Crypto · Regulated currency exchange licence · 2024

A Solana-based crypto exchange

Built quietly, audited, shipped under a regulated licence.

Client identity redacted under NDA.
Engagement: Technical partner. End-to-end delivery.
Year: 2024
Domains: Crypto custody · Regulated exchange · External audit · AWS KMS

Overview

A Solana trading product operating under a regulated currency exchange licence. From a chat interface a user could spin up a wallet, on-ramp fiat, get a quote, confirm a trade and see a fill. The surface looked like a chat. Underneath it was a licensed exchange holding real user funds on a public chain.

IO Corp was the technical partner on the build. We owned the engineering, the custody architecture and the security posture that took the product through external review.

Custody architecture

A licensed exchange that holds user funds on a public chain has one job that, done wrong, can ruin the company. The version we shipped to production had four properties.

Private keys are not in the database

An early version of the system stored the private key directly on the wallet record. Before going live, we removed that column entirely. The relational database holds the public address and metadata only. A database snapshot does not leak funds.

Encrypted at rest with KMS envelope encryption

Encrypted key material lives in object storage, wrapped with AWS KMS envelope encryption: KMS holds the master key, backed by HSM key material, and only ever wraps the per-wallet data keys. Decrypting a private key therefore requires a real KMS call, which is logged, auditable and IAM-gated.

Signing happens in an isolated function

The API that handles user conversations never touches plaintext private keys. When a trade needs to be signed, the API passes user and wallet identifiers to a separate function. That function is the only thing in the system that fetches encrypted material from storage, decrypts it via KMS, builds a keypair in memory, signs the transaction and returns the signed result. A compromise of the chat-side API cannot, on its own, move funds.

Last-mile guard on the response

The signing function checks its response payload before returning, scanning for anything that looks like a private key. If a future change ever accidentally bundles key material into a response, the function refuses to send it.
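As an added illustration of the last-mile guard (this is example code, not the engagement's own implementation): because the isolated signer already holds the secret bytes it just used, the guard can check the outgoing payload for those exact bytes in every common encoding rather than pattern-match on "key-shaped" strings, which avoids false positives on the 64-byte signatures a signer legitimately returns. The key value, response shape and JSON-path notation are constructed for the example.

```python
# Added example (not the engagement's own code): the signer already holds the
# secret bytes it used, so the guard refuses any reply carrying those bytes,
# or the 32-byte seed, in hex, base58, base64 or int-array form.
import base64
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 as used by Solana: leading zero bytes encode as '1'."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def encodings_of(secret_key: bytes) -> set[str]:
    """Text forms of the 64-byte secret key and of its 32-byte seed."""
    forms = set()
    for chunk in (secret_key, secret_key[:32]):
        forms |= {chunk.hex(), chunk.hex().upper(), b58encode(chunk),
                  base64.b64encode(chunk).decode()}
    return forms

def walk(node, path="$"):
    """Yield (json_path, value) for every node of a nested payload."""
    yield path, node
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")

def find_leaks(payload, secret_key: bytes) -> list[str]:
    """JSON paths whose value contains key material in any checked form."""
    forms = encodings_of(secret_key)
    raw = [list(secret_key), list(secret_key[:32])]
    return [p for p, v in walk(payload)
            if (isinstance(v, str) and any(f in v for f in forms))
            or (isinstance(v, list) and v in raw)]

def guard_response(payload: dict, secret_key: bytes) -> str:
    """Serialise the signer's reply, or refuse if any field leaks the key."""
    hits = find_leaks(payload, secret_key)
    if hits:
        raise ValueError(f"refusing to return key material at {hits}")
    return json.dumps(payload)
```

The check runs inside the signing function, after the transaction is signed and before anything crosses the boundary back to the chat-side API, so the plaintext key never has to leave the function for the guard to work.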

Audit

The platform was put through a formal third-party penetration test before launch. Findings were worked through, remediations were shipped, and the engagement was completed before the product went live to users.

The product is operated and licensed by its own team. IO Corp acted as the technical partner that designed and delivered the platform. The client name and product brand are withheld under a non-disclosure agreement.