
Trust & Security

Echo is designed so that no single party — not even the coordinator that bootstraps the network — can unilaterally control the system. Trust is distributed across the participants, and critical invariants are enforced on-chain by Cardano validators.

[Diagram: Trust boundaries]
  • Coordinator: limited operational role; bootstraps epochs and facilitates communication. Cannot forge signatures, alter membership, or access funds.
  • Echo network: threshold consensus, Byzantine fault tolerant, epoch-scoped keys. Participants: a threshold of them is required to sign.
  • Security properties: no single party can forge a signature; a minority of bad actors is tolerated; keys expire and rotate each epoch; a compromised key does damage limited to one epoch.
  • Cardano L1: on-chain validators independently verify every state transition (NFT ownership, proof validity, threshold met, epoch not expired).

Minimized Coordinator Trust

The coordinator plays a limited operational role: it bootstraps new epochs and facilitates communication between participants. However, the coordinator cannot:

  • Forge consensus signatures — only the collective network can produce a valid threshold signature
  • Alter membership — every membership change requires on-chain verification of NFT ownership and cryptographic proofs
  • Steal funds — applications built on Echo (such as Sailfish) enforce their own on-chain safety mechanisms independently of the coordinator

The coordinator's signing key is only used for administrative actions like initializing epochs. The actual consensus key belongs to the collective network and rotates every time the membership changes.

Threshold Signatures

Echo uses a threshold signature scheme where a minimum number of participants must independently agree before any action can be approved. No single participant — and no subset below the threshold — can produce a valid signature.

This means that even if some participants are compromised or go offline, the network continues to operate correctly as long as the threshold is met. The system is Byzantine fault tolerant: it produces correct results even in the presence of malicious actors, as long as they remain a minority.

On-Chain Verification

Every state transition in Echo is verified by Cardano's on-chain validators. When the membership changes, the validators check:

  • The new member holds the required NFTs in their Smart Account
  • The member cryptographically proved they authorized joining
  • The membership registry was correctly updated
  • The previous consensus key authorized the transition to the new key

When an application references an Echo proof, the validators independently confirm that the proof was signed by a valid consensus key, that the membership count meets the required threshold, and that the state has not expired. No off-chain claim is taken at face value.

Epoch-Based Expiry

Echo state tokens have a built-in expiry. Once an epoch ends, its consensus key can no longer be used to produce new proofs. This limits the damage window if a key were ever compromised and ensures the network regularly refreshes its participant set.
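The checks described under Threshold Signatures, On-Chain Verification and Epoch-Based Expiry can be modelled off-chain to see how they interact. The following is an added example, not Echo's or Pond Labs' code: it stands in for a real threshold signature with per-member HMAC approvals counted against a threshold, and the epoch registry, keys, slots and message are all constructed values.

```python
import hashlib, hmac
from dataclasses import dataclass
@dataclass(frozen=True)
class Epoch:               # registry entry a validator reads on-chain (model)
    consensus_key: bytes   # collective key bound to this epoch
    members: frozenset     # member ids whose NFT ownership was verified at join
    threshold: int         # minimum approvals needed for a valid proof
    expires_at_slot: int   # proofs under this epoch are invalid from this slot

@dataclass(frozen=True)
class Proof:
    epoch: int
    consensus_key: bytes
    message: bytes
    approvals: dict        # member id -> approval tag over message
def approve(member_key: bytes, message: bytes) -> bytes:
    """Stand-in for a member's signature share (HMAC, not a real threshold scheme)."""
    return hmac.new(member_key, message, hashlib.sha256).digest()

def validate_proof(proof, registry, member_keys, current_slot):
    """Mirror the on-chain checks: epoch known and not expired, key bound to
    that epoch, and enough genuine member approvals to meet the threshold."""
    epoch = registry.get(proof.epoch)
    if epoch is None:
        return False, "unknown epoch"
    if current_slot >= epoch.expires_at_slot:
        return False, "epoch expired"
    if not hmac.compare_digest(proof.consensus_key, epoch.consensus_key):
        return False, "consensus key not bound to this epoch"
    good = sum(1 for m, tag in proof.approvals.items()
               if m in epoch.members and m in member_keys
               and hmac.compare_digest(tag, approve(member_keys[m], proof.message)))
    if good < epoch.threshold:
        return False, f"threshold not met ({good}/{epoch.threshold})"
    return True, "ok"

def demo(current_slot=350):
    """Constructed scenarios: a valid proof, a below-threshold proof, and a key
    from an ended epoch reused after expiry (the damage window has closed)."""
    keys = {m: hashlib.sha256(m.encode()).digest() for m in "abcd"}
    registry = {3: Epoch(b"k3", frozenset("abcd"), 3, expires_at_slot=300),
                4: Epoch(b"k4", frozenset("abcd"), 3, expires_at_slot=400)}
    msg = b"state-root:1234"
    sign = lambda signers: {m: approve(keys[m], msg) for m in signers}
    proofs = (Proof(4, b"k4", msg, sign("abc")),   # 3 of 4, current epoch
              Proof(4, b"k4", msg, sign("ab")),    # only 2 approvals
              Proof(3, b"k3", msg, sign("abcd")))  # all 4, but epoch 3 ended at 300
    return tuple(validate_proof(p, registry, keys, current_slot) for p in proofs)
```

Note that the stale proof is rejected even though every member approved it: once the epoch ends, no quorum under its key is accepted, which is what bounds the damage from a compromised key to one epoch.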

Safety Net: Self-Withdrawal

Applications built on Echo can implement their own safety mechanisms. For example, if the Echo coordinator or network ever becomes unavailable, users of dependent services are not locked out of their funds. Services like Sailfish include a time-locked self-withdrawal process that allows users to reclaim their assets directly on Cardano — no cooperation from any operator is required.

This safety mechanism is enforced on-chain: even if the coordinator disappears and the Echo network goes offline, the self-withdrawal process still lets users reclaim their assets directly on Cardano.

Built by Pond Labs