Security is not just a feature but a fundamental aspect of Reown’s architecture. The infrastructure has undergone multiple rounds of third-party security reviews, audits, penetration testing, and threat modeling to ensure the highest standards of protection. Security is viewed as a continuously evolving discipline, with regular system audits to identify and address potential vulnerabilities.

AppKit - Embedded Wallet Key Management

Architecture and Custody

AppKit Embedded Wallets enable applications to provide end-users with a quick onboarding experience by provisioning a non-custodial wallet through social login or email. While the implementation varies per network, Reown relies on a SOC 2 Type 2 compliant third-party vendor for key management. The vendor’s security overview and list of audits are available in their documentation.

For a subset of EVM Networks, gas abstraction functionality requires deploying a Smart Account on behalf of the end-user. In this case, the key management provider acts as a signer for this Smart Account. Reown relies on a third-party vendor for the Smart Account implementation. The Smart Account implementation audits are available in their documentation.

Key Export

Reown enables end-users to export their keys when needed.

Audits

Both the key management vendors and Smart Account vendors have undergone multiple audits (see links above). The integration of the key management provider into AppKit has been audited by Halborn. The complete audit report is available here.

WalletKit

Architecture

WalletKit provides an end-to-end encrypted solution for wallets to connect to applications and sign messages/transactions. As an open-source SDK, it supports multiple transport methods, from WebSockets to Universal Links.

Handshake & End-to-End Encryption

For a detailed overview of the handshake and end-to-end encryption protocol, refer to the technical specification.

Audits

WalletKit, including its encryption stack, was audited by Trail of Bits. The audit report is available here. This comprehensive security review covered the source code and included a lightweight Threat Model covering upstream and downstream dependencies. The broader WalletConnect system underwent Threat Modeling by Spearbit. The threat model is available here.

Dependencies

WalletKit’s design philosophy prioritizes minimizing third-party dependencies to reduce the attack surface.

Third-Party Reviews

The security infrastructure of Reown has undergone multiple rounds of audits by independent security auditing firms, including Trail of Bits, Halborn, and Spearbit. These audits cover both AppKit and WalletKit, along with a comprehensive company-wide Threat Model.

Audit Scope | Auditor | Report
WalletConnect Comprehensive Threat Model | Spearbit | View Report
AppKit Embedded Wallet Integration Pentest | Halborn | View Report
WalletKit Security Review & Lightweight Threat Model | Trail of Bits | View Report

Bug Bounty Program

Reown maintains an active bug bounty program to encourage security researchers to responsibly disclose vulnerabilities and help strengthen the systems. For more information, visit the security text file or the security page.

Get in Touch

For security-related inquiries, please visit the security contact page.