Vault - Uncompromising Asset Security and Account Abstraction

Project Name: Vault
Project Track: Builder
Team Name: Vault
Project Website: https://tronvault.net/
Video Submission: https://youtu.be/TAwOC8HEnBU
Team Member(s): @otta @machineboy @mazko @mbng
DevPost Project Link: Vault | Devpost

Project Goal:

• Recover Lost or Stolen Assets Securely
• Integrate Web2 APIs into Web3 Gaslessly
• Build Custom Security into Any Smart Contract

As blockchain ecosystems expand rapidly, with chains like Tron and BitTorrent experiencing significant growth in Total Value Locked (TVL) and user adoption, the need for sophisticated asset security becomes critical. Vault aims to revolutionize asset protection, offering a unique solution that goes beyond traditional smart contract wallets.

Our protocol introduces a groundbreaking approach to asset security, leveraging advanced technologies such as custom Web2/Web3 Multi-Factor Authentication (MFA), Zero-Knowledge Proofs (ZKPs), and Account Abstraction. What sets Vault apart is its innovative “vaulting” mechanism:

1. Asset Vaulting: Users can secure their original tokens within Vault’s smart contract, receiving mirrored assets at a 1:1 ratio. These mirrored assets can be freely used across Web3 applications while the originals remain safely locked away.
2. Customizable Security Layers: Vault allows users to implement time-based or MFA-based locks on their assets, providing unprecedented control over asset transferability.
3. Trustless Asset Recovery System: In case of wallet compromise or loss, Vault enables full asset recovery through its completely trustless account abstraction system, a feature unmatched in the current blockchain security landscape.

Furthermore, Vault integrates a demonstration of our unique solution to the Oracle Problem (trustless, decentralized off-chain computation) prevalent on many chains, including Tron and BitTorrent, through an innovative approach:

4. Web2 API Integration: We have developed a pattern that enables any Web3 application, including Vault, to securely leverage Web2 APIs for enhanced security measures. This is achieved through a gasless, secure, and reliable method using EIP-191 signatures, opening up new possibilities for blockchain security across all networks.

Project Value:

As the crypto space evolves, so do the sophisticated tactics of attackers exploiting vulnerabilities to steal valuable assets. Our team has experienced this threat firsthand, with one team member nearly losing tens of thousands of dollars in an elaborate keyboard clipper attack. Had Vault been available, these assets could have been easily recovered, demonstrating the critical need for our solution across all blockchain ecosystems.

Vault’s unique value lies in its comprehensive approach to asset security, recovery, and innovative use of Web2 technologies in the blockchain space:

1. Unparalleled, Customizable Asset Protection: Vault’s vaulting mechanism provides a level of security that goes beyond simple wallet or smart contract protection. By securing original assets and issuing mirrored tokens, Vault creates a unique safety net for users’ valuable holdings.
2. Revolutionary Recovery System: Unlike traditional wallets or security solutions, Vault allows users to recover their assets even if their wallet is completely compromised or lost – a feature that could potentially save users millions in assets, as demonstrated by our team member’s experience.
3. Adaptive Security Measures: The ability to implement custom time-based and/or any number of custom MFA-based locks on assets provides users with flexible, situation-specific security options not available in other solutions.
   
   

   960×540 53 KB
4. Bridging Web2 and Web3: Our innovative protocol for integrating Web2 APIs opens up a new realm of security possibilities. Any Web3 protocol can now leverage the much more fleshed out Web2 world in a gasless and trustless manner, enhancing the overall robustness of blockchain applications.
5. Plug-and-Play: Vault can be integrated into ANY new smart contract or DeFi application to enable CUSTOM security logic and to protect assets in a custom manner within newly developed protocols.
6. Chain-Agnostic Solution: While particularly beneficial for rapidly growing chains like Tron and BitTorrent that may lack advanced oracle services, Vault’s solution is designed to work across all blockchain networks, providing universal asset protection.

