OverviewSecurity Framework

Security Framework

Overview

Wafra implements a comprehensive, multi-layer security framework that combines traditional cybersecurity best practices with cutting-edge blockchain security measures. The system provides bank-grade security through hardware-backed authentication, multi-signature wallets, and robust smart contract protections.

Security Architecture

Defense-in-Depth Strategy

Wafra employs a defense-in-depth security strategy with multiple layers of protection:

Application Layer Security

  • Input validation and sanitization for all user inputs
  • Rate limiting to prevent abuse and DDoS attacks
  • Secure session management with automatic expiration

Authentication Layer Security

  • WebAuthn passkeys with hardware-backed storage
  • Biometric verification that never leaves the user’s device
  • Multi-device management with cryptographic approval workflows

Wallet Security Layer

  • Gnosis Safe multisig wallets for enhanced fund protection
  • Hardware-backed private keys stored in secure enclaves
  • Transaction validation with multi-signature requirements

Smart Contract Layer Security

  • Role-based access control with granular permissions
  • Reentrancy protection and state validation
  • Emergency pause functionality for critical situations

Infrastructure Layer Security

  • TLS 1.3 encryption for all data in transit
  • DDoS protection through Cloudflare
  • Network monitoring and intrusion detection

Zero-Trust Architecture

Wafra operates on zero-trust security principles:

  • Never Trust, Always Verify: Every request is authenticated and authorized regardless of source
  • Least Privilege Access: Each component and user receives minimal permissions necessary for operation
  • Assume Breach: Systems are designed to contain and mitigate attacks even if perimeter defenses are compromised
  • Continuous Monitoring: Real-time threat detection and response across all system components

Authentication & Identity Security

WebAuthn Passkey Implementation

Wafra uses WebAuthn passkeys for hardware-backed authentication, providing security superior to traditional passwords or SMS-based 2FA.

Hardware-Backed Security Features:

  • Private keys are stored in TPM (Trusted Platform Module) or Secure Enclave hardware
  • Keys have tamper-resistance and cannot be extracted from the device
  • Hardware random number generator ensures cryptographic strength
  • ECDSA P-256 cryptographic algorithm with hardware-generated signatures

Biometric Verification Process:

  • Fingerprint, Face ID, or Touch ID verification
  • Biometric data is processed locally and never transmitted to servers
  • Device PIN or password serves as fallback authentication method
  • User verification is required for all sensitive operations

Passkey Registration Security: When users register a new passkey, the system creates a hardware-backed public-private key pair. The private key never leaves the user’s device, while the public key is stored on Wafra’s servers for signature verification. The registration process includes attestation verification to ensure the authenticator meets security requirements.

Multi-Device Security Management

Wafra supports secure access across multiple devices through a cryptographic approval system:

Device Approval Process:

  • New devices must be approved by an existing trusted device
  • Approval requires cryptographic proof of ownership
  • 15-minute approval window prevents unauthorized access
  • Each device maintains its own passkey and session

Device Revocation Capabilities:

  • Users can instantly remove compromised or lost devices
  • Revocation propagates across all services in real-time
  • Backup devices enable recovery without losing access
  • Emergency recovery procedures available through support

Session Management Security:

  • 5-day session duration with automatic refresh
  • Per-device session termination capabilities
  • Anomaly detection monitors unusual device usage patterns
  • Session tokens are bound to specific devices

Session & Token Security

Wafra implements robust JWT (JSON Web Token) security with multiple protection layers:

Token Structure and Algorithms:

  • RS256 (RSA-PSS with SHA-256) algorithm for cryptographic security
  • 5-day expiration with automatic refresh before expiration
  • Claims include user ID, device ID, and passkey ID for verification
  • Monthly private key rotation maintains cryptographic freshness

Security Measures:

  • Token blacklist support for immediate revocation of compromised tokens
  • HttpOnly cookies prevent XSS attacks from accessing tokens
  • Secure flag ensures tokens are only transmitted over HTTPS
  • SameSite strict policy provides CSRF protection

Wallet & Transaction Security

Gnosis Safe Multisig Architecture

Wafra uses Gnosis Safe multisig wallets to provide enhanced security for user funds through multiple signature requirements.

