Asentum

Build on Asentum

Hardened JavaScript

The contract sandbox · Estimated read time: 8 minutes

TL;DR

Contracts on Asentum run inside a Hardened JavaScript (SES — Secure ECMAScript) sandbox. It's the same model Agoric uses in production and the same proposal currently moving through TC39. The short version: primordials are frozen, ambient authority is removed, and every sandbox gets its own Compartment. The net effect is that determinism, isolation, and object-capability security are guaranteed structurally, not by convention.

What SES does

SES takes regular JavaScript and does three things to it:

  1. Freezes every primordial. Array.prototype, Object.prototype, Map.prototype — nothing can be monkey-patched.
  2. Removes ambient authority. No fetch, no Date.now(), no Math.random(). Anything that could read from or affect the outside world is gone.
  3. Isolates via Compartments. Each contract runs in its own Compartment — a nestable evaluation scope that can have its own globals. Compartments share primordials but not state.

Frozen primordials

In regular JavaScript, a malicious contract could add a getter to Object.prototype and invisibly affect every other contract that touches an object. SES freezes every built-in prototype at startup. Every contract sees the same, unmodifiable standard library.

No ambient authority

"Ambient authority" is the ability to do something privileged without being handed a reference to it. Reading the clock. Making an HTTP request. Reading a random number from the OS.

All of these are removed from the contract sandbox. If you can do it, it was passed to you as an argument or an injected global. That property — no authority without a reference — is the object-capability security model, and it's what makes Asentum contracts safe to run untrusted.

Compartments

Each contract evaluation happens inside a fresh Compartment. Compartments share primordials (you get the same Array.prototype.map as every other contract) but have their own globals, their own module registry, and their own state.

Approved VM libraries — added through governance — live in sub-Compartments with no host APIs, then are frozen and passed in as endowments. See Approved Libraries.

What you can use

  • All ES2022+ syntax — classes, async/await, template literals, destructuring, spread, optional chaining, nullish coalescing.
  • All frozen built-ins — Array, Object, Map, Set, WeakMap, WeakSet, Promise.
  • BigInt — use this for every token balance, amount, nonce. Never Number for value.
  • JSON, String, Number, Boolean constructors.
  • The injected globals documented in Writing Contracts: storage, emit, msg, E, transfer.

What is removed

  • Clocks. No Date.now(), new Date(), performance.now(). Use msg.block.timestamp.
  • Randomness. No Math.random(). There is no randomness primitive in v1.
  • Network. No fetch, XMLHttpRequest, WebSocket.
  • Timers. No setTimeout, setInterval.
  • Filesystem. No fs, require, import of arbitrary modules.
  • eval and Function. Dynamic code generation is blocked.

Why these restrictions

A contract must be a deterministic pure function of its inputs — every validator executing it has to get the exact same output. Anything that reads from the outside world (clocks, network, disk, OS randomness) breaks determinism and forks the chain.

Anything that writes to the outside world breaks isolation and opens attack surface. SES removes both, leaving you with pure JavaScript over frozen primordials — the safest surface for running untrusted code we know of.

Read next

Build on Asentum

Approved Libraries →

Build on Asentum

Writing Contracts →