This guide covers essential security considerations when building MPC applications with the Stoffel Solidity SDK.
Overview
MPC applications have unique security requirements beyond typical smart contracts. The security of the entire system depends on:
- Access control - Who can trigger state transitions
- Input integrity - Ensuring inputs are properly masked and validated
- Round sequencing - Maintaining correct state machine flow
- Threshold configuration - Proper n/t settings for Byzantine fault tolerance
Access Control
Why onlyDesignatedParty Matters
The designated party role controls the MPC lifecycle. Unauthorized access could:
- Skip preprocessing, causing computation failures
- Prematurely end input collection, excluding legitimate clients
- Trigger computation with insufficient inputs
- Publish invalid outputs
Never remove the onlyDesignatedParty modifier from lifecycle methods. This is the primary defense against unauthorized state manipulation.
Party Role Management
Designated Party Security
| Risk | Mitigation |
|---|
| Private key compromise | Use hardware wallet or multi-sig |
| Single point of failure | Consider time-locked transfers |
| Malicious designated party | Implement governance controls |
Threshold Configuration
The n >= 3t + 1 Rule
HoneyBadger MPC requires n >= 3t + 1 for Byzantine fault tolerance:
| n (parties) | t (threshold) | Tolerates | Valid? |
|---|
| 4 | 1 | 1 faulty | Yes (4 >= 4) |
| 5 | 1 | 1 faulty | Yes (5 >= 4) |
| 7 | 2 | 2 faulty | Yes (7 >= 7) |
| 10 | 3 | 3 faulty | Yes (10 >= 10) |
| 5 | 2 | - | No (5 < 7) |
A threshold of t means the system tolerates up to t malicious or faulty parties. Higher thresholds require more parties but provide stronger security guarantees.
Production Recommendations
| Environment | Recommended Config | Reasoning |
|---|
| Development | n=4, t=1 | Minimum viable for testing |
| Staging | n=5, t=1 | Allows for node failures |
| Production | n=7+, t=2+ | Higher fault tolerance |
Raw inputs on-chain would be visible to everyone. Masking ensures privacy:
Always validate sufficient inputs before computation:
Replay Attack Prevention
Each input mask can only be used once:
Failing to invalidate used indices allows mask reuse attacks, which can leak information about client inputs.
Round State Machine
Why Rounds Must Be Sequential
The round state machine ensures:
- Preprocessing completes before inputs are collected
- All inputs are gathered before computation
- Computation finishes before outputs are published
The atRound Modifier
Always use atRound to enforce correct sequencing:
Common Round Pitfalls
| Pitfall | Consequence | Prevention |
|---|
| Skipping rounds | Missing preprocessing data | Always use atRound modifier |
| Re-entering rounds | State corruption | Use _nextRound() only once per function |
| Stuck in round | Computation blocked | Implement timeout mechanisms |
Timeout Handling
For production systems, implement timeouts to handle stuck states:
Common Vulnerabilities
2. Missing Round Checks
3. Incorrect Threshold Configuration
5. Missing Events for Critical Actions
Security Checklist
Before deploying your MPC contract, verify:
Access Control
Round Management
General
Next Steps