Kaspa Forge OfficeForge
Documentation · Kaspa Safe

How Kaspa Safe works

Kaspa Safe is a vault for KAS that lives directly on the blockchain. Every withdrawal waits out a delay you chose; a separate alarm key can cancel a theft in progress; an optional dead-man switch passes the vault to an heir. This page walks through the actual mechanics — down to the covenant's spend paths — and the security model.

The covenant: every coin has a fixed set of exits

A vault is an instance of the open-source covenant contract vault.sil (Kaspa Toccata, mainnet). The coins are locked by a script with exactly two states — in vault and withdrawal pending — and a short list of transitions. Anything not on this list is not a "forbidden action" the server refuses; it's a transaction the Kaspa network itself won't accept, because no such path exists in the script.

Start a withdrawalHot key. Moves the vault to "withdrawal pending". The destination address is fixed on-chain at this very moment — nobody can swap it afterwards, not even the owner.
Cancel a withdrawalAlarm key. Any time during the delay window, one move returns everything to the vault. This is the anti-theft brake.
Complete a withdrawalNo key at all. Only possible after the full delay has passed, and only to the address fixed at the start. Because the path is keyless, anyone may broadcast it — our watcher does it for you — yet the coins can go nowhere else.
Check in ("I'm alive")Hot key. Resets the inheritance timer by re-creating the vault coin. Used only if inheritance is enabled.
Inheritance — automaticNo key. If the owner hasn't checked in for the whole inheritance period, this keyless path pays the vault out — strictly to the heir address set at creation.
Inheritance — manualHeir's key. Alternative mode chosen at creation: after the period, the heir claims the vault with the private key of their own address.

The keyless paths are the trick that lets the server be helpful without being trusted: our watcher can complete your matured withdrawal or deliver an inheritance, but the covenant hard-wires where the money goes. Time is measured in DAA — Kaspa's native "ticks", roughly 10 per second (36 000 DAA ≈ 1 hour); the interface always shows human units.

The three keys

Hot keyStarts withdrawals and check-ins. Lives in your encrypted Desk profile — fine on your everyday device.
Alarm keyCancels a theft. Keep it apart from the hot key: paper, a home safe, another device. A thief with only the hot key gets nothing — the alarm key is your veto.
Funding keyOne-time key used to place coins into the vault at creation; unimportant afterwards.

All three are generated in your browser and saved automatically into your encrypted master key file. Nothing to download separately; one Desk export backs up everything. We never see the keys.

Creating a vault, step by step

  1. Pick the rules. Cancel window: presets 6 h / 24 h / 48 h / 7 d / 14 d, or custom 1 hour – 90 days (24 h is a sane default — under 6 h you might sleep through a theft). Optional inheritance: 6 / 12 / 24 months or custom 1 day – 5 years, delivery automatic or by the heir's key.
  2. Keys are forged. The browser generates the three keys straight into your Desk profile. If inheritance is on, you enter the heir's Kaspa address (and, optionally, their email for a free notification when the window opens).
  3. Fund it. Send KAS to the shown funding address, then press "Lock into vault" — your browser assembles and signs the covenant transaction. The funding address is your own address (its key was just created into your profile), not ours: until you press the button, the coins are entirely under your control. This intermediate step exists because a covenant can't be created by a plain transfer. Never send coins directly to the vault address — a direct transfer doesn't become part of the covenant. Topping up later = one more funding cycle (or one click of "To safe" from the Desk wallet).
  4. Sealed. You see the vault address, amount and txid — and can connect Telegram alerts. Everything cryptographic happened in your browser; the server received only public parameters.

When the alert says "a withdrawal has started"

You have the whole cancel window, and you don't need your own device — any browser plus your alarm key (or your key file) is enough. Open My vault, press ⛔ Cancel withdrawal, and the coins return. Then move them to a fresh vault with a normal withdrawal: the thief can't cancel yours — they don't have the alarm key. The full playbook, including the heir's path and lost-key cases, lives on the Recovery page.

Inheritance, honestly

  1. The timer is the on-chain age of the vault coin: check in at least once per period and the vault stays yours. Cancelling a theft also resets it.
  2. In automatic mode the heir needs no key and no software — after the period the coins arrive at their address by the keyless path. In manual mode the heir claims with their own key. Before the period expires the heir can see and take nothing.
  3. The optional heir email notification is free and doesn't depend on any subscription — it fires when the window opens, contains the vault address and instructions, and never any keys or amounts.
  4. Point inheritance at your own second address and it doubles as insurance against losing the hot key.

What it costs

All on-chain operationsFree forever — create, withdraw, cancel, check in, inherit. You pay only the Kaspa network fee (fractions of a KAS).
Telegram alerts & remindersThe only paid thing, and optional: 100 KAS / year, first 30 days free. Instant "withdrawal started" pings and check-in reminders (~80% of the period). Without it the vault works fully — you just learn about a theft later than you'd like.

Security model

  1. The server can't steal. No private keys ever reach it, and the keyless covenant paths hard-wire their destinations (a matured withdrawal → its fixed address; auto-inheritance → the heir). What the server stores: public keys, delay parameters, and — if you opted in — an heir email / Telegram link. See Privacy.
  2. A thief with the hot key gets zero. The only way out is the delayed withdrawal with a publicly visible, fixed destination — and the alarm key cancels it.
  3. The service dying doesn't touch your money. The vault is an on-chain contract that checks only keys and time. The open-source vaultctl CLI performs every operation from a terminal against any Kaspa v2+ node (run with --utxoindex); the offline decryptor extracts your keys from the backup without any network. To simply watch a vault, paste its address into any Kaspa explorer.
  4. Lost both keys, no inheritance? The coins are frozen forever — nobody, including us, can reach them. That is the flip side of non-custodial; enable inheritance, even "to yourself".
  5. Verify, don't trust. The contract and tools are public: github.com/pcdoctormsk-ctrl/kaspa-safe. vaultctl selftest runs 18 checks of every path and attack inside the node VM.
Beta limits. The contract passed our full on-chain test cycle and adversarial attacks; an external audit is still ahead. Recommendation: keep a vault under ~5 000 KAS for now. There's also an official Android APK with the same crypto inside (checksummed, reproducible, plus our F-Droid repo).

See also: Kaspa Safe overview · Recovery · the Desk & your keys · how Escrow works