Security and trust practices
What Abraxas does today, audit status, and the path to institutional-grade assurance.
Audit tracker
Required before external CPI integrations and mainnet Passport deployment. Results will publish here when complete.
Formal review of relying-party endpoint security and rate limiting before first external production gate.
Queued after Passport module review.
What we do today
- Supabase Row Level Security on every table
- W3C VC credentials: proof portable, documents off-chain with certified providers
- Veriff handles ID storage, Abraxas stores verification status only
- Ed25519 signed JWTs for credential issuance (did:sui)
- zkLogin user salt stored server-side only
- Manual review for high-risk stamps (Business, Property, Asset Owner)
In progress
- Sui mainnet Passport audit before external CPI integrations
- Formal security review of credential verification API
- Sponsor treasury multisig for production
- Public bug bounty program (scope published β launch post-audit)
Bug bounty scope (pre-launch)
- Scope: /api/credentials/*, /api/idv/*, /api/intent/*, zkLogin prover proxy, payment verification
- Out of scope: social engineering, DDoS, third-party Veriff infrastructure
- Report channel: security@abraxas-app.vercel.app (replace with dedicated inbox before launch)
- Rewards: tiered by severity after formal program launch
Key management & custody
- ABRAXAS_SIGNING_KEY in Vercel env only. never in client code
- Service role key server-side only for Supabase writes
- OAuth via Google; no passwords stored for zkLogin users
- Utila MPC custody for verified assets requiring institutional storage
- zkLogin for verification identity. no browser wallet required on /passport
Kill-switch & recovery (policy)
- Passport issuer and credential signing keys rotatable via env update + redeploy
- Veriff sessions revocable; credentials support revocation timestamp
- Disputed assets can be flagged in pipeline before MARKETPLACE_LIVE
- Payment verification requires matching settlement address + memo + amount on Sui
- Progressive decentralization β central committee today, documented in litepaper
Privacy architecture
Sensitive identity data stays with licensed providers (Veriff). Abraxas anchors only consented proofs, attestations, hashes, and revocation state β never raw document images on-chain. User controls consent for credential sharing via presentation proofs.
Security program links
Risk disclosures
Real-world assets may be securities. Yield projections on asset pages are not guarantees. Read the full legal framework before investing or submitting assets.