
Security First

At Matchr, security isn’t an afterthought—it’s foundational. We handle sensitive financial data and user funds, so we’ve built our infrastructure with security at every layer.
Non-Custodial by Design — We never have access to your funds. Your assets are held in your own Safe smart contract wallet.

Wallet Security

Safe Smart Contracts

Your trading wallet is a Safe (formerly Gnosis Safe), the most battle-tested smart contract wallet in crypto.

$100B+ Secured

Safe secures over $100 billion in digital assets across the ecosystem.

Audited

Multiple security audits by top firms including OpenZeppelin.

Proxy Architecture

Upgradeable contracts allow security patches without fund migration.

Self-Custody

Only you control your Safe. We cannot access your funds.

Your Keys, Your Coins

┌─────────────────────────────────────────┐
│           Your Connected Wallet          │
│    (MetaMask, Coinbase, Social Login)    │
│                   │                       │
│                   ▼                       │
│         Controls Your Safe               │
│                   │                       │
│                   ▼                       │
│          Your Trading Funds              │
│              (USDC)                      │
└─────────────────────────────────────────┘

Matchr only has permission to:
✓ Submit trades on your behalf
✓ View your balances and positions

Matchr cannot:
✗ Withdraw your funds
✗ Transfer to arbitrary addresses
✗ Change Safe ownership

Authentication

Privy Integration

We use Privy for secure authentication, supporting:
  • Social Login — Twitter, Discord, email with secure embedded wallets
  • External Wallets — MetaMask, Coinbase Wallet, Rainbow, WalletConnect

Session Security

  • JWT tokens with short expiration
  • Secure HTTP-only cookies
  • Automatic session invalidation on suspicious activity
  • Multi-device session management

Wallet Verification

Every action requiring authentication verifies wallet ownership:
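// Server-side verification
const { userId, wallet } = await privy.verifyAuthToken(token);
const isOwner = await verifyWalletOwnership(wallet.address, userId);
// Fail closed: reject the request unless ownership is confirmed
if (!isOwner) throw new Error('Wallet ownership verification failed');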

API Security

Authentication

All API requests require authentication via:
  1. API Keys — For server-to-server communication
  2. Bearer Tokens — For user-authenticated requests
# API Key authentication
curl -H "X-API-Key: your_api_key" https://api.matchr.xyz/v1/markets

# Bearer token authentication
curl -H "Authorization: Bearer your_token" https://api.matchr.xyz/v1/portfolio

Rate Limiting

Aggressive rate limiting prevents abuse:
| Endpoint Type | Rate Limit |
|---|---|
| Public | 100/min |
| Authenticated | 1,000/min |
| Agent | 10,000/min |
| Trading | 100/min per market |
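A sliding-window limiter that enforces the four tiers above, as an added example rather than Matchr's implementation. The limits come from the table; the class name, the bucket-key layout and the choice to scope the trading limit per caller and per market are assumptions.

```javascript
// Added example. Limits come from the table above; the class name, bucket-key
// layout and per-caller scoping of the trading limit are assumptions.
const WINDOW_MS = 60_000;
const LIMITS = Object.freeze({ public: 100, authenticated: 1000, agent: 10000, trading: 100 });

class SlidingWindowLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;        // injectable clock so the window can be tested
    this.hits = new Map(); // bucket key -> ascending request timestamps (ms)
  }

  // Trading is limited per market, so the market id is part of the bucket key.
  static bucketKey(tier, callerId, marketId) {
    if (!Object.hasOwn(LIMITS, tier)) throw new Error(`unknown tier: ${tier}`);
    if (tier !== 'trading') return JSON.stringify([tier, callerId]);
    if (!marketId) throw new Error('trading requests need a marketId');
    return JSON.stringify([tier, callerId, marketId]);
  }

  // Returns { allowed, remaining, retryAfterMs } and records allowed requests.
  check(tier, callerId, marketId) {
    const key = SlidingWindowLimiter.bucketKey(tier, callerId, marketId);
    const limit = LIMITS[tier];
    const t = this.now();
    const stamps = this.hits.get(key) ?? [];
    // Drop requests that have aged out of the 60-second window.
    while (stamps.length > 0 && stamps[0] <= t - WINDOW_MS) stamps.shift();
    this.hits.set(key, stamps);
    if (stamps.length >= limit) {
      // Denied requests are not recorded, so retrying cannot extend the block.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + WINDOW_MS - t };
    }
    stamps.push(t);
    return { allowed: true, remaining: limit - stamps.length, retryAfterMs: 0 };
  }
}
```

The `retryAfterMs` value maps directly onto a `Retry-After` header on a 429 response. State here is in-process only, so a multi-instance deployment would need a shared store to enforce the same limits.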

Input Validation

All inputs are validated and sanitized:
  • SQL injection prevention via parameterized queries
  • XSS prevention via output encoding
  • Request body size limits
  • Type validation on all parameters

Infrastructure Security

Architecture

┌─────────────────────────────────────────────────────────┐
│                    Cloudflare WAF                        │
│            DDoS Protection • Bot Detection               │
├─────────────────────────────────────────────────────────┤
│                     Load Balancer                        │
│              SSL Termination • Rate Limiting             │
├─────────────────────────────────────────────────────────┤
│                   Application Servers                    │
│         Next.js • Node.js • Isolated Containers          │
├─────────────────────────────────────────────────────────┤
│                     Database Layer                       │
│          Supabase (PostgreSQL) • Encrypted              │
├─────────────────────────────────────────────────────────┤
│                  Blockchain Networks                     │
│              Polygon RPC • Secure Signers                │
└─────────────────────────────────────────────────────────┘

Hosting & Network

  • Vercel — Enterprise-grade hosting with automatic scaling
  • Supabase — SOC2-compliant database hosting
  • Cloudflare — DDoS protection and WAF
  • VPC isolation — Backend services in private networks

Data Encryption

| Data Type | Encryption |
|---|---|
| In Transit | TLS 1.3 |
| At Rest | AES-256 |
| API Keys | Argon2 hashed |
| Secrets | Encrypted environment variables |

Smart Contract Security

Polymarket Integration

We integrate with Polymarket’s audited contracts:
  • CTF Exchange — Conditional token framework
  • CLOB — Central limit order book
  • Proxy Wallets — Safe-based trading wallets

Our Contracts

Any smart contracts we deploy undergo:
  1. Internal Review — Code review by multiple engineers
  2. External Audit — Third-party security audit
  3. Bug Bounty — Public bounty program
  4. Staged Rollout — Testnet → Limited mainnet → Full release

Operational Security

Team Practices

  • Principle of Least Privilege — Minimal access by default
  • Multi-Factor Authentication — Required for all team accounts
  • Hardware Security Keys — For critical infrastructure access
  • Regular Access Reviews — Quarterly permission audits

Incident Response

We have documented procedures for:
  1. Detection — Automated monitoring and alerting
  2. Containment — Immediate isolation of affected systems
  3. Investigation — Root cause analysis
  4. Recovery — Service restoration
  5. Post-Mortem — Public disclosure (when appropriate)

Monitoring

  • 24/7 Uptime Monitoring — Automatic alerts on anomalies
  • Security Event Logging — All access attempts logged
  • Anomaly Detection — ML-based unusual activity detection
  • Regular Penetration Testing — External security assessments

User Responsibilities

While we implement robust security, users should also follow best practices:

Protect Your Wallet

Never share your seed phrase or private keys. We will never ask for them.

Verify URLs

Always access Matchr via matchr.xyz. Bookmark it and check for HTTPS.

Review Transactions

Before signing, verify the transaction details match your intent.

Secure Your Email

Use a strong, unique password and 2FA on your email (if using email login).

Phishing Prevention

We will never:
  • Ask for your seed phrase or private key
  • Send unsolicited DMs asking you to connect your wallet
  • Offer airdrops that require wallet connections
  • Ask for payments to “unlock” features
If someone claims to be from Matchr and asks for sensitive information, it’s a scam. Report it to us.

Bug Bounty

Program Overview

We reward security researchers who responsibly disclose vulnerabilities.
| Severity | Reward |
|---|---|
| Critical | $5,000 - $25,000 |
| High | $2,000 - $5,000 |
| Medium | $500 - $2,000 |
| Low | $100 - $500 |

In Scope

  • matchr.xyz web application
  • api.matchr.xyz endpoints
  • Smart contracts deployed by Matchr
  • Authentication and session management

Out of Scope

  • Third-party services (Polymarket, Kalshi, Privy)
  • Social engineering attacks
  • Denial of service attacks
  • Issues requiring physical access

Reporting

Report vulnerabilities to security@matchr.xyz with:
  1. Description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Any proof-of-concept code
We’ll respond within 48 hours and work with you on remediation.

Compliance

Data Protection

  • GDPR Compliant — EU user data rights respected
  • Data Minimization — We only collect necessary data
  • Right to Deletion — Request account and data deletion anytime
  • Transparent Privacy Policy — Clear explanation of data use

Financial Regulations

  • We operate as a technology provider, not a financial institution
  • We do not provide financial advice
  • We comply with applicable laws in our operating jurisdictions
  • Users are responsible for their own tax obligations

Contact