SettleMint
Security

Security overview

DALP security separates identity, access, wallet verification, on-chain compliance, and custody controls so reviewers can see which gate owns each asset-operation decision.

DALP protects digital asset operations through layered controls. A browser session or API credential can start a request, but the platform still verifies permissions, wallet confirmation when required, on-chain compliance rules, and signer or custody policy before submitting a transaction to an EVM network.

Use this overview to map each control before you read the detailed pages.

One rule governs the platform's security model: login is not enough to move assets. To complete an asset operation, a request must pass the platform checks for the caller and the per-operation checks, plus the EVM contract checks for the current token state. Use this page to understand where the platform stops a bad request and where that responsibility shifts to the EVM contract.

System context

Rendering diagram...

Security model

Each layer owns a separate control decision. Keeping those decisions separate prevents the system from treating any single gate, such as login, a role assignment, or a wallet challenge, as a complete approval on its own.

Rendering diagram...

The diagram shows the normal path. A request can stop at any layer before any asset state changes on chain: the caller can fail authentication, lack the right role, miss wallet verification, fail a compliance rule, or be blocked by signer or custody policy.

Control areaDALP checkControl ownerWhat changes when it passesOut of scope for this section
IdentityAuthentication through session, API key, SSO, or passkey-backed flowConsole and Platform APIDALP knows which organisation, user, or API credential made the requestThe customer's identity-provider policy and staff lifecycle
AccessRole-based and resource-level authorizationPlatform API middlewareThe request can continue for the specific organisation, resource, and operationCustomer role design, approval policy, and segregation-of-duties model
Operator confirmationWallet verification through PIN, TOTP, or backup codesPlatform API before browser-session blockchain writesA browser-session write has fresh operator confirmationLost-wallet recovery and customer endpoint protection
Asset-rule complianceIdentity claims and compliance modulesSMART Protocol contractsA standard token operation satisfies configured holder and asset rulesLegal advice, off-platform KYC operations, and non-EVM enforcement
Signing approvalCustody-provider policy and MPC or signer backendKey Management and custody providersThe prepared transaction can be signed by the configured signing pathCustody-provider SLA, quorum governance, and customer key ceremonies
Deployment evidenceAddress records, bytecode checks, wiring checks, and indexed eventsContract deployment and indexing surfacesReviewers can compare deployed addresses, code, and indexed activityCustomer DR targets, external SIEM retention, and unrelated chain data

The layers are independent. A request can be authenticated and still fail authorization. An authorized request can still require wallet verification. A verified request can still fail on-chain compliance or custody-provider policy. If an operator or holder loses access to a registered wallet, use the identity recovery workflow rather than editing the registered wallet binding directly.

Request path

The same checks run whether you use the Console or the Platform API:

  1. The caller signs in or presents an API credential.
  2. The API checks the caller's permission for the organisation, resource, and operation.
  3. Browser-session blockchain writes enter the execution path with a wallet-verification payload for the Platform API to validate. API-key write requests follow the API-key authorization path and omit that payload.
  4. After authorization and any required wallet verification pass, execution services prepare the transaction and run the SMART Protocol compliance pre-check for standard token operations.
  5. Transactions that pass the pre-check route signing through the configured signer or custody provider. The SMART Protocol enforces identity and compliance modules again when the transaction changes asset state on chain.
  6. Indexing and audit surfaces record the resulting transaction and state for later review.

This means the browser and API are entry points, not the whole security perimeter.

Tokenization control responsibilities

For tokenized assets, DALP separates platform controls from EVM contract enforcement. Platform controls decide who can request an operation and whether that request carries the required operator confirmation and signing approval. Contract controls decide whether the submitted transaction can change token state on chain.

Rendering diagram...
Control areaEnforced byExamplesIf the platform layer is unavailable
Sensitive user and organisation dataConsole, Platform API, and customer identity systemsSessions, API credentials, SSO, passkeys, roles, and resource checksNew console or API requests cannot be approved through DALP until the platform path is available again. Existing on-chain token state is not weakened by the platform outage.
Operator confirmationPlatform API before browser-session blockchain writesWallet PIN, TOTP, or backup-code verificationBrowser-session writes that need fresh wallet verification cannot proceed through DALP until verification is available.
Privileged platform operationPlatform API and execution servicesToken deployment requests, mint requests, burn requests, compliance configuration requests, and role-management requestsDALP does not create new platform-originated signed transactions while the required authorization, validation, or execution path is unavailable.
Signing approvalConfigured signer or custody providerMPC signing, custody-provider policy, and provider-side approval before transaction submissionTransactions that have not been signed cannot be submitted through that signing path until the signer or custody provider is available and approves the request.
Token state changeEVM contractsAccess-manager roles, identity registry checks, compliance modules, supply mint and burn roles, freeze functions, and pause controlsContract rules continue to apply on chain. A transaction that reaches the chain still needs the required contract role, and standard token operations must satisfy the identity, compliance, freeze, and pause checks that apply to that operation.
Evidence and reviewChain indexer and audit viewsTransaction hashes, deployed addresses, indexed events, and current role or compliance stateChain state remains the source of truth. Review surfaces may lag until indexing catches up, so operators should compare against the configured EVM network for time-critical verification.

