Key Features & Capabilities
Full Signing Authority
No single party, Carabaas included, can independently access, move, or encumber your assets. Under the 2-of-2 MPC threshold each cosigner holds only a key share; both shares must take part in every signature, and a complete private key is never assembled anywhere, not even transiently in memory. Signing authority rests entirely with you.
60+ Blockchain Networks
Bitcoin, Ethereum, Solana, Cosmos, and 60+ networks with native coin and token support. Universal EVM addresses (@eth-like) work across all EVM-compatible chains from a single address. New networks are added without infrastructure changes.
See Supported Networks for the full list.
Role-Based Access Control
Granular permissions at both organization and vault levels. Separate roles for administrators, operators, approvers, signers, and viewers — with architecturally enforced separation of duties: initiators cannot approve their own transactions. This is a platform invariant, not a configurable setting.
| Organization Roles | Vault Roles |
|---|---|
| OrgAdmin | VaultAdmin |
| SecurityOfficer | Treasurer |
| User | Operator, Approver, Signer, Viewer |
See Data Model for full role definitions.
Vault Quorum Policies
Each vault can be configured with its own quorum-based approval policy — M-of-N approvals required before any transaction proceeds to MPC signing.
How Quorum Works
Key Properties
- Cryptographic signatures — every approval is a digital signature (RSA-PSS or Web3 signature) over the locked transaction payload, so an approval cannot be forged, reused for a different transaction, or repudiated
- Multiple approval groups — different groups (e.g., "Compliance", "Treasury") can have independent consensus requirements within the same vault
- Human and automated approvers — supports both manual approval (UI or signed API call) and programmatic approval via API-authenticated clients
- Two-phase quorum updates — changes to an existing quorum must themselves be approved by the current quorum; an attacker cannot weaken a policy without controlling enough of the existing approvers' keys to satisfy it
- Independent cosigner verification — both cosigners independently verify all approval signatures before participating in signing; a compromised platform cannot bypass quorum
Typical Quorum Configurations
| Vault Type | Quorum | Rationale |
|---|---|---|
| Hot / Operations | 1-of-2 | Speed; automated approver + manual fallback |
| Customer Funds | 2-of-3 | Compliance + Operations + Finance |
| Treasury / Reserves | 3-of-5 | CEO + CFO + COO + CTO + CISO |
| Cold Storage | 3-of-5 | Maximum security; infrequent access |
Approval Workflow
Every transaction follows a structured approval lifecycle with full audit trail:
- Operator creates a transaction — parameters are locked and immutable once submitted
- Approvers are notified — via webhook or dashboard
- Each approver reviews and signs — cryptographic signature over the transaction payload
- Quorum threshold is met — the required M-of-N approvals are collected
- Master approval binds the order — connects the approved order to the actual blockchain transaction, preventing substitution
- Both cosigners verify independently — each cosigner checks all approvals before contributing its partial signature
- Transaction is signed and broadcast
During approval, each approver sees:
- Full transaction details (destination, amount, network, asset)
- Whether the destination address is in the address book
- Who has already verified this address
- Whether the address belongs to an internal vault
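The check a cosigner performs before contributing its partial signature, written out as an added example in Go. This is illustration, not Carabaas code: it verifies each RSA-PSS approval against the locked payload, refuses the initiator's own approval (the separation-of-duties invariant), counts each approver once, and requires every named group to reach its own threshold. The transaction fields, the JSON canonicalisation, the group layout and the rule that all groups must be satisfied are assumptions made for the example; Web3-style approvals are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transaction is the payload locked at submission; fixed field order fixes the JSON bytes every verifier hashes.
// Field set is an assumption for the example.
type Transaction struct {
	Asset       string `json:"asset"`
	Amount      string `json:"amount"`
	Destination string `json:"destination"`
	Initiator   string `json:"initiator"`
}

// Group is one approval group with its own M-of-N threshold over Members.
type Group struct {
	Name      string
	Members   []string
	Threshold int
}

// Approval is one approver's RSA-PSS signature over the transaction digest.
type Approval struct {
	Approver  string
	Signature []byte
}

type KeyRing map[string]*rsa.PublicKey // verifier-side view: names mapped to public keys only

type Result struct {
	QuorumMet bool
	Counted   []string
	Rejected  map[string]string
}

var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// GenKey makes an approver key pair; the private half never leaves the approver.
func GenKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func digest(tx Transaction) []byte {
	b, _ := json.Marshal(tx) // cannot fail for a struct of plain strings
	sum := sha256.Sum256(b)
	return sum[:]
}

// Approve produces one approver's RSA-PSS signature over the locked payload.
func Approve(name string, key *rsa.PrivateKey, tx Transaction) (Approval, error) {
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest(tx), pssOpts)
	return Approval{Approver: name, Signature: sig}, err
}

// Evaluate replays what each cosigner does before contributing its partial signature:
// verify every approval against the locked payload, drop the initiator's own approval,
// count each approver once, then require every group's threshold to be met independently.
func Evaluate(tx Transaction, approvals []Approval, groups []Group, keys KeyRing) Result {
	res := Result{Rejected: map[string]string{}}
	d, seen := digest(tx), map[string]bool{}
	for _, a := range approvals {
		switch {
		case a.Approver == tx.Initiator:
			res.Rejected[a.Approver] = "initiator cannot approve own transaction"
		case keys[a.Approver] == nil:
			res.Rejected[a.Approver] = "unknown approver"
		case rsa.VerifyPSS(keys[a.Approver], crypto.SHA256, d, a.Signature, pssOpts) != nil:
			res.Rejected[a.Approver] = "signature does not verify over locked payload"
		case seen[a.Approver]:
			res.Rejected[a.Approver] = "duplicate approval"
		default:
			seen[a.Approver] = true
			res.Counted = append(res.Counted, a.Approver)
		}
	}
	res.QuorumMet = true
	for _, g := range groups {
		n := 0
		for _, m := range g.Members {
			if seen[m] {
				n++
			}
		}
		res.QuorumMet = res.QuorumMet && n >= g.Threshold
	}
	return res
}

func main() {
	alice, bob := GenKey(), GenKey()
	tx := Transaction{Asset: "ETH", Amount: "12.5", Destination: "0x1111", Initiator: "bob"}
	groups := []Group{{"Compliance", []string{"alice"}, 1}, {"Treasury", []string{"bob"}, 1}}
	a1, _ := Approve("alice", alice, tx)
	a2, _ := Approve("bob", bob, tx) // valid signature, but bob initiated the order
	fmt.Printf("%+v\n", Evaluate(tx, []Approval{a1, a2}, groups, KeyRing{"alice": &alice.PublicKey, "bob": &bob.PublicKey}))
}
```

Run as written, the order initiated by bob is approved by alice and bob: alice counts, bob is rejected as the initiator even though his signature is valid, the Treasury group is unmet, and nothing proceeds to signing. Changing any payload field after approval invalidates every signature, which is what "locked and immutable once submitted" buys you; a second approval from the same approver is also rejected, so a 2-of-N threshold cannot be met by one key.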
Address Book
A managed registry of destination addresses with cryptographic verification — reducing withdrawal errors and improving transparency during approval.
Organization and Vault Scoping
Addresses can be stored at two levels:
| Level | Scope | Managed By |
|---|---|---|
| Organization | Available across all vaults | OrgAdmin |
| Vault | Scoped to a specific vault | OrgAdmin, VaultAdmin |
Address Verification
Addresses in the address book undergo a review process within each vault:
- Approvers manually verify that an address is correct and corresponds to the intended recipient
- Verification is confirmed with a cryptographic Web3 signature — proof that a specific person reviewed the address
- Signatures can be revoked if an address is no longer trusted
- Verification is performed per vault — even if an address is added at the organization level, each vault's approvers independently review and confirm it
Internal Address Book
A separate internal address book displays all vault addresses within the organization:
- Enables secure internal transfers without manual address entry
- Only addresses the user has permission to view are shown
- Reduces risk of copy-paste errors for vault-to-vault transfers
Destination Controls
Beyond the address book, vaults support configurable destination restrictions:
| Control | Effect |
|---|---|
| Address whitelisting | Withdrawals restricted to pre-approved addresses only |
| Vault-to-vault only | Outbound transfers allowed only to another designated vault |
| External withdrawal deny | All transfers to external addresses blocked |
These controls are enforced at the platform level, independently of the approval workflow. A transaction to a non-whitelisted address is rejected before it enters the approval queue.
Import & Export
Address books can be imported and exported (JSON/CSV) at both organization and vault levels — supporting bulk onboarding, migration, and audit.
Real-Time Webhooks
Three dedicated event streams ensure you never miss a state change:
| Stream | Events |
|---|---|
| Outgoing | Transaction lifecycle: pending, approved, signed, submitted, mined, cancelled |
| Incoming | Deposit confirmations with balance changes |
| Blockchain | All chain activity affecting vault addresses |
Confirmation thresholds are configurable per network, so a deposit is reported as confirmed only after the number of blocks you treat as final on that chain. Missed notifications can be replayed, so a consumer that was unavailable does not lose events.
Balance Tracking & Reporting
Real-time balance tracking at vault, account, and address levels. Historical balance statements for any date range. Accounting transactions with detailed balance change breakdowns for reconciliation and compliance reporting.
Comprehensive API
Full REST API for all platform operations: vaults, accounts, addresses, transactions, approvals, webhooks, and reporting. API calls are authenticated with self-signed JWTs: you sign each token with a private key that stays in your own infrastructure, and the platform needs only the corresponding public key to verify it, so no API signing secret is ever shared with Carabaas.
Interactive API explorer available via Swagger UI.
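What self-signed JWT authentication looks like on both sides, as an added example in Go using only the standard library; this is not the platform's own client or server code. The client mints an RS256 token with a private key that never leaves its infrastructure, and the verifier needs nothing but the public key. The claim names (iss, sub, aud, iat, exp), the audience value, the five-minute lifetime and the 30-second clock-skew allowance are assumptions for the example; consult the API reference for the claims the platform actually requires.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are illustrative; the claim names the platform requires are not given on this page.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// NewClientKey generates the client's key pair; only the public half is ever registered with the API.
func NewClientKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// Mint builds and signs an RS256 JWT with the caller's private key.
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sum := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the server-side check: it needs only the public key, pins the algorithm to
// RS256 before touching the signature (no "none" or HS256 downgrade), checks the
// signature before trusting any claim, then enforces audience and validity window.
func Verify(pub *rsa.PublicKey, token, audience string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return c, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	const skew = 30 * time.Second // assumed tolerance for clock drift between client and server
	switch {
	case c.Audience != audience:
		return c, errors.New("wrong audience")
	case now.After(time.Unix(c.ExpiresAt, 0).Add(skew)):
		return c, errors.New("token expired")
	case now.Before(time.Unix(c.IssuedAt, 0).Add(-skew)):
		return c, errors.New("token issued in the future")
	}
	return c, nil
}

func main() {
	priv := NewClientKey() // lives in your infrastructure, never sent to the API
	now := time.Now()
	tok, _ := Mint(priv, Claims{Issuer: "your-org", Subject: "api-client-1", Audience: "carabaas-api",
		IssuedAt: now.Unix(), ExpiresAt: now.Add(5 * time.Minute).Unix()})
	c, err := Verify(&priv.PublicKey, tok, "carabaas-api", now)
	fmt.Println(c.Subject, err)
}
```

The order of checks in Verify is the security-relevant part: the algorithm is pinned from a fixed string comparison, the signature is verified before any claim is read, and audience and expiry are enforced afterwards, so a token minted for another service or with a swapped header is rejected before its claims can influence anything. Short lifetimes keep a leaked token useful only briefly, because the key it was signed with is never in the request.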
Secure Execution Environment
Production cosigners run inside AWS Nitro Enclaves: hardware-isolated VMs with no persistent storage, no network access, and no interactive access. The only channel in or out of an enclave is a local vsock socket to its parent instance, and the host application on that side is a message relay only; it never sees key material.
See Security Model for the full security architecture.
Seal / Unseal Lifecycle
Cosigners are sealed by default and stay inert until any two of three designated unsealers explicitly unseal them. Every restart, reboot, or upgrade returns the cosigner to the sealed state, so an unseal never carries over into a new process or a new build. Infrastructure operators cannot unseal a cosigner or access its cryptographic material.
Independence & Recovery
Two independent recovery mechanisms ensure you are never locked in:
- Per-vault recovery — export a specific vault's MPC share with a 24-hour security delay
- Full seed backup — encrypted backup held by your designated escrow; recoverable without Carabaas cooperation
Recovery is a cryptographic mechanism, not a contractual promise.
Complete Audit Trail
All custody operations are recorded as structured JSON logs — transaction lifecycle, access control changes, signing operations, and API calls. Sensitive data is never included in log output. Configurable retention up to 10 years.