Audited | v1.0.0 | All Criticals Fixed

Security-First Architecture

Your users' privacy is non-negotiable. Here's exactly how we protect it — from encryption at rest to zero-knowledge delivery proofs on-chain.

Four Pillars of Privacy

Every design decision in Herald starts with one question: does this protect the user?

Zero-PII Design

No plaintext emails, phone numbers, or social handles are ever stored. All contact info is encrypted before it leaves the user's device.

  • Salted SHA-256 for identity matching
  • Encrypted blobs on-chain
  • No central PII database

Dual Encryption

Users can decrypt their own stored data in the browser using their wallet key — no server round-trip needed.

  • NaCl box (X25519) encryption
  • Two independent decryption blocks
  • User block never touches our servers

TEE Isolation

Decryption occurs inside an AWS Nitro Enclave — a hardware-isolated VM that even system administrators cannot access.

  • Attested enclave code (PCR hashes)
  • No persistent storage inside TEE
  • KMS-protected decryption keys

ZK Receipts

Every delivery is proven on-chain via Light Protocol compressed receipts — verifiable without revealing the recipient.

  • Compressed account proofs
  • Recipient hash, not address
  • Immutable on-chain audit trail

Encryption Architecture

Herald uses a dual-recipient encryption scheme — two independent encrypted blocks stored on-chain, each decryptable by a different party using their own private key.

Dual-Encryption Blob Format
Offset (bytes) | Field | Contents
0–1 | Magic prefix | 0xAA, 0xBB
2–33 | Ephemeral pubkey 1 | 32 bytes (gateway sender)
34–35 | Length field | uint16 big-endian
36–N | Gateway ciphertext | nacl.box → gateway public key
+0–+31 | Ephemeral pubkey 2 | 32 bytes (user sender)
+32–end | User ciphertext | nacl.box → user wallet X25519 key

Gateway Block

Encrypted to Herald's X25519 public key. Only the Notification Gateway can decrypt it — and only inside the Secure Enclave.

User Block

Encrypted to the user's wallet-derived X25519 key. Only the user can decrypt it — directly in their browser, no server needed.

Neither party can read the other's block

The gateway doesn't have the user's wallet key. The user doesn't have the gateway's private key. This means Herald cannot access user contact info without the TEE, and users retain full sovereignty over their own data.
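A bounds-checked parser for the blob layout above, as an added example rather than Herald's own code. It assumes the length field counts the gateway ciphertext bytes and treats both ciphertexts as opaque; the function names and sample bytes are constructed for illustration.

```javascript
// Added example: offsets follow the "Dual-Encryption Blob Format" table.
const MAGIC = [0xaa, 0xbb];
const PUBKEY_LEN = 32;                  // X25519 public key
const BOX_OVERHEAD = 16;                // Poly1305 tag present in every nacl.box output
const HEADER_LEN = 2 + PUBKEY_LEN + 2;  // magic + ephemeral pubkey 1 + length field = 36

// Split an untrusted blob into its two blocks; throws instead of guessing.
function parseDualBlob(blob) {
  if (!(blob instanceof Uint8Array)) throw new TypeError("blob must be a Uint8Array");
  if (blob.length < HEADER_LEN) throw new RangeError("blob shorter than fixed header");
  if (blob[0] !== MAGIC[0] || blob[1] !== MAGIC[1]) throw new Error("bad magic prefix");

  const view = new DataView(blob.buffer, blob.byteOffset, blob.byteLength);
  // Assumption: the uint16 at bytes 34-35 is the gateway ciphertext length.
  const gatewayLen = view.getUint16(34, false); // false = big-endian
  const gatewayEnd = HEADER_LEN + gatewayLen;
  if (gatewayLen < BOX_OVERHEAD) throw new RangeError("gateway ciphertext too short");
  // The user block needs at least its ephemeral key plus one authentication tag.
  if (gatewayEnd + PUBKEY_LEN + BOX_OVERHEAD > blob.length) {
    throw new RangeError("length field overruns blob or user block is truncated");
  }
  return {
    gatewayEphemeralPub: blob.slice(2, HEADER_LEN - 2),
    gatewayCiphertext: blob.slice(HEADER_LEN, gatewayEnd),
    userEphemeralPub: blob.slice(gatewayEnd, gatewayEnd + PUBKEY_LEN),
    userCiphertext: blob.slice(gatewayEnd + PUBKEY_LEN),
  };
}

// Constructed sample: filler bytes stand in for real keys and ciphertexts.
function buildSampleBlob(gatewayCt, userCt) {
  const userStart = HEADER_LEN + gatewayCt.length;
  const out = new Uint8Array(userStart + PUBKEY_LEN + userCt.length);
  out.set(MAGIC, 0);
  out.fill(0x11, 2, 34);                                  // ephemeral pubkey 1
  new DataView(out.buffer).setUint16(34, gatewayCt.length, false);
  out.set(gatewayCt, HEADER_LEN);
  out.fill(0x22, userStart, userStart + PUBKEY_LEN);      // ephemeral pubkey 2
  out.set(userCt, userStart + PUBKEY_LEN);
  return out;
}

const sample = buildSampleBlob(new Uint8Array(40).fill(0xa1), new Uint8Array(48).fill(0xb2));
const parsed = parseDualBlob(sample);
console.log(parsed.gatewayCiphertext.length, parsed.userCiphertext.length);
```

Rejecting a blob whose length field does not fit keeps bytes from one block from being passed to the other party's decryption routine.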

On-Chain Security

The Herald Privacy Registry is an Anchor program on Solana, with security baked into every instruction.

PDA Seed Constraints

Identity PDAs are derived from ["identity", owner]. A different wallet literally cannot derive the same PDA — enforced by the runtime.

Checked Arithmetic

All on-chain math uses checked_add and checked_sub. No silent integer wrapping possible.

Tier Enforcement

Send limits are enforced on-chain per billing period. A protocol cannot exceed its tier quota.

Subscription Expiry

Receipts cannot be written if a protocol's subscription has expired. The chain enforces billing compliance.

Suspension Mechanism

Protocols can be hard-suspended for ToS violations. Suspension blocks all access — not reversible by the protocol owner.

Granular Error Reporting

Distinct error variants for Light CPI, account validation, and invocation failures. Clear observability for operators.

Security Audit

Conducted by Antigravity on March 18, 2026. All critical and high severity findings have been resolved in v1.0.0.

2 Criticals | 3 Highs | 4 Mediums | 3 Lows

ID | Severity | Status
C-01 | Critical | Fixed
C-02 | Critical | Fixed
H-01 | High | Fixed
H-02 | High | Fixed
H-03 | High | Fixed
M-01 | Medium | Confirmed Safe
M-02 | Medium | Fixed
M-03 | Medium | Accepted
M-04 | Medium | Accepted
L-01 | Low | Fixed
L-02 | Low | Confirmed Safe
L-03 | Low | Fixed

Infrastructure

The Notification Gateway is deployed on AWS with defense-in-depth at every layer.

ECS Fargate Multi-AZ

Stateless containers deployed across multiple availability zones. No single point of failure.

AWS Secrets Manager

X25519 private keys stored in encrypted secrets. IAM role-scoped access only.

Redis Caching

Identity PDAs cached in Redis to reduce Solana RPC calls and improve lookup latency.

PostgreSQL + Prisma

Notification metadata stored with zero PII. Wallet addresses and API keys hashed with SHA-256.

BullMQ Queue

Async processing with 5 named queues, dead-letter handling, and exponential backoff retries.

Tier Rate Limiting

Per-API-key rate limits enforced at the gateway level. Developer (2 rps) to Enterprise (500 rps).

Responsible Disclosure

If you believe you have found a security vulnerability in Herald Protocol, we encourage responsible disclosure. We take all reports seriously and will respond promptly.

Scope

Smart contracts (Solana program), Notification Gateway API, Encryption architecture, User Portal

Contact

Please email security@useherald.xyz

Response Time

We aim to acknowledge within 48 hours and provide a detailed response within 7 days.

Don't trust us. Verify.

All of our code is open source. Audit our smart contracts, review our encryption implementation, and verify our claims yourself.