FiDeal/Documentation

Security & Trust

FiDeal's security model is built on Agoric's Zoe framework, which provides protocol-level guarantees about fund safety. This document explains how your funds are protected at every layer.

Zoe Guarantees

Zoe is Agoric's smart contract framework. It provides two guarantees that hold regardless of what the contract code does:

Offer Safety

If your offer doesn't succeed the way you wanted, you get back what you put in.

When you lock USDC in a FiDeal escrow, Zoe checks every reallocation against the proposal you signed: your seat must end up holding what the proposal wants, or everything it gave. An escrow deposit wants nothing in return (the point is that the payee receives it), so what Zoe itself guarantees the payer is the refund branch: the deposit cannot be burned, cannot be spent beyond what was escrowed (rights conservation), and cannot leave the escrow except through a reallocation the contract code asks for. Which party receives released funds, and on what condition, is decided by that contract code. That is why the code review and governance steps under Deployment Security are part of the trust model rather than an add-on.

Payout Liveness

If an offer is resolved, the payout will be delivered.

Once an escrow resolves (release, refund, or dispute settlement) and the seats exit, Zoe delivers whatever each seat is allocated as payments. Neither the contract nor FiDeal nor any single validator can withhold funds Zoe has allocated; the only remaining dependency is the chain itself continuing to produce blocks.

These aren't policy promises. They're enforced by the Zoe runtime itself, which mediates all fund movements. The contract never has direct access to your assets: it only instructs Zoe how to reallocate them, and Zoe validates every reallocation against offer safety and rights conservation (a reallocation can neither create nor destroy assets) before executing.

Fund Custody

FiDeal uses a single contract-controlled orchestration account as the escrow vault. This account is:

  • Created during contract initialization using zone.makeOnce (durable state, so it survives contract and chain upgrades)
  • Controlled only by the contract code; no key outside the contract can sign for it
  • Not accessible by any external address, including FiDeal's team; funds leave it only through operations the deployed contract exposes

Funds are moved by atomicRearrange, Zoe's primitive for atomic multi-party transfers. The whole set of transfers in a rearrangement is checked for offer safety and rights conservation and then applied together, or rejected together; there is no partial state.

For milestone-based escrows, the full amount is locked upfront. Each confirmed milestone releases its proportional share to the payee, and the unreleased remainder stays in the vault until every milestone completes or the escrow is cancelled or disputed.

USDC Settlement

All FiDeal escrows settle in USDC, a fully-backed stablecoin issued by Circle. On Agoric, USDC arrives via IBC (Inter-Blockchain Communication) from Noble chain.

  • Denom: ibc/FE98AAD68F02F03565E9FA39AECEE789FE076A90B8B63BFC77912EFD0D5F83A4. An IBC denom is the hash of the asset's transfer path, so a token labelled USDC that arrived over any other channel, or was issued elsewhere, has a different denom; only this denom is USDC for settlement purposes.
  • Backing: 1:1 with USD reserves; Circle publishes monthly reserve attestations performed by Deloitte
  • No price volatility: unlike escrows denominated in volatile tokens, USDC escrows hold a stable face value throughout the agreement. The residual risks are the issuer and the Noble-to-Agoric IBC path, not market moves.

Wallet Security

FiDeal supports multiple wallet types, each with different security profiles:

Privy (Email / Google Sign-In)

  • Non-custodial wallet derived server-side from your auth credentials
  • No seed phrases to manage
  • Wallet is deterministic — same email always derives the same Cosmos address
  • Private keys are managed by Privy's secure infrastructure, not FiDeal
  • The wallet is only as secure as the sign-in account behind it: anyone who can log in as you (a compromised email or Google account, phished credentials) can transact as you, so enable two-factor authentication on that account

Keplr (Browser Extension)

  • Full self-custody — you control the private keys
  • Transaction signing happens locally in the extension
  • FiDeal never sees your private key
  • Recommended for advanced users who want maximum control
  • Read the offer in the Keplr signing prompt before approving: the give and want of that proposal are what Zoe's offer safety is measured against

Agent Wallets (FiDealAI)

  • Agents register with an Agoric address they control
  • Registration is gated by an on-chain allowlist (zone.setStore) — only allowlisted addresses can create escrows
  • API keys authenticate agent requests to FiDeal's API; rate-limited to 100 requests/minute. Treat keys as bearer secrets and rotate them if exposed
  • On-chain actions still require a transaction from the agent's registered address; an API key alone cannot move funds
  • Fee grants cover gas costs so agents don't need to hold BLD. A fee grant only pays gas and confers no authority over funds; scope it with a spend limit and expiry so a compromised agent cannot drain the granter's BLD

On-Chain Transparency

Every escrow state change is recorded on-chain and published to VStorage:

  • VStorage paths: published.fideal2 (FiDeal), published.fidealai (FiDealAI)
  • Queryable by anyone: VStorage is public. Any party can verify escrow state independently.
  • Immutable history: VStorage holds the current value of each path, tagged with the block height it was written at; the full sequence of transitions is in the chain's block and transaction history.

This means you don't need to trust FiDeal's UI or API to verify the state of your escrow. You can query VStorage directly through the chain's REST endpoint: GET /agoric/vstorage/children/<path> lists the keys under a path and GET /agoric/vstorage/data/<path> returns the stored value. Compare the amount, status and counterparty there with what the UI shows before acting on them.

Deployment Security

Contracts are deployed via CoreEval governance proposals on Agoric. This means:

  • Contract code is installed on-chain as a bundle and referenced by its bundle ID, so reviewers and voters can inspect the exact code before deployment
  • Deployment requires a governance vote
  • The deployed bundle hash is recorded on-chain and can be verified by recomputing it from the bundle
  • Contract upgrades follow the same governance process, so the ultimate trust anchor behind the guarantees on this page is Agoric governance, not FiDeal

What FiDeal Cannot Do

  • Seize your funds. Zoe's offer safety prevents it: your seat only ever ends with what your proposal wants or with what it gave.
  • Block your payout. Zoe's payout liveness prevents it.
  • Change escrow terms after creation. Terms are immutable once the escrow is created on-chain.
  • Override dispute resolutions. The contract executes a resolution only when it is submitted from the authorized resolver address, and the resulting payout is still subject to offer safety and the escrow's terms. The resolution logic (AI + human review) chooses the outcome; the on-chain contract enforces it. The resolver key is therefore a trusted role for disputed escrows: the on-chain checks bound what a resolution can do, not who makes it.
  • Access your private keys. Wallet keys stay in Privy's infrastructure or your browser extension. FiDeal's backend never handles them.
  • Hold escrows indefinitely. Every escrow has a timer-based expiry. If no action is taken, funds automatically return to the payer. Disputes also have resolution deadlines — if human review times out, the AI decision auto-executes.