A FrostCard wallet is not one thing — it's three independent pieces that check each other. The card generates and signs. The app builds transactions. The Kaspa network enforces the rules. No app, server, or person can move your money on its own. Here is how the whole system fits together.
See the architecture ↓Most wallets are a single app that holds your keys and trusts itself. FrostCard splits the job across three independent components, each doing one thing — and crucially, each unable to do the others' jobs. Tap below to light them up.
The card is an NXP J3R200 smart-card chip — the same class of silicon used in passports, SIMs, and bank cards. It runs an open-source JavaCard applet that handles key generation, BIP-32 derivation, Schnorr signing, PIN, the secure channel, and backup locking.
The chip holds 150 KB of EEPROM (persistent memory that retains data 25+ years with no power), a hardware True Random Number Generator, and hardware-accelerated secp256k1, AES, SHA-256 and SHA-512. It talks over ISO 14443 Type A NFC at 13.56 MHz — contactless only, no battery, no port.
Every NFC session opens with a key exchange, and from then on everything is encrypted and authenticated. An eavesdropper holding an antenna next to your phone hears only ciphertext. Here is the exact handshake, straight from the applet.
Kaspa uses Schnorr signatures over secp256k1 with BLAKE2b-256 sighashes. The heavy lifting — picking coins, building the transaction, hashing it — all happens in the app. The card only ever sees small 32-byte hashes, and you only tap once.
FrostCard derives child keys on-card using the standard BIP-32 algorithm. The master key stays on the chip; every address you ever use is a deterministic branch off it.
111111 is Kaspa's registered coin type; index is the address number (0, 1, 2…). Index 0 is your Primary Vault — the only address that gets covenant protection.
idx 0, 1, 2… — checking each one's balance and history. When it hits a run of 20 empty addresses in a row (the standard BIP-44 "gap limit"), it stops. Everything you ever used is recovered deterministically, with no seed phrase to type.The script is deployed as a P2SH address. FrostCard compiles three protections into one branching script:
OP_TX_OUTPUT_SPK + OP_EQUALVERIFY. Up to 4 addresses; the first activates instantly, later ones serve a configurable cooling period (default 3 days). Optionally, sends to an unknown address are allowed after a 24-hour cooling-off.OP_CHECKSEQUENCEVERIFY) plus the heir's signature, and bypasses all other rules.OP_CHECKLOCKTIMEVERIFY. No card can undo it. After expiry the owner retrieves with a cold-key signature, or — if also 6 months inactive — funds fall back to a preset address with no signature needed, the covenant itself enforcing the destination. Requires Inheritance enabled as a safety net.BLAKE2b-256(script) encoded as a Kaspa address (version byte 0x08). To spend, you must reveal the exact script that matches the hash — and then satisfy it. The rules travel with the money.Because the key is born sealed and never leaves silicon, there are no words to write down. Instead, during setup the key is copied chip-to-chip to your backup cards over an encrypted link — then the whole set is permanently locked.
LINK_BACKUP phase 1 and returns a 32-byte random challenge. The primary card receives it in phase 2, derives an AES key from SHA-256(challenge), encrypts its private key, and hands back an encrypted bundle. The backup card stores it. A 2-pack makes one backup; a 3-pack makes two.LOCK_BACKUP (0x0B) flips an irreversible EEPROM flag. After it, LINK_BACKUP returns SW=0x6985 forever — the flag can't be cleared even by reflashing the applet. The 2 or 3 cards from setup are the only copies of the key that will ever exist.Put the three components together and you get five nested layers. Layers 1–4 answer "can someone get to the key?" Layer 5 answers "even if they do, what can they spend?"
FrostCard is the first fully open-source NFC cold wallet for Kaspa. The applet that generates and signs, the app that builds transactions, the covenant compiler that writes the on-chain rules — all of it is readable, line by line.