ADMIRALTY CHRONICLE 15-B / SECTION 9 — CUSTODY GUARANTEES

Security

Overview

This section states precisely what we hold an' what we do not, an' documents th' encryption model in full. Refer to pseudocode below before contactin' us with custody concerns.


PIN Model

Yer PIN be never stored. We store th' Argon2 hash o' th' PIN fer verification. A separate Argon2-derived key XORed with a server-held secret encrypts yer Hive active key — th' double-key design.


Double-Key Pseudocode

Neither th' server alone nor a database attacker alone can decrypt yer active key. Both th' PIN (known only to ye) an' th' server secret (known only to us) be required.

# Encryption at PIN setup:
key_material  = Argon2(PIN) XOR KEY_ENCRYPTION_SECRET
encrypted_key = AES-256-GCM(active_key, key_material)

# Decryption at transaction time:
key_material  = Argon2(PIN) XOR KEY_ENCRYPTION_SECRET
active_key    = AES-256-GCM.decrypt(encrypted_key, key_material)
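
Th' double-key pseudocode above as runnable Node.js. This be an added example, not th' service's own code: scrypt stands in fer Argon2 (Node's standard library ships scrypt), an' th' per-record salt, random nonce, function names an' sample values be assumptions.

```javascript
// Added example. Assumptions: scrypt replaces Argon2; salt/nonce layout and names are hypothetical.
const crypto = require("node:crypto");

// Stand-in for Argon2(PIN): memory-hard KDF producing a 32-byte key.
function pinKey(pin, salt) {
  return crypto.scryptSync(pin, salt, 32, { N: 16384, r: 8, p: 1 });
}

// key_material = KDF(PIN) XOR KEY_ENCRYPTION_SECRET
function keyMaterial(pin, salt, serverSecret) {
  if (serverSecret.length !== 32) throw new Error("server secret must be 32 bytes");
  const k = pinKey(pin, salt);
  for (let i = 0; i < 32; i++) k[i] ^= serverSecret[i];
  return k;
}

// Encryption at PIN setup. The returned record is what a database row would hold.
function sealActiveKey(activeKey, pin, serverSecret) {
  // Fresh salt: this KDF output must differ from the stored PIN verification hash,
  // otherwise database + server secret could rebuild key_material without the PIN.
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // GCM nonce, never reused under one key
  const key = keyMaterial(pin, salt, serverSecret);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([cipher.update(activeKey), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

// Decryption at transaction time. Returns null when the PIN or the server
// secret is wrong, or the record was altered: the GCM tag check fails.
function openActiveKey(rec, pin, serverSecret) {
  const key = keyMaterial(pin, rec.salt, serverSecret);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, rec.nonce);
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed sample values, not real keys.
const SECRET = crypto.randomBytes(32);
const record = sealActiveKey(Buffer.from("constructed-sample-active-key"), "4821", SECRET);
console.log(openActiveKey(record, "4821", SECRET).toString());      // both halves present
console.log(openActiveKey(record, "0000", SECRET));                 // wrong PIN
console.log(openActiveKey(record, "4821", crypto.randomBytes(32))); // wrong server secret
```
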

What We Hold

Yer encrypted active key (useless in isolation), yer HIVE an' WAGE balance rows, yer NFT ownership records, an' th' Argon2 hash o' yer PIN. Nothin' else.


What We Do Not Hold

Yer plain PIN. Yer decrypted active key. Yer seed phrase. Yer email password. Anythin' that would enable us to unilaterally move yer funds.


RNG Fairness

Every mint RNG roll uses a server-seeded PRNG; th' seed be persisted to th' MintEvent row. Any auditor can replay th' roll from th' seed an' verify th' outcome matches what were recorded.


PIN Lockout

Three consecutive failed PIN attempts lock th' account fer fifteen minutes. Th' counter resets on successful entry. This be th' primary defense against brute-force.


No PIN Recovery

There be no PIN recovery. If ye lose yer PIN, yer in-game HIVE balance an' all staked NFTs be permanently inaccessible. Write yer PIN down. Store it somewhere ye will find it again.