Security One Pager

Kinto is the safety-first L2, built on the Arbitrum Nitro stack (first of its class) that features user-owned KYC/KYB, AML, fraud detection and KYT, enforced at the node level. These features are seamlessly integrated with your smart account - multisig by default- powered with account abstraction, making Kinto not only the safest L2 but also the most usable.

🔒Security before joining KINTO

Kinto’s onboarding starts with the user selecting a KYC/KYB provider (on launch we feature and ), these providers have been selected for their past security history, GDPR compliance and strict PII handling. These KYC/KYB processes always include a biometric liveness check and document fraud/ manipulation detection. It is worth mentioning that no PII is stored on Kinto servers or on the chain itself. All individuals/corporations are also checked for AML, fraud, PEP, OFAC list hits.

Upon approval of this, first-level users are generated a passkey based (non-custodial) EOA signer and minted a soulbound NFT, the . Finally, the smart contract is deployed and the user can set additional signers and custom signing policy. Every signer added to any Kinto Wallet is also analyzeds via . Chainalisys KYT service provides good insight on source of funds (Tornado Cash) and interactions in previous scams, frauds or illegal activities. Once an individual/corporation has passed all these checks, they are allowed to interact with the network.

🔒Security while on KINTO

All transactions to the network need to be initiated by a Kinto Wallet with a valid KintoID, our set of smart contracts together with the node-level whitelisting of the account abstraction EntryPoint achieve this. We have modified the Arbitrum Nitro stack with the help of the Arbitrum team and these changes (alongside all of our smart contracts) are audited by three external teams: Pessimistic, MixBytes and Certora. More information about security, the audits and our processes can be found in our Github security .

All of the KYC/KYB and Chainalysis integrations offer continued monitoring systems for all mentioned checks above. KintoIDs will become invalid upon the receival of any flags by these systems. Additionally, KintoIDs also become invalid if not positively monitored by our systems. Protocols can install a firewall that verifies every tx before they happen using .

The Kinto chain integrated protections constantly monitoring (statically and dynamically) for hacks/rugs/scams at the smart contract level, analyzing both the contracts themselves and the behaviors of the txs for potential bad actors.

🔒Security when leaving KINTO

If none of the previously mentioned systems have been able to stop an attack against the network or its users, our is able to intervene and reveal the information of the attackers to the KYC/KYB providers and in turn to the authorities. In extreme cases, the security council can stop the bridge itself before the 7 days finality limit.

🔒The KINTO team and best practices

Members receive security training, abide by industry best practices in password/passkeys, MFA, hardware based security, VPNs and threats both digital and physical. Team access is limited and audited. All API keys and secrets are managed via enclaves/secret managers/vaults and rotated often based on criticality.

For more information please contact security@kinto.xyz