Deposit Address (per user)
- Key-path sweeps user deposits into the Cold Reserve once the validator quorum authorizes Wallet A to sign.
- Script-path lets the user reclaim their deposit after 7 days (1,008 blocks) with no validator involvement.
signMessage) and feeding the
ed25519 signature through HKDF-SHA256. Only the Solana secret key
holder can reproduce the signature — and therefore only they can sign
the script-path spend. The resulting x-only is committed on-chain at
create_hot_reserve; anyone can re-derive the Deposit Address from
that x-only and verify it against the on-chain record before
depositing.
Cold Reserve (shared vault)
- Key-path pays out user redemptions and rotations: the validator quorum authorizes Wallet A, and Wallet A produces the on-chain Schnorr signature. This is the normal-operations path.
- Script-path is emergency only. Admin (3-of-5 multisig, aggregated via MuSig2) can sweep the Cold Reserve after a 7-day timelock if the validator quorum is permanently lost. Off-chain monitors publicly log any use of this path.
Deposit Address derivation
A user’s Deposit Address is built as follows:- User-emergency x-only. The user’s Solana wallet signs a canonical
message — a fixed-layout 62-byte payload containing a domain tag,
the network, and the owner’s Solana pubkey. HKDF-SHA256 over the
resulting 64-byte ed25519 signature (with tag
nacre-hot-reserve-user-key-v2) yields a secp256k1 secret; its x-only is the user-emergency pubkey committed on-chain atcreate_hot_reserve. - Internal key. The TEE-enforced signing quorum (Wallet A, secp256k1) is the Taproot internal key — shared across all users.
- Taproot tweak. BIP-341 tweak of the internal key against the
single-leaf script
<1008> OP_CSV OP_DROP <user_emergency_xonly> OP_CHECKSIG. The tweaked key is the Deposit Address.