reference adapter in scripts/live-adapter-reference.mjs is a reviewable testnet harness, not a production wallet, broadcaster, recovery journal, or settlement service. It receives RPC, funding, and SDK paths from operator environment variables and writes generated signing material under the ignored live data directory.

Live testnet success demonstrates alpha flow execution only; it is not a mainnet approval or audit substitute.

Source: /docs/security-threat-model.md