This picture will be mintable soon

Examining the Security of onXRP’s Key Management Infrastructure: A Comprehensive Audit

At onXRP, our mission is to provide our users with a secure and reliable blockchain-based signing solution. As part of our ongoing commitment to the highest standards of security, we recently underwent an extensive audit in April 2023 to evaluate the robustness of our key management infrastructure. We are delighted to share the purpose, process, and outcomes of this audit, as it reaffirms our dedication to ensuring optimum security for our users’ assets. The audit was conducted by BuildTomorrow and Garantir, renowned cybersecurity professionals with extensive expertise in cryptography and key management.

Purpose of the Audit

The primary objective of the audit was to assess the effectiveness and security of onXRP’s cryptographic key management system. Our goal was to ensure that our key management practices not only adhered to the most stringent industry standards but also provided our users with the highest level of protection. By conducting this audit, we aimed to identify any potential vulnerabilities, fortify our security measures, and enhance the overall robustness of our key management infrastructure.

The audit encompassed a comprehensive review of our key management practices, covering various critical aspects of our system. Our system’s architecture underwent a meticulous examination to evaluate its reliability and adherence to best practices. Additionally, our foundational source code was subjected to thorough scrutiny, involving manual reviews and static code analysis, to identify any potential implementation flaws related to private key usage.

Key Management Lifecycle

onXRP utilizes two secp256k1 keys, with the first key stored in AWS Secrets Manager and the second key stored in AWS Key Management Service (KMS). The Secrets Manager key is exported in plaintext format to the application server (via TLS) during usage, while the KMS key is generated, stored, and utilized within a non-exportable FIPS 140-2 certified HSM. The Secrets Manager key is securely distributed, and no evidence of compromise or mishandling was found. The audited authentication keys were properly controlled, ensuring their security.

The audit found that the AWS KMS key provided a high level of security, making it practically impossible for attackers to compromise its private key bytes. In comparison, the Secrets Manager key offered a good level of protection, and when used in conjunction with the AWS KMS key, it further enhanced the security of wallets. Wallets that required both keys for transaction signing benefited from the combined strength of these keys, ensuring a robust level of security.

During the audit, the usage of cryptographic keys within onXRP’s system was examined to ensure their appropriate usage and adherence to defined limits. It was found that while the application associated with the KMS key did not perform full data validation, this risk was effectively mitigated by the robust authentication carried out by AWS API Gateway and the calling application.

While key rotation was not planned at the time, onXRP’s security strategy was aligned with NIST’s ongoing development of post-quantum cryptographic algorithms. Furthermore, the anticipated support from HSM and cloud vendors assured future readiness. As these advanced algorithms became available and industry standards were established, onXRP could seamlessly incorporate a key rotation plan to maintain optimal security and stay in line with evolving best practices. In terms of key revocation and destruction, onXRP was advised to define and document processes as part of their key management lifecycle to minimize the risk of unauthorized access or misuse of outdated or compromised keys.

Results of the Audit

We are pleased to share that the audit yielded positive results, underscoring the effectiveness and robustness of onXRP’s key management practices. By leveraging the highly secure AWS Key Management Service (KMS), we have successfully strengthened the security of our users’ wallets and transactions.

The audit highlighted the exceptional level of security provided by our AWS KMS key. Its highly resistant nature against private key compromise significantly mitigates the risk of unauthorized access. Furthermore, our Secrets Manager key, securely distributed without any evidence of compromise or mishandling, enhances the overall security of our wallets. The combination of these keys ensures a robust and reliable security framework for our users.


Throughout the audit, our comprehensive understanding of the importance of secure key management practices was validated. We have implemented a range of security measures that align with industry standards and prioritize the protection of our users’ assets. The positive findings of the audit serve as a testament to our unwavering commitment to maintaining the highest standards of key security.


We extend our heartfelt appreciation to the experienced teams at BuildTomorrow and Garantir for conducting this meticulous audit of our key management infrastructure. Their expertise and guidance have been instrumental in reinforcing our security practices and fortifying our key management system.


At onXRP, the security of our users’ assets remains our top priority. By conducting regular audits and remaining proactive in our approach to security, we are committed to continuously enhancing our key management practices. Rest assured, we will continue to prioritize the highest standards of security to ensure the utmost protection for our valued users.

To read the full report click here.

Marta Cid
Marta Cid