Beta

MEDUSA — Digital Custody Platform

Pull-Based • Multi-Signature • Zero-Trust

Institutional-grade security meets modern crypto. This custody platform protects digital assets with hardened key management, multi-signature workflows, and MPC technology. Policy-based approvals, segregated accounts, and tamper-evident audit trails give institutions the confidence they need. Integrates seamlessly with blockchain nodes and banking rails while maintaining strict compliance and recovery procedures.

Kotlin Spring Boot React Security Multi-Signature Zero-Trust
🔐
M-of-N
Threshold Signature Policies
🛡️
0
Inbound Connections to Secure Zone
⛓️
2 Chains
Bitcoin & Stellar Support
The Challenge

Custody Is a Single Point of Failure

Institutions want digital asset exposure, but traditional custody architectures concentrate risk in exactly the places attackers target: keys, admin access, and mutable logs.

🔑

One Key, Total Loss

A single compromised key or rogue administrator can move funds irreversibly. Most breaches trace back to concentrated signing authority.

🚪

Exposed Attack Surface

Conventional custody backends accept inbound connections into the systems that hold keys, so every internet-facing service is a path to the vault.

📝

Mutable Audit Trails

Database logs can be edited or deleted after the fact. Regulators and clients have no cryptographic proof that history wasn't rewritten.

🏢

Shared-Everything Tenancy

Multi-client platforms commingle data, policies, and secrets, so one tenant's incident becomes every tenant's incident.

The Solution

Zero-Trust, Pull-Based Custody

MEDUSA — Multi-signature Enterprise Digital Custody Architecture — removes single points of failure with threshold signatures, an immutable governance chain, and a secure zone that never listens.

✍️

Multi-Signature by Default

Every sensitive change requires ECDSA SECP256K1 signatures under configurable policies: auto-approve, single, all, or M-of-N threshold — with witness signature binding.

📡

Pull-Based Governance

Secure components never accept inbound connections. Governance and wallets poll outward for work, so there is no route from the internet to the keys.

⛓️

Immutable Governance Chain

Approvals are sealed into hash-chained blocks with Merkle roots and exponential back-references — a tamper-evident record of every decision.

🏦

True Tenant Isolation

Schema-level database isolation, independent per-tenant governance chains, and scoped Vault secret paths keep every institution's world separate.

Four Layers, Zero Inbound Trust

From the browser down to the secure zone, each layer only reaches outward — approvals flow through cryptographic checkpoints, never through open ports.

4
Layer 4
🖥️

Client Layer

React frontend and browser extension where users initiate operations, compute payload hashes client-side, and verify signatures in-browser before anything is trusted.

⚛️React + TypeScript 🧩Browser Extension #️⃣Client-Side Hashing 🔏In-Browser Verification
Outbound Poll
3
Layer 3
🌐

DMZ Backend

The only internet-facing service. The Spring Boot backend authenticates users, records pending changes, and waits to be polled — it can never reach into the secure zone.

🌱Spring Boot 3.2 Kotlin / JDK 21 🔑Spring Security + JWT 🐘PostgreSQL 16
Outbound Poll
2
Layer 2
⛓️

Governance Chain

An append-only event store that polls the DMZ for pending changes, validates them against policy, collects signatures, and seals approvals into hash-chained blocks.

🌳Merkle Roots ✍️ECDSA SECP256K1 🔁M-of-N Workflows ⏱️Anti-Rewind / Replay
Outbound Poll
1
Foundation
🔐

Secure Zone

Wallet gateway plus Stellar and Bitcoin wallet services, backed by HashiCorp Vault. Keys never leave; wallets poll for approved operations and push results outward.

🔐HashiCorp Vault 🔒AES-256-GCM Stellar Network Bitcoin Network

Pull-Based Operation Flow

Every operation travels through four checkpoints. No component in the secure zone ever accepts an inbound connection.

