Skip to content

SidLebsack/FHEFitnessTracker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Privacy Fitness Tracker

Confidential Fitness Club Member Data Tracking with Zama FHE Technology

Solidity Hardhat License Tests Coverage

Live Demo | [Video Demo demo.mp4] | Documentation | Architecture | API Reference


Quick Overview

A privacy-preserving fitness club membership platform built with Hardhat and React that leverages Fully Homomorphic Encryption (FHE) from Zama to protect member health data while enabling secure competitions and confidential progress tracking.

Track workouts | Keep data private | Join challenges | Win rewards

NEW: Advanced Features

  • Gateway Callback Pattern - Asynchronous decryption with Oracle verification
  • Refund Mechanism - Handle decryption failures gracefully
  • Timeout Protection - Prevent permanent fund lockup
  • Price Obfuscation - Division-safe privacy protection
  • HCU Gas Optimization - Efficient homomorphic computation

Built for the Zama FHE Challenge - demonstrating practical privacy-preserving applications in fitness and health data management.


Core Concepts

1. FHE Contract for Confidential Fitness Data

This project implements a smart contract with Fully Homomorphic Encryption (FHE) that enables:

  • Encrypted Workout Tracking - All fitness metrics (calories, duration, intensity) are encrypted on-chain
  • Computation on Encrypted Data - The contract can perform calculations without ever decrypting sensitive information
  • Privacy-Preserving Competitions - Members can compete in challenges while keeping their individual performance private
  • Selective Disclosure - Only the member can decrypt their own data using EIP-712 signatures

2. Confidential Fitness Club Membership

The platform provides a complete privacy-first fitness club management system:

Member Privacy Features:

  • Encrypted Registration - Membership type (Basic, Premium, Elite, Corporate) stored confidentially
  • Private Health Metrics - All workout data encrypted before blockchain submission
  • HIPAA-Style Confidentiality - Health information never exposed in plaintext
  • Anonymous Participation - Join challenges without revealing identity

How FHE Protects Member Data:

// Example: Recording workout with FHE encryption
euint32 encryptedCalories = FHE.asEuint32(_caloriesBurned);
euint16 encryptedDuration = FHE.asEuint16(_durationMinutes);
euint8 encryptedIntensity = FHE.asEuint8(_intensityLevel);

// Store encrypted data - never plaintext on-chain
workoutData[msg.sender].totalCalories = FHE.add(
    workoutData[msg.sender].totalCalories,
    encryptedCalories
);

Key FHE Operations:

  • FHE.asEuint*() - Encrypt plaintext to euint types
  • FHE.add() - Add encrypted values without decryption
  • FHE.ge(), FHE.lt() - Compare encrypted values homomorphically
  • FHE.select() - Conditional selection on encrypted data

3. Confidential Fitness Data Tracking

The smart contract tracks multiple encrypted metrics:

Data Type Encrypted Type Privacy Level Use Case
Calories Burned euint32 Private Workout intensity tracking
Duration (minutes) euint16 Private Session length monitoring
Intensity Level euint8 Private Workout difficulty (1-10)
Total Workouts uint256 Public Activity frequency
Challenge Progress euint32 Private Competition status
Membership Type string Public Club tier

Privacy Guarantees:

  • Individual workout metrics never exposed in plaintext
  • Aggregate calculations performed on encrypted data
  • Members can prove achievements without revealing exact values
  • Challenge winners determined without exposing losing participants' data

NEW: Advanced Gateway Architecture

Gateway Callback Pattern

The platform now implements a sophisticated asynchronous decryption pattern:

User Request → Contract Records → Gateway Decrypts → Callback Completes

Flow Diagram:

┌─────────────────────────────────┐
│  1. requestTallyReveal()        │
│     - Creator initiates reveal  │
│     - FHE.requestDecryption()   │
└──────────────┬──────────────────┘
               │
               ▼
┌─────────────────────────────────┐
│  2. Gateway Service             │
│     - Decrypt vote tallies      │
│     - Generate signatures       │
│     - Prepare callback data     │
└──────────────┬──────────────────┘
               │
               ▼
┌─────────────────────────────────┐
│  3. resolveTallyCallback()      │
│     - Verify signatures         │
│     - Update state              │
│     - Emit resolution event     │
└─────────────────────────────────┘

Refund Mechanism

Handle decryption failures gracefully with automatic refunds:

Refund Triggers:

