Secret Network currently supports two cross-chain messaging solutions:

1. SecretPath (recommended)

1. Axelar GMP

SecretPath consists of two core primitives: relayers and gateways.

Gateways are the onchain smart contracts that handle the broadcasting, receipt, packaging, and verification of messages. Gateways are also the mechanism by which application developers will interface with the SecretPath protocol.

These gateways are relatively simple and generic, primarily consisting of two capabilities. First, gateways can handle signature operations. For gateways on public blockchains, that means verification; for those on privacy-preserving blockchains, that means verification as well as signing. Second, gateways handle serdes operations: converting contract inputs into correctly formatted packets and vice versa.

Relayers watch for messages on one chain and then call another chain with that message. For SecretPath, the primary security-related concern is liveness, not resistance to node collusion or censorship. The relayer is not tasked with relaying funds/tokens from one chain to another, but rather with watching for encrypted messages that need to be passed. The relayer does not have access to encryption keys that can decrypt these messages or signing keys to generate new valid ones, meaning that the relayer cannot compromise the data in security or correctness.

The most a relayer can do is to not transmit the data as requested, which would cause liveness problems for the network, but would not compromise user funds, smart contract applications, or sensitive data. This also makes the requirements for running a relayer significantly lower: a relayer needs only to be able to watch for transactions on host chains and create transactions on destination chains based on those host chain transactions.

Gateways are the onchain smart contracts that handle the broadcasting, receipt, packaging, and verification of messages. Gateways are also the mechanism by which application developers will interface with the SecretPath protocol.These gateways are relatively simple and generic, primarily consisting of three capabilities.

First, gateways can handle signature operations. For gateways on public blockchains, that means verification; for those on privacy-preserving blockchains, that means verification as well as signing.

Second, gateways handle serialize/deserialize operations: converting contract inputs into correctly formatted packets and vice versa.

Third, gateways on privacy-preserving chains can re-encrypt their inputs under the key of the final compute contract.

For more background on how the high-level architecture of SecretPath differs from that of other interoperability networks, see section 4 of the Snakepath whitepaper.

Secretpath in itself is a trustless protocol, meaning that everyone can deploy a public gateway on their own chain. Here's how to do it:

Prerequisites

Before you begin, make sure you have the following installed on your system:

• Git: Version control system for cloning repositories.

• Foundry: A blazing fast, portable, and modular toolkit for Ethereum application development.

• Anaconda: For creating a virtual environment (Python 3.11).

• Python 3.11 & : Required for running the relayer scripts. Python package installer.

• Access to the Sepolia Testnet: You'll need to interact with the edeXa Testnet.

Cloning the Repository and Initial Setup

1. Clone the SecretPath Repository

   Copy

   git clone -b Solana https://github.com/SecretSaturn/SecretPath.git

2. Navigate to the Public Gateway Directory

   Copy

   cd SecretPath/TNLS-Gateways/public-gateway

3. Initialize Submodules

   Copy

   git submodule update --init --recursive

Deploying the Gateway Contract

You'll deploy the gateway contract using Foundry's forge tool.

Run the Forge Script

Replace <YOUR_PRIVATE_KEY> with your actual private key. Keep your private key secure and do not share it.

forge script script/DeployGatewayScript.s.sol:DeployGatewayScript \
  --rpc-url "https://rpc.sepolia.org" \
  --broadcast \
  --retries 10 \
  -vvv \
  --optimize \
  --optimizer-runs 10000000 \
  --legacy \
  --private-key <YOUR_PRIVATE_KEY> \
  --evm-version paris

Handling Gas Price Error

If you encounter the following error:

Error:
Failed to send transaction

Context:
- server returned an error response: error code -32009: Gas price below configured minimum gas price

You need to adjust the gas price.

a. Estimate the Correct Gas Price

Visit the Ethereum Sepolia Testnet explorer to check recent gas prices:

https://sepolia.etherscan.io

b. Add the Gas Price Flag

Re-run the forge script with the --with-gas-price flag:

forge script script/DeployGatewayScript.s.sol:DeployGatewayScript \
  --rpc-url "https://rpc.sepolia.org" \
  --broadcast \
  --retries 10 \
  -vvv \
  --optimize \
  --optimizer-runs 10000000 \
  --legacy \
  --private-key <YOUR_PRIVATE_KEY> \
  --evm-version paris \
  --with-gas-price 2gwei

Understanding the Deployment Output

Upon successful deployment, you will see two contract addresses:

• Implementation Address: The first address, representing the implementation contract.

• Gateway Address: The second address, which is the Transparent Upgradeable Proxy contract.

Note: The Gateway Admin is your wallet address (you are the owner of the contracts). The Proxy Admin is specified in the logs of the Gateway Address contract deployment. The Proxy Admin contract is exclusively used for upgrading contracts, and the Gateway Admin is the owner of this Proxy Admin contract.

Configuring the Relayer

Navigate to the Relayer Directory

cd ../../TNLS-RELAYERS

Open config.yml for Editing

nano config.yml

Add the Following Configuration

Replace <YOUR_GATEWAY_ADDRESS> with the Gateway Address obtained from the deployment step.

"11155111": #Ethereum Sepolia
  active: false
  type: "evm"
  chain_id: "11155111"
  api_endpoint: https://eth-sepolia-public.unifra.io
  contract_address: "0x3879E146140b627a5C858a08e507B171D9E43139"
  timeout: 1

Add Environment Variables

Create a .env file or set the following environment variables. Replace the placeholders with your actual private keys. Keep your private keys secure and do not share them.

ethereum-private-key = <YOUR_ETHEREUM_PRIVATE_KEY>
solana-private-key = <YOUR_SOLANA_PRIVATE_KEY>
secret-private-key = <YOUR_SECRET_PRIVATE_KEY>

Setting Up the Virtual Environment

Install Anaconda

Download and install Anaconda for your operating system:

• Anaconda Installation Guide

Create a Virtual Environment

conda create --name secretpath_env python=3.11

Activate the Virtual Environment

conda activate secretpath_env

Install Dependencies

Navigate to the relayer directory if you're not already there:

cd TNLS-RELAYERS

Install the required Python packages, make sure to not install depencencies as this may lead to dependency hell.

pip install -r requirements.txt --no-dependencies

Running the Relayer

Start the Relayer

python3 web_app.py

Handling the LRU Error

If you encounter an error related to lru-dict, update it using:

pip install --upgrade lru-dict

Basics

Usecases

Supported Networks

Connecting Metamask to Secret Network

Now you have a Secret testnet wallet address that you can use to sign transactions with your Metamask wallet!

