Secret Vaults: True Privacy NFT Game
Inspiration
My friend called me at 2 AM panicking about lost family photos locked in a defunct cloud service. "Why isn't there something permanent for this stuff?" That question stuck with me.
I started looking into NFTs as a solution, but the more I dug, the worse it got. People were minting family photos, medical records, and private journals as NFTs, completely unaware that anyone could see everything. The metadata, images, and IPFS hashes pointing to their most intimate moments were all sitting there in plain view.
I found wallets with ultrasound images and voice recordings labeled "Dad's last message." These weren't meant to be public. People thought they were preserving memories privately but had accidentally broadcast them to the world.
That's when it hit me: blockchain can prove you own something without exposing what that something is.
What it does
Secret Vaults splits NFT ownership into two experiences:
Personal Vaults (Private NFTs)
- Every private NFT looks identical on-chain
- Generic metadata: "Private Secret"
- Real content lives encrypted on backend
- Only served after verifying NFT ownership
- Zero IPFS links or metadata leaks
Brand Vaults (Public NFTs)
- Complete brand challenges and tasks
- Earn points through engagement
- Win real NFTs with public artwork
- Designed for trading and display
4-Stage Authentication System
- Email + security question (creation)
- Wallet signature (minting)
- Standard wallet auth (normal access)
- Social verification (high-value access)
For sensitive content, trusted contacts verify your identity by answering relationship-based questions only they'd know. Plus, everything runs in a Trusted Execution Environment to prevent MEV bots from stealing claims.
How we built it
Blockchain Layer: Dojo on Starknet
- Cairo smart contracts with zkSTARK privacy
- ECS framework for composable game logic
- On-chain scoring for brand challenges
```cairo
#[derive(Component)]
struct Vault {
    vault_id: felt252,
    owner: ContractAddress,
    vault_type: VaultType,
    encrypted_ref: felt252, // Backend reference, not content
    creation_time: u64
}
```
Privacy Layer: Rust + TEE
- AES-256-GCM encryption for all content
- Keys derived from wallet address + vault ID
- Intel SGX enclaves for decryption
- Real-time on-chain ownership verification
Frontend: React + starknet.js
- Seamless Argent and Braavos integration
- WebSocket for instant content delivery
- Progressive UI based on auth stage
Key Derivation Formula
$$K = \text{HKDF}(\text{salt}=v, \text{IKM}=\text{Sign}_w(\text{"vault_key"} \parallel v), \text{info}=s)$$
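Here $v$ is the vault ID, $w$ is the user's wallet, and $s$ is the server secret. The user signs a message proving wallet ownership, and we run that signature through HKDF together with the vault ID and the server secret. The key is reproducible, but deriving it requires both wallet access and server cooperation.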
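The derivation above, as an added example in standard-library Python (not the project's Rust code): HKDF-SHA256 per RFC 5869 with the formula's salt, IKM and info slots. The hash choice, the sample vault IDs, the signature bytes and the server secret are constructed assumptions, and the example assumes the wallet returns the same signature each time it signs the same message, which the reproducibility claim depends on.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_vault_key(vault_id: bytes, signature: bytes, server_secret: bytes) -> bytes:
    """K = HKDF(salt=v, IKM=Sign_w("vault_key" || v), info=s); 32 bytes for AES-256."""
    if not (vault_id and signature and server_secret):
        raise ValueError("vault id, signature and server secret are all required")
    return hkdf(salt=vault_id, ikm=signature, info=server_secret, length=32)


def signed_message(vault_id: bytes) -> bytes:
    """The message the wallet is asked to sign: "vault_key" || v."""
    return b"vault_key" + vault_id


# Constructed sample values; a real signature comes from the user's wallet.
VAULT_A, VAULT_B = b"vault-0001", b"vault-0002"
SIG_A = bytes.fromhex("11" * 64)  # stand-in for Sign_w(signed_message(VAULT_A))
SIG_B = bytes.fromhex("22" * 64)  # stand-in for Sign_w(signed_message(VAULT_B))
SERVER_SECRET = bytes.fromhex("aa" * 32)

if __name__ == "__main__":
    print(derive_vault_key(VAULT_A, SIG_A, SERVER_SECRET).hex())
```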
Challenges we ran into
1. The IPFS Privacy Trap
Started with encrypted files on IPFS. Seemed perfect until I realized NFTs pointing to specific hashes still leak information through access patterns. Took 2 weeks to accept the only solution: using identical on-chain metadata for all private NFTs and moving content off IPFS entirely.
2. MEV Bot Nightmare
Bots destroyed our testnet by front-running claims:
- Bot sees claim transaction in mempool
- Bot submits higher gas price
- Bot steals the NFT
- User gets nothing
Solution: TEE-generated claim signatures submitted directly to sequencer. No mempool visibility = no front-running. Took 3 weeks to rebuild the architecture.
3. Dojo Learning Curve
Documentation was sparse. Figuring out basic queries meant reading other projects' code and asking Discord questions at 3 AM. The ECS pattern is powerful once you understand it, but getting there was rough.
4. Social Auth Trust Model
How do you verify identity through relationships without creating a honeypot of personal data?
Our solution:
- User creates 5+ relationship questions
- Questions stored encrypted, answers hashed with bcrypt
- Trusted contacts must answer 3/5 correctly
- Questions rotate after successful verification
- We never store plaintext permanently
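A sketch of the hashed-answer storage and the 3/5 threshold check described above, added here as an example and not taken from the project's code. It uses PBKDF2 from Python's standard library as a stand-in for bcrypt; the function names, the work factor and the sample questions are assumptions, and question encryption and rotation are left out.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor; stand-in for a bcrypt cost
THRESHOLD = 3         # correct answers required, per the 3/5 rule


def normalize(answer: str) -> bytes:
    """Fold case, Unicode form and whitespace so "  Rex " matches "rex"."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)


def enroll(answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Return {question_id: (salt, digest)}; plaintext answers are not kept."""
    if len(answers) < 5:
        raise ValueError("at least 5 relationship questions are required")
    record = {}
    for qid, answer in answers.items():
        if not normalize(answer):
            raise ValueError(f"empty answer for {qid}")
        salt = os.urandom(16)
        record[qid] = (salt, hash_answer(answer, salt))
    return record


def verify_contact(record, submitted: dict[str, str]) -> bool:
    """True when at least THRESHOLD submitted answers match the stored hashes."""
    correct = 0
    for qid, (salt, digest) in record.items():
        candidate = hash_answer(submitted.get(qid, ""), salt)
        # Check every question and compare in constant time, so neither the
        # timing nor an early exit reveals which answers were right.
        correct += hmac.compare_digest(candidate, digest)
    return correct >= THRESHOLD


# Constructed sample data.
SAMPLE_ANSWERS = {"q1": "Rex", "q2": "Lisbon", "q3": "blue bicycle",
                  "q4": "Aunt May", "q5": "chess club"}
```

Relationship answers are usually short and guessable, so the slow hash needs to be paired with a limit on verification attempts.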
Accomplishments that we're proud of
✅ Actual privacy, not privacy theater. You can mint deeply personal content and it stays genuinely private.
✅ Proved blockchain permanence doesn't require blockchain exposure. Every private NFT looks identical on-chain while representing completely different content.
✅ MEV-resistant claiming through hardware security. Not game theory, actual computational barriers.
✅ Social authentication that feels natural. People understand "have your friend verify who you are" better than password managers or hardware keys.
✅ Sustainable dual model. Public brand NFTs can eventually subsidize privacy infrastructure.
What we learned
Privacy requires uncomfortable tradeoffs. You cannot have complete decentralization and actual content privacy. We picked privacy and accepted a centralized backend, mitigating that through the TEE and open-source code.
MEV is everywhere. Not just DeFi. Any valuable on-chain action in a public mempool is vulnerable.
Users conflate encrypted and private storage. "Encrypted on IPFS" sounds secure but leaks everything through metadata and access patterns.
Dojo's ECS pattern scales better. Stop thinking smart contract calls, start thinking world state and modifying systems.
Key management is still blockchain's biggest UX problem. We threw everything at it (deterministic derivation, wallet signatures, TEE security) and it's still what users struggle with most.
Social authentication is underrated. Relationship-based verification is contextual, flexible, survives device loss, and feels more human than hardware keys.
What's next for Secret Vaults
Near-term features:
🔒 Time-locked vaults - "Open this on my kid's 18th birthday" or "If inactive for 5 years, transfer to this address"
👥 Multi-sig vaults - Families co-own photo albums where everyone has access but nobody can delete alone
🌉 Cross-chain bridges - Prove Starknet vault ownership to unlock content on Ethereum or Polygon
⚰️ Vault inheritance - Dead man's switch where designated inheritors automatically get access after inactivity period
Platform expansion:
📱 Native mobile apps - Better than web browsers for accessing memories anywhere
🏢 No-code brand interface - Templates and dashboards so non-technical brands can create campaigns
💾 Optional decentralized storage - IPFS/Arweave support for users who want it and understand tradeoffs
Long-term vision:
The real goal is infrastructure other projects can build on. Personal medical records, private achievements, identity documents—anything needing permanence and privacy together.
We're talking with DAOs about private governance proposals. Vote public, reasoning private until execution. Could reduce coordination attacks and bribery in on-chain governance.
Secret Vaults proves the concept works. Now we want others to use our privacy primitives to build things we never imagined.
Built With
- aes-256-gcm
- argent
- bcrypt
- braavos
- cairo-1.0
- dojo-ecs-framework
- erc-721
- fortanix-edp
- git
- hkdf
- intel-sgx
- ipfs
- node.js
- react
- rust
- scarb
- starknet
- starknet.js
- tailwind-css
- websockets