Private Key Security & TEEs

ChainPro takes security extremely seriously. Our team has spent years working at the intersection of security and user-experience. We completed the first audit of our infrastructure in December 2024 from Cantina with 0 critical or high risk issues. The audit report is here.

Private Key Management

Private keys are managed in secure enclaves by Turnkey. Turnkey are industry leaders in private key management, the founding team previously having built Coinbase Custody. A secure enclave is a trusted execution environment, which is a private, confidential computing environment that neither ChainPro nor Turnkey can see into. All signing operations occur within the secure enclave and are authenticated by a user’s passkey or an API key managed by the user’s browser.

On the web, users use their passkey to authenticate a request for a time bound API key (15 minute expiry) so that subsequent trades in the same session are seamless. Passkeys are cryptographic keypairs guarded by a device’s biometric sensors (i.e. fingerprint and facial recognition). Passkeys are built on FIDO standards.

The time-bound API key is stored in the browser similar to how Hyperliquid and dYdX store user’s private keys in the browser. Our approach additionally adds the restriction that these keys are time-bound and stored in IndexedDB rather than Local Storage. These additions greatly reduce the surface area for a hack, compared to our peers.

On mobile, the user’s API key is stored in the device’s keychain and guarded by biometrics. This is the same approach that popular wallets like MetaMask, Phantom and Uniswap use.

Exporting Private Key

Requests to export the seed phrase from the secure enclave are always authenticated by the user and the seed phrase is encrypted in transit such that only the user can decrypt it. More specifically, a public/private key pair is generated on the client and then the seed phrase is encrypted with that public key in transit.

Key Recovery

In the event that a user has lost their device, they can contact us to start the key recovery flow:

• There is a 3 day waiting period to help prevent a hacker from being able to recover a user’s account through accessing their email.

• The waiting period may be expedited if the user can prove their identity for an email connected to their legal name.

• At the end of the 3 day period, we kick off the account recovery process. We email you a link where you can add a new passkey that gives you access to your account.

In the future, ChainPro will provide a 2FA backup option where you’ll be able to register an security key or authenticator app to expedite the recovery process.

Trusted Execution Environments

In addition, ChainPro has architected bespoke transaction automation infrastructure with TEEs. To be specific, ChainPro uses AMD SEV-SNP Virtual Machines on Azure Confidential Compute.

TEEs enable ChainPro to securely automate user transactions in an isolated environment, ensuring that sensitive data remains encrypted in memory and inaccessible even to the ChainPro team. This mitigates risks associated with external tampering or insider threats.

With this design, the team never has access to the underlying private keys for wallets, and our TEE engine is only able to sign and submit transactions that have been approved by users.

Build and Runtime Integrity

All of our transaction automation infrastructure is automatically verified by Microsoft Azure Attestation for build and runtime integrity. This check occurs during the Secure Key Release process that our transaction automation engine relies on when it boots. As a result, our engine can only run known, safe code.