Here you'll find a more in-depth overview with a detailed description of what the two core primitives (Gateways & Relayers) do. First, let us give you the core idea on what SecretPath really hinges on.

The core idea of SecretPath is the following:

The "master private gateway" is a confidential smart contract living on Secret Network.

Since this contract is confidential by default , we can store a (secret) private key, which only this smart contract can use to sign messages/packets and is unknown to the operators or to any contract administrators.

The only trust assumption that we have for this bridge model to work is therefore that the private key does not leak out the TEE (trusted execution environment)/confidential computation environment. In case the TEE breaks and that private signing keys could potentially leak, the encryption and verification keys can be rotated to new ones, keeping the bridge intact. Since we only rely on a smart contract to handle the core bridging functionality, we call this trustless. Some may argue that since we are using TEE's, we are not completely trustless but instead trust-minimized.

Everything else around this "master private gateway" is untrusted. We only use a lot of consistency checks and hashing to ensure that data weren't manipulated along any transmission path.

As outlined in the overview, the primary functions of the Gateway are:

1. Handle signature operations

For the "master public gateway" that is on a public blockchain, that means only verification of signatures. In our case, this public gateways verifies all secp256k1 signatures signed by the user or by the master private gateway.

The private master gateway does verification of the secp256k1 signed and encrypted user payloads. It also signs all outgoing messages using secp256k1 so that other user made private contracts as well as the public gateway contract can verify the validity of the message/packet.

2. Serialize/deserialize operations

Both gateways also handle serialize/deserialize operations. They convert contract inputs into correctly formatted packets and vice versa, while also doing the appropiate conversions between base64 (mainly used for secret) and hex (mainly used for EVMs) inputs.

3. Re-encrypt inputs

Third, gateways on privacy-preserving chains can re-encrypt their inputs under the key of the final compute contract. The master private gateway can handle encrypted or unencrypted payloads. In the case of encrypted payloads, the payload is encrypted using a shared key that is generated via ECDH from a user's randomly generated private key and the gateways encryption public key. We use the well known Chacha20-Poly1305 to do the symmetric encryption using that shared key.

SecretPath is a protocol for lightweight, secure, privacy preserving message-passing between chains. Its purpose is to serve as a critical building block for bringing private data onchain in a useful yet privacy-preserving manner.

In technical terms, SecretPath is a message passing system for non-malleable, trustless interchain message passing. In more practical terms, SecretPath enables public chains to call arbitrary functions on private compute chains while preserving the privacy of the inputs and validity of the outputs. SecretPath is built using a primitive that we call TNLS ("Transport Network Layer Security") which is effectively a blockchain derivative of the .

SecretPath itself does not store or compute over data. Rather, it connects public blockchains and their applications to privacy-preserving computation networks. This design allows public blockchain applications to build and operate private computation contracts on privacy-preserving chains while keeping their primary smart contract logic and liquidity on public blockchains.

Ultimately, SecretPath enables the building of new applications that combine the transparency, UX, and latency benefits of public blockchains with the trust-minimized and private computation features of privacy-preserving blockchains.

The following sections provide a detailed technical overview of the current relayer and gateway architecture for SecretPath.

1. To get an overview of the Architecture go here:

2. If you like to use SecretVRF in the most elegant way for you as an EVM developer, go here:

3. To review supported EVM chains, go here:

As an user and developer, all you need to know is how to send messages to one gateway/receive messages from a gateway, which will be covered in those respective documentation sections. More tutorials with encrypted payloads are coming soon.

As a maintainer, you might want to look more closely at the relayer section of the codebase as well here:

You can try a demo of SecretPath that bridges Secret VRF into EVMs here:

This documentation was adapted from , courtesy of Leor Fishman.

Please check out to see all of the tutorials with SecretPath.

The public EVM gateway sits at the heart of SecretPath. It coordinates the tasks (stored in the Task stuct and saved in a mapping(uint256 => Task) public tasks). It verifies the inputs when sending in encrypted Payloads in send and verifies the incoming callback packet in postExecution. A UML diagram of the upgradeable Gateway contract, together with it's dependencies, is shown below.

SecretPath 🤝 Reown

connects Secret Network to , enabling public EVM chains to call functions on Secret Network while preserving the privacy of the inputs and validity of the outputs.

With (formerly called WalletConnect), you can create a seamless user experience with one wallet login that allows users to interact with Secret Network smart contracts on every SecretPath-connected chain.

In this tutorial, you will learn how to configure SecretPath and Reown in React.js so you can create seamless UI for confidential cross-chain computation

Reown Configuration

1. Sign in to .

2. Create a .

In this tutorial, you are building a React.js application. Select "Javascript" for platform to build your React.js app:

After successfully creating a project, you will see your project id:

Connecting Reown to SecretPath

1. Clone the SecretPath Reown repository:

1. Install the dependencies:

Now you're ready to use Reown with SecretPath!

Configuring Reown for SecretPath

Now that you have your environment properly configured, let's understand how everything is connected. Run npm run start to see your Reown application:

Out of the box, you can use this React application as a starting point for your SecretPath + Reown applications.

Click "Connect Wallet" and sign in to your Metamask or EVM wallet. Click on the network you are currently connected to in order to see all of the EVM networks available:

All of these 20+ networks are connected to SecretPath, which means any of these chains can call functions on Secret Network smart contracts 🤯

Web3Modal Parameters

We must pass 5 parameters to Web3Modal: chainImages, ethersConfig, chains, projectId, and metadata.

chainImages

ethersConfig

chains

projectId

metadata

Putting it all together: SecretPath + Reown

Now that you have your Reown interface enabled to your liking, let's understand how it connects the EVM to Secret Network with SecretPath.

