Self-custody wallet

Auth0

Auth0 is our authentication and authorization provider. It has a strong track record in auth services and security, and it also provides us with features like auth actions, advanced user management, and social provider login.

Auth0 was chosen over a Web3 Auth provider specifically for the fully-featured user management. This allows us to manage user accounts, update user metadata, and send recovery communications to users for password recovery/reset and lost access to social accounts.

Web3Auth

Web3Auth is our Externally Owned Account (EOA) wallet provider. We leverage a “custom provider” via Auth0 to generate Web3Auth wallet accounts for our users using their Auth0 token and identifier.

This means that a user’s Web3Auth wallet is only ever interacted with when logging into Mainline Alpha.

On sign up, a new Web3Auth EOA wallet will be generated for a user. On every subsequent login, that user’s credentials will be linked to that wallet.

ZeroDev

ZeroDev is a smart wallet platform powered by Account Abstraction (ERC-4337). A smart wallet is an EVM smart contract wallet which allows us to make programmatic transactions for our users without the need for a wallet’s private key.

How it works: When a user signs up to Mainline ALPHA and a Web3Auth EOA wallet is generated for the user, that wallet is then used to generate a smart (contract) wallet for the user. This smart wallet’s public address is what gets displayed on the Wallet page to deposit funds to and withdraw funds from.

Under the hood, the smart wallet contains policies that define scopes and permissions for its use, increasing security and locking down programmatic functions to only that which is explicitly stated.

When the smart wallet is generated, we additionally generate something called a session key which allows our platform to perform user transactions (those specified and approved in the call policies), allowing our users to “set it and forget it”. This means users are not prompted via a modal or dialog window every time an operation needs to be executed.

Our backend infrastructure is able to reconstruct this session key via ZeroDev for use with automated workflows and programmatic trading.

As an additional security measure, both our user (via our Mainline ALPHA UI) and our platform are able to revoke this session key. In practice, this means a user will be able to manage their session key on the Settings page, revoking Mainline Intel’s access to it if needed.

On our end, this means we could programmatically revoke our access to the user’s wallet in the case of a security incident. This would protect user funds if our infrastructure was compromised.

Furthermore, it is straightforward to generate a new session key in the future, but it would need to be generated by the user within the Settings page, since it is their Web3Auth wallet that is responsible for controlling their smart wallet.

We will only ever:

  • reconstruct the user’s session key via integration with ZeroDev

  • revoke our own access from the smart wallet.
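
The scoping and revocation behaviour described above can be modelled off-chain as a deny-by-default check. This is an added example, not Mainline Intel's or ZeroDev's code and not the ZeroDev SDK; the class, field names, result strings, addresses and the trade selector are assumptions constructed for illustration.

```javascript
// Conceptual model only: not the ZeroDev SDK and not the on-chain validator.
// Class, field and result names are hypothetical; addresses are constructed.
const OWNER = "0x" + "a1".repeat(20);    // user's Web3Auth EOA (constructed)
const PLATFORM = "0x" + "b2".repeat(20); // backend session-key holder (constructed)
const ROUTER = "0x" + "c3".repeat(20);   // contract the call policy allows (constructed)
const TOKEN = "0x" + "d4".repeat(20);    // some ERC-20 token (constructed)
const TRADE = "0xaabbccdd";              // constructed 4-byte selector for a trade call
const ERC20_TRANSFER = "0xa9059cbb";     // selector of transfer(address,uint256)

class SessionKey {
  constructor(owner, platform, policies) {
    this.revokers = [owner, platform].map((a) => a.toLowerCase());
    this.policies = policies.map((p) => ({
      target: p.target.toLowerCase(),
      selector: p.selector.toLowerCase(),
      maxValue: BigInt(p.maxValue ?? 0), // native value cap, zero unless stated
    }));
    this.revoked = false;
  }
  // Only the wallet owner or the platform itself may revoke the key.
  revoke(caller) {
    if (!this.revokers.includes(String(caller).toLowerCase())) return false;
    return (this.revoked = true);
  }
  // Deny by default: a call passes only when an explicit policy matches it.
  authorize({ to, data = "0x", value = 0 }) {
    if (this.revoked) return "revoked";
    const d = data.toLowerCase();
    // Calldata shorter than 0x + 4 bytes carries no selector (plain value send).
    if (!/^0x[0-9a-f]{8}/.test(d)) return "no-selector";
    const hit = this.policies.find(
      (p) => p.target === to.toLowerCase() && p.selector === d.slice(0, 10));
    if (!hit) return "out-of-scope";
    return BigInt(value) > hit.maxValue ? "value-cap" : "allowed";
  }
}

function demo() {
  const key = new SessionKey(OWNER, PLATFORM, [{ target: ROUTER, selector: TRADE }]);
  const before = [
    key.authorize({ to: ROUTER, data: TRADE + "00".repeat(32) }),         // in scope
    key.authorize({ to: TOKEN, data: ERC20_TRANSFER + "00".repeat(64) }), // not in policy
    key.authorize({ to: OWNER, value: 1n }),                              // plain value send
  ];
  const strangerRevoked = key.revoke("0x" + "ee".repeat(20)); // ignored
  key.revoke(PLATFORM); // platform drops its own access
  return { before, strangerRevoked, after: key.authorize({ to: ROUTER, data: TRADE }) };
}
console.log(demo());
```
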


Copyright © 2024 Mainline Intel, Inc