Kaspa x402

Security Threat Model

Status: alpha threat model for the shipped exact and batch-settlement profiles.

Assets

Trust Boundaries

Core Threats

ThreatMitigationResidual risk
Exact transaction replayExact payment identity includes network, transaction id, and output index. State stores reserve the identity before handler execution.Production stores need atomic compare-and-set behavior across workers.
Batch voucher replay or regressionChannel state tracks active outpoint, cumulative amount, and voucher commitments. Older or conflicting vouchers are rejected.Production operators need durable channel state and recovery journals.
Duplicate retry double-executes protected workPayment identifiers bind request fingerprint, payload hash, and payment scope. Same id plus same fingerprint returns cached state; conflicts fail.Deployments must make payment-identifier writes transactional.
Handler failure consumes payment statePayment state is committed only after protected handler success unless the flow has an explicit recoverable settlement state.Product terms still need to define any billable work exceptions.
Stale node or RPC failureVerification fails closed unless required finality evidence is present.Operators must monitor node health and finality lag.
Funding source policy bypassClient code checks required funding source against adapter-reported funding source.Wallet and treasury adapters still require independent audit.
Malicious facilitator widens capabilityFacilitator supported kinds are intersected with direct-mode server capability and explicit action settlers.Hosted facilitators need authentication, rate limits, and tenant isolation.
Covenant template driftEscrow fixture checks and transaction-v1 vectors pin script-public-key, hash, fee, and output behavior.Mainnet requires an independent covenant and transaction-builder audit.

Exact Profile

The exact profile validates a native Kaspa transaction that pays the advertised amount to the advertised recipient output. Verifiers derive transaction id, output script, and output amount from the transaction body rather than trusting payload hints.

Required checks include:

Batch-Settlement Profile

The batch profile uses a funded escrow/channel UTXO and cumulative signed vouchers. The server can claim charged value later; the client can refund remaining value after the timeout.

Required checks include:

State Store Requirements

Production stores must provide atomic operations for:

In-memory stores are test fixtures only.

Live Proof Boundary

The live proof runner validates evidence supplied by an operator adapter. It is not a wallet, broadcaster, recovery journal, or production settlement service. Live testnet success demonstrates alpha flow execution only; it is not a mainnet approval or audit substitute.

Source: /docs/security-threat-model.md