Security

Security and trust practices

What Abraxas does today, audit status, and the path to institutional-grade assurance.

Audit tracker

Sui Passport Move moduleIn progress

Required before external CPI integrations and mainnet Passport deployment. Results will publish here when complete.

Credential verification APIIn progress

Formal review of relying-party endpoint security and rate limiting before first external production gate.

zkLogin prover proxyScheduled

Queued after Passport module review.

What we do today

  • Supabase Row Level Security on every table
  • W3C VC credentials: proof portable, documents off-chain with certified providers
  • Veriff handles ID storage, Abraxas stores verification status only
  • Ed25519 signed JWTs for credential issuance (did:sui)
  • zkLogin user salt stored server-side only
  • Manual review for high-risk stamps (Business, Property, Asset Owner)

In progress

  • Sui mainnet Passport audit before external CPI integrations
  • Formal security review of credential verification API
  • Sponsor treasury multisig for production
  • Public bug bounty program (scope published β€” launch post-audit)

Bug bounty scope (pre-launch)

  • Scope: /api/credentials/*, /api/idv/*, /api/intent/*, zkLogin prover proxy, payment verification
  • Out of scope: social engineering, DDoS, third-party Veriff infrastructure
  • Report channel: security@abraxas-app.vercel.app (replace with dedicated inbox before launch)
  • Rewards: tiered by severity after formal program launch

Key management & custody

  • ABRAXAS_SIGNING_KEY in Vercel env only. never in client code
  • Service role key server-side only for Supabase writes
  • OAuth via Google; no passwords stored for zkLogin users
  • Utila MPC custody for verified assets requiring institutional storage
  • zkLogin for verification identity. no browser wallet required on /passport

Kill-switch & recovery (policy)

  • Passport issuer and credential signing keys rotatable via env update + redeploy
  • Veriff sessions revocable; credentials support revocation timestamp
  • Disputed assets can be flagged in pipeline before MARKETPLACE_LIVE
  • Payment verification requires matching settlement address + memo + amount on Sui
  • Progressive decentralization β€” central committee today, documented in litepaper

Privacy architecture

Sensitive identity data stays with licensed providers (Veriff). Abraxas anchors only consented proofs, attestations, hashes, and revocation state β€” never raw document images on-chain. User controls consent for credential sharing via presentation proofs.

Security program links

Risk disclosures

Real-world assets may be securities. Yield projections on asset pages are not guarantees. Read the full legal framework before investing or submitting assets.

Bug bounty program β†’Strategic roadmap