BitKuruş
Wallet

Architecture and technology analysis

About BitKuruş

BitKuruş combines a UTXO-style token ledger, Ed25519 signatures, and multi-node replication. This page explains the current design and compares it with alternative stacks.

Docs Network
01

End-to-end transaction flow

Clients sign transactions locally. Nodes only accept signed envelopes, validate shape and ownership rules, then lock inputs and commit atomically.

Before persistence, a node requires peer validation quorum (minimum configured approvals). Offline peers can be tolerated, but zero peer approval is rejected.

Client signs -> /api/tx/submit
Peer validation -> min approvals
Local validate + lock + commit
Queue replication -> /api/peer/replicate
Peers verify signature + idempotent apply
02

Defense in depth — what an attacker must defeat

BitKuruş is engineered so that no single component — your browser, our servers, a peer node, or even a database administrator — can move funds without leaving a public, cryptographic trail. To steal or alter a single token, an attacker has to defeat every one of the following layers at the same time, on every node in the federation, without producing a divergence anyone can audit.

1. Private keys never leave the user's device

Wallets are pure-browser: Ed25519 keypairs are generated and stored client-side, encrypted under a password-derived key, and only signatures are sent over the wire. The server cannot sign for the user, cannot recover keys from a backup, and cannot impersonate a wallet — there is no server-side custody surface to compromise.

2. Every accepted transaction is cryptographically authenticated

Each transaction is serialized as canonical JSON (sorted keys, raw UTF-8, preserved zero fractions) and signed with the wallet's Ed25519 private key. Nodes reject any envelope with a missing, malformed, replayed, stale-version, or non-matching signature before any database write happens.

3. Spend-once UTXO semantics, enforced atomically

Inputs are locked with a TTL before commit, their version is checked, and burn/mint happen inside one database transaction. Duplicate inputs, duplicate outputs, value-conservation breaks, output collisions, and stale token versions are all rejected deterministically — the same way, on every node.

4. Quorum of independent validators before commit

Every user transaction is sent to peer validators for a pre-flight check. Commit requires a configurable quorum (default floor(N/2)+1). A solo node cannot push a transaction into the ledger — at least a majority of independent validators have to agree on shape, ownership, and value flow first.

5. Peer replication is signed and time-bounded

Cross-node convergence happens through signed HTTP envelopes carrying a kind, payload, issuer node id, issuer public key, ISO-8601 issued-at, and an Ed25519 origin_signature. Inbound envelopes are rejected unless they match a trusted public key, fall inside a 60-second TTL window, come from a non-suspended peer, and pass strict shape validation. Replays, forgeries, and stale envelopes all fail closed.

6. Continuous integrity monitoring

After every committed write, an asynchronous job pulls each peer's /api/state and compares state_hash. Mismatches, conflicting issuance, dropped envelopes, and failed signatures all open structured alerts (state_divergence, issuance_conflict, replication_rejected, replication_failed) on the operator dashboard. A scheduled cross-check then re-verifies every peer's signed /api/network identity card against the local registry — a peer that mutates its key, its peer list, or its commission wallet is flagged immediately.

7. Operator hardening at the perimeter

A production preflight script blocks deployment unless APP_DEBUG is false, dev endpoints are off, the faucet is off, the node signing seed is set, peers and validators are configured, and the trusted-proxy list is explicit. Admin endpoints are gated behind session + role + an admin_enabled flag (and return 404 otherwise). Every public route has its own per-minute rate limit (submit, mutating, public read, peer replicate, ledger export) so no single client can drown the cluster.

8. Conservative monetary policy

A hard total supply cap (default 21,000,000 BK$) is enforced at issuance time. The validator commission is a fixed 0.02% inflation rate, split deterministically across the configured eligible validator set — same set on every node, defined in the environment file, not in mutable database tables. There is no path that mints uncapped supply, even from an admin console.

03

Don't trust — verify

You don't have to take our word for any of this. Three public, signed endpoints let anyone — including a competitor or a journalist — confirm in seconds that every node in the federation tells the exact same story.

GET /api/state
Returns the live state_hash — a SHA-256 over every active token (id, value, owner, version). Two honest nodes always return the same hash. A node that hides or alters a token cannot fake this value without breaking SHA-256.
GET /api/network
Returns the node's signed identity card: node id, public key, configured peers, validator pubkeys, commission wallet, supply cap, commission rate. The response is Ed25519-signed by the node itself. You can pin this once and detect any silent change later.
GET /api/ledger/export
Returns a cross-node deterministic JSON snapshot — every node returns byte-identical bytes. A SHA-256 canonical_hash covers all committed transactions, ledger events, tokens, and parent links. Download it from two nodes, diff the hash, done. Differences localise to one of four named sections.

In practice: a single curl … | sha256sum against two different domain names is all anyone needs to prove the federation is in agreement. If the hashes ever drift, the divergence is visible to every observer at once — not buried in a private log.

04

Replication and commission mechanics

Each node has independent storage and converges through signed envelopes. Inbound events are idempotent and suppress re-broadcast loops.

Validator commission is 0.02% by default and is minted as new system tokens (not deducted from user outputs). Rewards are split across validating nodes that have commission wallets configured in Admin.

Compared with other stacks

BitKuruş vs EVM chains
EVM chains prioritize decentralized consensus and censorship resistance, but usually with higher latency/cost. BitKuruş targets controlled validator federations and simpler operations.
BitKuruş vs centralized SQL ledger
A single SQL writer is easy to operate but creates a single failure domain. BitKuruş keeps per-node independence with signed cross-node convergence.
BitKuruş vs event sourcing + Kafka
Kafka pipelines provide high throughput and rich stream semantics, but with heavier operational complexity. BitKuruş uses signed HTTP envelopes for leaner validator clusters.
BitKuruş vs permissioned blockchain frameworks
Permissioned frameworks are strong for enterprise governance but costly to run. BitKuruş is a lighter prototype platform for fast web integration.

Best-fit scenarios

  • Trusted-federation networks with known validator identities.
  • Rapid prototyping, testnet validation, and demos.
  • Auditable flows where full BFT is not mandatory.
  • Teams needing fast wallet + API product iteration.
05

Honest limits and operational guidance

BitKuruş is intentionally not Byzantine-fault tolerant. A coalition larger than the validator minority can refuse to validate, delay, or selectively forward — the protocol relies on signed gossip and public divergence alerts rather than BFT consensus. This is a deliberate trade-off for operational simplicity, and it is why every node's behaviour is publicly auditable through state_hash and canonical_hash.

For production: enforce private peer access, maintain a trusted public-key registry, monitor replication retries and integrity alerts, run the production preflight before every deploy, and keep admin/dev endpoints restricted. Divergence is operational — not silent.