{"id":136925,"date":"2026-02-20T13:16:48","date_gmt":"2026-02-20T13:16:48","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=136925"},"modified":"2026-02-20T13:16:48","modified_gmt":"2026-02-20T13:16:48","slug":"guide-to-cross-chain-key-generation-evm-base-with-oasis-rofl","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=136925","title":{"rendered":"Guide To Cross-Chain Key Generation (EVM \/ Base) With Oasis ROFL"},"content":{"rendered":"

Oasis introduced the framework for runtime off-chain logic ( ROFL<\/a>) to help build and run apps off-chain while ensuring privacy and maintaining trust with on-chain verifiability. There are many moving parts to building with ROFL.
In this tutorial, I will demonstrate how to build a tiny TypeScript app, generating a secp256k1 key inside ROFL<\/strong>. It will be using the @oasisprotocol\/rofl-client TypeScript SDK<\/strong>, which talks to the appd REST API<\/strong><\/a> under the hood. The TypeScript app will\u00a0also:<\/p>\n

There will be a simple smoke test<\/strong> that prints to\u00a0logs.<\/p>\n

Prerequisites<\/h3>\n

To do the steps described in this guide, you will\u00a0need:<\/p>\n

Node.js 20+<\/strong> and Docker<\/strong> (or\u00a0Podman)Oasis CLI<\/strong> and a minimum of 120 TEST tokens in your wallet (Oasis Testnet\u00a0faucet<\/a>)Some Base Sepiola test ETH (Base Sepiola\u00a0faucet<\/a>)<\/p>\n

For the setup details, please refer to the documentation on Quickstart Prerequisites<\/a>.<\/p>\n

Init App<\/h3>\n

The first step is to initialize a new app using the Oasis\u00a0CLI.<\/p>\n

oasis rofl init rofl-keygen
cd rofl-keygen<\/p>\n

Create App<\/h3>\n

At the time of creating the app on the Testnet, you will be required to deposit tokens. Assign 100 TEST tokens at this\u00a0point.<\/p>\n

oasis rofl create –network testnet<\/p>\n

As output, the CLI will produce the App ID<\/strong>, denoted by\u00a0rofl1\u2026.<\/p>\n

Init a Hardhat (TypeScript) project<\/h3>\n

Now, you are ready to kickstart the\u00a0project.<\/p>\n

npx hardhat init<\/p>\n

Since we are showcasing a TypeScript app, choose TypeScript<\/strong> when prompted, and then accept the defaults.
The nextstep would be to add the small runtime deps for use outside of\u00a0Hardhat.<\/p>\n

npm i @oasisprotocol\/rofl-client ethers dotenv @types\/node
npm i -D tsx<\/p>\n

Hardhat\u2019s TypeScript template automatically creates a tsconfig.json<\/strong>. We need to add a small script so that the app code can compile to\u00a0dist\/<\/strong>.<\/p>\n

\/\/ tsconfig.json
{
“compilerOptions”: {
“rootDir”: “.\/src”,
“outDir”: “.\/dist”
},
“include”: [“src”]
}<\/p>\n

App structure<\/h3>\n

In this section, we will add a few small TS files and one Solidity contract.<\/p>\n

src\/
\u251c\u2500\u2500 appd.ts # thin wrapper over @oasisprotocol\/rofl-client
\u251c\u2500\u2500 evm.ts # ethers helpers (provider, wallet, tx, deploy)
\u251c\u2500\u2500 keys.ts # tiny helpers (checksum)
\u2514\u2500\u2500 scripts\/
\u251c\u2500\u2500 deploy-contract.ts # generic deploy script for compiled artifacts
\u2514\u2500\u2500 smoke-test.ts # end-to-end demo (logs)
contracts\/
\u2514\u2500\u2500 Counter.sol # sample contractsrc\/appd.ts<\/strong>\u200a\u2014\u200athin wrapper over the SDK Here, you will need to use the official client to talk to appd<\/strong> (UNIX socket). We will also need to keep an explicit local\u2011dev fallback<\/strong> when running outside\u00a0ROFL.<\/p>\n

src\/appd.ts<\/strong><\/p>\n

import {existsSync} from ‘node:fs’;
import {
RoflClient,
KeyKind,
ROFL_SOCKET_PATH
} from ‘@oasisprotocol\/rofl-client’;<\/p>\n

const client = new RoflClient(); \/\/ UDS: \/run\/rofl-appd.sock<\/p>\n

export async function getAppId(): Promise<string> {
return client.getAppId();
}<\/p>\n

