MEDUSA — Digital Custody Platform
Pull-Based • Multi-Signature • Zero-Trust
Institutional-grade security meets modern crypto. This custody platform protects digital assets with hardened key management, multi-signature workflows, and MPC technology. Policy-based approvals, segregated accounts, and tamper-evident audit trails give institutions the confidence they need. Integrates seamlessly with blockchain nodes and banking rails while maintaining strict compliance and recovery procedures.
Custody Is a Single Point of Failure
Institutions want digital asset exposure, but traditional custody architectures concentrate risk in exactly the places attackers target: keys, admin access, and mutable logs.
One Key, Total Loss
A single compromised key or rogue administrator can move funds irreversibly. Most breaches trace back to concentrated signing authority.
Exposed Attack Surface
Conventional custody backends accept inbound connections into the systems that hold keys, so every internet-facing service is a path to the vault.
Mutable Audit Trails
Database logs can be edited or deleted after the fact. Regulators and clients have no cryptographic proof that history wasn't rewritten.
Shared-Everything Tenancy
Multi-client platforms commingle data, policies, and secrets, so one tenant's incident becomes every tenant's incident.
Zero-Trust, Pull-Based Custody
MEDUSA — Multi-signature Enterprise Digital Custody Architecture — removes single points of failure with threshold signatures, an immutable governance chain, and a secure zone that never listens.
Multi-Signature by Default
Every sensitive change requires ECDSA SECP256K1 signatures under configurable policies: auto-approve, single, all, or M-of-N threshold — with witness signature binding.
Pull-Based Governance
Secure components never accept inbound connections. Governance and wallets poll outward for work, so there is no route from the internet to the keys.
Immutable Governance Chain
Approvals are sealed into hash-chained blocks with Merkle roots and exponential back-references — a tamper-evident record of every decision.
True Tenant Isolation
Schema-level database isolation, independent per-tenant governance chains, and scoped Vault secret paths keep every institution's world separate.
Four Layers, Zero Inbound Trust
From the browser down to the secure zone, each layer only reaches outward — approvals flow through cryptographic checkpoints, never through open ports.
Client Layer
React frontend and browser extension where users initiate operations, compute payload hashes client-side, and verify signatures in-browser before anything is trusted.
DMZ Backend
The only internet-facing service. The Spring Boot backend authenticates users, records pending changes, and waits to be polled — it can never reach into the secure zone.
Governance Chain
An append-only event store that polls the DMZ for pending changes, validates them against policy, collects signatures, and seals approvals into hash-chained blocks.
Secure Zone
Wallet gateway plus Stellar and Bitcoin wallet services, backed by HashiCorp Vault. Keys never leave; wallets poll for approved operations and push results outward.
Pull-Based Operation Flow
Every operation travels through four checkpoints. No component in the secure zone ever accepts an inbound connection.
Initiate
Client → DMZWhat Happens
- Operation signed via browser extension or CLI
- Payload hash computed client-side
- Backend records a pending change
- 7-day workflow expiry starts
Approve
Governance ChainWhat Happens
- Governance polls the DMZ for pending changes
- Policy evaluated: auto, single, all, or M-of-N
- Witness signatures bound to the payload hash
- Approval sealed into a hash-chained block
Execute
Secure ZoneWhat Happens
- Wallets poll governance for approved operations
- Anti-replay: hash dedup and ±5min timestamp bounds
- Anti-rewind: external chain tip verification
- Transaction signed with Vault-held keys and broadcast
Settle & Audit
DMZ → ClientWhat Happens
- Wallet pushes the result outbound to the backend
- Backend updates state and notifies the user
- Exponential back-references enable fast chain verification
- Prometheus + Grafana observability end to end
Four Pillars of Defense
Each pillar closes a class of attack: signing authority, secret storage, tenant boundaries, and history manipulation.
Multi-Signature Crypto
Signing AuthorityControls
- ECDSA SECP256K1 signatures
- M-of-N threshold signing
- Witness signature binding
- Founder keys with defined recovery
Vault Integration
Secret StorageControls
- HashiCorp Vault AppRole authentication
- Path-based secret isolation
- Transit secrets engine
- AES-256-GCM encryption
Tenant Isolation
Tenant BoundariesControls
- Schema-level database isolation
- Independent governance chains per tenant
- Scoped Vault secret paths
- Segregated accounts per institution
Anti-Rewind / Replay
History IntegrityControls
- External chain tip files
- Payload hash deduplication
- ±5min timestamp bounds
- Exponential back-references
From Beta to Bank-Grade
The core custody engine is live in beta. Each phase widens reach without loosening the zero-trust foundation.
Beta
Live TodayDelivered
- Bitcoin & Stellar custody services
- Policy engine with signed workflows
- Immutable governance chain
- Browser-extension signing
Chain Expansion
In DesignPlanned Deliverables
- Additional chain integrations (Cardano next)
- Pluggable wallet-service architecture
- Unified multi-chain policy controls
- Extended asset coverage
Banking Rails
PlannedPlanned Deliverables
- Fiat on/off-ramp integrations
- Banking rail connectivity
- Settlement reporting
- Treasury operations tooling
Institutional Onboarding
PlannedPlanned Deliverables
- Compliance certifications
- Expanded recovery procedures
- Enterprise support & SLAs
- Institutional client onboarding
Custody Institutions Can Verify, Not Trust
Security, compliance, and operations each get cryptographic guarantees instead of promises.
For Institutions
For Security Teams
For Compliance & Ops
Ready to Secure Institutional Digital Assets?
Let's talk about bringing zero-trust, multi-signature custody to your institution — from architecture review to production deployment.