Security
How Senddy keeps your funds and data safe.
Architecture
Senddy is designed as a non-custodial system. Your funds are held in audited smart contracts — not in a company bank account. No one at Senddy can move, freeze, or access your money.
Smart contract security
- Audited by independent security researchers
- Upgradeable with timelocks — critical changes require a delay period
- Access-controlled — admin functions are restricted to authorized roles
- Open source — all contract code is publicly verifiable
Zero-knowledge proofs
- Proofs are generated on your device — no server ever sees your transaction details
- The proving system (UltraHonk) is based on well-studied cryptographic primitives and uses a universal trusted setup
- Circuits are written in Noir and have been reviewed for correctness
Attestor security
- Runs in a hardware-isolated trusted execution environment (TEE) — isolated from the host, no persistent storage, no shell access
- Signing key managed by a hardware security module (HSM) with an enclave-restricted key policy
- The attestor can only verify proofs — it cannot access funds or user data
- Enclave measurements are publicly verifiable
Key management
- Your spend key is derived from an EIP-712 signature and never leaves your device
- Your view key allows read access but cannot spend funds
- No seed phrases — keys are deterministically derived from your wallet signature
What data does Senddy collect?
| Data | Stored by Senddy? | Details |
|---|---|---|
| Email address | Optional | Only if you sign in with email |
| Username | Yes | Public, chosen by you |
| Transaction history | No | Encrypted on-chain, only you can decrypt |
| Balance | No | Computed client-side from encrypted notes |
| IP address | Temporarily | Standard server logs, not linked to activity |
| On-chain activity | No | ZK proofs ensure transaction details are hidden |
What risks exist?
Smart contract risk
If a critical vulnerability is found in the pool contract, funds could potentially be at risk. This risk is mitigated by audits, bug bounties, and the upgrade mechanism.
Attestor compromise
If the attestor is compromised, invalid proofs could theoretically be attested. However, the smart contract maintains additional invariants (nullifier uniqueness, Merkle root validity, value conservation) that prevent the most dangerous attacks even in this scenario.
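The following is an added illustration, not Senddy's own contract code: a toy model of the three contract-level invariants named above, applied after the attestor's verdict, showing why an attestation alone is not enough to move funds. All names, fields and sample values are constructed for the example.

```python
# Added toy model (not Senddy's code) of the pool checks that still hold
# when the attestor is compromised: nullifier uniqueness, Merkle root
# validity and value conservation. Structure and field names are assumed.
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class Tx:
    nullifiers: List[bytes]   # one nullifier per note being spent
    root: bytes               # Merkle root the proof was built against
    value_in: int             # public sum claimed for the spent notes
    value_out: int            # public sum of new notes / withdrawal
    fee: int
    attested: bool            # True = attestor signed "proof verified"

@dataclass
class Pool:
    recent_roots: Set[bytes]                   # roots this pool has produced
    spent: Set[bytes] = field(default_factory=set)

    def accept(self, tx: Tx) -> str:
        # The attestation is necessary but not sufficient.
        if not tx.attested:
            return "rejected: no attestation"
        # Merkle root validity: the proof must reference a root the pool made.
        if tx.root not in self.recent_roots:
            return "rejected: unknown root"
        # Nullifier uniqueness: a note is spent at most once, ever.
        if len(set(tx.nullifiers)) != len(tx.nullifiers):
            return "rejected: duplicate nullifier in tx"
        if any(n in self.spent for n in tx.nullifiers):
            return "rejected: nullifier already spent"
        # Value conservation: nothing is created or destroyed in the pool.
        if tx.value_in != tx.value_out + tx.fee:
            return "rejected: value not conserved"
        self.spent.update(tx.nullifiers)
        return "accepted"

def demo() -> List[str]:
    """Constructed scenario: an attestor that signs everything it is given."""
    root = b"root-1"
    pool = Pool(recent_roots={root})
    good = Tx([b"n1"], root, 100, 99, 1, attested=True)
    replay = Tx([b"n1"], root, 100, 99, 1, attested=True)            # same nullifier
    bad_root = Tx([b"n2"], b"root-x", 100, 99, 1, attested=True)     # root never produced
    inflate = Tx([b"n3"], root, 100, 150, 1, attested=True)          # creates value
    return [pool.accept(t) for t in (good, replay, bad_root, inflate)]
```

Only the first transaction is accepted; the replay, the foreign root and the inflating transfer are all refused by the contract even though each carries a valid-looking attestation.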
Regulatory risk
Privacy-preserving financial technology operates in an evolving regulatory landscape. Senddy takes a proactive, layered approach to compliance:
- Deposit screening — All deposits are checked against the Chainalysis sanctions oracle, blocking OFAC-sanctioned addresses at the contract level
- Association proofs — Users can voluntarily prove their funds trace back to approved deposit sources using zero-knowledge proofs, without revealing transaction details
- View key sharing — Users can grant read-only access to auditors without giving up control of funds
See Compliance for full details.
Bug bounty
We maintain a bug bounty program for responsible disclosure of security vulnerabilities. If you discover a security issue, please contact:
We take all reports seriously and will work with you to resolve issues promptly.