Summary

✨ SecretPath integrates Secret Network with over 20 EVM chains, enabling public EVM chains to execute functions on Secret Network while preserving privacy and ensuring output validity. Using Reown, developers can create a seamless user experience, allowing users to interact with Secret Network smart contracts across all SecretPath-connected chains through a single wallet login.

This tutorial provides a step-by-step guide to configuring SecretPath and Reown in a React application, starting from signing in with Reown and creating a project, to setting up the development environment. Key configurations include specifying parameters for Web3Modal, such as chainImages, ethersConfig, chains, projectId, and metadata. The tutorial also explains how to connect EVM to Secret Network using functions like requestRandomness and querySecret within the app, ensuring smooth and confidential cross-chain computations ✨

Secret Network's EVM Toolkit is a cross-chain messaging and confidential computation SDK for EVM developers.

The toolkit allows EVM developers to build novel cross-chain applications such as private DAO voting mechanisms, secure random number generation (Secret VRF), confidential data access control via EVM NFTs, encrypted DeFi order books, and more.

Secret Network currently supports two cross-chain messaging solutions:

1. SecretPath (recommended)

1. Axelar GMP

One of SecretPath's key features is the ability to use encrypted payloads to send over confidential messages to a Secret Smart contract.

SecretPath can seamlessly handle encrypted payloads, as the master gateway contract on Secret automatically decrypts the payload and hands the decrypted payload over to the target contract.

The encryption of the payload is done using the ChaCha20-Poly1305, an authenticated encryption with additional data (AEAD) algorithm.

The key for this symmetric encryption is created by using the Elliptic-curve Diffie-Hellman (ECDH) scheme, comprising of two components:

1. An extra encryption public key provided from the Secret Gateway Contract

2. A randomly created (ephemeral) encryption private key on the user side (independent of the user wallet's private key)

Combining both of these keys together via the ECDH Scheme yields our encryption key, which we use to encrypt the payload with ChaCha20-Poly1305.

As a first example for this, we have used SecretPath to encrypt a string and subsequently store it in a Secret contract.

Overview

A first-price sealed-bid auction, also known as a "blind auction", is a type of auction in which all bidders simultaneously submit sealed bids so that no bidder knows the bid of any other participant. The highest bidder pays the price that was submitted. In this tutorial you will learn how to create a cross-chain sealed bid auction dApp with encrypted bids using SecretPath.

SecretPath Contract Design

1. Contract Deployment: Participants initiate the process by deploying a Sealed Bid Contract to the Secret Network. This contract contains their auction items and encrypted bids, safeguarding the bid details from public exposure.

2. Contract Execution via Public Gateway:

   • The execution sequence begins when the Sealed Bid Contract is interacted with via the Ethereum Virtual Machine (EVM).

   • The SecretPath Public Gateway Smart Contract serves as the intermediary, facilitating communication between the EVM and Secret Network.

3. Secure Message Transmission:

   • Messages and transactions pass through the Public Gateway to the Private Gateway Smart Contract, utilizing ECDH to ensure that the data exchanged remains confidential and tamper-proof, maintaining the integrity of the sealed bid throughout the process.

4. Finalization:

   • Once the bidding period concludes, the Sealed Bid Contract processes the bids to determine the winner securely.

   • The outcome is then communicated back through the gateway contracts to the relevant parties on the EVM.

Axelar General Message Passing

Axelar enables secure interchain communication and token transfers, spanning consensus methods including Cosmos and Ethereum. Through the use of General Message Passing (GMP), developers building on Ethereum can execute smart contracts on Secret and vice versa. This means complete composability across Web3.

With GMP you can:

• Call a contract on chain B from chain A.

• Call a contract on chain B from chain A and attach some tokens.

In this tutorial, you will learn how to use Axelar GMP to send a string between Polygon Mainnet and Secret Mainnet. To learn more about the flow architecture, see the Axelar documentation here.

Prerequisites

• For GMP to work, both chain A and chain B must be EVM or Cosmos with a deployed Axelar Gateway contract. For this tutorial we will be using the Polygon Mainnet Axelar Gateway contract. We will go into this in more detail momentarily.

• Have Metamask installed and your wallet funded with POL tokens.

Upload a contract to Polygon

In order to execute a smart contract on Secret network, you must first upload and instantiate a smart contract on Polygon that can execute messages using Axelar GMP. We will be uploading the SendReceive.sol contract to Polygon for this demo.

To upload the contract, we will use Remix Online IDE, which is a powerful toolset for developing, deploying, debugging, and testing Ethereum and EVM-compatible smart contracts.

First, navigate to Remix and create a new blank workspace:

Next, create a new file called SendReceive.sol and paste the Axelar GMP solidity code. This will autofill your workspace with the necessary dependencies for your SendReceive.sol contract 🤯

Now all that's left is to compile and upload the contract. Navigate to the Solidity compiler using the sidebar and click "Compile SendReceive.sol". Then, navigate to "Deploy and run transactions." Toggle the Environment from "Remix VM (Shanghai)" to "Injected Provider - MetaMask" and make sure that in your MetaMask wallet you have currently selected Polygon network.

The constructor of SendReceive.sol contains 3 variables that you must now input in order to instantiate the contract and link it to Axelar's Polygon gateway contract and gas receiver contract, as well as the chain name:

GATEWAY CONTRACT: "0x6f015F16De9fC8791b234eF68D486d2bF203FBA8"
GASRECEIVER CONTRACT: "0x2d5d7d31F671F86C782533cc367F14109a082712"
CHAINNAME: "Polygon"

Input these strings like so and then click "Transact":

Upon successful instantiation, the contract address will be returned in the Remix terminal, which you can then view on the Polygon explorer. And the deployed contract can now be interacted with in the "Deployed Contracts" window:

Congrats, you've just deployed an Axelar GMP-compatible contract to Polygon mainnet that can send and receive messages to and from a Secret Network smart contract 🎉

Upload a contract to Secret Network

Now that you've uploaded a GMP-compatible contract to Polygon, let's do the same on Secret Network so that the contracts can communicate with each other across the Cosmos!

