Trust & Safety
Security Built Without Shortcuts
Every layer of VaultNova is designed from first principles around adversarial threat models — from password storage to withdrawal approval to network perimeter.
Built like a bank. Operated like a protocol.
Every layer of the platform is independently hardened. No single point of failure. Assets remain secured regardless of any disruption at the application layer.
Cold Storage by Default
95% of all assets are held in air-gapped, multi-signature cold wallets at all times. The hot wallet holds only the liquidity required for same-day withdrawals.
Argon2id Authentication
All passwords are hashed with Argon2id — the Password Hashing Competition winner. Mandatory TOTP two-factor authentication on every account. WebAuthn hardware-key passkeys supported.
Client-Side Field Encryption
Wallet addresses, account balances, and all personally identifiable information are encrypted at the field level using MongoDB CSFLE. A database breach yields only ciphertext — never plaintext data.
Time-Locked Withdrawals
All first-time withdrawal addresses are subject to a mandatory 24-hour review queue. Any transfer exceeding $25,000 requires explicit administrator approval before release.
Third-Party Audited
Smart contract logic and custody workflows are independently audited by CertiK. Full audit reports are publicly available. Re-audits are conducted on an annual cycle.
Cloudflare Enterprise Protection
Enterprise-grade Web Application Firewall, DDoS mitigation, and Bot Fight Mode at the network edge. Rate limiting enforced at both CDN and application layers.
Authentication
Argon2id Password Hashing
Passwords are hashed with Argon2id at 64 MB memory cost, 3 time iterations, and a server-side pepper. Industry-leading resistance to GPU and ASIC brute-force attacks.
Authentication
Mandatory TOTP 2FA
All accounts require time-based one-time password (TOTP) authentication via Google Authenticator, Authy, or any RFC 6238-compliant app. TOTP verification is enforced on every sign-in.
Authentication
WebAuthn Passkeys
Hardware security keys (YubiKey, Apple Touch ID, Windows Hello) can be registered as a second factor or primary credential, eliminating phishing risk entirely.
Session Management
Rotating Refresh Tokens
Every session uses a rotating refresh token family. Reuse of a revoked token triggers immediate revocation of all tokens in that family — detecting and stopping session hijacking.
Session Management
15-Minute Access Tokens
JWT access tokens expire after 15 minutes. All tokens are verified with issuer and audience claims. Compromised tokens have a minimal blast radius.
Custody
95% Cold Storage
At least 95% of platform assets are held in air-gapped cold wallets. Hot wallet exposure is capped at 5% of total value locked to minimise breach impact.
Custody
Withdrawal Review Queue
First-time withdrawal addresses enter a 24-hour review queue. Withdrawals above $25,000 require manual admin approval and email + 2FA confirmation from the account holder.
Audit
Append-Only Audit Log
Every significant platform event — sign-in, stake creation, yield credit, withdrawal — is written to an append-only MongoDB collection. Updates and deletes on audit logs are prohibited at the schema level.
Network
Cloudflare WAF + DDoS
All traffic passes through Cloudflare's Web Application Firewall, Bot Fight Mode, and DDoS mitigation. Rate limiting is applied at the edge before requests reach the application layer.