Security Architecture

Comprehensive security documentation for the Quantish trading platform and SDK.

Overview

Quantish provides secure, gasless trading infrastructure for Polymarket prediction markets. Our security model is built on multiple layers of defense, ensuring your assets and data remain protected.

Encryption at Rest

All sensitive data (keys, secrets) is encrypted using AES-256-GCM with random IVs.

Gasless Transactions

Transactions are signed in memory and relayed. Private keys are never exposed.

Audit & Logging

Comprehensive activity logging for all operations. Keys are NEVER logged.

Rate Limiting

Multi-tier rate limiting protects against abuse and DoS attacks.

Encryption Architecture

AES-256-GCM

We use AES-256-GCM (Galois/Counter Mode) for all sensitive data storage. This provides both confidentiality and integrity.

Algorithm: AES-256-GCM
Key Size:  256 bits (32 bytes)
IV:        128 bits - Random per encryption
Auth Tag:  128 bits - Tamper detection

Format: "v2:{iv}:{authTag}:{ciphertext}"

Key Hierarchy

  • Master Key: Environment variable (never in code), distinct per environment.
  • User Keys: Encrypted in database with Master Key.
  • Wallet Keys: Derived from User Keys.

Wallet Security

Safe Smart Account

Powered by Gnosis Safe

Each user is assigned a Gnosis Safe smart contract wallet. This offers superior security compared to standard EOAs.

1-of-1 Ownership

Only your EOA (Externally Owned Account) can authorize transactions.

No Backdoors

No modules or hidden owners. You have full control.

Gasless Trading

Polymarket relayers pay the gas fees. You only need USDC.

Rate Limiting & Protection

TierLimitPurpose
MCP Operations60 req/minPrevent trading abuse
General API100 req/15 minDDoS protection
Registration5 req/hourPrevent account spam

Audit & Reporting

Vulnerability Disclosure

Found a security issue?

Please DO NOT open public GitHub issues for security vulnerabilities.

Email us at security@quantish.live. We respond within 48 hours.

Activity Logging

We log:

  • Tool execution attempts & success status
  • Authentication failures
  • Wallet deployments
  • Order placements & transfers

We NEVER log:

  • Private keys or secrets
  • Decrypted credentials
  • Passwords