
Threat Model

Known attack surfaces and mitigations for the Ghost Protocol.

Commitment grinding

Threat: An attacker precomputes commitments to find one that matches a target.

Mitigation: The blinding factor adds entropy. With a random 31-byte blinding factor, the search space is ~2^248, making grinding infeasible.

Double-reveal

Threat: An attacker reveals the same commitment twice to mint tokens.

Mitigation: The NullifierRegistry tracks spent nullifiers. Each commitment produces a unique nullifier via Poseidon2(nullifierSecret, leafIndex). A second reveal with the same nullifier is rejected.

Supply inflation

Threat: A malicious contract mints more tokens than were burned.

Mitigation:

  1. Only governance-authorized contracts can call the Ghostmint precompile
  2. The PreCommit ABCI hook verifies totalMinted - totalBurned <= 1B GHOST on every block
  3. The NativeAssetHandler restricts callers to the CommitRevealVault
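The double-reveal and supply-inflation mitigations above, as an added Go model that is not the Ghost Protocol's own code: a nullifier registry that rejects a replayed nullifier before touching state, and a PreCommit-style invariant check. Poseidon2 is replaced by SHA-256 over a hypothetical domain tag so the example runs with the standard library only; the cap and amounts are constructed values.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

var ErrDoubleReveal = errors.New("nullifier already spent")
var ErrSupplyInflation = errors.New("totalMinted - totalBurned exceeds the supply cap")
// Nullifier stands in for Poseidon2(nullifierSecret, leafIndex); SHA-256 over a constructed
// domain tag, the secret and the big-endian leaf index is substituted so it runs offline.
func Nullifier(nullifierSecret [32]byte, leafIndex uint64) [32]byte {
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], leafIndex)
	msg := append([]byte("ghost-example-nullifier"), nullifierSecret[:]...) // hypothetical tag
	return sha256.Sum256(append(msg, idx[:]...))
}

// Registry models the NullifierRegistry plus the counters the PreCommit hook checks.
type Registry struct {
	spent                    map[[32]byte]bool
	totalMinted, totalBurned uint64
	supplyCap                uint64
}

func NewRegistry(supplyCap uint64) *Registry {
	return &Registry{spent: map[[32]byte]bool{}, supplyCap: supplyCap}
}
// Burn records tokens locked into the vault; the invariant lets that much be minted back.
func (r *Registry) Burn(amount uint64) { r.totalBurned += amount }
// Reveal mints amount against a proof's nullifier. A nullifier seen before is rejected
// before any state changes, so a replayed reveal cannot inflate totalMinted.
func (r *Registry) Reveal(n [32]byte, amount uint64) error {
	if r.spent[n] {
		return ErrDoubleReveal
	}
	r.spent[n] = true
	r.totalMinted += amount
	return nil
}

// PreCommitCheck is the per-block invariant, compared as an addition so it cannot underflow.
func (r *Registry) PreCommitCheck() error {
	if r.totalMinted > r.totalBurned+r.supplyCap {
		return ErrSupplyInflation
	}
	return nil
}
```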

Merkle root manipulation

Threat: A malicious root updater submits an incorrect root.

Mitigation: Root submission is restricted to authorized operator addresses. In addition, the on-chain contract verifies that each new root is consistent with the leaves that were inserted.

Proof forgery

Threat: An attacker creates a valid-looking proof without knowing the preimage.

Mitigation: Groth16 proofs are computationally sound — forging a proof requires breaking the discrete log problem on BN254 or the knowledge-of-exponent assumption. The verification key is hardcoded from the trusted setup.

Front-running

Threat: A miner/validator reorders transactions to front-run reveals.

Mitigation: Reveals are non-competitive — the nullifier and recipient are bound in the proof. Front-running a reveal only moves the gas cost to the attacker without gaining them any tokens.

Relayer trust

Threat: The relayer operator sees secret values submitted to the commitment and proof relayer APIs.

Mitigation: Use client-side proof generation (snarkjs in browser) for maximum privacy. The relayer APIs are convenience services, not required. The chain itself never receives plaintext secrets.

Quantum computing

Threat: Future quantum computers could break BN254/Groth16.

Mitigation: The commitment structure includes a quantumCommitment field for post-quantum resistance. This is a forward-compatible design — quantum-resistant proofs can be required via a protocol upgrade without re-committing.