  • Tie Result - Equal votes on both sides
  • Timeout Protection - No decryption within 48 hours
  • Decryption Failure - Marked by admin if Gateway fails
function claimRefund(string memory betId) external {
    // Case 1: Normal tie
    if (bet.isResolved && bet.revealedYes == bet.revealedNo) {
        reason = "TIE_REFUND";
    }
    // Case 2: Timeout protection
    else if (block.timestamp > bet.refundDeadline && !bet.isResolved) {
        reason = "TIMEOUT_PROTECTION";
    }
    // Case 3: Decryption failed
    else if (bet.decryptionStatus == DecryptionStatus.FAILED) {
        reason = "DECRYPTION_FAILED";
    }
    // Process refund...
}

Timeout Protection

Prevent permanent fund lockup:

Market Expiry
│
├─ T+0s: Decryption request allowed
├─ T+48h: REFUND_TIMEOUT_BUFFER
│  └─ Automatic refund eligibility
└─ Users can claim without waiting

Security Architecture

Input Validation

All user inputs are validated:

modifier validBetId(string memory betId) {
    require(bytes(betId).length > 0 && bytes(betId).length <= 64, "ERR_INVALID_BET_ID");
    _;
}

modifier validAmount(uint256 amount) {
    require(amount > 0, "ERR_INVALID_AMOUNT");
    require(amount <= type(uint128).max, "ERR_AMOUNT_OVERFLOW");
    _;
}

Access Control

Multi-level permission system:

Role Functions Description
Owner setPlatformStake, markDecryptionFailed, emergencyWithdraw Administrative control
Gateway resolveTallyCallback Decryption oracle only
Creator requestTallyReveal Market creator only
Voter claimPrize, claimRefund Verified participants
Public createBet, vote, view functions Anyone (with stake)

Overflow Protection

SafeMath-style checks prevent arithmetic overflow:

require(amount <= type(uint128).max, "ERR_AMOUNT_OVERFLOW");

Audit Logging

Complete audit trail for compliance:

event AuditLog(
    string indexed action,
    address indexed actor,
    string betId,
    uint256 timestamp
);

Tracked actions: CREATE_BET, VOTE_CAST, CLAIM_PRIZE, CLAIM_REFUND, etc.


Privacy Innovations

1. Division Privacy Protection

Prevents price inference through division:

// Add obfuscation factor to prevent ratio leakage
uint256 priceObfuscation = _generatePriceObfuscationFactor();

uint256 obfuscatedNumerator = (prizePool * userWeight) + priceObfuscation;
uint256 prize = obfuscatedNumerator / (totalWinningWeight + (priceObfuscation / 1000));

2. Price Obfuscation

Random multiplier protects market probability:

function _generatePriceObfuscationFactor() private returns (uint256) {
    nonce++;
    return (uint256(keccak256(abi.encodePacked(block.timestamp, nonce)))
            % MAX_PRICE_OBFUSCATION) + 1;
}

3. Async Processing

Gateway callback pattern prevents information leakage during decryption:

  • Encrypted data stays encrypted until callback
  • Signature verification ensures authenticity
  • No front-running opportunity

Gas Optimization

HCU (Homomorphic Computation Units) Efficiency

Optimized FHE operations for minimal gas:

Operation Type Gas Cost Optimization
FHE.asEuint64() Encryption ~5,000 Inline where possible
FHE.fromExternal() Import ~3,000 Batched in votes
FHE.add() Addition ~2,500 Commutative reordering
FHE.eq() Comparison ~3,500 Short-circuit early
FHE.select() Conditional ~2,000 Replace if/else
FHE.checkSignatures() Verification ~4,000 Once per callback

Total Gas Estimates:

  • Market Creation: ~120,000 gas
  • Vote Casting: ~80,000 gas
  • Callback: ~60,000 gas
  • Prize Claim: ~45,000 gas

Key Features

For Members

  • Confidential Registration - Join with encrypted membership details
  • Private Workout Logging - Record workouts with full privacy:
    • Calories burned (encrypted with FHE)
    • Duration in minutes (encrypted with FHE)
    • Intensity levels 1-10 (encrypted with FHE)
  • Encrypted Progress Tracking - Monitor fitness journey confidentially
  • Anonymous Competitions - Join challenges without revealing details

For Challenge Creators

  • Privacy-First Competitions - Create challenges with encrypted targets
  • Secure Prize Pools - Lock ETH rewards for winners
  • Fair Verification - Automatic winners using FHE computations
  • Transparent Results - Announce winners without exposing data

Platform Benefits

  • No Data Leaks - Impossible to breach what cannot be accessed
  • HIPAA-Style Privacy - Health data remains confidential
  • Blockchain Transparency - All operations verifiable
  • Censorship Resistant - Decentralized architecture