As blockchain adoption accelerates and networks like Tron and BitTorrent see skyrocketing TVL, Vault offers a timely and essential solution that redefines asset security. By introducing these unique features and bridging the gap between Web2 and Web3 security measures, Vault not only protects individual assets but also contributes to the overall stability and trustworthiness of the entire blockchain ecosystem. More security and recovery, especially if it is customizable, is extremely appealing to users and institutions. it can drop the percentage of assets stolen, lost and not recovered by a significant fraction and introduce traditionally apprehensive users such as banks.

Our market strategy will target both Web3 and Web2 sectors. In the Web3 space, we’ll partner with and integrate into DeFi, trading, and staking protocols, offering customizable security solutions to enhance their platforms. Simultaneously, we’ll collaborate with Web2 MFA providers and traditional sectors like banking and government, implementing blockchain-powered solutions for smart cities, digital identity verification, immutable public audits, and Sybil-resistant voting systems. This dual approach positions Vault as a comprehensive security solution bridging Web3 and Web2, facilitating broader blockchain adoption while providing bank-grade security across diverse sectors.

Project Info:
Video Submission: https://youtu.be/TAwOC8HEnBU

Project Website: https://tronvault.net

Socials: x.com

Project Test Instructions:

BitTorrent testnet wallet details: Network Details | Bittorrent-Chain Docs
BitTorrent block explorer: https://testnet.bttcscan.com/
BitTorrent testnet faucet: BTTC Faucet

Our current dApp User Guide: Vault_Testing_Instructions.pdf (1.7 MB)

Project Details:

Our dApp offers the following innovative features, all designed to be trustless, secure, and gasless where relevant:

• Vault: Securely store your tokens or NFTs within the Vault core smart contract. Users receive mirrored assets at a 1:1 rate, usable anywhere in Web3 (e.g., staking, DeFi, trading), while the original assets remain safely vaulted.
• Customizable Security Layers: Users can apply any combination of time-based locks and Multi-Factor Authentication (MFA) to their vaulted assets:
  • Time Lock: Set a specific date and time for when the asset becomes transferrable.
  • Custom MFA: Configure a customizable sequence of authentication steps required to access the asset.
• Unvault: Retrieving vaulted assets requires completing all applied security layers and exchanging the mirrored assets. This process is entirely trustless and secure.
• Lock: An optional additional security layer that completely disables outgoing transfers until unlocked. Unlocking requires satisfying the customized combination of time and MFA conditions set by the user.
• 

  968×783 69.1 KB
• Asset Recovery: In case of wallet compromise or loss, users can recover vaulted assets to a new, secure wallet using our account abstraction system. This process is completely trustless and secure, leveraging zero-knowledge proofs.
• Future-Proof Design: We will be implementing gasless cross-chain account abstraction between the Tron and BitTorrent chains in the future. Plans include an asset/vaulted asset bridge for common assets like native chain assets and stablecoins. Asset recovery will also be cross-chain and instantaneous.
• Flexible MFA Integration:
  • Web2 API-Based Providers: Any Web2 service can become an MFA provider by implementing a simple API endpoint. This endpoint processes custom payloads and generates EIP-191 signatures to verify MFA completion. Providers only need to deploy an instance of ExternalSignerMFA (specifying the public verification key of the signing key they will be using for EIP-191 signatures), and specify their ExternalSignerMFA address and API URL in the Vault core smart contract.
  • Technical Implementation for Web2 API MFA Provider:
    • Create API endpoint accepting: POST {username, requestId, payload, timestamp}
    • Implement custom verification logic
    • If valid, create EIP-191 signature of: “{username}-{requestId}-{unixTimestamp}”
    • Return: {message, msg_hash, v, r, s}
    • Deploy ExternalSignerMFA with public key matching private signing key
    • Register provider in Vault core contract
  • Custom Web3 Providers: Easily integrate any Web3-based MFA solution by implementing the IMFAProvider interface. As an example, we implemented VaultMFA, which uses zero-knowledge proofs to verify single-use per-vaulting/per-unlocking passwords without revealing sensitive information and does so completely trustlessly and on-chain. Users specify these passwords when locking/vaulting their tokens.
  • Technical Implementation for Web3 MFA Provider:
    • Implement IMFAProvider interface
    • Define getMFAData(username, requestId) returning {success: bool, timestamp: uint256}
      • success: whether MFA was completed successfully
      • timestamp: when MFA was completed (for expiry checks)
    • Implement getMFAType() returning provider name
    • Deploy contract
    • Register provider in VaultCore contract
  • Please note that the above allows for any custom combination of arbitrarily complex Web2/Web3 verification logic.
  • 