First, clone this Secret Network examples repository:

git clone https://github.com/SecretFoundation/secret-ethereum-gmp.git

Compile the contract by running make build-mainnet in your terminal:

make build-mainnet

Now, open a new terminal window and cd into node:

cd node

npm install to install the package.json dependencies:

npm install

Create a .env file in /node and add your wallet mnemonic in order to upload the contract:

You can then upload and instantiate the contract by running node index.js.

node index.js

Upon successful instantiation, a Secret contract address is returned that you can then use to send messages to and from Polygon:

Now let's send a string from Polygon to Secret! 🚀

Send a string from Polygon to Secret

Now that you have a GMP-compatible contract instantiated on Secret Network, you have all of the variables needed in order to send a cross-chain message using the SendReceive.sol contract.

In order to send messages using Axelar GMP, the user prepays the relayer gas fee on the source chain to Axelar’s Gas Services contract.

To make sure you have enough gas, add .60 Matic, (roughly .40 USD or 800000000000000000 Wei), to the transaction:

Now all that's left is to execute the transaction! From the "Deployed contracts" section of Remix, open the dropdown for the send function, which should have three inputs: destinationChain, destinationAddress, and message. Input the following:

destinationChain: "secret"
destinationAddress: "Your Secret Contract Address"
destinationMessage: "Your message that you want to send!"

Once you have inputed these strings and your contract address, select "transact." Congratulations! You've just sent a string from Polygon to Secret Network! 🎉

Query the string on Secret

Now that you've successfully executed a cross-chain message from Polygon to Secret using Axelar GMP, let's query the message on Secret Network to see if the message was actually received by the Secret contract.

First, confirm that the transaction has been successfully relayed by Axelar.

Once the transaction has been executed successfully, you can use Secret.js to query the message:

let get_stored_message = async () => {
  let query = await secretjs.query.compute.queryContract({
    contract_address: contractAddress,
    query: {
      get_stored_message: {},
    },
    code_hash: contractCodeHash,
  });

  console.log(query);
};

get_stored_message();

To execute this query, navigate to the query.js file in examples/secret-ethereum-gmp/node and replace the contractAdress and contractCodeHash with your contract address and code hash, respectively.

Then run node query.

node query

If the message was executed successfully, the query will return the Ethereum wallet address that sent the transaction as well as the message that the wallet included:

{
sender: `0x49e01eb08bBF0696Ed0df8cD894906f7Da635929`,
message: `one small step for Secret!`
}

Great work! Now let's send a string from Secret to Polygon!

Send a string from Secret to Polygon

To execute the SendMessageEvm transaction, navigate to the execute.js file in examples/secret-ethereum-gmp/node and replace the contractAdress and contractCodeHash with your contract address and code hash.

Then, update destinationAddress to your Polygon contract address, and myMessage to the message that you want to send:

Gas Token

Next, in order to send a GMP message from Secret to Polygon, you need to acquire some AXL tokens and include the correct IBC denom representing those tokens to your transaction to pay for gas, so that the message can be executed over IBC

The correct IBC denom is already included in the secret.js transaction, but in order for it to execute successfully, you need to have this IBC denom funded in your wallet. To add this token to your wallet, you can send Axelar tokens to your Secret wallet address over IBC.

Once you have properly configured your execute.js file and procured the IBC denom needed to execute the transaction, all that's left is to run node execute.

node execute 

The transaction should return a transactionHash as well as data about the IBC routing:

Now, navigate to Axelarscan to monitor the status of the transaction.

And for good measure, view the transaction on the Polygon Explorer to see that the message was received!

Congratulations! You now have all of the tools to send a message from Secret Network to Polygon using Axelar GMP! 🎉

Summary

Axelar's General Message Passing (GMP) offers a powerful solution for achieving secure interchain communication and token transfers across Secret and Ethereum. This documentation has guided you through the process of deploying GMP-compatible contracts on both Polygon and Secret Network, illustrating how to send messages across these networks.

If you run into any errors or questions, ping the #dev-issues channel on Secret Network's Discord and somebody will get back to you shortly 😊

Overview

SecretPath seamlessly handles encrypted payloads on the EVM, which means EVM developers can use SecretPath to encrypt and decrypt messages cross-chain with little-to-no Rust experience required.

This tutorial explains how to:

1. Upload your own Key-value store contract on Secret Network

2. Encrypt data on the EVM and transmit encrypted data cross-chain to Secret Network

3. Connect your key value store contract to a React frontend.

After this tutorial, you will have the tools you need to use SecretPath to encrypt messages on any EVM-compatible chain.

Getting Started

To get started, clone the EVM key value store repository:

git clone https://github.com/writersblockchain/evm-kv-store-demo.git

Configuring Environment

cd into secret-contract/node

cd secret-contract/node

Install the dependencies:

npm install

Upload the Key-value contract to Secret Network

In the node folder, open the upload.js file and review the instantiate message at line 56:

 let init = {
    gateway_address: gatewayAddress,
    gateway_hash: gatewayHash,
    gateway_key: gatewayPublicKeyBytes,
  };

• gatewayAddress is the SecretPath gateway contract address for testnet

• gatewayHash is the SecretPath gateway contract hash for testnet

• gatewayKey is public key used for SecretPath encryption on Secret testnet

To upload and instantiate the contract, run node upload:

node upload

Upon successful upload, a contractHash and address will be returned:

codeId:  5701
Contract_hash: "6311a3f85261fc720d9a61e4ee46fae1c8a23440122b2ed1bbcebf49e3e46ad2"
contract_address:  "secret1j0gpu6tlwnc9fw55wcfsfuml00kqpcnqz7dck7"

make build-mainnet

Encrypt a payload

Now that you have your key value store smart contract uploaded to Secret Network, let's use it to store encrypted messages passed from the EVM. Most of the ECDH cryptography has been abstracted away so there are only a few values you need to change.

cd into evm-kv-store-demo/kv-store-frontend:

cd evm-kv-store-demo/kv-store-frontend

Install the dependencies:

npm i

Open .env and change the routing_contract and routing_code_hash to the address and code hash for your contract:

REACT_APP_SECRET_ADDRESS="secret1neeyum9p9h6u0d5jkxlqx9w5nrz49hzrr63jsw"
REACT_APP_CODE_HASH="6994d8ff9ed1af73ef4685a9f5c8a5568804afb5fa5ce49ec8496fb271a9760a"

That's it! You dApp is now connected to your Secret smart contract and ready to encrypt key value pairs. To start the application, run:

npm run start

Now that you have successfully uploaded a key-value contract to Secret Network and connected it to a React frontend, let's examine the code to understand how SecretPath passes encrypted data from the EVM to Secret Network.

