01
Append-only blake3 chain.
Every fill, transfer, and balance change is hashed with the previous event. Tamper with any record and the chain breaks downstream — visibly, by construction.
VERIFIABILITY
An append-only blake3 hash-chain over every event. Double-entry conservation on every transfer. WAL-durable, deterministic replay from genesis. The chain is exported off-box so it can be verified independently.
Four mechanisms — not adjectives. Each one is a system you can inspect, an export you can verify, a property you can rely on.
01
Every fill, transfer, and balance change is hashed with the previous event. Tamper with any record and the chain breaks downstream — visibly, by construction.
02
Every balance change is a conserved pair of transfers. The conservation gate verifies cache ↔ ledger lockstep on every batch. Mismatch = abort.
03
The audit DB is segregated with the minimum privileges required. The hot path can't rewrite history; history can only be appended-to.
04
The hash-tip of the chain is exported to an external system on a fixed cadence. Anyone with the tip can independently verify chain integrity.
The audit chain is not a claim you have to take on faith. Every event is hashed together with the one before it — so click any block below to tamper it, and watch every downstream hash break, visibly, by construction.
↑ Click any block (except genesis) to tamper. Downstream hashes break — visibly.
Security here is not one wall but four independent layers — who you are, what a key may do, who can move funds, and whether the record can be trusted. Each has its own deep-dive.
Passkeys + step-up
Login is phishing-resistant by construction with passkeys, and boundary actions — withdrawals, whitelist changes, key issue — demand fresh proof at the perimeter (RFC 9470). Risk-based sessions shrink the trust window when the signals look anomalous.
Deep-dive: /identity — sessions, step-up, risk.
Scoped API keys
API keys are scoped — read, trade and withdraw are separate permissions — and requests are signed with Ed25519 rather than carrying a bearer secret, so a leaked key is not a usable token on its own. Withdraw-scoped keys only work against whitelisted addresses.
Deep-dive: /identity — scoped, signed keys.
Threshold custody
Funds at rest are held under a t-of-n threshold signature: no single machine holds the whole key or can sign a withdrawal alone. New addresses wait out a time-delay hold, and an external audit gates mainnet.
Deep-dive: /custody — threshold signing.
Deterministic replay
Every event is WAL-durable before it is acknowledged, and the whole ledger replays deterministically from genesis to a bit-identical state — the record is trusted because it can be recomputed, not because it is asserted.
Deep-dive: /technology — WAL-before-ack.
What a leaked session can do, who can move funds, what tamper-evidence means concretely, and whether history can be rewritten.
A session is not a skeleton key. The high-stakes actions — moving funds, changing a whitelist, issuing a key — sit behind step-up at the perimeter and demand fresh, strong proof at the moment you request them, so a stolen session cannot silently withdraw. Risk-based sessions also shrink the trust window when the signals look anomalous, and API requests are signed rather than relying on a bearer secret.
No single party. Withdrawals are signed by a t-of-n threshold of independent parties, and the full private key is never assembled on any one machine — compromising one server is not enough to sign a withdrawal. On top of that, a withdrawal must clear step-up confirmation, a whitelisted destination, and a time-delay hold before a threshold ever signs.
Every fill, transfer and balance change is hashed together with the previous event into an append-only blake3 chain. Tamper with any record and every hash downstream breaks — visibly, by construction — because each hash depends on the one before it. The audit database runs with least privilege, so the hot path cannot rewrite history; it can only be appended-to.
Not quietly. The hot path cannot rewrite the audit database — least-privilege roles allow only appends — and the tip of the hash chain is exported off-box on a fixed cadence, so it becomes a commitment someone else already holds. To rewrite history undetectably you would have to break the chain and match a tip that has already left the building.