    1104×778 74.4 KB
  • All features of the Vault protocol can be easily integrated into any new smart contract or DeFi protocol for custom security logic of all token operations. They become fully accessible upon importing the simple IVaultCore interface and specifying our VaultCore contract address.
  • We have developed a first-of-its-kind pattern to both protect and recover assets with account abstraction, the capability to leverage web2 in any web3 protocol, and the ability to leverage all our functionality with two lines of code. In practice, the Tron and BTT ecosystems and the dApps they are home to will have the ability to build more secure cross-chain bridging and cross-chain DEX operations with asset translation and quotes while still being protected by our account abstraction and recovery system.

This flexible architecture allows for the seamless integration of diverse security measures, ensuring that Vault remains at the forefront of blockchain asset protection. Additionally, the team took painstaking care to ensure the user experience was always held to a high standard. We developed an intuitive interface and went through countless design iterations on Figma and hours testing user flows to ensure the dApp would be easy to use. You can find our style guide linked below as a testament to that.

vault_design-guide.pdf (4.5 MB)

Smart Contract links:

Please browse on BTTC testnet explorer (https://testnet.bttcscan.com/)

• Groth16Verifier - 0xf401a231ebf18c5c68C7B822F097834E42B9c793
• MFAManager - 0xB9A979BcC82F93ff969EFa5B3e5B2EfE9654c19d
• VaultCore - 0xb6eA1AC42c3efff1b81b20EA797CA2a9148606fB
• VaultMFA - 0x97A7bF2a7E0A60Eca62801464351cC8a6cF525Be
• ExternalSignerMFA - 0x079800318903E71032321b094f9b86864Ac195E7
• ExternalSignerMFA - 0x96E41B93411bC5335DC0bA02e32A5f3Dbc85a691
• ExternalSignerMFA - 0xE4CfcAC1A829bd9f83F7D66F138B64b150F79bce
• TokenDataRetriever - 0x4A8829650B47fA716fdd774956e1418c05284e27

Project Milestones:

• Design Pattern for Generic Web2 API Support
• Implement UX design flows
• Build & Test Implementation
• Deploy Solution to testnet
• Deploy site to domain
• User Guide
• Finalize dApp uplift
• Pitch Deck
• Demo Video
• Deploy Solution to mainnet

Future Milestones

• Cross-chain Account Abstraction and recovery
• Vaulted stable-coin and native asset bridging across chains
• Integrate DAO, enhanced tokenomics. Implement quadratic voting and Sybil resistance measures
• Integration of DEX capabilities for vaulted assets, including cross-chain bridging/asset translation with quotes
• Eventually we aim for MFA providers to be able to charge custom prices for operations of certain MFA provider logic - allowing new users and MFA providers to earn

Testing and need developer support?

If you are testing and encounter any issues, please feel free to join our Telegram group linked below, and we can help you work through any issues.

Welcome to the Hackathon of season 7, I have take my time to read everything that you have write, I am seeing that the focus here is the asset security, please tell me will there be any fee that is associated with the vault assets, thank you

Welcome to season 7 of Hackathon
Without doubt your project is amazing
I have gone through your project project and I understand that vault addresses a pressing concern in the Blockchain space, protecting users from complex attack and assets loss.
But I will like more clarity on the zero knowledge proof implementation and it’s reward.

