Wallet-as-a-Service (WaaS)

APIs that handle the entire transaction lifecycle, from construction to finality. Key functions include:

• Gas Estimation: Dynamic fee calculation for multiple chains (EIP-1559, priority fees).
• Simulation: Pre-execution checks to prevent failed transactions and estimate outcomes.
• Batching & Bundling: Combining multiple operations into a single transaction to reduce costs and improve UX.
• Nonce Management: Automatic sequencing to prevent conflicts in high-frequency environments.

Embedded tools for enforcing regulatory and security policies at the infrastructure level.

• Transaction Screening: Real-time checks against sanctions lists and known illicit addresses (e.g., OFAC).
• Risk-Based Limits: Configurable rules for withdrawal amounts, destination addresses, and transaction frequency.
• Audit Logs: Immutable, detailed logs of all key operations and transaction attempts for compliance reporting.
• KYC/AML Integration: Hooks to plug into external identity verification providers.

APIs for managing user authentication and authorization without custodianship.

• Session Keys: Generate limited-scope keys for specific dApp interactions, expiring after a set time or action.
• Biometric & Passkey Auth: Integration with native device security (Face ID, Touch ID, WebAuthn) for seamless sign-in.
• Device Management: Allow users to view and revoke access from connected devices or applications.

A push-based notification and webhook system for monitoring on-chain activity.

• Webhook Endpoints: Instant alerts for incoming/outgoing transactions, wallet creation, and security events.
• Balance & State Updates: Real-time synchronization of token balances and NFT holdings.
• Indexed Data: Queryable history of all transactions and interactions associated with managed wallets.

WaaS provides the reliable backend infrastructure needed for high-traffic decentralized applications, handling:

• High-Volume Signing: Scalable APIs for processing thousands of transactions per second.
• Real-Time State Updates: WebSocket connections for instant balance and event notifications.
• Node Reliability: Redundant access to blockchain RPC nodes, eliminating the need for dApp teams to manage their own node infrastructure.

The core security model defines who controls the private keys. Custodial WaaS holds keys on behalf of users, similar to a bank, introducing counterparty risk. Non-Custodial WaaS (or MPC-based WaaS) uses cryptographic schemes like Multi-Party Computation (MPC) to distribute key shards, where the service provider never has full key access. Hybrid models also exist, offering tiered security levels.

WaaS platforms are high-value targets. Primary threats include:

• Infrastructure Compromise: Breach of the provider's HSMs (Hardware Security Modules) or key management servers.
• Insider Threats: Malicious or coerced employees with privileged access.
• API & SDK Vulnerabilities: Flaws in the integration layer that could allow transaction manipulation or key exfiltration.
• Social Engineering: Attacks targeting WaaS support teams to reset user access or approve fraudulent transactions.

WaaS providers must adhere to stringent standards, which shape their security architecture. Key frameworks include:

• SOC 2 Type II: Audits for security, availability, and confidentiality controls.
• ISO 27001: International standard for information security management.
• Financial regulations: Adherence to KYC (Know Your Customer), AML (Anti-Money Laundering), and Travel Rule requirements, which necessitate secure identity data handling.

A major WaaS value proposition is simplified recovery, which has security trade-offs. Methods include:

• Social Recovery: Designated guardians can approve a wallet reset.
• Cloud Backup: Encrypted key shards stored with providers like iCloud or Google Drive.
• Email/SMS Reset: A convenient but potentially vulnerable single point of failure. The security of these mechanisms depends entirely on the resilience of the backup channel and the authentication process.

Third-party security assessments are critical for trust. Reputable WaaS providers undergo:

• Smart Contract Audits: Review of any on-chain logic for vaults or factories.
• Infrastructure Penetration Tests: Simulated attacks on APIs, cloud infrastructure, and internal networks.
• Cryptographic Reviews: Expert analysis of the MPC or threshold signature implementations. Public audit reports from firms like Trail of Bits, OpenZeppelin, or Kudelski Security are a key transparency indicator.

To mitigate the risks of custodial holdings, leading providers implement financial safeguards. These include:

• Cold Storage Insurance: Coverage for digital assets held in offline HSMs, often through Lloyd's of London syndicates.
• Protocol-Level Insurance: Coverage for smart contract failures or bridge hacks.
• Internal Security Funds: A portion of fees set aside to cover potential incidents. Coverage terms, limits, and exclusions are crucial for enterprise clients.

This service layer handles the construction, simulation, and broadcasting of blockchain transactions. It provides:

• Gas estimation and fee optimization across multiple networks.
• Batch transactions for complex operations (e.g., swap then bridge).
• Nonce management to prevent conflicts and ensure proper transaction ordering.
• Integration with paymasters for sponsored or gasless transactions, improving user experience.

A core WaaS feature is providing a unified interface for interacting with diverse blockchain ecosystems. This includes:

• Native support for EVM chains (Ethereum, Polygon, Arbitrum), Solana, Cosmos, and others.
• Automated address derivation across these chains from a single seed or identity.
• Aggregated balance and token discovery APIs for NFTs and fungible tokens (ERC-20, SPL, etc.).
• Built-in cross-chain bridging and swap integrations via partner protocols.

WaaS platforms implement enterprise-grade security and regulatory features:

• SOC 2 Type II compliance and ISO 27001 certification.
• Transaction policy engines for risk scoring and fraud detection.
• Audit trails and real-time monitoring for all wallet activities.
• Integration with sanctions screening and anti-money laundering (AML) databases, making them essential for regulated DeFi and institutional applications.

To create seamless fiat-to-crypto experiences, WaaS providers integrate with fiat onramp and offramp aggregators. This allows applications to offer:

• Direct credit/debit card purchases of crypto into embedded wallets.
• Bank transfer options (ACH, SEPA).
• Local payment method support globally.
• KYC verification flows managed by the onramp provider. This turns a WaaS into a complete financial gateway for Web3 applications.