Multisig Signer Configuration:

Controller Key:

  • Stored in server Hardware Security Module (HSM)
  • Used for automated protocol operations and yield management
  • Access restricted to verified, pre-approved operations
  • Monitored for unusual activity patterns

User Passkey:

  • Stored in user device hardware (TPM/Secure Enclave)
  • Required for user-initiated transactions and withdrawals
  • Protected by biometric verification
  • Cannot be extracted or duplicated

Backup Key:

  • Stored in secure cloud HSM infrastructure
  • Reserved for emergency recovery operations only
  • Requires multi-party approval for activation
  • Provides recovery without traditional seed phrases

Current Configuration:

  • 2-of-3 signature threshold for operational efficiency
  • Future upgrades may implement higher thresholds for enhanced security
  • Programmable security policies can be customized per user
  • No single point of failure in key management

Transaction Security Controls

All transactions undergo comprehensive security validation before execution:

Transaction Validation Flow:

  1. User initiates transaction through the mobile application
  2. Client generates transaction data with proper formatting
  3. User provides biometric authentication for passkey signature
  4. Client submits signed transaction to server for validation
  5. Server validates signature and applies controller signature
  6. Transaction is submitted to Gnosis Safe with required signatures
  7. Safe verifies signature threshold before execution
  8. Transaction is executed on blockchain with confirmation

Signature Verification Process:

  • DER-encoded ECDSA signatures are parsed and validated
  • Message hash is calculated using authenticator data and client data
  • ECDSA signature verification using SHA-256 hashing
  • Additional validation checks on authenticator and client data
  • Comprehensive error handling and logging for failed verifications

Gas & MEV Protection

Wafra implements several mechanisms to protect users from transaction failures and MEV (Maximal Extractable Value) attacks:

Gas Management Security:

  • 20% safety margin added to gas estimates to prevent failed transactions
  • Multiple gas price strategies (Slow, Standard, Fast) for user preference
  • Real-time gas price tracking for optimal transaction timing
  • Automatic gas price adjustment during network congestion

MEV Protection Strategies:

  • Private mempool submission when available to prevent frontrunning
  • Maximum slippage limits protect against sandwich attacks
  • Commit-reveal schemes for sensitive operations
  • Transaction timing optimization to avoid peak MEV periods

Transaction Failsafes:

  • Automatic transaction cancellation after predefined timeouts
  • Intelligent retry mechanisms with adjusted gas prices
  • Real-time monitoring and alerting for transaction status
  • User notifications for failed or stuck transactions

Smart Contract Security

Access Control Framework

Wafra’s smart contracts implement comprehensive role-based access control using OpenZeppelin’s AccessControl framework:

Role Definitions and Hierarchy:

  • ADMIN_ROLE: Full administrative control over contracts and role management
  • CONTROLLER_ROLE: Operational control for protocol functions and user transactions
  • STRATEGY_ROLE: Management of yield strategies and fund allocation

Role Administration:

  • Role hierarchy prevents privilege escalation attacks
  • Admin role can grant and revoke controller and strategy roles
  • Role changes are logged and monitored for security
  • Time-locked role changes for critical administrative functions

Protected Function Implementation: Critical operations require appropriate role permissions and additional security checks including pause state verification and parameter validation.