Welcome to Hackathon Season 7, this is really an ambitious and comprehensive approach to asset security and account abstraction. While the Web2 integration adds value, it could introduce centralization risks if the Web2 services go down or experience disruptions, how do you plan to mitigate potential points of failure arising from Web2 dependencies?

How does Vault’s trustless asset recovery system function, and what technologies are utilized to ensure it remains secure and efficient?

Hello.

When users vault or lock tokens, they are charged 1 VAULT token per MFA factor. Additionally, users will be charged gas/energy for the smart contract calls.

On registration to the testnet prototype, users will automatically be airdropped 10,000 VAULT tokens. We are currently investigating various tokenomics strategies prior to the mainnet launch . For now, the VAULT tokens are recirculated back to the smart contract/treasury for further airdrops and we have a supply of 10B tokens.

In the future, once we refine our dApp, we will recalibrate how much is airdropped to users and when and envision something along these lines:

function distributeFees(uint256 fee) public {
    uint256 devFund = fee * 20 / 100; // 20% to development fund
    uint256 stakingRewards = fee * 30 / 100; // 30% to staking rewards
    uint256 mfaProviders = fee * 20 / 100; // 20% to MFA providers
    uint256 governanceTreasury = fee * 15 / 100; // 15% to governance
    uint256 buybackAndBurn = fee * 15 / 100; // 15% for buyback and burn

    // Transfer to respective addresses or contracts
    _transfer(address(this), devFundAddress, devFund);
    _transfer(address(this), stakingRewardsContract, stakingRewards);
    _transfer(address(this), mfaProvidersContract, mfaProviders);
    _transfer(address(this), governanceTreasuryAddress, governanceTreasury);
    _transfer(address(this), buybackContract, buybackAndBurn);
}

Hello. Thank you for your kind words.

So as not to make assumptions regarding any potential reader’s level of familiarity with Zero Knowledge Proofs, let us preface the response with one of the best primers on zero knowledge proofs we have seen on the internet: https://chain.link/education/zero-knowledge-proof-zkp

The Zero Knowledge Proof aspect does not have an inherent associated reward with it, but it does aim to serve as a trustless and fully on-chain verification system of passwords associated with the account username or an ephemeral token vaulting/locking operation. The primary advantage of this is that there is no trust required in the developers of the protocol, on off-chain servers to be up, etc.

Lets examine how it works (with a few minor simplifications for brevity):

• When a user registers their account with the system, they supply an account password, however, the account password itself is not what is stored in the smart contract as that would be rather insecure. Instead, our dApp converts a user’s account password into a cryptographic hash compatible with Zero Knowledge Proofs https://blog.chain.link/what-is-cryptographic-truth/#hash_functions.
• At this time, during registration, as part of our Account Abstraction (AA) system, the username becomes binded to the user’s account address that was used to register.
• Should the user wish to recover their vaulted assets in the future in case access to their original wallet is lost or it is hacked, they may utilize our Account Abstraction (AA) system whereby they supply, via our dApp, proof that they have knowledge of their account username and password. Fundamentally, this proof is checked entirely via mathematics and there is no reliance on any server or on us to do this. If the Zero Knowledge Proof that is calculated via our dApp checks out in the smart contract, all the mirrored assets are redirected to the new wallet address the user used and the username becomes rebinded to the new wallet address.
• The same logic is applied with our example Web3 MFA provider, VaultMFA - except on an ephemeral (one-time) basis. Users are able to supply a one-time unvaulting/unlocking password when they are vaulting/locking and the same password will be required to access the tokens as the one that was set during vaulting/locking.

Hello. Thank you for your interest.

