Skip to content
Pybara Docs

Blackhole Canister

Pybara routes all payments through a blackhole canister — an Internet Computer smart contract with no controllers, making its code permanently immutable.

What Is a Blackhole Canister?

Section titled “What Is a Blackhole Canister?”

On the Internet Computer, every canister has one or more “controllers” — principals that can upgrade code, change settings, or delete the canister.

A blackhole canister has its controllers removed (or set to the NNS blackhole, which is itself immutable). Once done, no one — not even Pybara — can change the code.

The Pybara Payment Splitter

Section titled “The Pybara Payment Splitter”

Canister ID: wvzyq-tiaaa-aaaaj-qp2qa-cai
Status: Active — blackholing planned after final audit

Every payment and donation goes through this canister. It:

  1. Receives tokens from the buyer (ICRC-1 transfer)
  2. Splits the amount: (100% − commission%) to the merchant, commission% to Pybara
  3. Forwards a log entry to the admin canister (fire-and-forget with retry)

The commission rate is locked per merchant at registration time and cannot be changed unilaterally.

Reproducible Builds

Section titled “Reproducible Builds”

Anyone can verify that the deployed canister matches the published source code.

The WASM is built deterministically via Docker — the same source always produces the same binary:

Terminal window
# Clone the source
git clone https://github.com/pybara/pybara-blackhole
cd pybara-blackhole


# Build reproducibly (requires Docker)
npm run build
sha256sum out/out_Linux_x86_64.wasm


# Compare against the deployed canister's module hash
dfx canister info wvzyq-tiaaa-aaaaj-qp2qa-cai --network ic

The SHA-256 hash of the locally built WASM must match the Module hash reported by the IC. Pybara’s CI checks this automatically on every push.

Verify the Canister Status

Section titled “Verify the Canister Status”
Terminal window
dfx canister info wvzyq-tiaaa-aaaaj-qp2qa-cai --network ic

Once blackholed, the output will show either:

  • Controllers: [] — fully permissionless, no one can change it
  • Controllers: e3mmv-5qaaa-aaaah-aadma-cai — controlled by the NNS blackhole canister (also immutable, publicly auditable)

Trade-offs

Section titled “Trade-offs”
✅ Code cannot be upgraded to steal funds❌ Cannot patch bugs
✅ Commission rate is locked❌ Cannot add features
✅ Independently verifiable❌ New logic requires a new canister version

New versions are deployed as separate canisters. Merchants can migrate at their discretion.

Next Steps

Section titled “Next Steps”