Domain separation bugs — where two different data types serialize to identical byte sequences — have caused real-world vulnerabilities in Bitcoin, Ethereum DEXs, TLS, JWTs, and AWS. Existing mitigations are ad-hoc and error-prone. Snowpack, an IDL developed for the FOKS project, addresses this by embedding random, immutable 64-bit domain separators directly into struct definitions. The type system then enforces that only structs with domain separators can be passed to Sign, Verify, Encrypt, or MAC functions, making cross-type signature forgery impossible at compile time. Snowpack also guarantees canonical encodings by using positional array encoding fed into a constrained Msgpack serializer, avoiding issues like non-canonical key ordering. The system supports forwards and backwards compatibility similar to protobufs, and is open-sourced on GitHub targeting Go and TypeScript.
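The failure mode and the fix described above, as an added Go example; it is not Snowpack's generated code or API. The `Signable` interface, the `Payment` and `Revoke` types, the separator values, the fixed-width encoding standing in for the positional Msgpack encoding, and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Signable is a hypothetical interface (not Snowpack's API): only types that
// declare a fixed 64-bit domain separator can be handed to Sign or Verify.
type Signable interface {
	DomainSep() uint64
	Encode() []byte // stand-in for a canonical positional encoding
}

// Two distinct types whose field encodings are byte-for-byte identical.
type Payment struct{ To, Amount uint32 }
type Revoke struct{ Device, Epoch uint32 }

func enc(a, b uint32) []byte {
	return binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, a), b)
}

// Separator values are constructed for this example.
func (Payment) DomainSep() uint64 { return 0x9c3f1a7be2d45810 }
func (p Payment) Encode() []byte  { return enc(p.To, p.Amount) }
func (Revoke) DomainSep() uint64  { return 0x41d8e06c7fb2a935 }
func (r Revoke) Encode() []byte   { return enc(r.Device, r.Epoch) }

// payload binds the type's separator to its encoded fields.
func payload(m Signable) []byte {
	return append(binary.BigEndian.AppendUint64(nil, m.DomainSep()), m.Encode()...)
}

func Sign(k ed25519.PrivateKey, m Signable) []byte { return ed25519.Sign(k, payload(m)) }
func Verify(k ed25519.PublicKey, m Signable, sig []byte) bool {
	return ed25519.Verify(k, payload(m), sig)
}

// demo signs a Payment, then checks the signature against both types.
func demo() (own, cross bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	p, r := Payment{To: 7, Amount: 100}, Revoke{Device: 7, Epoch: 100}
	sig := Sign(priv, p)
	// Sign(priv, []byte("raw")) would not compile: []byte is not Signable.
	return Verify(pub, p, sig), Verify(pub, r, sig)
}

func main() { fmt.Println(demo()) } // true false
```

Without the separator prefix in `payload`, the `Payment` signature would verify against the `Revoke` value, because both encode to the same eight bytes.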