$YLDX Seed round is live · +10% bonus · listing Q4 2026 →
Security
Security model

Security model

Security is the foundation of YLDX, not a feature. The core principle: no single actor — human or machine — can move treasury funds alone.

The execution boundary

YLDX separates thinking from moving money:

LayerCan it move funds?
AI Operator (yldx-operator)No. It scores, signals and prepares unsigned transactions/recommendations. It never holds keys.
Human operatorNo, not alone. It routes and executes, but cold-wallet movements require multisig authorization.
Multisig signers (6)Only together. 4-of-6 signatures + 24h time-lock authorize any cold-wallet movement.

This breaks the "lethal trifecta" of an autonomous system that can simultaneously read untrusted data, hold secrets and take irreversible actions. The agent reads the world and proposes; it cannot act on the treasury.

Custody

The cold treasury is 5 sector-based multisig vaults, each 4-of-6 behind a 24-hour time-lock, with 6 designated signers. Vaults are segregated by function so a problem in one sector cannot drain another. See Custody & multisig.

Key hygiene

  • Unique private key per wallet; never shared.
  • Material operating balances are bound to hardware signers (Ledger / Trezor) — no hot keys for significant capital.
  • Treasury/mainnet private keys are never transmitted through chat, code or any front-end.
  • Deployment keys are single-use and generated locally; they are never committed to a repository.

Routing controls

  • Whitelist routing. Funds can only be routed to approved addresses; anomalies are blocked.
  • L1→L4 path only. No sideways movement between unrelated wallets.
  • Time-lock window. The 24h delay on cold movements is a chance to catch and cancel any anomalous transaction before it executes.

Toolchain security

Every third-party skill is security-reviewed before use. Skills capable of holding wallets or executing transactions are kept outside the treasury contour — they may prepare unsigned calldata that a human signs, but they never sign or broadcast on the treasury's behalf.

Smart-contract assurance

Contracts are reviewed against a DeFi/AMM security checklist (reentrancy, CEI ordering, donation/inflation attacks, oracle manipulation, slippage, admin controls, integer math) before testnet and mainnet. See Audits & assurance.

Defense in depth, summarized

  1. Agent cannot hold keys or move funds.
  2. No single operator or signer can move funds.
  3. Cold custody, segregated by sector, behind a time-lock.
  4. Whitelist routing and L1→L4 discipline.
  5. Hardware signers and strict key hygiene.
  6. Reviewed contracts and a reviewed toolchain.
Market signalsAudits & assurance