Security Architecture
Vortum implements a multi-layer security model to protect user assets and ensure system integrity.
Security Model
Non-Custodial Design
Users maintain full control of their assets:
- No private keys stored — Keys are distributed across ICP nodes
- Threshold signatures — Transactions require consensus from multiple nodes
- User-controlled — Only you can authorize withdrawals
- Auditable — All operations recorded on-chain
Authentication Methods
ICP Identity Providers
| Provider | Type | Description |
|---|---|---|
| Internet Identity | WebAuthn/FIDO2 | ICP's native decentralized identity with biometric support |
| NFID | Email-based | II-compatible with email recovery option |
| OISY | Wallet | ICP wallet with transaction signing |
Blockchain Wallet Login
| Blockchain | Wallets | Protocol |
|---|---|---|
| Solana | Phantom, Solflare | Sign-In with Solana (SIWS) |
| Bitcoin | Phantom, Unisat | Sign-In with Bitcoin (SIWB) |
Blockchain wallet authentication uses a "Sign-In with X" (SIWx) pattern:
- User signs a message with their wallet
- Vortum verifies the signature
- A delegated ICP identity is created linked to the wallet address
- User can interact with the platform using their wallet identity
Coming Soon
| Feature | Description |
|---|---|
| Passkeys | WebAuthn-based passwordless authentication |
Cryptographic Security
| Feature | Implementation |
|---|---|
| Bitcoin signing | Threshold ECDSA (secp256k1) |
| Solana signing | Threshold Ed25519 |
| Key derivation | BIP32/BIP44 HD wallet standards |
| Encryption | VetKeys for sensitive data |
| 2FA secrets | Client-side only with Merkle commitments |
Rate Limiting
Protection against abuse with tiered access:
| Tier | Rate Limit |
|---|---|
| Unregistered | 10 req/min |
| Registered | 100 req/min |
| Verified | 1000 req/min |
Two-Factor Authentication
Optional TOTP-based 2FA using a Merkle tree commitment scheme:
Security properties:
- Secret stays with you — TOTP secret is never transmitted to the server
- Cryptographic commitment — Server stores only a 32-byte Merkle root
- Proof-based verification — You prove knowledge via Merkle proofs
- Encrypted backup — Optional recovery backup encrypted with VetKeys
Verifiable Execution
| Feature | Description |
|---|---|
| Deterministic matching | Price-time priority ordering |
| Audit trails | Complete settlement history per account |
| Deterministic ordering | Orders processed in arrival sequence |
| Transparent | Your settlements queryable on-chain |
Asset Security
- All deposits go to unique per-user addresses
- Withdrawals require authentication (+ optional 2FA)
- Address book for trusted withdrawal addresses
- Minimum withdrawal amounts per chain
- Treasury controlled by multi-sig
Security Features Status
| Feature | Status |
|---|---|
| Internet Identity | ✅ Live |
| NFID | ✅ Live |
| OISY Wallet | ✅ Live |
| Solana wallet login (SIWS) | ✅ Live |
| Bitcoin wallet login (SIWB) | ✅ Live |
| Passkeys | 🔜 Coming Soon |
| TOTP 2FA | ✅ Live |
| Rate limiting | ✅ Live |
| Address book | ✅ Live |
| Audit trails | ✅ Live |
| Multi-sig treasury | ✅ Live |