Arbiter

Arbiter is an open-source permissioned signing service for cryptocurrency wallets. It runs as a background daemon with an optional desktop client for vault management.

Core guarantee. The vault never exposes private key material under any circumstances. It only produces a signature when the request satisfies the policies configured by the owner — automation tools and SDK clients get exactly the access they were granted, nothing more.

Authentication. Every peer — whether a management client or an automation tool — authenticates via public-key challenge-response. The server issues a nonce-based challenge, the peer signs it, and the server verifies before allowing any operations. On first run, a one-time bootstrap token registers the first management client; all subsequent SDK clients must be explicitly approved by an already-registered owner.

Key hierarchy. Keys are arranged in three layers: a user password derives the root key, and the root key encrypts individual wallet keys. This means password rotation only re-encrypts the root key — not every wallet — and root key rotation is independent of the user’s password. Everything at rest is encrypted with versioned symmetric AEAD; the vault automatically migrates older entries to the current scheme on unseal.

Vault lifecycle. On startup, Arbiter boots in a Sealed state and cannot produce any signatures. To unseal, the management client encrypts the password with a server-generated one-time key and sends the ciphertext — the plaintext password never travels over the wire. Once unsealed, the root key is held in a hardened memory cell protected against dumps, page swaps, and hibernation files.

Permission engine. SDK clients have zero access by default. Grants are issued explicitly by the vault owner, scoped to a specific wallet and chain. For EVM chains, Arbiter decodes known contract calls and presents them with human-readable meaning (e.g., “transfer 500 USDT to 0x…”), enforcing configurable volume limits, rate limits, and time-window restrictions per grant. Unknown contracts can also be permitted with transaction count and rate caps. Nonce management is handled automatically to prevent replay attacks.