Security
Security model, key management, and privacy. COD3X is non-custodial by design — your keys never leave your device.
- Non-Custodial Architecture
- E2E Encrypted Communication
- Open Source Contracts
- Audited Smart Contracts
COD3X never holds your private keys. All trading is executed through per-agent isolated wallets where you retain full control. The platform facilitates trade execution but cannot access, move, or freeze your funds.
| Layer | What Happens | Who Controls |
|---|---|---|
| Key Generation | Private keys generated on your device | You — keys never leave your browser |
| Key Storage | Encrypted with your password/wallet signature | You — encrypted at rest, decrypted only in-browser |
| Trade Signing | Transactions signed locally before broadcast | You — COD3X sees signed transactions, not keys |
| Execution | Signed transactions submitted to Hyperliquid | Hyperliquid — settles on-chain |
| Fund Recovery | Export private key to any compatible wallet | You — full portability at all times |
Key Point
Even if COD3X servers went offline permanently, you could recover all funds using your exported private keys with any Hyperliquid-compatible wallet. The platform is a convenience layer, not a custody provider.
| Custodial Exchange (They Hold Your Keys) | COD3X (Non-Custodial, You Hold Your Keys) |
|---|---|
| Exchange controls your private keys | Private keys stay on your device |
| Counterparty risk (exchange failure/hack) | No counterparty risk on funds |
| Can freeze or restrict your account | Cannot be frozen by the platform |
| Withdrawal limits and delays | Instant withdrawals, no limits |
| FTX, Mt. Gox risk | Self-sovereign asset ownership |
| Feature | Description | Status |
|---|---|---|
| Email + Password | Standard authentication with bcrypt hashing | Available |
| Wallet Connect | SIWE (Sign-In with Ethereum) for Web3 native auth | Available |
| OAuth Providers | Google, GitHub, Discord, Apple sign-in | Available |
| WebAuthn / FIDO2 | Hardware security key and biometric authentication | Available |
| Session Management | JWT tokens with 1-hour expiry, refresh token rotation | Active |
| Rate Limiting | Brute-force protection on all auth endpoints | Active |
NOTE
We recommend WebAuthn (hardware security keys) or wallet-based authentication for maximum security. These methods are phishing-resistant and don't rely on passwords.
| Aspect | Details |
|---|---|
| Audit Status | Core contracts audited by independent security firms |
| Bug Bounty | Active bug bounty program for responsible disclosure |
| Open Source | Contract source code publicly verifiable on-chain |
| Upgrade Mechanism | Timelocked upgrades with community review period |
| Emergency Controls | Circuit breakers for critical vulnerabilities only |
COD3X collects minimal data necessary for platform operation. Your trading data is yours.
| Data Type | Collected | Purpose | Retention |
|---|---|---|---|
| Email/Auth | Yes | Account access and notifications | Until account deletion |
| Trade History | Yes | Analytics, Arena verification | Until account deletion |
| Private Keys | Never | N/A — keys stay on your device | N/A |
| IP Address | Temporarily | Rate limiting and abuse prevention | 30 days |
| Usage Analytics | Anonymized | Product improvement | Aggregated, no PII |
NOTE
You can request full data export or account deletion at any time via Settings. GDPR and CCPA compliance is maintained for all user data.
| Component | Protection |
|---|---|
| API Servers | TLS 1.3, DDoS protection, WAF |
| Database | Encrypted at rest (AES-256), encrypted in transit |
| Redis/Cache | VPC-isolated, no public access |
| WebSocket | Authenticated connections, rate limited |
| Monitoring | 24/7 anomaly detection, automated alerts |