Security One Pager
Kinto is a safety-first L2 built on the Arbitrum Nitro stack, the first of its class to feature user-owned KYC/KYB, AML, fraud detection and KYT enforced at the node level. These features are integrated with your smart account: a multisig-by-default wallet powered by account abstraction, which makes Kinto not only the safest L2 but also the most usable.
Security before joining KINTO
Kinto's onboarding starts with the user selecting a KYC/KYB provider (at launch: Onfido, Synaps and Plaid). These providers were selected for their security track record, GDPR compliance and strict PII handling. Every KYC/KYB flow includes a biometric liveness check and document fraud/manipulation detection. No PII is stored on Kinto servers or on the chain itself. All individuals and corporations are also screened for AML, fraud, PEP and OFAC list hits.
Upon approval, first-level users are provisioned a passkey-based Turnkey (non-custodial) EOA signer and minted a soulbound NFT, the KintoID. Finally, the smart contract wallet is deployed and the user can add signers and set a custom signing policy. Every signer added to any Kinto Wallet is also screened via Chainalysis, whose KYT service gives insight into the source of funds (for example exposure to mixers such as Tornado Cash) and prior interaction with scams, frauds or other illegal activity. Only once an individual or corporation has passed all of these checks are they allowed to interact with the network.
Security while on KINTO
All transactions to the network must be initiated by a Kinto Wallet holding a valid KintoID. This is enforced by our set of smart contracts together with node-level whitelisting of the account abstraction EntryPoint, so that the node only admits transactions routed through the EntryPoint. We have modified the Arbitrum Nitro stack with the help of the Arbitrum team, and these changes (alongside all of our smart contracts) are audited by three external teams: Pessimistic, MixBytes and Certora. More information about security, the audits and our processes can be found in our GitHub security repository.
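To make the node-level rule above concrete, here is an added illustration in Go (the language of the Nitro stack). It is not Kinto's code: the type names, the single-address allowlist, the placeholder EntryPoint address and the sample transactions are all assumptions. It models the admission check a sequencer can apply before a transaction enters the queue: a transaction is accepted only if its destination is the whitelisted EntryPoint, while direct transfers, direct contract calls and contract creations are dropped. The contract-level KintoID check that runs behind the EntryPoint is not modeled here.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Address is a 20-byte account address, the form a transaction destination takes.
type Address [20]byte

// ParseAddress decodes a 0x-prefixed hex address (checksum casing is ignored).
func ParseAddress(s string) (Address, error) {
	var a Address
	raw, err := hex.DecodeString(strings.TrimPrefix(strings.ToLower(s), "0x"))
	if err != nil || len(raw) != len(a) {
		return a, fmt.Errorf("malformed address %q", s)
	}
	copy(a[:], raw)
	return a, nil
}

// Tx carries only the fields the admission check inspects.
// A nil To models a contract-creation transaction, which has no destination.
type Tx struct {
	From Address
	To   *Address
}

var (
	ErrContractCreation = errors.New("rejected: direct contract creation bypasses the EntryPoint")
	ErrNotEntryPoint    = errors.New("rejected: destination is not the whitelisted EntryPoint")
)

// AdmissionFilter is a node-level allowlist with a single permitted destination:
// the ERC-4337 EntryPoint. Because every user action must arrive as a UserOperation
// through the EntryPoint, the contracts behind it (wallet, KintoID validity check)
// see every transaction; nothing can route around them with a plain EOA transaction.
type AdmissionFilter struct {
	EntryPoint Address
}

// Check decides whether a single transaction may enter the sequencer queue.
func (f AdmissionFilter) Check(tx Tx) error {
	if tx.To == nil {
		return ErrContractCreation
	}
	if *tx.To != f.EntryPoint {
		return ErrNotEntryPoint
	}
	return nil
}

// Filter applies Check to a batch, returning the transactions that may proceed
// and, keyed by original index, the reason each dropped transaction was refused.
func (f AdmissionFilter) Filter(txs []Tx) (accepted []Tx, rejected map[int]error) {
	rejected = make(map[int]error)
	for i, tx := range txs {
		if err := f.Check(tx); err != nil {
			rejected[i] = err
			continue
		}
		accepted = append(accepted, tx)
	}
	return accepted, rejected
}

func main() {
	// Assumed EntryPoint address: the canonical ERC-4337 v0.6 deployment is used as a
	// placeholder; Kinto's whitelisted address is not given on this page.
	entryPoint, _ := ParseAddress("0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789")
	filter := AdmissionFilter{EntryPoint: entryPoint}

	// Constructed sample transactions, not real chain data.
	alice, _ := ParseAddress("0x00000000000000000000000000000000000000a1")
	bob, _ := ParseAddress("0x00000000000000000000000000000000000000b0")
	sample := []Tx{
		{From: alice, To: &entryPoint}, // bundled UserOperations: admitted
		{From: alice, To: &bob},        // direct EOA transfer or contract call: dropped
		{From: bob, To: nil},           // direct contract deployment: dropped
	}

	accepted, rejected := filter.Filter(sample)
	fmt.Printf("admitted %d of %d transactions\n", len(accepted), len(sample))
	for i := range sample {
		if err, ok := rejected[i]; ok {
			fmt.Printf("tx[%d]: %v\n", i, err)
		}
	}
}
```

The design point is that the allowlist is a negative control: it does not decide who may transact (that is the job of the KintoID and wallet contracts), it only guarantees that no transaction can reach the chain without passing through the contracts that make that decision.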
All of the KYC/KYB and Chainalysis integrations provide continuous monitoring for every check mentioned above. A KintoID becomes invalid as soon as any of these systems raises a flag, and also if our systems cannot positively confirm its status. Protocols can additionally install an IronBlocks firewall that verifies every transaction before it executes.
The Kinto chain integrates Hypernative protections that continuously monitor (statically and dynamically) for hacks, rugs and scams at the smart contract level, analyzing both the contracts themselves and the behavior of transactions for potential bad actors.
Security when leaving KINTO
If none of the systems above stops an attack against the network or its users, our security council can intervene and disclose the attackers' identity information to the KYC/KYB providers and, in turn, to the authorities. In extreme cases, the security council can halt the bridge itself before the 7-day finality window elapses.
The KINTO team and best practices
Team members receive security training and follow industry best practices for passwords and passkeys, MFA, hardware-based security, VPNs, and both digital and physical threats. Team access is limited and audited. All API keys and secrets are managed via enclaves, secret managers or vaults and rotated regularly according to their criticality.
For more information, please contact security@kinto.xyz