From a high-level, all that you need to know is there is a public SecretPath contract deployed on every EVM chain listed here, which communicates with a private SecretPath contract deployed on Secret Network, and it is these public/private contract pairs that encrypt your data and pass messages from the EVM to Secret Network.

When you create your cross-chain dApp, you simply need to format your data so that it can be transmitted successfully from the public SecretPath contract to the private SecretPath contract.

All of the data formatting for the public EVM contract happens in submit.js. This is almost entirely boilerplate code except for the variables handle and data:

  // The function name of the function that is called on the private contract
  const handle = "store_value";

  // Data are the calldata/parameters that are passed into the contract
  const data = JSON.stringify({
    key: key,
    value: value,
    viewing_key: viewing_key
  });

handle is the name of the function that we are executing in our private Secret smart contract, and data is the data that we pass to the function that we are executing in the Secret contract, which in the case of the key value contract is key, value, and viewing_key.

Let's now look at the Secret Network contract that we uploaded to better understand the store_value function and how it uses the parameters key, value, and viewing_key.

Understanding the Private (Secret) Contract

At line 109, we have a match statement, which includes the handle "store_value":

 // determine which function to call based on the included handle
    let handle = msg.handle.as_str();
    match handle {
        "store_value" => store_value(deps, env, msg.input_values, msg.task, msg.input_hash),
        "retrieve_value" => retrieve_value(deps, env, msg.input_values, msg.task, msg.input_hash),
        "change_value" => change_value(deps, env, msg.input_values, msg.task, msg.input_hash),
        _ => Err(StdError::generic_err("invalid handle".to_string())),
    }

Since we pass the handle store_value from your dApp to your Secret contract, it knows to execute the store_value function!

Inside of the store_value function, we use the key, value, and viewing_key parameters that we pass from the EVM in order to create a key map with our key-value pairs:

let input: InputStoreMsg = serde_json_wasm::from_str(&input_values)
        .map_err(|err| StdError::generic_err(err.to_string()))?;
  
  // create a task information store
    let storage_item = StorageItem {
        value: input.value,
        viewing_key: input.viewing_key,
    };
    
  // map task to task info
    KV_MAP.insert(deps.storage, &input.key, &storage_item)?;

This data is encrypted and stored inside of your Secret smart contract. The data can now only be revealed with a query that uses the proper viewing_key:

const secretjs = new SecretNetworkClient({
                url: "https://lcd.testnet.secretsaturn.net",
                chainId: "pulsar-3",
            });

            const query_tx = await secretjs.query.compute.queryContract({
                contract_address: process.env.REACT_APP_SECRET_ADDRESS,
                code_hash: process.env.REACT_APP_CODE_HASH,
                query: {
                    retrieve_value: {
                        key: key,
                        viewing_key: viewingKey
                    }
                },
            });

Summary

In this tutorial, you've learned how to deploy a key-value store smart contract on Secret Network, encrypt and transmit messages from an EVM-compatible chain, and integrate the contract with a React frontend. Using SecretPath, you can now seamlessly handle encrypted payloads cross-chain with minimal Rust experience. By following the steps outlined, you're equipped to build decentralized applications that leverage SecretPath for secure, cross-chain communication and data storage.

Introduction

Confidential voting on Secret Network enables developers to create and manage voting systems where proposals and votes remain encrypted and secure. This ensures confidentiality and integrity in voting processes across EVM-compatible chains. There are 2 cross-chain voting solutions on Secret Network, the first uses SecretPath, and the other ECDH cryptography.

• Overview: Introduction to using SecretPath as a Confidential Computation Layer for EVM chains, allowing encrypted data transfer and storage on Secret Network. Description of how SecretPath functions as a bridge for encrypted data, facilitating the creation and voting on proposals within a Secret smart contract.

• Setup and Deployment: Step-by-step guide on setting up the development environment, compiling and uploading the Secret contract, and configuring the frontend to interact with the SecretPath-enabled voting system.

• Passing Encrypted Data: Detailed explanation of how to pass encrypted proposals and votes from the EVM to the Secret Network using SecretPath.

• Introduction: Guide to encrypting and decrypting votes using Secret Network smart contracts, aimed at building confidential voting on any EVM chain.

• Setup and Configuration: Instructions for setting up the developer environment, configuring environment variables, and generating cryptographic keys for encryption. Steps to upload and instantiate the Secret Network and Polygon smart contracts, enabling creation and voting on proposals.

• Executing Contracts: Processes for creating proposals, voting, and decrypting votes using the deployed smart contracts on the Polygon testnet and Secret Network.

Overview

enables EVM developers to use Secret Network as a Confidential Computation Layer (CCL) for .

In this developer tutorial, you will learn how to use SecretPath to enable confidential voting on the EVM.

Understanding SecretPath

At a high level, you can think of SecretPath as a confidential bridge that passes encrypted data from your EVM chain to a Secret Network smart contract where the data remains encrypted.

To work with SecretPath, you must first create a Secret smart contract that stores the encrypted data that you want to send from the EVM. For our purposes, we have created a Secret smart contract with 2 functionalities:

1. Create proposals

2. Vote on existing proposals

You create and vote on proposals from the EVM, and then that data is sent to your Secret smart contract via SecretPath where it remains encrypted . Pretty cool, right!? 😎 Let's start by examining our Secret voting contract, and then we will breakdown how to send messages to it from the EVM with SecretPath.

Secret Network Prerequisites

1. .

2. .

