Secure Smart Contract Runtime

Introducing Rivet

Rivet enforces typed storage, linear handles, and explicit capability authority at the host boundary, even under adversarial WASM.

Runtime invariantsExplore topology ↗

Why Rivet?

Most smart contract runtimes expose users to broad blast radius risk through escrow-heavy designs and ambient approvals.

Rivet keeps assets in account-controlled storage by default and requires explicit capabilities for cross-account actions.

Contract Rust ownership helps ergonomics, but the runtime trusts no WASM and enforces authorization, linearity, type correctness, and atomic commit itself.

See guarantees ↗
Contract Side

↔ Untrusted WASM

No ambient authority and no implicit account access.

Host Boundary

↔ Runtime Validation

Capabilities, handles, and type tags are checked on every call.

Commit Layer

↔ Atomic State Transition

Journaled commit/abort with deterministic gas accounting.

Invariant scope: non-negotiableFailure mode: abort safely

Built around explicit authority and typed storage

Storage keys are derived from canonical schema identity, and sensitive operations require typed capabilities that can be attenuated and revoked.

View crate map ↗

Runtime invariants enforced at the host boundary

Always

Linearity, authorization, and type checks are runtime-owned.

Storage addressing model

Typed

Namespaces + canonical serialization, not string paths.

Execution substrate

WASM

Deterministic execution with gas metering + journaling.

Contract SDK model

no_std

Developer APIs are thin wrappers, runtime does enforcement.

Workspace architecture

9 crates

Core, stdlib, execution, runtime, harness, and more.

Current maturity

Prototype

Foundations work today; consensus remains pluggable.

Runtime Core

rivet-runtime enforces state, authority, and linearity

  • Typed storage with namespace identity and access control
  • Capability issuance, attenuation, and revocation surfaces
  • Handle lifecycle checks to prevent double-consume or forgery
$ cargo test -p rivet-runtime --offline

Invariant checks active

Execution Engine

rivet-execution runs deterministic WASM transactions

  • WASM validation and host dispatch wiring
  • Instruction and host-call gas metering
  • Atomic commit/abort through transaction journaling
$ cargo test -p rivet-execution --offline

Deterministic tx flow

Contract SDK

rivet-stdlib gives contract authors no_std primitives

  • Resource and capability wrappers for contract code
  • Entry-point/event macros with canonical codec bindings
  • Storage primitives aligned with runtime type identity
$ cargo build -p example-counter --target wasm32-unknown-unknown

WASM-ready SDK