The most critical technology leveraged is Zero Knowledge Proofs. Please view this reply as we have outlined how they are integrated: https://forum.trondao.org/t/vault-uncompromising-asset-security-and-account-abstraction/27254/7

With regards to keeping things secure and efficient - this is slightly technical, however zero knowledge proofs have traditionally been hindered with input size and may be slow and/or costly without some optimizations. The invention of new cryptographic hashes such as the Poseidon, Pederson, and MiMC7 hashes have allowed what is known as “SNARK” zero knowledge proofs to be very efficient and fast. We have faced numerous challenges in allowing our Zero Knowledge Proof circuit implementations to be accessible in our fully serverless (as there is no reliance or trust in any server to be honest) frontend as these hashes are a relatively new and not very accessible frontier; however, we have managed to expose them via WASM to our frontend through this Go implementation to calculate the Poseidon hash of some given input:

package main

import (
	"math/big"
	"syscall/js"
	"github.com/iden3/go-iden3-crypto/poseidon"
)

func hash(this js.Value, inputs []js.Value) interface{} {
	nums := make([]*big.Int, len(inputs))
	for i, input := range inputs {
		nums[i] = new(big.Int)
		_, ok := nums[i].SetString(input.String(), 10)
		if !ok {
			return nil // or handle error
		}
	}

	// Call the poseidon.Hash function with the slice of *big.Int values
	result, err := poseidon.Hash(nums)
	if err != nil {
		return nil // or handle error
	}

	return result.String()
}

func registerCallbacks() {
	js.Global().Set("hash", js.FuncOf(hash))
}

func main() {
	c := make(chan struct{}, 0)
	registerCallbacks()
	<-c
}

Our circuits were written in circom and compiled with snarkjs, however calculating the proof with snarkjs and then supplying it as an argument to our frontend via web3.js proved challenging as well:

function resetUsernameAddress(
    string memory _username,
    address _newUserAddress,
    uint256 _passwordHash,
    uint256 _timestamp,
    ProofParameters calldata _params
)

For example, in the above Solidity function signature, to supply our proof, we have had to create a new Solidity struct called ProofParameters

struct ProofParameters {
    uint256 pA0;
    uint256 pA1;
    uint256 pB00;
    uint256 pB01;
    uint256 pB10;
    uint256 pB11;
    uint256 pC0;
    uint256 pC1;
    uint256 pubSignals0;
    uint256 pubSignals1;
}

which allowed us to pass the calculated proof for the Solidity verifier contract compiled by snarkjs and deployed by us as a flat array instead of a nested array so that it would play nicely with web3.js. The pubSignal fields above are where the poseidon hashes calculated by the WASM on the user’s frontend would be supplied. They form part of the proof calculation and the proof itself.

@machineboy
Thanks for your explanation,you have enlightened me more about your project
I eagerly anticipate your project continued growths and success.
Thumbs up buddy

Hello.

In our current implementation, all configured MFA providers, including Web2 services, are required to successfully authenticate for asset unlocking. We acknowledge this introduces a potential point of failure if a Web2 provider experiences downtime or other issues.

We want to emphasize a few key points:

• We’re acutely aware of the risks associated with relying on Web2 services in a blockchain context. We can’t guarantee the behavior or availability of these external providers.
• This is precisely why we’ve developed fully on-chain alternatives like our VaultMFA , which uses zero-knowledge proofs. These on-chain solutions offer a trustless, always-available option that isn’t subject to the same risks as Web2 providers. Our architecture is also very flexible, in the sense that anyone can create full on-chain providers of their own should they wish to.
• We plan to clearly communicate these risks to users, encouraging them to include at least one on-chain MFA provider in their security setup to mitigate potential Web2 service failures.
• Our current implementation requires all providers to authenticate. However, our roadmap, and perhaps the mainnet release, includes developing more flexible authentication schemes, such as allowing users to specify a subset of required providers for unlocking (e.g., any 2 out of 3 configured providers) as a fallback mechanism. Our system’s modular architecture allows for easy integration of new, more resilient MFA providers as they become available, without needing to overhaul the entire system.

Good day Team Vault.
Recalled you from last session. S6 welcome to S7 and all the best.

Thank you all for the warm welcome and kind words @Gordian @Okorie @mahreenzahoor384 @manfred_jr @ines_valerie

Our team is looking forward to adding the website and testing details for the dApp soon. Stay tuned!