The key control handoff is the last EVM state change. DALP services can stop a bad request before signing or submission. After submission, the contract decides whether the operation has the required role and token-state conditions to mutate asset state on chain.

Smart contract vulnerability controls

DALP uses Solidity 0.8.x arithmetic checks, role-gated privileged operations, and path-specific reentrancy controls. External-call entrypoints that own a payout or settlement call use OpenZeppelin ReentrancyGuard where that guard applies. Treasury-funded redemption and yield payout paths update accounting before the ERC20 payout. Reviewers should verify each deployed external-call path against its guard coverage, checks-effects-interactions ordering, audit pack, role assignments, and scanner outputs.

This section uses a table rather than a diagram so each control can be matched to deployment evidence without implying identical treatment across all payout paths.

Vulnerability classDALP controlWhat reviewers should verify in an evidence pack
ReentrancyToken operations run through ordered checks and revert if a required identity, compliance, freeze, pause, or role condition fails. Guarded token payout and settlement entrypoints use OpenZeppelin ReentrancyGuard where the contract owns the external call. Treasury-funded redemption and yield payouts update accounting before the ERC20 payout.Confirm which deployed functions make external calls, then verify ReentrancyGuard coverage or checks-effects-interactions evidence for each path. Include rejected-call review for unauthorized or invalid paths, plus audit findings, remediation notes, and retest evidence.
Integer overflow and underflowDALP contracts use Solidity 0.8.x arithmetic, where overflow and underflow revert by default. Accepted unchecked arithmetic is limited to reviewed exceptions such as bounded loops or invariants that prove the subtraction cannot underflow.Confirm the Solidity compiler version, review accepted unchecked-arithmetic exceptions, and match each invariant to the deployed contract scope. Include scanner output and audit evidence for any accepted exception.
Access controlPrivileged token operations are role-gated. Examples include supply management for mint and burn, custodian authority for freezes and forced transfers, emergency authority for pause and recovery, and governance authority for identity, compliance, metadata, and feature configuration.Confirm role assignments, signer or custody policy, negative tests or rejected-call review for missing roles, and CI/CD static-analysis evidence for missing-access-control findings before deployment, including Slither and MythX output when those scans are part of the evidence pack. Include audit findings, remediation notes, and retest evidence.

The contract layer is the final enforcement point for token state. Authentication, authorization, and wallet verification can stop a request before submission. Signer policy can stop it during signing. A submitted transaction still needs the required contract role and token-state conditions to mutate assets on chain.

Use this page for the control model. Use source verification and deployment auditability for address, bytecode, audit, remediation, retest, and deployed-scope evidence.

Reader paths

Reader pathStart withContinue with
Product and buyerIdentity and compliance for the asset eligibility modelClaims and identity and compliance and custody split for control responsibilities
OperatorAuthentication for sign-in, sessions, SSO, passkeys, and API keysAuthorization, Wallet verification, Recover user identity, and Identity recovery API for roles, confirmation checks, lost-wallet recovery, and API-led recovery status
Security reviewerPublic chain privacy for public EVM visibility and off-chain dataSigning flow, source verification and deployment auditability, and Custody providers for transaction and deployment evidence
Procurement reviewerVendor governance responsibility model for DORA, outsourcing, and third-party risk responsibility splitsDeployment topology, High availability, and Operational integration patterns for deployment, recovery, and provider evidence
Integration reviewerFrom external mint instruction to on-chain transactionStablecoin control responsibilities, Compliance modules, and Bridge and cross-chain security for asset-rule responsibilities and EVM-only scope

Secure authentication with passwordless passkey support

Responsibility model

Three control layers define where responsibility changes between callers, DALP services, and blockchain execution:

  1. Platform controls: external users and systems enter DALP through the Console or Platform API. Authentication, API credentials, and rate limits apply here. Customers own their identity-provider configuration, staff lifecycle, endpoint security, and API-key handling.
  2. Execution services: validated API requests move into backend services. Authorization, request validation, durable execution, browser-session wallet verification, and signer routing apply here. Customers own the approval model that decides who receives each role.
  3. Chain execution: prepared transactions reach the EVM network. SMART Protocol compliance rules and custody-provider policy decide whether a transaction can change on-chain state. Custody providers and network operators own their external approval policy, availability, and final transaction inclusion.

Use the page map to find the detailed behaviour of each control that applies to your integration.

See also

On this page