Our Security-First Philosophy

Security is not an afterthought at Refract; it is the cornerstone of our architecture. We are committed to providing a non-custodial, omni-chain ecosystem where user assets are protected by state-of-the-art cryptographic techniques and robust engineering practices. Our goal is to empower developers to build secure, user-friendly Web3 applications with confidence.

Our security model is built on several key pillars:

  1. Non-Custodial Key Management: At the heart of our system is a 2-of-3 Multi-Party Computation (MPC) protocol based on the cggmp-24 scheme. This ensures that users always have full control over their assets. A user’s private key is never stored in a single location, mitigating the risk of a single point of failure.

  2. Hardware-Level Isolation: We leverage Trusted Execution Environments (TEEs), specifically AWS Nitro Enclaves, to securely store and manage the server-side key shard. This provides a hardware-enforced boundary that isolates sensitive computations from the host system, protecting against even privileged attackers.

  3. Comprehensive Transaction Sandboxing: Every transaction initiated through a dApp is processed within our SecureSign protocol. Before a user approves anything, they see a clear, human-readable breakdown of the transaction’s effects in a sandboxed UI. This prevents dApp-level exploits from tricking users into signing malicious payloads.

  4. Cryptographic Integrity and Authorization: Every communication channel, from the dApp’s postMessage calls to backend transaction submissions, is rigorously validated. We bind requests to application and user IDs, employ single-use nonces to prevent replay attacks, and ensure every action is explicitly authorized by the user.
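The binding and replay checks described in this pillar can be illustrated with a small wallet-side validator for incoming postMessage requests. The following is an added example, not Refract's SecureSign code; the origins, app IDs, user IDs, action names and the `showApprovalPrompt` hook are constructed assumptions, and the nonce store is an in-memory set rather than whatever the real backend uses.

```javascript
// Added example (not Refract's code): a wallet-side postMessage validator
// that binds each request to a registered origin, app ID and user ID and
// accepts every nonce at most once. All identifiers below are constructed.

// Registered dApp origins and the app ID each one may present (constructed).
const REGISTERED_APPS = new Map([["https://dapp.example", "app-001"]]);

// Session the wallet established when the user signed in (constructed).
const session = { userId: "user-42" };

// Nonces the wallet has handed out and that have not yet been consumed.
const outstandingNonces = new Set();

// Actions a dApp may request; anything else is rejected.
const ALLOWED_ACTIONS = new Set(["signTransaction", "signMessage"]);

// Issue a single-use nonce. The default uses the Web Crypto API
// (browser and Node >= 19); a caller may pass one explicitly, e.g. in tests.
function issueNonce(nonce = crypto.randomUUID()) {
  outstandingNonces.add(nonce);
  return nonce;
}

// Validate one incoming message. Returns { ok: true, request } on success
// or { ok: false, reason } naming the first check that failed.
function validateRequest(event) {
  const { origin, data } = event;
  if (!data || typeof data !== "object") return { ok: false, reason: "malformed" };

  const { appId, userId, nonce, action, payload } = data;

  // 1. The origin must be registered, and the presented app ID must be the
  //    one registered for that origin, so a page cannot borrow another app's ID.
  if (!REGISTERED_APPS.has(origin)) return { ok: false, reason: "unknown-origin" };
  if (REGISTERED_APPS.get(origin) !== appId) return { ok: false, reason: "app-mismatch" };

  // 2. The request must be bound to the signed-in user.
  if (userId !== session.userId) return { ok: false, reason: "user-mismatch" };

  // 3. The nonce must be one we issued and still unused. It is consumed before
  //    any further work so a duplicate message cannot pass a second time.
  if (typeof nonce !== "string" || !outstandingNonces.has(nonce)) {
    return { ok: false, reason: "replayed-or-unknown-nonce" };
  }
  outstandingNonces.delete(nonce);

  // 4. Only whitelisted actions reach the user-approval step.
  if (!ALLOWED_ACTIONS.has(action)) return { ok: false, reason: "action-not-allowed" };

  return { ok: true, request: { origin, appId, userId, action, payload } };
}

// Browser wiring: only requests that pass every check reach the approval UI.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = validateRequest(event);
    if (result.ok) {
      // showApprovalPrompt(result.request); // hypothetical sandboxed-UI hook
    }
  });
}
```

Two design points matter in practice: the nonce is removed from the outstanding set before any work is done on the request, so a second copy of the same message fails closed rather than racing the first, and the app ID is derived from the verified `event.origin` rather than trusted from the message body. A production nonce store would also expire entries after a short TTL so the set cannot grow without bound.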

These principles combine to create a layered defense system that protects users at every stage of their Web3 journey. The following sections provide a deeper technical dive into each of these components.