Greetings team vault and welcome to Tron Hackathon season 7. Am impressed with what you are building and happy with the milestone achieved so far by your project. I have few questions that needs clarity.

1. Why is Vault critical for the evolving blockchain ecosystem’s stability and trustworthiness?
2. What benefits does Vault’s chain-agnostic approach provide for emerging blockchain networks like Tron and BitTorrent?

Welcome to Grand hackathon S7
Am marveled by this great solution but still needs detailed explanation how this vaults works, do I need any fee structure or subscription to get it activated? Is it coming as an app where one can download and get activated?

Hello.

With regards to fees, please consult this response: https://forum.trondao.org/t/vault-uncompromising-asset-security-and-account-abstraction/27254/6 (You will be airdropped 10000 VAULT tokens on registration automatically for testing and experimenting with our protocol).

With regards to how the vaulting operations work from a technical perspective, assuming that is what you meant, at a high level we describe it in our post, however for a deeply technical overview we will shortly publish the smart contracts for everyone’s perusal and will be happy to elaborate on them further for those inquiring. We will also be adding higher level diagrams to explain how vaulting/locking/the smart contracts work at an intuitive level shortly.

With regards to trying out the project, we have just gone live on https://tronvault.net - our project’s URL. Please feel free to try it out. In order to access it you can use your browser on a computer or a mobile web browser that supports an embedded wallet such as Brave browser or Metamask browser. In order to begin, you will have to add the BitTorrent testnet to your wallet and get some coins from the testnet faucet we have linked in our forum and register on our website. It will automatically switch you to that network and add the testnet to your wallet if you do not already have it, however you would still need to get some coins from the faucet. As described in our response regarding fees, on registration users are airdropped an ample amount of coins they can use to test out operations on our platform automatically.

Additionally, we will very shortly publish a user guide and our pitch video which will hopefully clarify everything. We took great care in making our UI/UX highly accessibly and extremely intuitive as well, so should you try it out for yourself on our dApp right now, we hope that you will not run into any obstacles or confusions.

Hello. Thank you for your interest and your kind words.

Our project is critical for the evolving blockchain ecosystem’s stability and trustworthiness because it addresses key security challenges that have hindered widespread adoption. Vault’s innovative “vaulting” mechanism, coupled with customizable security layers and a trustless recovery system, significantly reduces the risk of asset loss due to hacks or theft. By bridging Web2 and Web3 security measures, we’re enhancing the overall robustness of blockchain applications. This comprehensive approach not only protects individual assets but also contributes to the ecosystem’s stability by increasing user confidence and encouraging broader adoption.

Regarding the benefits of Vault’s chain-agnostic approach for emerging networks like Tron and BitTorrent, our solution offers several advantages. Firstly, it provides immediate access to advanced asset protection features, enhancing these networks’ appeal to users and developers. Our novel approach to the Oracle Problem is particularly valuable for emerging chains that may lack advanced oracle services. By offering sophisticated security features, Vault can help attract more users and developers to these networks, potentially accelerating their growth and increasing Total Value Locked (TVL). Furthermore, our chain-agnostic design facilitates safer cross-chain interactions and future-proofs the solution, ensuring that Vault’s security benefits can extend to new networks as they emerge. This contributes to the overall interoperability and long-term value of the entire blockchain ecosystem.

Welcome to the hackathon season 7
I like the area your project is aiming to provide solutions to because it has become a common practice in crypto for users to be sustaining some degrees of attacks. Your solutions to asset recovery in times of scam attacks will make you a crucial safeguard for many blockchain users and enthusiast. I have this question for you

In facilitating asset recovery for victims of crypto scam, how do you ensure that the recovery process is user-friendly, especially for users who may not have technical expertise in blockchain?

You say that all the users are charged 1 vault, please tell me will this cost be changed over time, thank God

I will stay tune and wait, thank you

Welcome back team, you were here last season right? For me, I did not see any update until now… How is it going, hope you launched on the Mainnet last season? Are you growing in terms of users?