\/**
* Generates (or deterministically re-derives) a secp256k1 key inside ROFL and
* returns it as a 0x-prefixed hex string (for ethers.js Wallet).
*
* Local development ONLY (outside ROFL): If the socket is missing and you set
* ALLOW_LOCAL_DEV=true and LOCAL_DEV_SK=0x<64-hex>, that value is used.
*\/
export async function getEvmSecretKey(keyId: string): Promise<string> {
if (existsSync(ROFL_SOCKET_PATH)) {
const hex = await client.generateKey(keyId, KeyKind.SECP256K1);
return hex.startsWith(‘0x’) ? hex : `0x${hex}`;
}
const allow = process.env.ALLOW_LOCAL_DEV === ‘true’;
const pk = process.env.LOCAL_DEV_SK;
if (allow && pk && \/^0x[0-9a-fA-F]{64}$\/.test(pk)) return pk;
throw new Error(
‘rofl-appd socket not found and no LOCAL_DEV_SK provided (dev only).’
);
}<\/p>\n

2. src\/evm.ts<\/strong>\u200a\u2014\u200aethers\u00a0helpers<\/p>\n

import {
JsonRpcProvider,
Wallet,
parseEther,
type TransactionReceipt,
ContractFactory
} from “ethers”;<\/p>\n

export function makeProvider(rpcUrl: string, chainId: number) {
return new JsonRpcProvider(rpcUrl, chainId);
}<\/p>\n

export function connectWallet(
skHex: string,
rpcUrl: string,
chainId: number
): Wallet {
const w = new Wallet(skHex);
return w.connect(makeProvider(rpcUrl, chainId));
}<\/p>\n

export async function signPersonalMessage(wallet: Wallet, msg: string) {
return wallet.signMessage(msg);
}<\/p>\n

export async function sendEth(
wallet: Wallet,
to: string,
amountEth: string
): Promise<TransactionReceipt> {
const tx = await wallet.sendTransaction({
to,
value: parseEther(amountEth)
});
const receipt = await tx.wait();
if (receipt == null) {
throw new Error(“Transaction dropped or replaced before confirmation”);
}
return receipt;
}<\/p>\n

export async function deployContract(
wallet: Wallet,
abi: any[],
bytecode: string,
args: unknown[] = []
): Promise<{ address: string; receipt: TransactionReceipt }> {
const factory = new ContractFactory(abi, bytecode, wallet);
const contract = await factory.deploy(…args);
const deployTx = contract.deploymentTransaction();
const receipt = await deployTx?.wait();
await contract.waitForDeployment();
if (!receipt) {
throw new Error(“Deployment TX not mined”);
}
return { address: contract.target as string, receipt };
}<\/p>\n

3. src\/keys.ts<\/strong>\u200a\u2014\u200atiny\u00a0helpers<\/p>\n

import { Wallet, getAddress } from “ethers”;<\/p>\n

export function secretKeyToWallet(skHex: string): Wallet {
return new Wallet(skHex);
}<\/p>\n

export function checksumAddress(addr: string): string {
return getAddress(addr);
}<\/p>\n

4. src\/scripts\/smoke-test.ts<\/strong>\u200a\u2014\u200asingle end\u2011to\u2011end flow<\/p>\n