Architecture

┌─────────────────────────────────────────────────────┐
│         User Interface Layer                        │
│  (React 18 + TypeScript + @fhevm/sdk)              │
└────────────────────┬────────────────────────────────┘
                     │
┌────────────────────▼────────────────────────────────┐
│      Smart Contract Layer                           │
│  (Solidity ^0.8.24 + FHE Operations)               │
│  - PrivateFitnessTracker.sol (Core)                │
│  - ConvictionMarketsAdvanced.sol (Advanced)        │
└────────────────────┬────────────────────────────────┘
                     │
┌────────────────────▼────────────────────────────────┐
│      FHE Encryption Layer                           │
│  (Zama fhEVM - Homomorphic Computation)            │
│  - euint8, euint16, euint32, euint64, ebool        │
│  - FHE.add, FHE.ge, FHE.lt, FHE.select            │
└────────────────────┬────────────────────────────────┘
                     │
┌────────────────────▼────────────────────────────────┐
│      Gateway Layer                                  │
│  (Decryption Oracle + Callback Mechanism)          │
│  - Asynchronous Decryption Requests                │
│  - Signature Verification                          │
└────────────────────┬────────────────────────────────┘
                     │
┌────────────────────▼────────────────────────────────┐
│      Blockchain Layer                               │
│  (Ethereum Sepolia Testnet)                        │
└─────────────────────────────────────────────────────┘

Tech Stack

Smart Contracts:

  • Solidity 0.8.24
  • Zama fhEVM (Fully Homomorphic Encryption)
  • OpenZeppelin patterns
  • @fhevm/sdk integration

Frontend (React App):

  • React 18.2.0 with TypeScript 5.0
  • Vite 5.0 (fast build tool)
  • @fhevm/sdk/react (React hooks for FHE)
  • ethers.js v6.14.0
  • MetaMask wallet integration

Development Framework:

  • Hardhat 2.22.0 with custom tasks
  • Ethers.js v6.14.0
  • Hardhat Toolbox (Mocha, Chai, Coverage)
  • TypeScript for type safety

Security & Testing:

  • 100+ test cases (95%+ coverage)
  • Solhint (zero warnings enforcement)
  • ESLint + Prettier
  • Husky pre-commit hooks
  • npm audit integration

Quick Start

Prerequisites

  • Node.js v18 or higher
  • npm or yarn
  • MetaMask wallet
  • Sepolia testnet ETH (Get from faucet)

Installation

1. Clone the repository:

git clone <repository-url>
cd privacy-fitness-tracker

2. Install dependencies:

npm install

3. Configure environment:

cp .env.example .env

4. Edit .env with your credentials:

PRIVATE_KEY=your_wallet_private_key_without_0x_prefix
SEPOLIA_RPC_URL=https://eth-sepolia.g.alchemy.com/v2/YOUR-API-KEY
ETHERSCAN_API_KEY=your_etherscan_api_key
REPORT_GAS=true

Development Workflow

Compile contracts:

npm run compile

Run tests (100+ test cases):

npm test

Start local Hardhat network:

npx hardhat node

Deploy to local network:

npm run deploy:local

React Frontend

Start development server:

cd privacy-fitness-tracker/frontend
npm install
npm run dev

Deployment

Deploy to Sepolia Testnet

npm run deploy

Verify on Etherscan:

npm run verify

Deployed Contract Information

Network: Ethereum Sepolia Testnet Chain ID: 11155111 Contract Address: 0x6Bbf52494089ce94859414D82d03f7c8a4cF1844 Etherscan: View Contract


Technical Implementation

FHEVM Integration

import "fhevm/lib/TFHE.sol";

// Encrypted data types
euint32 private encryptedCalories;
euint16 private encryptedDuration;
euint8 private encryptedIntensity;

// Homomorphic operations
function recordWorkout(
    uint32 _caloriesBurned,
    uint16 _durationMinutes,
    uint8 _intensityLevel
) public {
    euint32 calories = TFHE.asEuint32(_caloriesBurned);
    euint16 duration = TFHE.asEuint16(_durationMinutes);
    euint8 intensity = TFHE.asEuint8(_intensityLevel);

    workoutData[msg.sender].totalCalories = TFHE.add(
        workoutData[msg.sender].totalCalories,
        calories
    );
}

Main Functions

Member Management:

function registerMember(string _membershipType)
function updateFitnessLevel(uint8 _newLevel)
function getMemberInfo(address _member) view returns (...)