Reentrancy & State Protection

Smart contracts implement multiple layers of protection against common attack vectors:

Reentrancy Protection:

  • OpenZeppelin’s ReentrancyGuard prevents reentrancy attacks
  • State changes occur before external calls
  • Checks-Effects-Interactions pattern followed throughout
  • Custom modifiers provide additional validation layers

State Validation:

  • Custom error types provide clear failure reasons
  • Amount validation prevents zero or invalid inputs
  • Balance checks ensure sufficient funds before operations
  • Contract pause functionality enables emergency stops

Security Modifiers:

  • Combined security modifiers provide comprehensive protection
  • Atomic operations ensure state consistency
  • Gas optimization while maintaining security
  • Clear error messages for debugging and user feedback

Upgrade Safety Framework

Wafra uses UUPS (Universal Upgradeable Proxy Standard) for safe contract upgrades:

Upgrade Authorization:

  • Only admin role can authorize contract upgrades
  • Additional validation through upgrade validator contract
  • Storage layout compatibility verification
  • Interface compatibility validation

Upgrade Safety Measures:

  • Storage gaps reserved for future variables
  • Comprehensive upgrade validation process
  • Test environment validation before production deployment
  • Rollback procedures for failed upgrades

Validation Requirements:

  • Storage layout must remain compatible with existing data
  • Interface compatibility ensures client application compatibility
  • Security requirements verification prevents downgrade attacks
  • Multi-signature approval for critical upgrades

Application Security

Input Validation & Sanitization

Wafra implements comprehensive input validation to prevent injection attacks and ensure data integrity:

Address Validation:

  • Ethereum address format verification using ethers.js
  • Zero address prevention for security
  • Checksum validation for address integrity
  • Blacklist checking for known malicious addresses

Amount Validation:

  • Decimal precision validation for financial amounts
  • Range checking to prevent overflow attacks
  • Positive value enforcement
  • Maximum value limits to prevent economic attacks

Input Sanitization:

  • Special character removal to prevent injection attacks
  • Input length limits to prevent buffer overflow
  • Whitespace trimming and normalization
  • SQL injection prevention through parameterized queries

Rate Limiting Implementation:

  • Redis-based rate limiting with sliding windows
  • Per-user and per-IP rate limits
  • Intelligent rate limiting based on user behavior
  • Automatic IP blocking for abuse patterns

API Security Framework

Wafra’s tRPC API implements multiple security layers:

Security Middleware Stack:

  • Rate limiting middleware prevents API abuse
  • Authentication middleware validates JWT tokens
  • Input validation middleware using Zod schemas
  • Passkey verification for sensitive operations

Secure Procedure Implementation:

  • Public procedures for non-sensitive operations
  • Protected procedures requiring authentication
  • Sensitive procedures requiring passkey verification
  • Comprehensive audit logging for all operations

Security Audit Logging:

  • All sensitive operations are logged with full context
  • User identification and operation details recorded
  • Timestamp and IP address tracking
  • Log data sanitization to prevent information leakage

Data Protection & Privacy

Wafra implements comprehensive data protection measures:

Encryption at Rest:

  • AES-256-GCM encryption for all sensitive data
  • AWS KMS or Azure Key Vault for key management
  • Automatic key rotation every 90 days
  • Encrypted database fields for PII data

Encryption in Transit:

  • TLS 1.3 for all communications
  • Certificate auto-renewal via Let’s Encrypt
  • Modern cipher suites only
  • Certificate pinning for mobile applications

Data Minimization:

  • Collection of only necessary user data
  • Automatic deletion based on retention policies
  • Data anonymization after legal requirements expire
  • Regular data cleanup and archival processes

Privacy Compliance:

  • GDPR, CCPA, and SOX compliance measures
  • Right to be forgotten implementation
  • Data portability for user data export
  • Privacy policy transparency and user consent

Infrastructure Security

Network Security

Wafra implements comprehensive network security measures:

DDoS Protection:

  • Cloudflare Pro provides Layer 3/4 DDoS mitigation
  • Application layer protection against sophisticated attacks
  • Rate limiting by IP address and API endpoint
  • Geographic blocking for high-risk regions

Web Application Firewall:

