Security is not a feature at KeyBay — it is the foundation every product is built on. No protocol can be considered entirely risk-free, but we design for the worst case at every layer.
Every vault position is overcollateralized at 150% or higher. Delta exposure is capped at 0.24 across all strategy sleeves. The drawdown-first risk framework means capital preservation comes before yield optimization.
All vault contracts (KeyBayVault, CreditVault, Oracle, kbBTC, WithdrawalQueue, ReserveProof) are written in AssemblyScript and compiled to WASM for execution on OP_NET. Contracts undergo third-party security audits before mainnet deployment. We are currently scheduling our initial audit engagement — audit reports will be published here when complete.
The ReserveProof smart contract enables independent verification that vault deposits are fully backed. Anyone can query the contract to confirm that reported TVL matches on-chain reserves. This is not a trust-me statement — it is verifiable cryptographic proof.
Your BTC never leaves Bitcoin. OP_NET handles current vault execution: vault logic runs as WASM smart contracts with epoch-based settlement anchored to Bitcoin mainnet. Arkade remains a future expansion path with unilateral exit design goals. Neither protocol uses bridges, wrapped tokens, or synthetic representations of BTC.
Arkade vaults guarantee unilateral exit to Bitcoin L1 via the Ark protocol. Even if KeyBay’s infrastructure goes offline, users can always exit their positions to on-chain BTC without operator cooperation. This is a protocol-level guarantee, not an operational promise.
The KeyBay API server enforces strict Content Security Policy headers, CORS origin whitelisting, rate limiting, and input sanitization on all endpoints. Admin operations require wallet-signed authentication with public key verification. All data is encrypted in transit via TLS 1.3.
We maintain a security.txt file at .well-known/security.txt with contact information for responsible vulnerability disclosure. If you discover a security issue, please report it through the channels listed there.
No protocol can eliminate all risk. Digital asset activities involve substantial risk of loss. Smart contracts may contain undiscovered vulnerabilities despite auditing. Market conditions can cause losses regardless of collateralization levels. We encourage all users to read our full risk disclosures before depositing.
This page describes KeyBay Capital’s security approach and design philosophy. It is not a guarantee of safety or returns. Last updated March 2026.