
Security Model

HashNut's security model is built on the principle of non-custodial fund management, ensuring merchants maintain complete control over their funds while benefiting from enterprise-grade payment infrastructure.

Non-Custodial Architecture

Key Principle: HashNut never holds or controls merchant funds. All funds remain in merchant-controlled smart contracts.

Security Layers

1. Smart Contract Security

Features:

  • Audited Smart Contracts: Regular security audits by third-party firms
  • Open Source: Contract code is verifiable on-chain
  • Deterministic Addresses: Address pools use deterministic generation
  • Immutable Logic: Core payment logic cannot be changed after deployment

2. API Security

Authentication:

  • HMAC-SHA256 Signatures: All API requests require cryptographic signatures
  • UUID + Timestamp: Prevents replay attacks
  • API Key Management: Secure key storage and rotation
  • IP Whitelisting: Optional IP address restrictions
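The sketch below is an added example, not HashNut's own code or wire format. It shows how a server can combine an HMAC-SHA256 signature with a UUID and a timestamp so that a captured request cannot be replayed. The canonical string layout, the 300-second window, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import uuid

MAX_SKEW = 300  # seconds; assumed window, not a documented HashNut value


def sign(secret, request_id, timestamp, body):
    """HMAC-SHA256 over an assumed canonical string: uuid, timestamp, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = f"{request_id}\n{timestamp}\n{body_hash}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RequestVerifier:
    def __init__(self, secret, max_skew=MAX_SKEW):
        self.secret, self.max_skew = secret, max_skew
        self.seen = {}  # request_id -> timestamp, for IDs still inside the window

    def verify(self, request_id, timestamp, body, signature, now):
        """Return "ok" or the reason for rejection."""
        try:
            uuid.UUID(request_id)
        except (ValueError, TypeError, AttributeError):
            return "bad_request_id"
        # Authenticate first so unsigned traffic cannot fill the replay cache.
        expected = sign(self.secret, request_id, timestamp, body)
        if not hmac.compare_digest(expected.encode(), str(signature).encode()):
            return "bad_signature"
        if abs(now - timestamp) > self.max_skew:
            return "stale_timestamp"
        # IDs older than the window would fail the check above, so drop them.
        self.seen = {r: t for r, t in self.seen.items() if now - t <= self.max_skew}
        if request_id in self.seen:
            return "replayed"
        self.seen[request_id] = timestamp
        return "ok"


def demo():
    """Constructed sample request; returns the verdict for each scenario."""
    secret, now = b"constructed-demo-secret", 1_700_000_000
    rid, rid2 = "123e4567-e89b-42d3-a456-426614174000", "9b2f6c1e-0d4a-4f7b-8c3d-5e6f7a8b9c0d"
    body = b'{"orderId":"demo-1","amount":"10.00"}'
    v, sig = RequestVerifier(secret), sign(secret, rid, now, body)
    return [v.verify(rid, now, body, sig, now),            # fresh
            v.verify(rid, now, body, sig, now + 5),         # captured and resent
            v.verify(rid, now, body + b" ", sig, now + 5),  # body tampered
            v.verify(rid2, now, body, sign(secret, rid2, now, body), now + 301)]
```

Because the UUID and timestamp are covered by the signature, neither can be changed to slip a captured request past the replay cache or the freshness check.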

3. Webhook Security

Webhook Protection:

  • TLS/HTTPS: All webhooks delivered over encrypted connections
  • Retry Logic: Secure retry mechanism for failed deliveries
  • Idempotency: Handle duplicate webhook deliveries

4. On-Chain Verification

Verification Process:

  • Transaction Monitoring: Real-time monitoring of all blockchain networks
  • Multi-Confirmation: Configurable confirmation requirements per chain
  • Amount Validation: Ensures payment matches order amount exactly
  • Address Validation: Verifies payment to correct receipt address
  • Token Validation: Confirms correct token/currency used

Fund Control Model

Merchant Control

Merchant Rights:

  • Full Ownership: Merchant owns the smart contract
  • Fund Control: Only merchant can withdraw funds
  • Address Management: Merchant controls address pool
  • Withdrawal Control: Merchant sets withdrawal address
  • No Third-Party Access: HashNut cannot access funds

HashNut's Role

HashNut provides:

  • Infrastructure: API, monitoring, and payment processing
  • Smart Contract Templates: Pre-audited contract code
  • Transaction Monitoring: Real-time payment detection
  • Analytics: Reporting and insights

HashNut cannot:

  • ❌ Access merchant funds
  • ❌ Withdraw funds
  • ❌ Modify smart contracts
  • ❌ Change withdrawal addresses
  • ❌ Freeze or hold funds

Security Best Practices

For Merchants

  1. Secure API Keys

    • Store API keys securely (environment variables, secrets management)
    • Rotate keys regularly
    • Use IP whitelisting when possible
    • Never commit keys to version control
  2. Smart Contract Security

    • Review contract code before deployment
    • Use multi-signature wallets for high-value accounts
    • Set withdrawal addresses carefully
    • Monitor contract activity regularly
  3. Webhook Security

    • Use HTTPS for webhook endpoints
    • Implement idempotency checks
    • Log all webhook events
    • Query order status to verify webhook data
  4. Wallet Security

    • Use hardware wallets for high-value operations
    • Keep private keys secure
    • Use multi-signature wallets when possible
    • Regular security audits

For HashNut Platform

  1. Infrastructure Security

    • Regular security audits
    • DDoS protection
    • Rate limiting
    • Monitoring and alerting
  2. Data Security

    • Encrypted data storage
    • Secure API communications (TLS)
    • Minimal data collection
    • GDPR compliance

Security Guarantees

What HashNut Guarantees

Non-Custodial: HashNut never holds merchant funds
Smart Contract Security: Audited, open-source contracts
API Security: HMAC-based authentication
Webhook Security: Signed webhook deliveries
On-Chain Verification: All payments verified on blockchain
Transparency: All operations verifiable on-chain

What Merchants Must Secure

⚠️ API Keys: Merchant responsibility to secure
⚠️ Private Keys: Wallet private keys must be secured
⚠️ Smart Contract Access: Contract owner keys must be protected
⚠️ Webhook Endpoints: Must use HTTPS and validate data
⚠️ Withdrawal Addresses: Must be correct and secure

Incident Response

If You Suspect a Security Issue

  1. Immediately:

    • Rotate all API keys
    • Review recent transactions
    • Check smart contract state
    • Verify withdrawal addresses
  2. Contact Support:

    • Email: security@hashnut.io
    • Include transaction hashes
    • Provide detailed description
    • Share relevant logs
  3. On-Chain Verification:

    • Check blockchain explorer
    • Verify all transactions
    • Review contract state
    • Confirm fund locations

Compliance & Audits

Smart Contract Audits

  • Regular third-party security audits
  • Open-source contract code
  • Public audit reports

Compliance

  • Data protection compliance
  • Financial regulations (where applicable)
  • Industry standards