  • SQL injection prevention with pattern matching
  • XSS attack filtering and sanitization
  • CSRF protection through token validation
  • Malicious bot detection and blocking

Network Segmentation:

  • Public-facing tier for API gateway and static assets
  • Application tier for business logic and services
  • Data tier for database and sensitive operations
  • Zero-trust network architecture with micro-segmentation

Monitoring & Incident Response

Wafra operates a comprehensive Security Operations Center (SOC):

Real-Time Monitoring:

  • Datadog and Sentry for application monitoring
  • Custom dashboards for security metrics
  • Failed authentication attempt tracking
  • Unusual transaction pattern detection

Alerting System:

  • Critical alerts trigger immediate security team notification
  • Automated escalation procedures for unresolved incidents
  • Multiple notification channels including PagerDuty, Slack, email, and SMS
  • Alert correlation to reduce false positives

Incident Response Procedures:

  • Documented response playbooks for various incident types
  • Automated threat containment for known attack patterns
  • Complete audit trail preservation for forensic analysis
  • Tested disaster recovery procedures with regular drills

Compliance & Auditing

Wafra maintains compliance with multiple regulatory frameworks:

Regulatory Standards:

  • SOX compliance for financial reporting
  • PCI DSS Level 1 for payment processing
  • GDPR and CCPA for privacy protection
  • SOC 2 Type II and ISO 27001 for security management

Audit Trail Requirements:

  • Complete logging of all user actions and system events
  • Tamper-proof log storage with cryptographic integrity
  • 7-year retention for financial records
  • Real-time audit query capabilities for compliance reporting

Third-Party Assessments:

  • Quarterly external penetration testing
  • Annual smart contract security audits
  • Continuous bug bounty program
  • Regular compliance assessments by certified auditors

Security Incident Response

Incident Classification

Wafra categorizes security incidents by severity level:

Critical Incidents:

  • Active security breaches with fund loss potential
  • Smart contract exploits or vulnerabilities
  • Large-scale user data compromise
  • Complete system outages

High Severity Incidents:

  • Potential security breaches under investigation
  • Significant user data exposure
  • Failed authentication attacks at scale
  • Major service disruptions

Medium Severity Incidents:

  • Security policy violations
  • Suspicious activity patterns
  • Minor data exposure incidents
  • Service degradation affecting security

Low Severity Incidents:

  • Minor security concerns
  • Failed individual authentication attempts
  • Non-critical system anomalies
  • Security tool false positives

Incident Response Process

Detection and Analysis:

  • Automated anomaly detection systems
  • 24/7 security team monitoring
  • Bug bounty and responsible disclosure programs
  • User and partner reporting channels

Response and Containment:

  • Immediate automated threat containment where possible
  • Rapid impact and scope analysis
  • Stakeholder notification according to severity
  • Evidence preservation for investigation

Recovery and Lessons Learned:

  • System restoration procedures with security validation
  • User communication and transparency
  • Post-incident analysis and improvement implementation
  • Security control enhancement based on findings

Emergency Procedures

Wafra implements comprehensive emergency controls:

Protocol Emergency Controls:

  • Emergency pause functionality to halt all operations
  • Emergency withdrawal capabilities for user fund protection
  • Strategy emergency withdrawal from DeFi protocols
  • Administrative override capabilities for critical situations

Emergency Response Team:

  • 24/7 on-call security engineering team
  • Clear escalation procedures and contact information
  • Predefined emergency response playbooks
  • Regular emergency response drills and training

Communication Procedures:

  • Transparent user communication during incidents
  • Regular status updates through multiple channels
  • Post-incident detailed reporting
  • Coordination with law enforcement when required

This comprehensive security framework provides multiple layers of protection, ensuring the safety of user funds and maintaining the integrity of the Wafra platform across all components of the system. The security measures are continuously updated and improved based on threat landscape changes, security research, and lessons learned from the broader DeFi ecosystem.

Money FlowTechnology Stack