Getting Started with Secret Network

To get started, clone the :

cd into secretpath-tutorials/secretpath-voting/voting-contract:

Compiling and uploading the Secret contract

Compile the contract

cd into voting-contract/node:

Install the node dependencies

Set SecretPath parameters:

Upload and instantiate the contract:

Send encrypted data to your Secret Contract on the EVM

Now that you have instantiated your confidential voting contract on Secret Network, it's time to pass your encrypted data from the EVM to Secret Network. Remember the create_proposal and create_vote functions from the Secret contract? Now you will execute those functions and send encrypted data to the voting contract! 🤯

Bootstrapping the frontend

Let's create and vote on your first proposal with SecretPath!

cd into secretpath-voting/frontend:

Install the dependencies

Configure env

Run the application

You should see the following React application running locally in the browser:

Now, create and vote on a proposal to understand the frontend functionality. Then, let's look at the underlying code to understand how we are passing encrypted data from the EVM to Secret Network 🙂

Passing Encrypted Data with SecretPath

Create a Voting Proposal

Now that you have all of your SecretPath code configured, execute the frontend to send your voting proposal to the Secret contract!

Vote on a Proposal

Execute the frontend to vote on an existing proposal and send the encrypted vote to the Secret contract!

Secret Queries - retrieving proposals and votes from Secret contract storage

These queried proposals and their associated votes are then displayed in our React frontend.

Conclusion

For a detailed demonstration, you can watch our video tutorial available here:

After we've gone through an extensive example on how our example contract works, here's how to implement SecretVRF via SecretPath in your own contract in 4 easy steps:

Importing the Interface

First, import the ISecretVRF interface into your Solidity Contract:

Set the SecretVRF gateway contract

Call the SecretVRF Gateway contract

Now, we implement the function that calls the SecretVRF Gateway on EVM. Note that you have to pay an extra amount of your gas token as CallbackGas:

The callback gas is the amount of gas that you have to pay for the message coming on the way back. If you do pay less than the amount specified below, your Gateway TX will fail:

Wait for the callback

From here, the SecretVRF Gateway will take care of everything, just wait 1-2 blocks for Gateway to provide you the random number by getting it from the Secret Networks on chain VRF and do the callback.

The SecretVRF gateway contract will always call the contract that called the VRF contract (using msg.sender) with the function selector bytes 0x38ba4614, which is the function:

Now, the SecretVRF Gateway contract will verify the validity of the call and when all checks pass, it will call this function. In this case, we just emit a log as an example to finish our demo. Emitting a log is not obligatory and optional.

Overview

over SecretPath enables EVM developers to access on-chain verifiable random numbers at a fraction of the cost and block time of traditional RNG oracles such as ChainlinkVRF. With fewer than 100 lines of code, you will have access to an infinite supply of randomness.

Getting Started

To get started, clone the repo:

EVM Prerequisites

2. .

Configuring Environment Variables

Install the node dependencies:

Update the env file with your EVM wallet private key and API key.

Upload & Instantiate RandomnessReceiver.sol

Compile your Solidity smart contract:

Once the contract is compiled successfully, upload the contract to Polygon testnet:

Note the contract address:

Add the RandomnessReceiver contract address to your env file:

Execute RandomnessReceiver.sol

Now that you've uploaded your contract, it's time to set the SecretPath gateway address for Polygon Amoy and then request on-chain verifiable random numbers!

Set Gateway Contract

First, set the gateway address for Polygon Amoy testnet. You can do this by executing set_gateway.js:

Create Randomness Event Listener

Next, create an event listener so you can listen to when the random numbers that you request have been fulfilled.

Create the event listener by executing fulfill_randomness_event.js:

Request Random Numbers

Once you have configured how many random numbers you want to request, execute request_random.js:

Upon successful execution, your terminal will log the following:

Navigate to your event listener terminal to see the returned random numbers:

Congrats! You've just used SecretPath to request your first verifiable on-chain random numbers! 🎉

Conclusion

Secret VRF offers an innovative and cost-effective solution for EVM developers seeking access to verifiable random numbers. By following this guide, you've successfully set up your environment, deployed the RandomnessReceiver.sol contract, and interacted with the SecretPath network to request and receive random numbers. Dive into the world of decentralized randomness with SecretPath, where security meets simplicity. 🌟

Overview

A first-price sealed-bid auction, also known as a "blind auction", is a type of auction in which all bidders simultaneously submit sealed bids so that no bidder knows the bid of any other participant. The highest bidder pays the price that was submitted. In this tutorial you will learn how to create a cross-chain sealed bid auction dApp with encrypted bids using.

You will start by configuring your developer environment and then learn how to use SecretPath to enable cross-chain encryption and decryption, using Secret Network as a Confidential Computing Layer (CCL) for the EVM.

Getting Started

To get started, clone the SecretPath tutorials repository:

EVM Prerequisites

1. your Sepolia wallet.

Secret Network Prerequisites

1. .

2. .

Uploading Sealed Bid Contract

cd into sealed-bid-auctions/sealed-bid-contract

Compile the contract

cd into secret-contract/node:

Install the node dependencies

Set SecretPath parameters:

Upload and instantiate the contract:

List an Auction Item

Now that you've instantiated a sealed bid contract on Secret Network, it's time to create your first auction item with SecretPath!

cd into sealed-bid-auctions/evm-contract:

Install the dependencies

Configure env

Configure SecretPath

Now that you have all of your SecretPath code configured, execute the SecretPath Sepolia public gateway contract to send your auction item to the Secret contract:

Upon successful execution, info about your SecretPath payload will be returned:

Bid On Auction Item

Once you have set your bid, execute the bid function:

Upon successful execution, info about your SecretPath payload will be returned. Now let's query your auction item and bids with secret.js.

Querying Auction Items and Bids

cd into sealed-bid-auctions/sealed-bid-contract/node:

Make sure you have added your Sealed bid contract address and codehash to your env file, and then query the auction item with node query_auction:

If your auction item was submitted successfully, it should be returned like so:

If the bidding is still open, it will return the message:

If the bidding is closed, it will return the highest bid:

Conclusion

Note that the end user of the application is not exposed to Secret Network and is only working directly in the EVM environment. However, the data is fully protected and cannot be viewed by anyone.

Introduction

In this tutorial you will learn how to implement the @secret-network/share-document SDK to store, view, and share confidential documents on the EVM using Secret Network as a confidential storage layer.

