This page addresses concerns regarding the security and trust model of the Fordefi API Signer.
Yes, the API Signer holds a decrypted MPC share in memory but never stores it in persistent storage. Here's how it works:
- The API Signer stores a decryption key.
- On startup, it fetches the encrypted MPC share from the Fordefi backend and decrypts it using this key.
- The MPC share retrieved is the user’s own encrypted share, not Fordefi’s share, which is stored in our secure enclave.
- The Fordefi backend never has access to the decrypted MPC share. It only stores the encrypted version.
- The decryption key remains either in the user's mobile app or within the API Signer, but never with the backend.
- The API Signer also holds an authentication key, which is used only to register public keys of new API Users. It is not involved in transaction signing.
The keys are stored in the Signer's Docker volume, which can optionally be encrypted.
Learn how to encrypt Docker volumes.
No.
Even if an attacker gains access to the decrypted MPC share in memory, they still cannot sign valid transactions unless:
- They also obtain Fordefi’s MPC share, which is stored in a secure enclave and is never exposed.
- They compromise an API User with permissions to initiate transactions.
Even in this case, transaction policies and user permissions still apply, providing an additional layer of protection.
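
A simplified model of why the single share held in the API Signer's memory is not enough to sign, added here as an illustration and not Fordefi's code or protocol. It assumes 2-of-2 additive sharing over a toy prime modulus `Q`; all function names are hypothetical.

```python
import secrets

# Assumption: toy prime modulus standing in for the signing group's order.
Q = 2**127 - 1

def split_key(secret: int) -> tuple[int, int]:
    """Split a key into two additive shares: secret = user + provider (mod Q)."""
    user_share = secrets.randbelow(Q)
    provider_share = (secret - user_share) % Q
    return user_share, provider_share

def recombine(user_share: int, provider_share: int) -> int:
    """Model only: real MPC signing never reassembles the key in one place."""
    return (user_share + provider_share) % Q

def consistent_provider_share(candidate_key: int, leaked_user_share: int) -> int:
    """Provider share that would make candidate_key match the leaked share."""
    return (candidate_key - leaked_user_share) % Q

def keys_still_possible(leaked_user_share: int, candidates: list[int]) -> int:
    """Count candidate keys that remain consistent with the leaked share alone."""
    return sum(
        recombine(leaked_user_share,
                  consistent_provider_share(c, leaked_user_share)) == c
        for c in candidates
    )

if __name__ == "__main__":
    key = secrets.randbelow(Q)  # constructed sample key
    user, provider = split_key(key)
    assert recombine(user, provider) == key
    guesses = [secrets.randbelow(Q) for _ in range(1000)] + [key]
    # Every guess stays possible: the leaked share narrows nothing down.
    print(keys_still_possible(user, guesses), "of", len(guesses), "candidates remain")
```

Because every candidate key has a matching provider share, the user share by itself carries no information about the key; the other share, held separately, is what the signing depends on.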