Documentation

Technical reference for the Blind Omnichain Vault. For the full architecture doc, see GitHub .

Overview Ika dWallets Encrypt FHE Deposit → Rebalance → Withdraw

Overview

The Blind Omnichain Vault (BOV) is a Solana program that lets users deposit native cross-chain assets (BTC, ETH, etc.) without bridges using Ika dWallets, while keeping every position and rebalance strategy encrypted via Encrypt FHE. No observer — including validators — ever learns a user's balance or the vault's strategy.

Ika dWallets

Ika uses a 2PC-MPC protocol to distribute private keys across a committee. A Solana program instruction can conditionally authorize a cross-chain signature without any party learning the key. BOV registers one dWallet per supported chain. When a deposit arrives, it stays on the native chain (e.g. Bitcoin) — the Solana program controls the spending key.

// On-chain CPI stub (programs/bov/src/ika.rs)
pub fn cpi_approve_dwallet_sign_if(
    ika_program: &AccountInfo,
    dwallet_id:  &[u8; 32],
    guard_ct:    &EncBool,   // FHE-encrypted boolean
) -> Result<()>

Encrypt FHE

Encrypt provides a REFHE (Reusable FHE) protocol on Solana. Ciphertexts are stored on-chain as account data. Homomorphic operations (add, subtract, compare) run inside Solana without decryption. Threshold decryption only occurs when a user explicitly requests withdrawal — and only their own share is decrypted.

// Client-side encryption (sdk/src/encrypt.ts)
const ct = await encrypt.encryptU64(amountLamports);
// ct.bytes is a 1024-byte FHE ciphertext
// -> stored in UserLedger.encrypted_shares on-chain

Deposit → Rebalance → Withdraw

1. User encrypts deposit amount client-side with Encrypt SDK. 2. Solana instruction stores ciphertext in UserLedger account. 3. Cranker calls request_rebalance — the program evaluates the rebalance policy purely on ciphertexts (FHE compare). 4. If the FHE guard evaluates to encrypted-true, Ika CPI authorizes a native cross-chain transfer. 5. Withdrawal triggers threshold decryption of only the caller's share.

// Rebalance policy (programs/bov/src/policy.rs)
let diff     = fhe_sub(actual_ct, target_ct)?;
let exceeded = fhe_gt(diff, band_ct)?;
// exceeded is EncBool — never decrypted on-chain
cpi_approve_dwallet_sign_if(ika_program, dwallet_id, &exceeded)

Threat Model

Threat	Mitigation
MEV / front-run rebalance	Rebalance trigger is an encrypted boolean — unreadable by searchers
Balance surveillance	All balances are FHE ciphertexts on-chain
Bridge hack (wrapped asset)	No bridge — native custody via Ika 2PC-MPC dWallets
Unauthorized withdrawal	Threshold decrypt only runs on explicit user request + Solana signer check
Rogue cranker	Cranker can only call request_rebalance; gated by the FHE guard evaluation
Vault key compromise	Ika committee threshold > f+1; single node cannot sign alone

Deployed Program

NetworkSolana Devnet

Program ID6jkfCwYGm33xFqBfajHHWxcnG1YJzm2Jd7cME2jUNaaf

Frontendblind-omnichain-vault.vercel.app

Ready to try it?

Connect your Solana wallet and make a blind deposit.

Go to Deposit