By using our SDK, you will have the possibility to:

• Store a new document

• See the contents of this document

• Grant/Revoke access to the document to another wallet address

Note that when you want to share a document with another wallet address, you need to provide the Secret Network address of the person you want to share it with.

Getting Started

Create an empty wagmi project:

npm create wagmi

During the install process, wagmi will ask you to select a framework and a variant. To follow along with this tutorial, select React for framework, and Next for variant. Once you have installed your wagmi project, cd into your project:

cd <your project name>

Install the dependencies & the sdk:

npm i @secret-network/share-document

This tutorial will teach you how to use the SDK on Polygon Mainnet. Update your wagmi.ts file for Polygon Mainnet configuration like so:

import { http, createConfig } from 'wagmi'
import { polygon } from 'wagmi/chains'
import { coinbaseWallet, injected, walletConnect } from 'wagmi/connectors'

export const config = createConfig({
  chains: [polygon], // Add Polygon chain
  connectors: [
    injected(),
    coinbaseWallet({ appName: 'Create Wagmi' }),
    // walletConnect({ projectId: process.env.NEXT_PUBLIC_WC_PROJECT_ID }),
  ],
  ssr: true,
  transports: {
    [polygon.id]: http(), // Add polygon chain
  },
})

declare module 'wagmi' {
  interface Register {
    config: typeof config
  }
}

Create a .env file with the following content since we are interacting with the Polygon Mainnet contract:

ENVIRONMENT= "mainnet" 

ENVIRONMENT can use the following variables depending on which dev environment you are using:
"mainnet" | "testnet" | "local"

Custom chain

import { scroll } from "viem/chains";
import { Config, EvmChain } from "@secret-network/share-document"

const config = new Config({
  sourceChain: EvmChain.SCROLL,
  customChain: scroll  
});

Storage API Keys

Next, navigate to Pinata and generate a new API key + JWT token to use for storing documents. Make sure you save the credentials in a safe place because we will use them shortly :D

React Imports & State Variables

Navigate to /src/page.tsx.

Configure your React imports + state viarables like so:

'use client'

import { useAccount, useConnect, useDisconnect, useWalletClient } from 'wagmi'
import { Config, SecretDocumentClient, Environment, MetaMaskWallet, PinataStorage } from "@secret-network/share-document";
import { useEffect, useState } from 'react';

function App() {
  const { address } = useAccount();
  const { connectors, connect, status, error } = useConnect();
  const { disconnect } = useDisconnect();
  const { data: walletClient } = useWalletClient();
  const [client, setClient] = useState<SecretDocumentClient>();
  const [downloadFileId, setDownloadFileId] = useState('');
  const [shareFileId, setShareFileId] = useState('');
  const [secretAddress, setSecretAddress] = useState('');
}

Your environment is now configured to store confidential documents on Polygon Mainnet using Secret Network!

Initialize the Client

Configure the SDK client like so:

// Initialize user wallet for the SDK
  useEffect(() => {
    const initializeClient = async () => {
      if (!walletClient) return;

      const config = new Config({ env: Environment.MAINNET });
      config.useEvmWallet({ client: walletClient });
      console.log("config: ", config);

      const wallet = await MetaMaskWallet.create(window.ethereum, address || "");
      config.useSecretWallet(wallet);

      const gateway = "https://gateway.pinata.cloud";
      const accessToken = "Your JWT token";
      
      const pinataStorage = new PinataStorage(gateway, accessToken);
      config.useStorage(pinataStorage);

      const secretClient = new SecretDocumentClient(config);
      setClient(secretClient);
      console.log("client: ", secretClient);
    };

    initializeClient();
  }, [walletClient, address]);

Store a File

// Store File to Secret Network
  const storeFile = async () => {
    if (!client) {
      console.error('Client is not initialized');
      return;
    }
    try {
      const file = new File(["Hello, world!"], "hello.txt", { type: "text/plain" });
      const res = await client.storeDocument().fromFile(file); 
      console.log('File stored successfully:', res);
    } catch (error) {
      console.error('Error storing file:', error);
    }
  };

View a File

 // View file
  const viewFile = async () => {
    if (!client) {
      console.error('Client is not initialized');
      return;
    }
    try {
      const res = await client.viewDocument().getAllFileIds();
      console.log('File viewed successfully:', res);
    } catch (error) {
      console.error('Error viewing file:', error);
    }
  };

Download a File

// Download file
  const downloadFile = async (fileId: string) => {
    if (!client) {
      console.error('Client is not initialized');
      return;
    }
    try {
      const uint8Array = await client.viewDocument().download(fileId);

      // Convert Uint8Array to Blob
      const blob = new Blob([uint8Array], { type: 'application/octet-stream' });

      // Create a link element
      const link = document.createElement('a');
      link.href = URL.createObjectURL(blob);
      link.download = 'downloaded_file'; // Set the desired file name here

      // Append the link to the body
      document.body.appendChild(link);

      // Programmatically click the link to trigger the download
      link.click();

      // Remove the link from the document
      document.body.removeChild(link);

      console.log('File downloaded successfully');
    } catch (error) {
      console.error('Error downloading file:', error);
    }
  };

Share a File

// Share file
  const shareFile = async (fileId: string, secretAddress: string) => {
    if (!client) {
      console.error('Client is not initialized');
      return;
    }
    try {
      const shareDocument = client.shareDocument(fileId);

      // Get existing file access
      // const fileAccess = await shareDocument.getFileAccess();
      // console.log('Existing file access:', fileAccess);

      // Share viewing access to a file
      const addViewingRes = await shareDocument.addViewing([secretAddress]);
      console.log('Viewing access added:', addViewingRes);

      // Delete viewing access to a file
      // const deleteViewingRes = await shareDocument.deleteViewing([secretAddress]);
      // console.log('Viewing access deleted:', deleteViewingRes);

      // Transfer the ownership
      // const changeOwnerRes = await shareDocument.changeOwner(secretAddress);
      // console.log('Ownership transferred:', changeOwnerRes);

      // All in one share operation
      const shareRes = await shareDocument.share({
        // changeOwner: secretAddress,
        addViewing: [secretAddress],
        // deleteViewing: [secretAddress],
      });
      console.log('All-in-one share operation completed:', shareRes);

    } catch (error) {
      console.error('Error sharing file:', error);
    }
  };

Summary

This documentation provides a step-by-step guide on how to implement the @secret-network/share-document SDK to securely store, view, and share confidential documents on the EVM using Secret Network as a confidential storage layer. You learned how to create a new wagmi project, configure it for Polygon Mainnet, and integrate the Secret Network SDK. By following this guide, you can now store documents, view their content, and manage access permissions all on the EVM chain of your choosing.

