Security Model
Kleidi's security model is built on the principle that time is a security primitive.
Core Insight
Traditional wallet security assumes you're always in full control. Kleidi protects you even when you're not.
The Threat Model
Kleidi is designed to protect against:
- Physical coercion ("$5 wrench attack")
- Key compromise (stolen/leaked private keys)
- Social engineering attacks
- Insider threats (compromised multisig signers)
Defense in Depth
Multiple overlapping security layers ensure no single point of failure:
1. Timelock Delay
All sensitive operations require waiting 1-30 days (configurable).
Why this matters: An attacker forcing you to sign a malicious transaction would need to maintain control over you for weeks. This is impractical and creates an opportunity for intervention.
2. Guard Contract
Prevents the Safe from removing its own security measures.
Enforces:
- Cannot disable guard
- Cannot rotate owners except through timelock
- Cannot add/remove modules except through timelock
- No delegate calls (prevents multicall exploits)
Attack Scenarios & Mitigations
Scenario 1: Compromised Cold Signers
Attack: Attacker steals cold signer keys and schedules malicious withdrawal.
Defenses:
- Timelock delay gives you time to detect the unauthorized proposal
- You can cancel the proposal before execution if you still have access to your keys
Result: Attack prevented if you detect and cancel the proposal in time.
Important: This is why secure key management and monitoring are critical. There is no recovery mechanism if keys are lost or stolen.
Scenario 2: Wrench Attack (Physical Coercion)
Attack: Attacker forces you to schedule fund transfer.
Defenses:
- Long delay (up to 30 days) means they must maintain control for weeks or months
- You can cancel the proposal once you're safe
- The extended delay makes the attack impractical for most attackers
Result: Attack impractical due to time requirement. The attacker would need to maintain control over you for the entire delay period without detection.
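To make the timelock window and the guard rules above concrete, here is an added illustrative model (not Kleidi's own contract code) of the behaviour the Guard Contract section and the two scenarios describe. Function and selector names, the proposal id and the timestamps are assumptions constructed for the example; the 1-30 day bounds come from the page.

```python
DAY = 86_400
MIN_DELAY, MAX_DELAY = 1 * DAY, 30 * DAY   # the page's configurable 1-30 day range

# Safe functions the guard only lets the timelock invoke (names assumed, per the page's rules).
TIMELOCK_ONLY = {"setGuard", "addOwner", "removeOwner", "swapOwner",
                 "enableModule", "disableModule"}

def valid_delay(seconds):
    return MIN_DELAY <= seconds <= MAX_DELAY

class Timelock:
    """Minimal model: a proposal is executable only after the delay; cancel removes it."""
    def __init__(self, delay_seconds):
        if not valid_delay(delay_seconds):
            raise ValueError("delay must be between 1 and 30 days")
        self.delay = delay_seconds
        self.pending = {}                      # proposal id -> unlock timestamp

    def schedule(self, proposal_id, now):
        # Any cold signer (including an attacker holding stolen keys) can schedule,
        # but nothing can execute before the unlock time.
        self.pending[proposal_id] = now + self.delay
        return self.pending[proposal_id]

    def cancel(self, proposal_id):
        # The defender's lever: a still-controlled key removes the proposal before unlock.
        self.pending.pop(proposal_id, None)

    def can_execute(self, proposal_id, now):
        unlock = self.pending.get(proposal_id)
        return unlock is not None and now >= unlock

def guard_allows(target, safe, selector, operation, caller, timelock):
    """Guard rules from the page: no delegatecall at all, and guard/owner/module
    changes on the Safe only when the timelock itself is the caller."""
    if operation == "delegatecall":
        return False
    if target == safe and selector in TIMELOCK_ONLY:
        return caller == timelock
    return True

def stolen_key_attack_blocked(delay_days, detection_days):
    """Scenario 1: an attacker schedules a withdrawal with stolen cold keys; the
    owner notices after detection_days and cancels. True if execution at unlock fails."""
    tl = Timelock(delay_days * DAY)
    t0 = 1_700_000_000                         # constructed start timestamp
    unlock = tl.schedule("withdraw-all", t0)
    if t0 + detection_days * DAY < unlock:     # detected inside the window: cancel
        tl.cancel("withdraw-all")
    return not tl.can_execute("withdraw-all", unlock)
```

The last function shows the page's core argument directly: with a 7-day delay, detection on day 2 defeats the attack, while detection after the unlock does not.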
Configuration Recommendations
Timelock Delay
Choose your timelock delay based on your security needs:
- Maximum security (21-30 days): best for high-value holdings where security is paramount
- Balanced security (7-14 days): a good balance of security and operational flexibility
- Minimum security (1-7 days): for testing or lower-value wallets
Important: Longer delays provide more time to detect and cancel unauthorized transactions, but reduce operational speed. Choose based on your threat model and the value you're protecting.
Trust Assumptions
What You Must Trust
- Your cold signing keys (you control these)
- The guard contract (immutable, audited)
- The timelock contract (immutable, audited)
- Block explorers (to monitor proposals)
What You Don't Need to Trust
- Third parties (fully self-custodial)
- Centralized services (all operations are on-chain)
Monitoring & Incident Response
Active Monitoring
Monitor your Safe address for:
- Scheduled proposals (especially unauthorized ones)
- Changes to modules
- Changes to owners
Set up alerts: Use block explorers or monitoring services to get notified of any activity on your Safe address.
If Compromised
- If you still have access to keys: Immediately cancel any malicious proposals
- If keys are lost or stolen: Contact exchanges and relevant parties to report the compromise
- Prevention is key: There is no recovery mechanism, so secure key management is critical
Limitations
Not Protected Against
- Poor operational security (insecure key storage)
- Lost or destroyed keys (no recovery mechanism)
- Smart contract bugs (mitigated by audits but not eliminated)
- Inability to access your keys during the delay period
Requires
- Understanding of the system and how timelocks work
- Excellent key management (backups, secure storage)
- Active monitoring of your wallet address
- Ability to access and use your keys to cancel malicious proposals
Summary
Kleidi's security model provides protection through:
- Time delays that make coercion attacks impractical
- Guard restrictions that prevent the timelock from being bypassed
Remember: Kleidi has no recovery mechanism. Secure key management, proper backups, and active monitoring are essential. The timelock protects you from being forced to immediately transfer funds, but you must maintain access to your keys to cancel unauthorized proposals.
No system is perfect, but Kleidi dramatically raises the bar for attackers by making coercion attacks impractical.