01

Initiate

Client → DMZ

What Happens

  • Operation signed via browser extension or CLI
  • Payload hash computed client-side
  • Backend records a pending change
  • 7-day workflow expiry starts
Checkpoint: Pending change awaits approval — nothing has moved
02

Approve

Governance Chain

What Happens

  • Governance polls the DMZ for pending changes
  • Policy evaluated: auto, single, all, or M-of-N
  • Witness signatures bound to the payload hash
  • Approval sealed into a hash-chained block
Checkpoint: Decision is cryptographically immutable
03

Execute

Secure Zone

What Happens

  • Wallets poll governance for approved operations
  • Anti-replay: hash dedup and ±5min timestamp bounds
  • Anti-rewind: external chain tip verification
  • Transaction signed with Vault-held keys and broadcast
Checkpoint: Funds move only with a sealed approval
04

Settle & Audit

DMZ → Client

What Happens

  • Wallet pushes the result outbound to the backend
  • Backend updates state and notifies the user
  • Exponential back-references enable fast chain verification
  • Prometheus + Grafana observability end to end
Checkpoint: A tamper-evident record of the full lifecycle

Four Pillars of Defense

Each pillar closes a class of attack: signing authority, secret storage, tenant boundaries, and history manipulation.

✍️

Multi-Signature Crypto

Signing Authority

Controls

  • ECDSA SECP256K1 signatures
  • M-of-N threshold signing
  • Witness signature binding
  • Founder keys with defined recovery
Closes: single-key compromise and rogue admins
🔐

Vault Integration

Secret Storage

Controls

  • HashiCorp Vault AppRole authentication
  • Path-based secret isolation
  • Transit secrets engine
  • AES-256-GCM encryption
Closes: key exfiltration from application hosts
🏦

Tenant Isolation

Tenant Boundaries

Controls

  • Schema-level database isolation
  • Independent governance chains per tenant
  • Scoped Vault secret paths
  • Segregated accounts per institution
Closes: cross-tenant blast radius
⏱️

Anti-Rewind / Replay

History Integrity

Controls

  • External chain tip files
  • Payload hash deduplication
  • ±5min timestamp bounds
  • Exponential back-references
Closes: replayed approvals and rewritten history

From Beta to Bank-Grade

The core custody engine is live in beta. Each phase widens reach without loosening the zero-trust foundation.

Now

Beta

Live Today

Delivered

  • Bitcoin & Stellar custody services
  • Policy engine with signed workflows
  • Immutable governance chain
  • Browser-extension signing
Milestone: Core custody engine in production beta
Next

Chain Expansion

In Design

Planned Deliverables

  • Additional chain integrations (Cardano next)
  • Pluggable wallet-service architecture
  • Unified multi-chain policy controls
  • Extended asset coverage
Milestone: One policy engine, many chains
Planned

Banking Rails

Planned

Planned Deliverables

  • Fiat on/off-ramp integrations
  • Banking rail connectivity
  • Settlement reporting
  • Treasury operations tooling
Milestone: Crypto custody meets traditional finance
Planned

Institutional Onboarding

Planned

Planned Deliverables

  • Compliance certifications
  • Expanded recovery procedures
  • Enterprise support & SLAs
  • Institutional client onboarding
Milestone: Bank-grade custody, end to end

Custody Institutions Can Verify, Not Trust

Security, compliance, and operations each get cryptographic guarantees instead of promises.

🏛️

For Institutions

M-of-N approval policies match real governance structures
Segregated accounts with schema-level tenant isolation
Founder keys and defined recovery procedures
Multi-chain custody: Bitcoin and Stellar today
🛡️

For Security Teams

Zero inbound connections to key-holding components
Keys sealed in HashiCorp Vault with AppRole and path isolation
Replay and rewind protection built into execution
Client-side hashing and in-browser signature verification
⚖️

For Compliance & Ops

Immutable, hash-chained record of every approval
Merkle roots make change history independently verifiable
Policy changes themselves require signed workflows
Full observability with Prometheus and Grafana

Ready to Secure Institutional Digital Assets?

Let's talk about bringing zero-trust, multi-signature custody to your institution — from architecture review to production deployment.

M-of-N
Threshold Policies
0
Inbound Connections
2 Chains
Bitcoin & Stellar