Security Information
Security is not just a feature but a fundamental aspect of Reown’s architecture. The infrastructure has undergone multiple rounds of third-party security reviews, audits, penetration testing, and threat modeling to ensure the highest standards of protection. Security is viewed as a continuously evolving discipline, with regular system audits to identify and address potential vulnerabilities.
AppKit - Embedded Wallet Key Management
Architecture and Custody
AppKit Embedded wallets enable applications to provide end-users with a quick onboarding experience by provisioning a non-custodial wallet through social login or email wallets. While the implementation varies per network, Reown relies on a SOC 2 Type 2 compliant third-party vendor for key management. The vendor’s security overview and list of audits are available in their documentation.
For a subset of EVM Networks, gas abstraction functionality requires deploying a Smart Account on behalf of the end-user. In this case, the key management provider acts as a signer for this Smart Account. Reown relies on a third-party vendor for the Smart Account implementation. The Smart Account implementation audits are available in their documentation.
Key Export
Reown enables end-users to export their keys when needed.
Audits
Both the key management vendors and Smart Account vendors have undergone multiple audits (see links above). The integration of the key management provider into AppKit has been audited by Halborn. The complete audit report is available here.
WalletKit
Architecture
WalletKit provides an end-to-end encrypted solution for wallets to connect to applications and sign messages/transactions. As an open-source SDK, it supports multiple transport methods, from WebSockets to Universal Links.
Handshake & End-to-End Encryption
For a detailed overview of the handshake and end-to-end encryption protocol, refer to the technical specification.
Audits
WalletKit, including its encryption stack, was audited by Trail of Bits. The audit report is available here. This comprehensive security review covered the source code and included a lightweight Threat Model covering upstream and downstream dependencies. The broader WalletConnect system underwent Threat Modeling by Spearbit. The threat model is available here.
Dependencies
WalletKit’s design philosophy prioritizes minimizing third-party dependencies to reduce the attack surface.
Third-Party Reviews
The security infrastructure of Reown has undergone multiple rounds of audits by independent security auditing firms, including Trail of Bits, Halborn, and Spearbit. These audits cover both AppKit and WalletKit, along with a comprehensive company-wide Threat Model.
| Audit Scope | Auditor | Report |
|---|---|---|
| WalletConnect Comprehensive Threat Model | Spearbit | View Report |
| AppKit Embedded Wallet Integration Pentest | Halborn | View Report |
| WalletKit Security Review & Lightweight Threat Model | Trail of Bits | View Report |
Bug Bounty Program
Reown maintains an active bug bounty program to encourage security researchers to responsibly disclose vulnerabilities and help strengthen its systems. For more information, visit the security text file or the security page.
Get in Touch
For security-related inquiries, please visit the security contact page.