This is an important step as this script has multiple functions:<\/p>\n

print the App ID (inside ROFL), address, and a signed\u00a0messagewait for\u00a0fundingdeploy the counter\u00a0contractimport “dotenv\/config”;
import { readFileSync } from “node:fs”;
import { join } from “node:path”;
import { getAppId, getEvmSecretKey } from “..\/appd.js”;
import { secretKeyToWallet, checksumAddress } from “..\/keys.js”;
import { makeProvider, signPersonalMessage, sendEth, deployContract } from “..\/evm.js”;
import { formatEther, JsonRpcProvider } from “ethers”;<\/p>\n

const RPC_URL = process.env.BASE_RPC_URL ?? “https:\/\/sepolia.base.org”;
const CHAIN_ID = Number(process.env.BASE_CHAIN_ID ?? “84532”);
const KEY_ID = process.env.KEY_ID ?? “evm:base:sepolia”;<\/p>\n

function sleep(ms: number): Promise<void> {
return new Promise((r) => setTimeout(r, ms));
}<\/p>\n

async function waitForFunding(
provider: JsonRpcProvider,
addr: string,
minWei: bigint = 1n,
timeoutMs = 15 * 60 * 1000,
pollMs = 5_000
): Promise<bigint> {
const start = Date.now();
while (Date.now() – start < timeoutMs) {
const bal = await provider.getBalance(addr);
if (bal >= minWei) return bal;
console.log(`Waiting for funding… current balance=${formatEther(bal)} ETH`);
await sleep(pollMs);
}
throw new Error(“Timed out waiting for funding.”);
}<\/p>\n

async function main() {
const appId = await getAppId().catch(() => null);
console.log(`ROFL App ID: ${appId ?? “(unavailable outside ROFL)”}`);<\/p>\n

const sk = await getEvmSecretKey(KEY_ID);
\/\/ NOTE: This demo trusts the configured RPC provider. For production, prefer a
\/\/ light client (for example, Helios) so you can verify remote chain state.
const wallet = secretKeyToWallet(sk).connect(makeProvider(RPC_URL, CHAIN_ID));
const addr = checksumAddress(await wallet.getAddress());
console.log(`EVM address (Base Sepolia): ${addr}`);<\/p>\n

const msg = “hello from rofl”;
const sig = await signPersonalMessage(wallet, msg);
console.log(`Signed message: “${msg}”`);
console.log(`Signature: ${sig}`);<\/p>\n

const provider = wallet.provider as JsonRpcProvider;<\/p>\n

let bal = await provider.getBalance(addr);
if (bal === 0n) {
console.log(“Please fund the above address with Base Sepolia ETH to continue.”);
bal = await waitForFunding(provider, addr);
}
console.log(`Balance detected: ${formatEther(bal)} ETH`);<\/p>\n

const artifactPath = join(process.cwd(), “artifacts”, “contracts”, “Counter.sol”, “Counter.json”);
const artifact = JSON.parse(readFileSync(artifactPath, “utf8”));
if (!artifact?.abi || !artifact?.bytecode) {
throw new Error(“Counter artifact missing abi\/bytecode”);
}
const { address: contractAddress, receipt: deployRcpt } =
await deployContract(wallet, artifact.abi, artifact.bytecode, []);
console.log(`Deployed Counter at ${contractAddress} (tx=${deployRcpt.hash})`);<\/p>\n

console.log(“Smoke test completed successfully!”);
}<\/p>\n

main().catch((e) => {
console.error(e);
process.exit(1);
});<\/p>\n

5. contracts\/Counter.sol<\/strong>\u200a\u2014\u200aminimal\u00a0sample<\/p>\n

\/\/ SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;<\/p>\n

contract Counter {
uint256 private _value;
event Incremented(uint256 v);
event Set(uint256 v);<\/p>\n

function current() external view returns (uint256) { return _value; }
function inc() external { unchecked { _value += 1; } emit Incremented(_value); }
function set(uint256 v) external { _value = v; emit Set(v); }
}<\/p>\n

6. src\/scripts\/deploy-contract.ts<\/strong>\u200a\u2014\u200ageneric\u00a0deployer<\/p>\n

import “dotenv\/config”;
import { readFileSync } from “node:fs”;
import { getEvmSecretKey } from “..\/appd.js”;
import { secretKeyToWallet } from “..\/keys.js”;
import { makeProvider, deployContract } from “..\/evm.js”;<\/p>\n

const KEY_ID = process.env.KEY_ID ?? “evm:base:sepolia”;
const RPC_URL = process.env.BASE_RPC_URL ?? “https:\/\/sepolia.base.org”;
const CHAIN_ID = Number(process.env.BASE_CHAIN_ID ?? “84532”);<\/p>\n

