Security White Paper

"Architecture of Immutable Authenticity on Scroll L2: A technical deep dive into Token Guard's security model."

6 January 2026, Token Guard Team

Security White Paper: Architecture of Immutable Authenticity on Scroll L2

/Executive Summary

This comprehensive technical report outlines the architecture of Token Guard, an enterprise-grade solution designed to establish immutable digital authenticity for high-value assets. Commissioned for the review of Chief Information Officers (CIOs) and IT governance boards, this document provides an exhaustive analysis of the system's three foundational pillars: the Scroll zkEVM Layer 2 network for secure execution, IPFS (InterPlanetary File System) for decentralized metadata persistence, and ERC-721 Smart Contracts for logic enforcement.

The central thesis of this architecture is "Security Inheritance." By leveraging Scroll, a Zero-Knowledge Rollup (zk-Rollup), the solution inherits the cryptoeconomic security and decentralization of the Ethereum mainnet while mitigating its scalability constraints and volatile operational costs. Furthermore, the integration of EIP-4844 (Proto-Danksharding) ensures that data availability costs remain predictable and low, transforming blockchain interaction from a variable operational risk into a stable infrastructure component.

For the CIO, the transition to decentralized infrastructure often raises concerns regarding control, compliance, and data availability. This report systematically addresses these concerns, demonstrating how the proposed architecture utilizes Role-Based Access Control (RBAC), SOC2-compliant middleware (Supabase/Vercel), and redundant storage strategies to meet enterprise Service Level Agreements (SLAs).

/Investor Snapshot (Plain-Language Summary)

  • Enterprise-grade security: Scroll zkEVM inherits Ethereum security with instant finality and low fees.
  • Governance by design: Multisig-controlled roles prevent unilateral changes or misuse.
  • Durable records: Content-addressed metadata (IPFS + Filecoin) preserves authenticity over decades.

/1. Introduction: The Strategic Imperative of Digital Sovereignty

The digitization of luxury and high-value retail has necessitated a shift from centralized databases to decentralized ledgers. In a traditional architecture, a Certificate of Authenticity is only as durable as the server hosting it.

1.1 The Limitations of Legacy Systems

Centralized verification systems suffer from the "Administrator Dilemma." The database administrator holds absolute power to mutate the state. This architecture proposes a shift to Trustless Verification, where authenticity is guaranteed by cryptographic proofs verified on a public ledger rather than brand authority.

1.2 The Selection of Layer 2: Solving the Scalability Trilemma

The Ethereum mainnet (Layer 1) is the global standard for secure value but is constrained by the "Scalability Trilemma," processing only ~15-30 transactions per second (TPS). Layer 2 solutions address this by processing transactions off-chain.

Scroll was selected because it is a zkEVM rollup. Unlike Optimistic Rollups which rely on a 7-day fraud-proof window, Scroll utilizes Zero-Knowledge proofs to mathematically certify the validity of every transaction batch before it is finalized on Ethereum. This eliminates "challenge period" latency and ensures state validity by cryptographic definition.

1.3 Architectural Goals

  • Immutable Integrity: No alteration possible without a traceable on-chain audit trail.
  • Operational Continuity: Existence independent of brand IT infrastructure uptime.
  • Cost Predictability: Low and stable transaction fees via EIP-4844.
  • Compliance & Governance: Support for role separation and upgradeability patterns.

/2. The Execution Layer: Scroll zkEVM Architecture

2.1 zkEVM: Bytecode Equivalence vs. Compatibility

Scroll distinguishes itself through EVM Equivalence at the bytecode level. It executes Ethereum opcodes directly without transpilation. This provides a powerful Business Continuity Plan (BCP): smart contracts can be redeployed to Ethereum Mainnet or any other EVM-equivalent chain with zero code changes.

2.2 The Scroll Infrastructure Stack

  1. The Scroll Node: Consists of the Sequencer (orders transactions) and the Relayer (commits data to Ethereum L1 for Data Availability).
  2. The Roller Network: A decentralized network of "Rollers" that generate validity proofs using hardware accelerators (GPUs/ASICs).
  3. L1 Verification Contracts: Smart contracts on Ethereum that verify the aggregated proofs. A transaction is only final when verified on L1.

2.3 The "Security Inheritance" Model

Scroll relies entirely on Ethereum's Proof-of-Stake consensus and enforces validity before finalization. The L1 contract rejects any proof that attempts unauthorized state changes.

2.4 Liveness and the "Escape Hatch"

To prevent censorship, Scroll allows users to submit transactions directly to the L1 Rollup Contract. If the Sequencer fails to include such a transaction, the proof generation process fails, ensuring the brand always retains sovereignty over its assets.


/3. Data Availability and Economic Viability

3.1 The Anatomy of L2 Gas Fees

  • L2 Execution Fee: Negligible cost for computation.
  • L1 Data Availability (DA) Fee: The cost of publishing data to Ethereum (historically >90% of total fees).

3.2 The Revolution of EIP-4844 (Proto-Danksharding)

EIP-4844 introduced "Blobs"—temporary data packets that are pruned after ~18 days. This decoupled L2 storage costs from Ethereum's main execution fee market.

| Feature | Pre-4844 (Calldata) | Post-4844 (Blobs) | Enterprise Benefit |
| :--- | :--- | :--- | :--- |
| Storage Duration | Permanent | Ephemeral (~18 Days) | No "eternal storage" tax |
| Cost Market | Shared with ETH txs | Separate "Blob Gas" | Decoupled from DeFi volatility |
| Typical Cost | $0.50 - $2.00 / tx | < $0.01 / tx | Enables high-volume minting |


/4. The Persistence Layer: IPFS and Metadata Sovereignty

4.1 The Risk of Location Addressing (HTTP)

Standard URLs (https://brand.com/watch.json) are vulnerable to Mutability (file can be changed without changing the URL) and Link Rot (404 errors if the server goes down).

4.2 The Solution: Content Addressing via IPFS

IPFS uses Content Identifiers (CIDs) based on a cryptographic hash of the file.

  • The Formula: $CID = Multibase(Multicodec(Multihash(Content)))$
  • Immutability: If one bit of the file changes, the CID changes. This creates an unbreakable cryptographic chain between the Smart Contract and the asset metadata.
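
An added example (not part of the Token Guard code base) of the check a verifier can run on metadata fetched from any gateway: recompute the CID and compare it with the one referenced on-chain. It assumes the metadata was stored as a single raw block (CIDv1, `raw` codec, sha2-256, base32); files chunked into a DAG need a full IPFS implementation to verify, and the sample JSON is constructed.

```javascript
// Added example: recompute a CIDv1 and verify gateway bytes against it.
const { createHash } = require("node:crypto");

const B32 = "abcdefghijklmnopqrstuvwxyz234567"; // RFC 4648 alphabet, lower case
// CID version 1, multicodec "raw" (0x55), multihash sha2-256 (0x12), 32-byte digest
const HEADER = Buffer.from([0x01, 0x55, 0x12, 0x20]);
// Constructed sample metadata (assumption, not a real certificate).
const SAMPLE_METADATA = Buffer.from('{"name":"Watch #1","serial":"CONSTRUCTED-0001"}');

function base32Encode(bytes) {
  let bits = 0, value = 0, out = "";
  for (const b of bytes) {
    value = (value << 8) | b;
    bits += 8;
    // Emit every complete 5-bit group, most significant first.
    while (bits >= 5) out += B32[(value >>> (bits -= 5)) & 31];
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += B32[(value << (5 - bits)) & 31];
  return out;
}

function base32Decode(text) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of text) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error("invalid base32 character in CID");
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) out.push((value >>> (bits -= 8)) & 0xff);
    value &= (1 << bits) - 1;
  }
  return Buffer.from(out);
}

function cidV1Raw(content) {
  const digest = createHash("sha256").update(content).digest();
  return "b" + base32Encode(Buffer.concat([HEADER, digest])); // "b" = base32 multibase prefix
}

// Returns true only if `content` hashes to the digest embedded in `cid`.
function verifyAgainstCid(cid, content) {
  const raw = cid.startsWith("b") ? base32Decode(cid.slice(1)) : Buffer.alloc(0);
  if (raw.length !== 36 || !raw.subarray(0, 4).equals(HEADER))
    throw new Error("unsupported CID: expected CIDv1 / raw / sha2-256 / base32");
  return raw.subarray(4).equals(createHash("sha256").update(content).digest());
}
```

A client that rejects any response for which `verifyAgainstCid` returns false does not need to trust the gateway or pinning service that served the bytes.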

4.3 Ensuring Persistence: The Pinning Strategy

To meet SLAs, Token Guard uses a tiered pinning strategy:

  1. Tier 1: Enterprise Pinning: Services like Filebase/Pinata provide S3-compatible APIs and geo-redundancy.
  2. Tier 2: Decentralized Archival: Long-term preservation via Filecoin (Proof of Spacetime) and NFT.Storage.

/5. Smart Contract Security Architecture

5.1 The ERC-721 Standard

The token contract is built on the OpenZeppelin library and implements ERC721Enumerable for on-chain query capability, optimized for Scroll's low gas costs.

5.2 Access Control and Governance

  • Role-Based Access Control (RBAC): Uses AccessControl for granular permissions (MINTER_ROLE, PAUSER_ROLE, etc.).
  • Multi-Signature Model: Critical roles are held by a Gnosis Safe (3-of-5 setup) involving CIO, CTO, and Legal, ensuring no single point of failure.

5.3 Advanced Functionality: Gasless Minting

The contract implements EIP-712 Typed Structured Data Signatures. The brand's backend signs an authorization, and a Relayer submits it to the contract, covering the gas fees to provide a "Web2-like" user experience.

5.4 Upgradeability and Emergency Procedures

  • UUPS Proxy Pattern: Allows for bug fixes while maintaining state; no unilateral upgrade is possible without multisig governance.
  • Pausability: The PAUSER_ROLE can freeze transfers instantly in an emergency.
  • Recovery (Clawback): A specialized role for legal compliance (e.g., theft recovery) subject to strict verification.

/6. Enterprise Integration: Middleware and Compliance

6.1 The "Web2.5" Tech Stack

  • Next.js on Vercel: Enterprise-grade hosting with SOC2 Type 2 compliance and SSO integration.
  • Supabase (PostgreSQL): Acts as a high-performance Indexer and caching layer for blockchain events. SOC2 and HIPAA compliant.

6.2 Key Management Systems (KMS)

Private keys used for signing (Minter Role) are stored in AWS KMS or HashiCorp Vault (HSM-backed). Keys never touch application memory or disk.

6.3 Monitoring and Observability

  • OpenZeppelin Defender: 24/7 contract monitoring with automated Sentinels.
  • Automated Response: Autotasks can pause contracts if suspicious activity (e.g., mass minting) is detected.
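
An added example (not Token Guard's or OpenZeppelin's code) of the detection logic behind such a response: a sliding-window count of mints, taken from decoded ERC-721 `Transfer` events whose `from` is the zero address. The window, threshold, event field names and sample events are assumptions constructed for illustration; the pause call itself is left to the monitoring platform.

```javascript
// Added example: flag mass minting from decoded ERC-721 Transfer events.
const ZERO = "0x0000000000000000000000000000000000000000";

// Assumed policy values; tune them to the brand's normal minting volume.
const WINDOW_SECONDS = 60;
const MAX_MINTS_PER_WINDOW = 5;

function detectMassMint(events, windowSeconds = WINDOW_SECONDS, maxMints = MAX_MINTS_PER_WINDOW) {
  // A mint is a Transfer whose `from` is the zero address; other transfers are ignored.
  const mints = events
    .filter((e) => e.from.toLowerCase() === ZERO)
    .sort((a, b) => a.timestamp - b.timestamp);
  const alerts = [];
  let start = 0;
  let alerting = false; // hysteresis: one alert per burst, not one per event
  for (let end = 0; end < mints.length; end++) {
    // Slide the window so it only covers the last `windowSeconds`.
    while (mints[end].timestamp - mints[start].timestamp >= windowSeconds) start++;
    const count = end - start + 1;
    if (count > maxMints && !alerting) {
      alerts.push({ at: mints[end].timestamp, count, firstTokenId: mints[start].tokenId });
      alerting = true;
    } else if (count <= maxMints) {
      alerting = false;
    }
  }
  return alerts;
}

// Constructed sample: routine mints, ordinary transfers, then a burst of 8 mints.
function sampleEvents() {
  const holder = "0x00000000000000000000000000000000000000a1";
  const buyer = "0x00000000000000000000000000000000000000b2";
  const ev = [];
  for (let i = 0; i < 4; i++)
    ev.push({ from: ZERO, to: holder, tokenId: i, timestamp: 1000 + i * 120 });
  for (let i = 0; i < 10; i++)
    ev.push({ from: holder, to: buyer, tokenId: i % 4, timestamp: 1500 + i });
  for (let i = 0; i < 8; i++)
    ev.push({ from: ZERO, to: holder, tokenId: 100 + i, timestamp: 2000 + i });
  return ev;
}
```

Run over `sampleEvents()`, the detector raises a single alert when the sixth mint of the burst arrives and ignores the ten ordinary transfers.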

/7. Conclusion: The Robustness Verdict

The Token Guard architecture satisfies enterprise CIO requirements through a defense-in-depth strategy:

  1. Robustness: Inherits Ethereum L1 security via Scroll ZK-proofs.
  2. Longevity: IPFS/Filecoin ensures metadata survives corporate or server failures.
  3. Scalability: EIP-4844 Blobs reduce OpEx to a trivial level.
  4. Governance: Multisig RBAC and proxy patterns provide professional-grade control.

/Appendix: Technical Specifications Summary

| Component | Technology Selection | Rationale |
| :--- | :--- | :--- |
| Execution Layer | Scroll zkEVM | Bytecode equivalence; ZK-proof validity. |
| Data Availability | Ethereum Blobs | >90% cost reduction; separate fee market. |
| Metadata Storage | IPFS + Filecoin | Content addressing; decentralized persistence. |
| Smart Contract | ERC-721 (OpenZeppelin) | Industry standard; audited libraries. |
| Governance | Gnosis Safe | Prevents single key compromise; Multisig. |
| Middleware | Next.js + Supabase | SOC2 Type 2; SSO; Edge protection. |
| Key Management | AWS KMS / Vault | Hardware Security Module (HSM) isolation. |
