πŸ”Security

Soon to be the first secure telegram bot! Better than a HOT wallet.

Okay hooman, we are robots so we take security very serious.

Is COINBOT secure?
  • No one has access to your private key or password. Never stored on a server, database, or website.

  • Private keys will soon be encrypted using OPAQUE cryptographic system. This system is similar to Zero-Knowledge proofs.

  • Everything will soon be encrypted with OPAQUE so we will never know anything of your PK or PW

  • Better than a HOT wallet and definitely better than CEX

  • Grant temporary asymmetrical access for key signing sessions for "x" amount of transactions or for "y" duration of time

How are Private Keys stored?

Private keys will be encrypted asymmetrically via OPAQUE system.

They are not stored externally anywere.

What is OPAQUE?
  • OPAQUE is purpose-built for shielding both participating parties from seeing any information about the other’s secret auth data, yet being able to confirm if the data used as input to the protocol matches what was registered without knowing what the input data itself actually is or obtaining any information about it

  • Designed and implemented to ensure client-only symmetrical encryption and storage of arbitrary data

  • Comes with built-in secure session capabilities through the derivation of a session key on both sides of the protocol. Keeps malicious parties from seeing anything going across the wire, even if on a fully compromised network

  • Doesn’t need or impose hardware security module requirements that almost all MPC implementations require

  • Compatible with any type of wallet secret, as it doesn’t matter what underlying data is being secured. Seed, priv key, MPC shard, etc, doesn’t matter. For MPC integrations, however, it requires deeper cooperation between the MPC provider and Sequel, as I don't know of any MPC provider that will give you direct access to your specific keyshare. It's a "managed" process for all of them.

How is it different to ZK?

This including security that the previous ZK approach doesn't cover:

  • You never send your master key to the server, so there is nothing that can be sniffed by MitM or replayed, nor can your master key leak in any way

  • The "salt" is also never available to eavesdroppers, which makes pre-computation impossible

  • Memory-hard password hashing functions are running on the client, which makes computational denial of service attacks against servers much less of a problem

  • There is even support to mitigate user enumeration attacks

  • It even works in insecure environments, such as over HTTP (not https)

Where can I read more on OPAQUE?

Built by Sequel, the first solution to crypto inheritance: https://sequelfi.com/security

Last updated