\/**
* Usage:
* npm run deploy-contract — .\/artifacts\/MyContract.json ‘[arg0, arg1]’
* The artifact must contain { abi, bytecode }.
*\/
async function main() {
const [artifactPath, ctorJson = “[]”] = process.argv.slice(2);
if (!artifactPath) {
console.error(“Usage: npm run deploy-contract — <artifact.json> ‘[constructorArgsJson]'”);
process.exit(2);
}<\/p>\n

const artifactRaw = readFileSync(artifactPath, “utf8”);
const artifact = JSON.parse(artifactRaw);
const { abi, bytecode } = artifact ?? {};
if (!abi || !bytecode) {
throw new Error(“Artifact must contain { abi, bytecode }”);
}<\/p>\n

let args: unknown[];
try {
args = JSON.parse(ctorJson);
if (!Array.isArray(args)) throw new Error(“constructor args must be a JSON array”);
} catch (e) {
throw new Error(`Failed to parse constructor args JSON: ${String(e)}`);
}<\/p>\n

const sk = await getEvmSecretKey(KEY_ID);
\/\/ NOTE: This demo trusts the configured RPC provider. For production, prefer a
\/\/ light client (for example, Helios) so you can verify remote chain state.
const wallet = secretKeyToWallet(sk).connect(makeProvider(RPC_URL, CHAIN_ID));
const { address, receipt } = await deployContract(wallet, abi, bytecode, args);<\/p>\n

console.log(JSON.stringify({ contractAddress: address, txHash: receipt.hash, status: receipt.status }, null, 2));
}<\/p>\n

main().catch((e) => {
console.error(e);
process.exit(1);
});<\/p>\n

Hardhat (contracts only)<\/h3>\n

At this stage, we will need minimal config to compile Counter.sol<\/strong><\/p>\n

hardhat.config.ts<\/strong><\/p>\n

import type { HardhatUserConfig } from “hardhat\/config”;<\/p>\n

const config: HardhatUserConfig = {
solidity: {
version: “0.8.24”,
settings: {
optimizer: { enabled: true, runs: 200 }
}
},
paths: {
sources: “.\/contracts”,
artifacts: “.\/artifacts”,
cache: “.\/cache”
}
};<\/p>\n

export default config;<\/p>\n

Point to note is that local compilation is optional, so you can skip it if you want. Next step is a choice\u200a\u2014\u200aeither delete the existing contracts\/Lock.sol<\/strong> file or you can update it to Solidity version\u00a00.8.24<\/strong>.<\/p>\n

npx hardhat compile<\/p>\n

Containerize<\/h3>\n

This is an essential step. Here, you need to a Dockerfile that builds TS and compiles the contract. The file will also run the smoke test<\/strong> once, and then stand idle while you inspect\u00a0logs.<\/p>\n

Dockerfile<\/strong><\/p>\n

FROM node:20-alpine
WORKDIR \/app<\/p>\n

COPY package.json package-lock.json* .\/
RUN npm ci<\/p>\n

COPY tsconfig.json .\/
COPY src .\/src
COPY contracts .\/contracts
COPY hardhat.config.ts .\/
RUN npm run build && npx hardhat compile && npm prune –omit=dev<\/p>\n

ENV NODE_ENV=production
CMD [“sh”, “-c”, “node dist\/scripts\/smoke-test.js || true; tail -f \/dev\/null”]<\/p>\n

Next, you must mount appd socket<\/strong> provided by ROFL. Rest assured that no public ports are exposed in the\u00a0process.<\/p>\n

compose.yaml<\/strong><\/p>\n

services:
demo:
image: docker.io\/YOURUSER\/rofl-keygen:0.1.0
platform: linux\/amd64
environment:
– KEY_ID=${KEY_ID:-evm:base:sepolia}
– BASE_RPC_URL=${BASE_RPC_URL:-https:\/\/sepolia.base.org}
– BASE_CHAIN_ID=${BASE_CHAIN_ID:-84532}
volumes:
– \/run\/rofl-appd.sock:\/run\/rofl-appd.sock<\/p>\n

