Secure by design
The system is comprised of several independent components, including a network monitor, order processor, transaction sender, (external) transaction signer, and others. Each component can be stopped at any time without affecting functionality of the other parts of the system. Components can be duplicated for redundancy.
The system can be configured to require administrative approval (manual, rule-based automatic, or both) for each outgoing payment, and the payment will not enter the processing queue until such approval is given ("level 1 of withdraw limit control").
Any number of transaction signers can run on entirely separate, highly secured systems, and talk to the main system only through API via a secure channel. Each transaction signer can handle one or more private keys for signing. The public key parts of these keys can be composed into different single- or multisignature configurations on the main system.
Signers may connect to the API via onion routing networks like TOR (“stealth mode”) – without going through public networks - so that in the unfortunate event that the main system gets compromised, hackers are unable to even locate the system with the signer, and cannot mount any network attacks against it – and are thus unable to circumvent spending limits configured for the signer.
Signers may not be connected to any network at all, and sign transactions offline (configuration known as “cold wallet”) – with transaction signing proposals and resulting signatures transferred on SD cards or other offline media. You can accept deposits straight to this cold wallet, as only the public keys are required to create deposit addresses.
Transaction signers that sign transactions automatically, have a built-in funds-flow limiter, that can be configured to proceed with signing only if funds outflow does not exceed a certain value per second (for example, 0.04 bitcoin/minute – “level 2 of withdraw limit control”), and not exceed a pre-configured total limit (for example, 100 Litecoins total, and after that, manual limit reset will be required - “level 3 of withdraw limit control”). Limits are configured for each signer individually.
Limits for automatic transaction signers can be set via QR-coded commands printed on paper. This makes it possible to have a paper trail of the limit control operation: for example, a sealed envelope with a command “allow withdrawal of 10 more BTC” can be put into a safe, and when a legitimate need arises, authorized personnel, observing proper paper trail procedures, can take that envelope and scan it into the system. The transaction signer that the command is directed to, will check a digital signature embedded in the command, to ensure that this command was created by higher management who have access to the appropriate cryptographic keys, and then will apply the command, allowing withdrawal of more funds.
As transaction signers connect to the main system via a public API, implementing a circuit breaker is straightforward: just disconnect the system with the signer from the network. As transactions without correct signatures cannot be accepted by the blockchain, funds outflow from the system will be immediately stopped.
Certain deposits can be tagged on receive to isolate them from other funds. Coins from illicit sources that were isolated can be returned to their rightful owners, or transferred to law enforcement control without affecting other funds in the system.
Additional independent systems can be deployed and configured to track address usage of the main system via blockchain. This enables:
- Independent cross-checking of incoming payments;
- Deposits wallet completely isolated from the main system: the main system can detect deposits, but only the second, isolated, “shadow” system can spend from this deposits wallet. This “shadow” system does not need to receive incoming connections, only need to be connected to blockchain, and can be located anywhere.