Hardened Derivation
MPCVault is the only MPC provider with patented hardened hierarchical derivation. In the non-MPC world, all wallets use hardened derivation; MPCVault brings this security standard to MPC.
Why Hardened Derivation Matters
Without hardened keys:
| Risk | Impact |
|---|---|
| Former team members | Can track your newly added assets |
| Compromised child key | Exposes master keys and assets on other blockchains |
| Cross-chain attacks | Signature reuse across different chains |
With MPCVault’s hardened derivation, each address has an isolated derived key. Compromise of one key does not affect others.
How It Works
For each new address you create:
- A new derived key is generated from your master key
- The derivation uses hardened paths that prevent key leakage
- Each blockchain and address is cryptographically isolated
Granular Permissions
The hierarchical derivation tree enables precise permission control:
- Grant access to specific vaults only
- Limit users to certain blockchains
- Follow the principle of least privilege
Allocate users only the minimum permissions necessary for managing vaults.
Derivation Paths & Networks
MPCVault uses a structured derivation path format to generate unique keys for each vault, network, and address.
[prefix, vault_index, coin_type, account, change, address_index]
| Position | Name | Description |
|---|---|---|
| 0 | prefix | Always 9 (MPCVault identifier) |
| 1 | vault_index | Vault number starting from 0 |
| 2 | coin_type | Blockchain identifier (see table below) |
| 3 | account | Account index (typically 0) |
| 4 | change | Change index (typically 0) |
| 5 | address_index | Address index (0, 1, 2, …) |
Hardening Rules
Different networks use different hardening for the last two path positions:
| Network | Last Two Positions | Example |
|---|---|---|
| Bitcoin | Non-hardened (N0, N1) | [9,0,2147483648,0,N0,N0] |
| All others | Hardened (0, 1, 2…) | [9,0,2147483708,0,0,0] |
Non-hardened derivation (marked with N) allows public key derivation without the private key, which is required for Bitcoin’s address discovery mechanism.
Supported Networks
| Network | Coin Type | Key Type | Curve | Example Path |
|---|---|---|---|---|
| EVM (Ethereum, etc.) | 2147483708 | ECDSA | secp256k1 | [9,0,2147483708,0,0,0] |
| Bitcoin | 2147483648 | ECDSA | secp256k1 | [9,0,2147483648,0,N0,N0] |
| Tron | 2147483843 | ECDSA | secp256k1 | [9,0,2147483843,0,0,0] |
| Aptos | 2147484285 | EdDSA | Ed25519 | [9,0,2147484285,0,0,0] |
| Solana | 2147484149 | EdDSA | Ed25519 | [9,0,2147484149,0,0,0] |
| Sui | 2147484432 | EdDSA | Ed25519 | [9,0,2147484432,0,0,0] |
| TON | 2147484355 | EdDSA | Ed25519 | [9,0,2147484355,0,0,0] |
Coin types follow the SLIP-0044 standard with the hardened bit (0x80000000) applied.
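The following is an added example, not MPCVault's code: a Python check that parses the bracketed path notation and reports paths that break the rules documented above, for instance when auditing an exported address list. The function names and finding messages are hypothetical, the coin types are copied from the table, and treating an N marker outside the last two positions as a finding is an assumption.

```python
import re

HARDENED_BIT = 0x80000000
PREFIX = 9  # MPCVault identifier (position 0 in the path table)
# Coin types copied verbatim from the Supported Networks table.
COIN_TYPES = {2147483708: "EVM", 2147483648: "Bitcoin", 2147483843: "Tron",
              2147484285: "Aptos", 2147484149: "Solana", 2147484432: "Sui",
              2147484355: "TON"}
_ELEM = re.compile(r"(N?)(\d+)")


def parse_path(text):
    """Parse '[9,0,2147483648,0,N0,N0]' into (value, n_marked) tuples."""
    body = text.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("path must be wrapped in [ ]")
    elems = []
    for raw in body[1:-1].split(","):
        m = _ELEM.fullmatch(raw.strip())
        if not m:
            raise ValueError(f"bad path element {raw.strip()!r}")
        elems.append((int(m.group(2)), m.group(1) == "N"))
    return elems


def check_path(text):
    """Return findings for one path; an empty list means it matches the rules."""
    try:
        elems = parse_path(text)
    except ValueError as exc:
        return [str(exc)]
    if len(elems) != 6:
        return [f"expected 6 positions, got {len(elems)}"]
    findings = []
    prefix, coin = elems[0][0], elems[2][0]
    if prefix != PREFIX:
        findings.append(f"prefix is {prefix}, expected {PREFIX}")
    if any(marked for _, marked in elems[:4]):
        findings.append("N marker is only documented for the last two positions")
    if not coin & HARDENED_BIT:
        findings.append("coin_type is missing the hardened bit")
    network = COIN_TYPES.get(coin)
    if network is None:
        findings.append(f"coin_type {coin} is not in the network table")
    tail_marked = [marked for _, marked in elems[4:]]
    if network == "Bitcoin" and not all(tail_marked):
        findings.append("Bitcoin path: last two positions must be N-marked")
    if network != "Bitcoin" and any(tail_marked):
        findings.append("N-marked (non-hardened) position outside a Bitcoin path")
    return findings
```

An empty list from `check_path` means the path is consistent with the documented format; a non-Bitcoin path with an N-marked position is the case to look at first, since it would weaken the isolation between addresses that this page describes.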
Key Types
MPCVault supports two cryptographic signature schemes:
| Key Type | Curve | Used By |
|---|---|---|
| ECDSA | secp256k1 | EVM chains, Bitcoin, Tron, Litecoin |
| EdDSA | Ed25519 | Aptos, Solana, Sui, TON |
Address Generation
Each network derives addresses from public keys using different algorithms:
| Network | Hash Algorithm | Address Format | Example |
|---|---|---|---|
| EVM | Keccak-256 (last 20 bytes) | 0x + 40 hex chars | 0x1234...abcd |
| Bitcoin | SHA-256 + RIPEMD-160 | SegWit P2SH (Base58Check) | 3J98t1... |
| Tron | Keccak-256 + Base58Check | T prefix | TJRyWw... |
| Aptos | SHA3-256 | 0x + 64 hex chars | 0x1234... |
| Solana | Direct public key | Base58 | 7EcDhS... |
| Sui | BLAKE2b | 0x + 64 hex chars | 0x1234... |
| TON | SHA-256 | Base64 or raw | EQDk2V... |
Deriving Multiple Addresses
To create multiple addresses within the same vault and network, increment the address_index:
Vault 0, EVM, Address 0: [9,0,2147483708,0,0,0]
Vault 0, EVM, Address 1: [9,0,2147483708,0,0,1]
Vault 0, EVM, Address 2: [9,0,2147483708,0,0,2]
Each address has a completely independent derived key due to hardened derivation.