Security Model

StacksPay’s security model focuses on protecting users from malicious payment requests while maintaining the simplicity and interoperability that makes the protocol valuable.

Core Security Principles

Explicit approval required: Users must explicitly approve every payment before it’s broadcast to the network.

Clear information display: Wallets must clearly show:

Recipient address
Amount being sent
Token type
Any additional fees
Smart contract being called (for mint operations)

2. Data Integrity

Bech32m checksums: Built-in error detection prevents data corruption during transmission.

Parameter validation: All input parameters must be validated for type, format, and reasonable bounds.

Encoding verification: Invalid or malformed URLs must be rejected with clear error messages.

3. Temporal Security

Expiration enforcement: Wallets MUST enforce expiresAt parameters to prevent replay attacks.

Time validation: Expired payment requests MUST be rejected.

Threat Model

Attack Vectors

1. Malicious Payment Requests

Threat: Attacker creates payment request with malicious parameters.

Mitigation:

Wallet validates all parameters
User reviews transaction details before approval
Clear display of recipient and amount
Warning for unusual or suspicious requests

Threat: Attacker tricks user into scanning malicious QR code or clicking malicious link.

Mitigation:

User education about verifying recipient addresses
Wallet warnings for unusual patterns
Clear transaction confirmation screens
Amount limits and velocity checks

3. Man-in-the-Middle Attacks

Threat: Attacker intercepts and modifies payment request during transmission.

Mitigation:

Bech32m checksums detect tampering
HTTPS for web-based sharing
Direct QR code scanning eliminates network transmission

4. Replay Attacks

Threat: Attacker reuses old payment request to trigger duplicate payments.

Mitigation:

Enforce expiresAt timestamps
Unique invoiceNumber tracking
Wallet transaction history checks

Out-of-Scope Threats

Wallet security: Private key management is the wallet’s responsibility
Network attacks: Stacks blockchain consensus security
Device security: Physical device compromise
Social engineering: Users voluntarily sharing private keys

Security Requirements

For Wallet Implementers

MUST Requirements

Parameter validation: All fields MUST be type-checked and length-checked
Expiration enforcement: Wallets MUST enforce expiresAt if present
User confirmation: Every payment MUST require explicit user approval
Clear display: Transaction details MUST be clearly shown to users
Error handling: Invalid requests MUST be rejected with clear error messages

SHOULD Requirements

Post-conditions: Wallets SHOULD add appropriate post-conditions limiting the transferred asset/amount
Suspicious activity detection: Wallets SHOULD warn users about unusual patterns
Amount validation: Wallets SHOULD validate amounts against reasonable bounds
Address validation: Wallets SHOULD verify recipient addresses are valid

MAY Requirements

Transaction limits: Wallets MAY implement per-transaction or daily limits
Whitelist/blacklist: Wallets MAY maintain lists of known good/bad addresses
Risk scoring: Wallets MAY implement risk analysis for payment requests

For Application Developers

MUST Requirements

Secure generation: Generate payment requests server-side when possible
Input validation: Validate all user inputs before creating payment requests
Expiration times: Set reasonable expiresAt values for time-sensitive requests
Error handling: Handle encoding/decoding errors gracefully

SHOULD Requirements

Fresh timestamps: Regenerate expiresAt for time-sensitive invoices
Unique references: Use unique invoiceNumber values
Secure storage: Store payment request templates securely
Audit logging: Log payment request generation and usage

Privacy Considerations

On-Chain Privacy

Memo field warning: Memo fields are stored on-chain and are publicly visible. Wallets MUST NOT write sensitive data to memo fields.

Transaction privacy: All Stacks transactions are public. Users should be aware that:

Transaction amounts are visible
Recipient addresses are visible
Transaction timing is visible
Smart contract interactions are visible

Off-Chain Privacy

URL sharing: Payment request URLs may be logged by:

Web servers
Messaging platforms
Analytics tools
Network infrastructure

QR codes: QR codes may be captured by:

Surveillance cameras
Screenshots
Photo sharing

Best Practices

For Users

Verify recipients: Always verify recipient addresses before sending payments
Check amounts: Carefully review payment amounts before confirming
Validate requests: Be suspicious of unexpected payment requests
Keep software updated: Use updated wallets with latest security patches
Secure devices: Keep devices secure and use device locks

For Merchants

Generate fresh requests: Create new payment requests for each transaction
Monitor expiration: Set appropriate expiration times
Validate payments: Verify received payments match generated requests
Secure systems: Protect payment generation systems
Audit trails: Maintain logs of payment request generation

For Developers

Input validation: Validate all user inputs thoroughly
Error handling: Provide clear error messages without exposing sensitive information
Security testing: Test for common attack vectors
Regular updates: Keep dependencies updated
Documentation: Clearly document security considerations

Smart Contract Security

Mint Operation Risks

Contract validation: When using mint operations, wallets should:

Verify contract addresses are legitimate
Check contract source code when possible
Warn users about calling unknown contracts
Validate function names and parameters

Known contract patterns: Wallets MAY maintain a whitelist of known safe contract patterns (e.g., popular NFT marketplaces).

Custom Operations

Vendor-specific risks: Custom operations carry additional risks:

Unknown parameter validation
Unpredictable wallet behavior
Potential for vendor lock-in
Reduced interoperability

Handling guidelines: Wallets encountering custom operations SHOULD:

Warn users about unknown operation types
Provide safe defaults when possible
Fail gracefully to prevent unexpected behavior

Incident Response

Vulnerability Disclosure

Responsible disclosure: Security vulnerabilities should be reported to:

Wallet developers
StacksPay specification maintainers
Stacks community security channels

Coordination: Critical vulnerabilities may require coordinated disclosure across multiple wallet implementations.

Emergency Procedures

Rapid response: Critical security issues may require:

Emergency wallet updates
Temporary protocol modifications
Community alerts
Documentation updates

Security Auditing

Implementation Review

Regular audits: Wallet implementations should undergo regular security audits focusing on:

Parameter validation
Error handling
User interface security
Cryptographic implementation

Test vectors: Comprehensive test vectors should include:

Malformed inputs
Edge cases
Attack scenarios
Boundary conditions

Continuous Monitoring

Threat intelligence: Monitor for:

New attack patterns
Malicious contract deployments
Suspicious transaction patterns
Community reports of issues

Security Model

Security Model

Core Security Principles

1. User Consent

2. Data Integrity

3. Temporal Security

Threat Model

Attack Vectors

1. Malicious Payment Requests

2. Social Engineering

3. Man-in-the-Middle Attacks

4. Replay Attacks

Out-of-Scope Threats

Security Requirements

For Wallet Implementers

MUST Requirements

SHOULD Requirements

MAY Requirements

For Application Developers

MUST Requirements

SHOULD Requirements

Privacy Considerations

On-Chain Privacy

Off-Chain Privacy

Best Practices

For Users

For Merchants

For Developers

Smart Contract Security

Mint Operation Risks

Custom Operations

Incident Response

Vulnerability Disclosure

Emergency Procedures

Security Auditing

Implementation Review

Continuous Monitoring