How Lockx Works

Cryptocurrency security has been plagued with trade-offs between convenience and protection. Traditional wallets require users to manage private keys directly, while centralized exchanges control user funds entirely. This creates a fundamental problem: either users bear the full burden of security, or they surrender complete control to third parties.

Lockx addresses this through a smart contract system that distributes cryptographic responsibilities between users and infrastructure without requiring complete trust in any single party. The system operates through soulbound NFTs that function as asset containers, holding ERC-20 tokens, ERC-721 NFTs, and native ETH within their smart contract structure.

Each NFT is linked to a unique signing key that authorizes asset withdrawals through EIP-712 message signing. These keys are generated using a process that splits cryptographic material between user wallet signatures and encrypted server-side components, ensuring no single party can access complete key material independently.

Soulbound NFT Implementation

The lockbox system uses soulbound NFTs, which cannot be transferred between addresses once minted. This design choice prevents unauthorized movement of the lockbox itself while preserving the programmable properties needed for asset management. Each lockbox is permanently bound to the wallet address that created it, eliminating the risk of theft through social engineering or compromised approvals.

Assets are deposited into lockbox NFTs through smart contract calls that transfer ownership from the user's wallet to the lockbox contract. The contract maintains internal mappings of which assets belong to each NFT token ID, supporting ERC-20 tokens, ERC-721 NFTs, and native ETH within a single container structure.

Unlike traditional NFTs that derive value from external metadata or artwork, lockbox NFTs derive their utility from the cryptographic access control they provide to contained assets. The NFT serves as both proof of ownership and the access mechanism for withdrawal operations.

Key Fraction Technology

Each lockbox NFT is linked to a unique signing key that authorizes asset withdrawals through EIP-712 message signing. Traditional approaches store complete private keys, creating single points of failure. Lockx instead generates signing keys through a process that splits cryptographic material between user-controlled wallet signatures and encrypted server-side random values.

When a user creates a lockbox, their wallet provides a signature over a standardized message that includes domain-specific information and a unique message key fraction. Simultaneously, the system generates a cryptographically secure random value that undergoes HMAC-SHA256 processing with the user's wallet address and domain separation salt. These components are combined through PBKDF2 key derivation with 10,000 iterations to produce the final signing key, whose public key is registered with the lockbox NFT.

This approach ensures that neither the user's wallet signature alone nor the server's encrypted random value can reconstruct the complete signing key. Both components must be present and combined during withdrawal operations, creating a system where no single party holds sufficient information for unauthorized access.

The security model operates on the principle that server compromise cannot result in key theft, as only encrypted fragments are stored. Similarly, user wallet compromise cannot provide access to lockbox assets without the corresponding server component. This cryptographic separation eliminates traditional single points of failure while maintaining the operational capabilities needed for asset management.

Two-Factor Authentication

Traditional two-factor authentication systems store TOTP secrets in encrypted databases, requiring trust that servers properly manage these secrets and decrypt them only for legitimate validation requests. This approach creates a central repository of cryptographic secrets that, if compromised, undermines the security of the entire 2FA system.

Lockx applies the same key fraction approach to 2FA implementation. Rather than storing TOTP secrets, the system generates them on-demand using the identical HMAC-SHA256 and PBKDF2 derivation process employed for signing key generation. The 10,000-iteration key strengthening provides computational resistance against brute-force attacks, while domain separation ensures that authentication secrets are cryptographically isolated from signing keys.

This approach eliminates persistent storage of TOTP secrets entirely. Each authentication event requires fresh reconstruction of the secret, and the secret is discarded immediately after validation. Server compromise cannot reveal 2FA secrets because they do not exist in storage, and user wallet compromise alone cannot generate valid TOTP codes without the corresponding server component.

The result is a 2FA system that provides equivalent security to traditional implementations while eliminating the storage-based vulnerabilities that have compromised numerous authentication systems. Users must possess both their wallet (for signature generation) and their authenticator device (for TOTP code entry) to complete withdrawal operations.

Withdrawal Operations

Asset withdrawals from lockbox NFTs require authorization through EIP-712 structured message signing. This standard ensures that withdrawal requests contain properly formatted, tamper-evident data that smart contracts can verify cryptographically. Each withdrawal creates a structured message containing the lockbox NFT token ID, asset details, destination address, and protective elements like nonces and timestamps.

The withdrawal process begins when users initiate a request through the interface. The system first requests a wallet signature for TOTP generation, requiring users to provide their 6-digit authenticator code. This dual authentication (wallet signature plus TOTP code) enables reconstruction of both the signing key and verification of the user's possession of their authenticator device.

Once authenticated, the wallet signature combines with the decrypted server fragment to reconstruct the complete signing key. This key signs the EIP-712 structured message containing the withdrawal details, creating cryptographic proof that the authorized key holder initiated the operation. The smart contract validates this signature against the registered public key before executing the asset transfer.

This process ensures that withdrawals require active participation from both the user (through wallet signatures and TOTP codes) and verification by the smart contract (through signature validation). The combination of cryptographic proofs and on-chain verification prevents unauthorized access while maintaining user control over their assets.

Conclusion

The Lockx architecture addresses fundamental trade-offs in cryptocurrency security by distributing cryptographic responsibilities without requiring complete trust in any single party. Through soulbound NFTs, key fraction technology, and dynamic 2FA generation, the system maintains the security properties of self-custody while reducing the operational burden on users.

Key fraction technology eliminates single points of failure by ensuring that neither user wallets nor server infrastructure hold complete cryptographic material. The application of this same approach to 2FA implementation removes the storage-based vulnerabilities that have compromised traditional authentication systems, creating a more robust security model.

This approach demonstrates that trustless systems need not sacrifice usability for security. By carefully distributing cryptographic operations between users and infrastructure, Lockx provides practical asset management capabilities while maintaining the decentralized principles that make cryptocurrency valuable. The result is a system that enhances security through cryptographic design rather than relying solely on operational trust.