Build the\u00a0image<\/h3>\n

It is important to remember that ROFL only runs on Intel TDX-enabled hardware. So, if you\u2019re compiling images on a different host, such as macOS, then passing the\u200a\u2014\u200aplatform linux\/amd64<\/strong> parameter is an essential extra\u00a0step.<\/p>\n

docker buildx build –platform linux\/amd64
-t docker.io\/YOURUSER\/rofl-keygen:0.1.0 –push .<\/p>\n

An interesting point to note here is that you can opt for extra security and verifiability. You just need to pin the digest and use image:\u00a0\u2026<\/strong>@sha256<\/strong><\/a>:\u2026<\/strong> in compose.yaml<\/strong>.<\/p>\n

Build ROFL\u00a0bundle<\/h3>\n

There is a step that you must take before running the oasis rofl build<\/strong> command. Since building the image segment comes after containerization, you will need to update the services.demo.image<\/strong> in compose.yaml<\/strong> to the image you built.
For simple TypeScript projects, like this one, there is sometimes a possibility that the image size is larger than anticipated. It is thus advisable to update the rofl.yaml<\/strong> resources<\/strong> section to at least: memory: 1024<\/strong> and storage.size: 4096<\/strong>.
Now, you are\u00a0ready.<\/p>\n

oasis rofl build<\/p>\n

You can next publish the enclave identities and\u00a0config.<\/p>\n

oasis rofl update<\/p>\n

Deploy<\/h3>\n

This is an easy enough step where you deploy to a Testnet provider.<\/p>\n

oasis rofl deploy<\/p>\n

End\u2011to\u2011end (Base\u00a0Sepolia)<\/h3>\n

This is a 2-step process, although the second step is optional.
First, you view smoke\u2011test logs.<\/p>\n

oasis rofl machine logs<\/p>\n

If you have completed all the steps till now correctly, you will see in the\u00a0output:<\/p>\n

App IDEVM address and a signed\u00a0messageA prompt to fund the\u00a0addressOnce funding is done, a Counter.sol deployment<\/p>\n

Next, local dev. Here, you need to run npm run build:all<\/strong> to compile the TypeScript code and the Solidity contract. Skip this step if not\u00a0needed.<\/p>\n

export ALLOW_LOCAL_DEV=true
export LOCAL_DEV_SK=0x<64-hex-dev-secret-key> # DO NOT USE IN PROD
npm run smoke-test<\/p>\n

Security & notes to\u00a0remember<\/h3>\n

Provider logs are not encrypted at rest. So, never<\/strong> log secret\u00a0keys.The appd socket \/run\/rofl-appd.sock<\/strong> exists only inside\u00a0ROFL<\/strong>.There may be rate limits in public RPCs. So, it is advisable to opt for a dedicated Base RPC\u00a0URL.<\/p>\n

There is a key generation demo<\/strong> in the Oasis GitHub, which you can refer to as an example of this tutorial. https:\/\/github.com\/oasisprotocol\/demo-rofl-keygen<\/a><\/p>\n

Now that you have successfully generated a key in ROFL with appd<\/strong>, signed messages, deployed a contract, and moved ETH on Base Sepolia, let us know in the comments section your feedback. For a quick chat with the Oasis engineering team for help with specific issues, you can drop your comments in the dev-central channel<\/strong> in the official\u00a0Discord<\/a>.<\/p>\n

Originally published at <\/em>https:\/\/dev.to<\/em><\/a> on February 20,\u00a02026.<\/em><\/p>\n

Guide To Cross-Chain Key Generation (EVM \/ Base) With Oasis ROFL<\/a> was originally published in Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"

Oasis introduced the framework for runtime off-chain logic ( ROFL) to help build and run apps off-chain while ensuring privacy and maintaining trust with on-chain verifiability. There are many moving parts to building with ROFL. In this tutorial, I will demonstrate how to build a tiny TypeScript app, generating a secp256k1 key inside ROFL. It […]<\/p>\n","protected":false},"author":0,"featured_media":136926,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-136925","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/136925"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=136925"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/136925\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/136926"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=136925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=136925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=136925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}