Special Thanks

Special thanks to the FiftyWei team for building out this SDK as part of the Secret Network Q1 2024 grants cohort :D

Install and import dependencies

First, install all of the the dependencies via NPM:

npm install @solar-republic/cosmos-grpc @solar-republic/neutrino ethers secure-random

Next, import the following into your code:

import { ethers } from "ethers"; 
import { arrayify, hexlify, SigningKey, keccak256, recoverPublicKey, computeAddress } from "ethers/lib/utils"; 
import {ecdh, chacha20_poly1305_seal} from "@solar-republic/neutrino"; 
import {bytes, bytes_to_base64, json_to_bytes, sha256, concat, text_to_bytes, base64_to_bytes} from '@blake.regalia/belt';

In your vite.config.ts in the project, you need to add the support for bigInt into the esbuildOptions:

optimizeDeps: { 
    esbuildOptions: { 
        target: "esnext", 
        supported: { 
        bigint: true 
        }, 
    } 
}

Defining variables

To start, we first define all of our variables that we need for the encryption, as well as the gateway information:

const publicClientAddress = '0x3879E146140b627a5C858a08e507B171D9E43139' //EVM gateway contract address
const routing_contract = "secret1fxs74g8tltrngq3utldtxu9yys5tje8dzdvghr" //the contract you want to call in secret
const routing_code_hash = "49ffed0df451622ac1865710380c14d4af98dca2d32342bb20f2b22faca3d00d" //its codehash

First, we define the Gateway address that is specific to each chain, which can you can look up here Supported Networks.

Second, you need to input the private contract that you are going to call, in our case the Secret VRF RNG contact on Secret Network. The code for this example contract can be found here in case you want to deploy it yourself.

Initializing the Ethereum client

Next, init the Ethereum client that you are using to call the contract with. Here, we init the chainId to use the Ethereum sepolia testnet and use ethers.js to retrieve the address.

 await (window as any).ethereum.request({
    method: 'wallet_switchEthereumChain',
    params: [{ chainId: '0xAA36A7' }], // chainId must be in hexadecimal numbers
});

// @ts-ignore
const provider = new ethers.providers.Web3Provider(window.ethereum);
const [myAddress] = await provider.send("eth_requestAccounts", []);

Generating the encryption key using ECDH

Next, you generate ephermal keys and load in the public encryption key for the Secret Gateway that you can look up in Supported Networks. Then, use ECDH to create the encryption key:

//Generating ephemeral keys
const wallet = ethers.Wallet.createRandom();
const userPrivateKeyBytes = arrayify(wallet.privateKey);
const userPublicKey: string = new SigningKey(wallet.privateKey).compressedPublicKey;
const userPublicKeyBytes = arrayify(userPublicKey)

//Gateway Encryption key for ChaCha20-Poly1305 Payload encryption
const gatewayPublicKey = "A20KrD7xDmkFXpNMqJn1CLpRaDLcdKpO1NdBBS7VpWh3";
const gatewayPublicKeyBytes = base64_to_bytes(gatewayPublicKey);

//create the sharedKey via ECDH
const sharedKey = await sha256(ecdh(userPrivateKeyBytes, gatewayPublicKeyBytes));

Define the Calldata for the secret contract & Callback information

Next, you define all of the information that you need for calling the private contract on Secret + add the callback information for the message on its way back.

We begin by defining the function that we are going to call on the private secret contract, here it's request_random . Next, we add the parameters/calldata for this function, which is ("{ numWords: Number(numWords) }"and convert it into a JSON string.

Next, we define the callback Information. In this case, we are using the gateway contract as an example callback. Here, you would typically put in your own custom callback address and callback selector in.

//the function name of the function that is called on the private contract
const handle = "request_random"

//data are the calldata/parameters that are passed into the contract 
const data = JSON.stringify({ numWords: Number(numWords) })
    
const callbackAddress = publicClientAddress.toLowerCase();
//This is an empty callback for the sake of having a callback in the sample code.
//Here, you would put your callback selector for you contract in. 
const callbackSelector = iface.getSighash(iface.getFunction("upgradeHandler"))
const callbackGasLimit = Number(callback_gas_limit)

After defining the contract call and callback, we now construct the payload:

//payload data that are going to be encrypted
const payload = {
      data: data,
      routing_info: routing_contract,
      routing_code_hash: routing_code_hash,
      user_address: myAddress,
      user_key: bytes_to_base64(userPublicKeyBytes),
      callback_address: bytes_to_base64(arrayify(callbackAddress)),
      callback_selector: bytes_to_base64(arrayify(callbackSelector)),
      callback_gas_limit: callbackGasLimit,
}

Encrypting the Payload

Next, we encrypt the payload using ChaCha20-Poly1305. Then, we hash the encrypted payload into a ciphertextHash using Keccak256.

//build a Json of the payload 
const payloadJson = JSON.stringify(payload); 
const plaintext = json_to_bytes(payload);
//generate a nonce for ChaCha20-Poly1305 encryption 
//DO NOT skip this, stream cipher encryptions are only secure with a random nonce!
const nonce = crypto.getRandomValues(bytes(12));

//Encrypt the payload using ChachaPoly1305 and concat the ciphertext+tag to fit the Rust ChaChaPoly1305 requirements
const [ciphertextClient, tagClient] = chacha20_poly1305_seal(sharedKey, nonce, plaintext);
const ciphertext = concat([ciphertextClient, tagClient]);

//get Metamask to sign the payloadhash with personal_sign
const ciphertextHash = keccak256(ciphertext)