Security model
Zyper AIO’s security model is built on three pillars:
- DPAPI seals sensitive state at rest.
- Ed25519 signatures protect the update pipeline.
- HWID binding ties license keys to one PC at a time.
At rest
Four files in %LOCALAPPDATA%\zyper-suite\data\ are sealed with Windows DPAPI:
- wallets.dat
- rpc.dat
- proxies.dat
- accounts.dat
DPAPI is OS-native and uses a key derived from your Windows account. Decrypting requires the same user on the same Windows install on the same machine. There’s no master password (and no UI to add one — that’s by design).
Files not sealed: tasks.json (task configs), license.json (key + HWID),
the NFT caches, flashbots.key. These don’t contain wallet keys or
authentication tokens.
In transit
All app ↔ license.zyper.app traffic is HTTPS with the certificate chain
checked by Windows’ system trust store.
RPC traffic to your pinned endpoints is HTTPS-only (the app refuses
http:// URLs on adds). Same for proxy URLs.
Update pipeline
Every release is signed twice:
- The binary is Ed25519-signed.
- The manifest is Ed25519-signed over canonical JSON bytes.
The public key is hardcoded in the desktop binary. The updater verifies both signatures before applying any update. Failure to verify → refuse to apply, log the failure.
This guards against:
- Bucket compromise swapping in a malicious binary — binary sig catches.
- Rollback attack swapping in a manifest pointing at an old vulnerable binary — manifest sig catches.
Update tarball details: see Updates & versioning.
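The double check described above, as an added Go example that is not Zyper's own code. It assumes "canonical JSON" means sorted keys with no whitespace, which this page does not specify; the key pair, manifest fields and function names are constructed for illustration.

```go
// Added example, not Zyper's code. The canonical form used here (sorted keys,
// compact output from encoding/json) is an assumption; the page does not define it.
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// canonicalJSON re-encodes a JSON object with sorted keys and no whitespace,
// so signer and verifier operate on identical bytes.
func canonicalJSON(raw []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep numbers as written instead of rounding via float64
	var obj map[string]interface{}
	if err := dec.Decode(&obj); err != nil {
		return nil, err
	}
	return json.Marshal(obj) // encoding/json emits map keys in sorted order
}

// verifyUpdate fails closed: both signatures must verify under the pinned key.
func verifyUpdate(pub ed25519.PublicKey, manifest, manifestSig, binary, binarySig []byte) error {
	canon, err := canonicalJSON(manifest)
	if err != nil {
		return fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	if !ed25519.Verify(pub, canon, manifestSig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if !ed25519.Verify(pub, binary, binarySig) {
		return errors.New("binary signature invalid: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key pair
	manifest := []byte(`{"version":"1.2.3","file":"app.exe"}`) // constructed sample
	binary := []byte("constructed binary bytes")
	canon, _ := canonicalJSON(manifest)
	mSig, bSig := ed25519.Sign(priv, canon), ed25519.Sign(priv, binary)
	fmt.Println("genuine:", verifyUpdate(pub, manifest, mSig, binary, bSig))
	fmt.Println("swapped binary:", verifyUpdate(pub, manifest, mSig, []byte("evil"), bSig))
}
```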
License + HWID
Activation binds your license key to a hash of your machine’s hardware. The binding is enforced atomically server-side — there’s no “check then write” race window (SEC-2 fix).
The HWID hash itself isn’t reversibly identifying — it’s a derived value from several hardware fingerprints, not raw serial numbers.
Switching machines? Use Reset machine at license.zyper.app.
Telemetry
Anonymous contract-interaction events are sent to the license worker for aggregate stats (which contracts the community is firing on, basically). The endpoint requires a valid license + HWID auth pair (SEC-3 fix), so random callers can’t spam it.
No wallet keys, no tokens, no personally identifying information are sent.
Source of truth: internal/telemetry/ in the codebase.
What this design does NOT protect against
- A compromised Windows user account. If an attacker has admin access on your PC under your user, they can drive the app and read DPAPI-sealed files the same way you can.
- Keyloggers, screen capture, OS-level malware. Standard endpoint-security threats. Use a clean OS install if you’re going to hold meaningful funds.
- Phishing license keys. Your license key is your only credential. Don’t paste it anywhere except the desktop’s License Gate or the dashboard at license.zyper.app.
Reporting issues
Found a security bug? Please report privately. Discord DM the team rather than posting in a public channel. We respond to coordinated disclosure and will credit you on release notes if you’d like.