Access & Connectivity
The architecture utilizes Tor Hidden Services v3 (HSv3). Traffic is routed through three hops (nodes) within the Tor network, encrypting data at each layer. This prevents the exit node from viewing the content and obscures the physical location of the server hosting the Nexus infrastructure.
To combat censorship and DDoS attacks from competitors or automated bots, the backend infrastructure automatically rotates available .onion mirrors. Valid mirrors are cryptographically signed using the market's primary PGP key to prove authenticity. Users are advised to verify signatures before inputting credentials.
Access requires the Tor Browser (latest stable release). JavaScript should be set to "Safer" or "Standard" depending on the specific mirror's captcha requirements, though "Safest" (No JS) is recommended for maximum security if the interface allows it.
rmnvwgxnat4m4o6whqvh6dy7fhnasxa6cndufyrztgahtxwdhgr7thid.onion
Example V3 Address
Security Architecture
Nexus Market relies on RSA-4096 or ECC keys for Two-Factor Authentication (2FA). When a user configures a PGP key, the server generates an encrypted challenge string starting with -----BEGIN PGP MESSAGE-----. The user must decrypt this string locally using their private key and return the plaintext token to invalidate the session challenge.
Upon registration, the system employs a server-side CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) to create a 12- or 24-word mnemonic seed. This seed is salted and hashed to generate the account recovery key. Critically, the plaintext seed is not stored in the database; administrators cannot recover lost accounts without the user providing the seed.
Marketplace Functionality
Unlike traditional central wallet systems where users deposit funds into a holding account, the walletless pay protocol generates a unique sub-address for every individual order. Funds are sent directly to this order-specific address. Once the blockchain confirms the transaction (typically 2 confirmations for BTC, 10 for XMR), the system automatically flags the order as 'Paid'. This mitigates the risk of a central hot-wallet compromise.
Yes. Analysis shows support for 2-of-3 Multisignature (Multisig) transactions for Bitcoin. This requires two out of three parties (Buyer, Vendor, Market Admin) to sign a transaction before funds can be released, providing a trustless dispute resolution mechanism.
The escrow system includes a hard-coded timer. If a user does not mark an order as finalized or dispute it within a set period (typically 7-14 days depending on the item type), the system executes a cron job to release the funds to the vendor automatically. Extending this timer requires manual intervention within the order panel before expiration.
Troubleshooting Logic
The Nexus Market captcha is sensitive to clock skew. If the user's system time deviates significantly from the Tor network consensus time, the session token generated for the captcha image becomes invalid. Additionally, rotating-image captchas require standard JavaScript to be enabled, while text-based captchas work with JS disabled.