PUBLICATION 15-B / SECTION 9 — CUSTODY GUARANTEES
Security
§9.1
Overview
This section states precisely what we hold and what we do not, and documents the encryption model in full. Refer to the pseudocode in §9.3 before contacting us with custody concerns.
§9.2
PIN Model
Your PIN is never stored. We store the Argon2 hash of the PIN for verification. A separate Argon2-derived key, XORed with a server-held secret, encrypts your Hive active key. This is the double-key design.
§9.3
Double-Key Pseudocode
Neither the server alone nor a database attacker alone can decrypt your active key. Both the PIN (known only to you) and the server secret (known only to us) are required.
# Encryption at PIN setup:
key_material = Argon2(PIN) XOR KEY_ENCRYPTION_SECRET
encrypted_key = AES-256-GCM(active_key, key_material)

# Decryption at transaction time:
key_material = Argon2(PIN) XOR KEY_ENCRYPTION_SECRET
active_key = AES-256-GCM.decrypt(encrypted_key, key_material)
§9.4
What We Hold
Your encrypted active key (useless in isolation), your HIVE and WAGE balance rows, your NFT ownership records, and the Argon2 hash of your PIN. Nothing else.
§9.5
What We Do Not Hold
Your plain PIN. Your decrypted active key. Your seed phrase. Your email password. Anything that would enable us to unilaterally move your funds.
§9.6
RNG Fairness
Every mint RNG roll uses a server-seeded PRNG; the seed is persisted to the MintEvent row. Any auditor can replay the roll from the seed and verify the outcome matches what was recorded.
§9.7
PIN Lockout
Three consecutive failed PIN attempts lock the account for fifteen minutes. The counter resets on successful entry. This is the primary defense against brute-force attacks.
§9.8
No PIN Recovery
There is no PIN recovery. If you lose your PIN, your in-game HIVE balance and all staked NFTs are permanently inaccessible. Write your PIN down. Store it somewhere you will find it again.