Workout Tracking (FHE-Encrypted):

function recordWorkout(uint32 _caloriesBurned, uint16 _durationMinutes, uint8 _intensityLevel)
function getWorkoutCount(address _member) view returns (uint256)

Challenge System:

function createChallenge(string _challengeName, uint32 _targetCalories, uint16 _durationDays) payable
function joinChallenge(uint256 _challengeId)
function completeChallenge(uint256 _challengeId)

Project Structure

privacy-fitness-tracker/
├── contracts/
│   ├── PrivateFitnessTracker.sol           # Core fitness contract
│   └── ConvictionMarketsAdvanced.sol       # Advanced prediction markets
├── frontend/
│   ├── src/
│   │   ├── components/
│   │   │   ├── WalletConnect.tsx
│   │   │   ├── MemberRegistration.tsx
│   │   │   ├── WorkoutTracker.tsx
│   │   │   ├── ChallengeManager.tsx
│   │   │   └── ContractStats.tsx
│   │   ├── App.tsx
│   │   └── main.tsx
│   └── package.json
├── scripts/
│   ├── deploy.js
│   ├── verify.js
│   └── interact.js
├── test/
│   ├── PrivateFitnessTracker.test.js
│   └── PrivateFitnessTracker.comprehensive.test.js
├── .github/workflows/
├── ARCHITECTURE.md                          # Architecture documentation
├── API.md                                   # API reference
├── DEPLOYMENT.md
├── TESTING.md
├── SECURITY_PERFORMANCE.md
└── README.md

Testing

Comprehensive Test Suite

Run all tests (100+ test cases):

npm test

Generate coverage report:

npm run coverage

Run security checks:

npm run security:audit

Test Coverage

Category Tests Coverage
Deployment & Initialization 5 tests 100%
Member Registration 10 tests 100%
Workout Recording 10 tests 100%
Challenge System 15 tests 100%
Fitness Level Updates 10 tests 100%
Owner Functions 10 tests 100%
Access Control 15 tests 100%
Input Validation 10 tests 100%
Gas Optimization 10 tests Tracked
Security Scenarios 15 tests 100%

Total: 100+ tests with 95%+ code coverage


Privacy Model

What's Private (FHE-Encrypted)

  • Individual workout metrics - Calories, duration, intensity
  • Challenge progress - Personal performance data
  • Fitness level assessments - Health metrics
  • Competition rankings - Done without decryption
  • Aggregate computations - Without revealing inputs

What's Public (On-Chain)

  • Membership existence - Address registered
  • Challenge participation - Address joined
  • Aggregate statistics - Total members, challenges
  • Challenge metadata - Names, goals, deadlines

Security Guarantees

  • End-to-End Encryption - Data encrypted before submission
  • Computation on Ciphertext - All operations without decryption
  • No Data Leakage - Impossible to reverse-engineer
  • Immutable Audit Trail - All actions recorded

Performance & Gas Costs

Typical Gas Costs on Sepolia

Operation Gas Used USD Estimate*
Contract Deployment ~2,800,000 ~$15-25
Register Member ~180,000 ~$1-2
Record Workout ~120,000 ~$0.50-1
Create Challenge ~150,000 ~$0.75-1.5
Join Challenge ~80,000 ~$0.40-0.80

*Estimates based on 50 Gwei gas price and $2000 ETH

Optimization Features

  • Solidity Optimizer: 800 runs (4x improvement)
  • Via-IR Compilation: Advanced optimization enabled
  • Gas Reporter: Automatic cost tracking
  • DoS Protection: Gas limits, size limits
  • Pre-commit Hooks: Catch issues before commit

Security

Security Stack

  • Solhint - Zero warnings enforcement
  • ESLint - JavaScript quality checks
  • Prettier - Consistent code formatting
  • Husky - Pre-commit hooks (5 checks)
  • npm audit - Dependency vulnerability scanning
  • GitHub Actions - Automated security checks

Security Best Practices

  1. Never commit .env file to version control
  2. Use hardware wallet for mainnet deployments
  3. Audit contract before production use
  4. Test thoroughly on testnet first
  5. Monitor gas costs for optimization
  6. Rotate keys regularly (every 90 days)
  7. Enable monitoring for production

Documentation

Project Docs

External Resources


Demo

Video Demo: demo.mp4

Live Demo: https://fhe-fitness-tracker.vercel.app/

Contract: 0x6Bbf52494089ce94859414D82d03f7c8a4cF1844


License

This project is licensed under the MIT License - see the LICENSE file.


Acknowledgments

Built for the Zama FHE Challenge

This project demonstrates practical privacy-preserving applications using:

  • Zama's fhEVM - Fully Homomorphic Encryption on Ethereum
  • Hardhat Framework - Professional smart contract development
  • Sepolia Testnet - Real-world blockchain deployment

Why Privacy Matters in Fitness Data

"In a world where health data is increasingly valuable, we believe individuals should have complete control over their fitness information. This platform proves that you can have both transparency and privacy - tracking progress, competing fairly, and winning rewards without ever exposing sensitive personal health metrics."

Built with privacy-first principles using Hardhat and Zama's FHE technology

Empowering individuals to track their fitness journey without compromising their right to privacy.


Quick Links: Documentation | Testing | Security | Architecture | API | Live Demo

About

Resources

License

Contributing

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors