Security overview

Built Secure from the Ground Up

Every layer of ALIAS is designed with security as the foundation. From encrypted card storage to zero-knowledge proofs, here is how we keep you and your funds safe.

Security Architecture

Six core security properties enforced across the entire stack.

Card Encryption

All card data encrypted at rest using AES-256-GCM. Card numbers, CVVs, and expiry dates are never stored in plaintext.

Session Security

Session JWTs are stored in HTTP-only cookies. No sensitive data in localStorage. Automatic session expiry enforced server-side.

Wallet Verification

Every authenticated request requires a valid wallet signature. Your wallet is your identity — no passwords, no accounts.

Zero-Knowledge Proofs

The privacy pool uses Poseidon commitments and SHA-256 binding proofs. Deposits and withdrawals are cryptographically unlinkable.

Rate Limiting

Endpoint-level rate limits protect against abuse. Deposits: 5/hour; withdrawals: 10/hour; split deposits: 3/hour.
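An added example (not ALIAS's code) of how endpoint-level limits like the ones above can be enforced: a sliding-window-log limiter keyed by endpoint and wallet, configured with the three stated limits. The algorithm choice, the endpoint names and the in-memory store are assumptions; a multi-instance deployment would keep the counters in a shared store such as Redis.

```javascript
// Added example (not ALIAS code): per-wallet, per-endpoint sliding-window
// rate limiting with the limits stated on the page.
const HOUR_MS = 60 * 60 * 1000;
const LIMITS = {               // endpoint names are assumptions
  deposit:      { max: 5,  windowMs: HOUR_MS },
  withdraw:     { max: 10, windowMs: HOUR_MS },
  splitDeposit: { max: 3,  windowMs: HOUR_MS },
};

class RateLimiter {
  constructor(limits) {
    this.limits = limits;
    this.log = new Map(); // "endpoint:wallet" -> array of accepted timestamps (ms)
  }

  // Returns { allowed, remaining, retryAfterMs }. Denied calls are not
  // recorded, so a client hammering the endpoint cannot extend its own lockout.
  check(endpoint, wallet, nowMs) {
    const limit = this.limits[endpoint];
    if (!limit) throw new Error(`no rate limit configured for ${endpoint}`); // fail closed
    const key = `${endpoint}:${wallet}`;
    // Drop timestamps that have fallen out of the window.
    const recent = (this.log.get(key) || []).filter((t) => nowMs - t < limit.windowMs);
    if (recent.length >= limit.max) {
      this.log.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + limit.windowMs - nowMs };
    }
    recent.push(nowMs);
    this.log.set(key, recent);
    return { allowed: true, remaining: limit.max - recent.length, retryAfterMs: 0 };
  }
}

// One wallet's hour: five deposits pass, the sixth is refused until the oldest
// leaves the window; withdrawals are counted independently of deposits.
function simulateDeposits() {
  const rl = new RateLimiter(LIMITS);
  const wallet = 'WalletAddressPlaceholder'; // constructed
  const t0 = 1_700_000_000_000;
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(rl.check('deposit', wallet, t0 + i * 60_000).allowed);
  }
  const sixth = rl.check('deposit', wallet, t0 + 5 * 60_000);
  const withdrawalStillOk = rl.check('withdraw', wallet, t0 + 5 * 60_000).allowed;
  const afterWindow = rl.check('deposit', wallet, t0 + HOUR_MS).allowed; // t0 deposit has aged out
  return { results, retryAfterMs: sixth.retryAfterMs, withdrawalStillOk, afterWindow };
}
```

Returning `retryAfterMs` lets the HTTP layer emit a `Retry-After` header with a 429 rather than a bare refusal, and keying on the wallet address rather than the client IP matches an authentication model where the wallet is the identity.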

Minimal Data

No KYC. No names, emails, or phone numbers collected. Only wallet addresses and transaction data are stored.

Our Security Commitments

These are the non-negotiable properties that govern every decision we make when building the ALIAS protocol.

  • No KYC or identity collection
  • Cryptographic authentication via wallet signature
  • AES-256-GCM encryption for all card data
  • HTTP-only cookies — no localStorage tokens
  • ZK-proof based privacy with on-chain nullifier tracking
  • Open source protocol code for public review

Privacy Protocol

Step 1

Amount Splitting

Your deposit is split into 2–4 randomized parts. Each part is independently processed to obscure the total amount from on-chain observers.

Step 2

DEX Routing

Each part is swapped USDC→SOL→USDC via Jupiter V6. This breaks the on-chain link between the sender address and the deposited token account.

Step 3

ZK Commitment

A Poseidon commitment is written on-chain. Withdrawal requires a SHA-256 binding proof. The nullifier prevents double-spend while revealing nothing about the depositor.

Open Source

ALIAS is committed to transparency. Our protocol code is open source and available for review. Anyone can audit the smart contracts, the commitment scheme, and the relayer logic.


Responsible Disclosure

Security is a collaborative effort. If you discover a vulnerability in the ALIAS protocol, smart contracts, or web application, we ask that you report it to us privately before disclosing it publicly. This gives us the opportunity to investigate and remediate the issue without putting users at risk.

Please send a detailed report to security@alias.cards. Include a description of the vulnerability, steps to reproduce, and the potential impact. We will acknowledge your report within 48 hours and keep you informed of our progress.