PUBLICATION 15-B / SECTION 9 — CUSTODY GUARANTEES
How We Keep It Honest
§9.1
Rundown
This here section states precise-like what we hold and what we don't, and documents the encryption model in full. Refer ta the pseudocode below 'fore y'all come callin' 'bout custody concerns.
§9.2
PIN Model
Yer PIN ain't never stored, cousin. We store the Argon2 hash of the PIN fer verification. A separate Argon2-derived key XORed with a server-held secret encrypts yer Hive active key — that there is the double-key design.
§9.3
Double-Key Pseudocode
Neither the server alone nor a database attacker alone kin decrypt yer active key. Both the PIN (known only ta y'all) and the server secret (known only ta us) are required. Takes two ta tango.
    # Encryption at PIN setup:
    key_material = Argon2(PIN) XOR KEY_ENCRYPTION_SECRET
    encrypted_key = AES-256-GCM(active_key, key_material)

    # Decryption at transaction time:
    key_material = Argon2(PIN) XOR KEY_ENCRYPTION_SECRET
    active_key = AES-256-GCM.decrypt(encrypted_key, key_material)
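The double-key flow from the pseudocode above in runnable Node.js, showing that the stored row unlocks only when both the PIN and the server secret are present. This is an added example, not the project's own code: it assumes scrypt in place of Argon2 so that only Node's built-in crypto is needed, and the salts, nonce handling, function names and sample values are assumptions made for illustration.

```javascript
// Added example. scrypt stands in for the page's Argon2 so it runs on Node's built-in crypto.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv, timingSafeEqual } = require('node:crypto');

// Hypothetical KDF wrapper: salts and cost parameters are assumptions, not from the page.
const kdf = (pin, salt) => scryptSync(pin, salt, 32, { N: 2 ** 14, r: 8, p: 1 });

// Byte-wise XOR of two 32-byte buffers: KDF(PIN) XOR KEY_ENCRYPTION_SECRET.
function xor(a, b) {
  if (a.length !== b.length) throw new Error('length mismatch');
  const out = Buffer.alloc(a.length);
  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// PIN setup: returns the database row. Neither the PIN nor key_material is stored.
function setupPin(pin, activeKey, serverSecret) {
  const verifySalt = randomBytes(16);
  const keySalt = randomBytes(16); // distinct salt, so the stored hash is not the encryption key half
  const nonce = randomBytes(12);   // fresh 96-bit GCM nonce per encryption
  const cipher = createCipheriv('aes-256-gcm', xor(kdf(pin, keySalt), serverSecret), nonce);
  const ct = Buffer.concat([cipher.update(activeKey, 'utf8'), cipher.final()]);
  return { verifySalt, pinHash: kdf(pin, verifySalt), keySalt, nonce, ct, tag: cipher.getAuthTag() };
}

// PIN check against the stored hash, compared in constant time.
function verifyPin(pin, row) {
  return timingSafeEqual(kdf(pin, row.verifySalt), row.pinHash);
}

// Transaction time: returns the active key, or null when the GCM tag does not verify.
function unlock(pin, row, serverSecret) {
  const key = xor(kdf(pin, row.keySalt), serverSecret);
  const decipher = createDecipheriv('aes-256-gcm', key, row.nonce);
  decipher.setAuthTag(row.tag);
  try {
    return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // wrong PIN or wrong server secret
  }
}

// Constructed sample values, not real keys.
const SERVER_SECRET = randomBytes(32);
const ROW = setupPin('4921', 'constructed-active-key', SERVER_SECRET);
console.log(unlock('4921', ROW, SERVER_SECRET));    // right PIN and server secret
console.log(unlock('0000', ROW, SERVER_SECRET));    // wrong PIN
console.log(unlock('4921', ROW, Buffer.alloc(32))); // database row without the server secret
```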
§9.4
What We Hold
Yer encrypted active key (plumb useless in isolation), yer HIVE and WAGE balance rows, yer NFT ownership records, and the Argon2 hash of yer PIN. Nothin' else, partner.
§9.5
What We Don't Hold
Yer plain PIN. Yer decrypted active key. Yer seed phrase. Yer email password. Anythin' that'd let us up and move yer funds on our own. We couldn't if we wanted to.
§9.6
RNG Fairness
Every mint RNG roll uses a server-seeded PRNG; the seed gits saved ta the MintEvent row. Any auditor kin replay the roll from the seed and verify the outcome matches what was recorded. Ain't no funny business.
§9.7
PIN Lockout
Three consecutive failed PIN attempts locks the account fer fifteen minutes. The counter resets on successful entry. This here's the primary defense against brute-force attacks, cousin.
§9.8
No PIN Recovery
Ain't no PIN recovery. If y'all lose yer PIN, yer in-game HIVE balance and all stakin' NFTs are permanently unreachable. Write yer PIN down. Store it somewhere y'all'll find it again. Mama's tellin' ya.