This startup aims to solve crypto’s broken key management problem – Hackread – Cybersecurity News, Data Breaches, AI, and More

Crypto key management infrastructure provider Sodot says it’s going to put an end to the high-profile cyberattacks that plague the industry’s most prominent exchange platforms. It has just announced the availability of its flagship offering, called the Exchange API Vault, which is uniquely able to secure dozens of private keys that control billions of dollars in crypto assets while ensuring they’re still available to trade. 

The company said Exchange API Vault is a highly specialized solution that’s designed to prevent the theft of API keys, which is one of the major vulnerabilities for cryptocurrency exchanges, market makers, and liquidity providers. It does so by ensuring they’re never exposed in plaintext form, even when they’re being actively used in support of trading operations. 

API key theft has become a major headache for the cryptocurrency industry, facilitating recent incidents such as last February’s $1.46 billion hack of Bybit, and the $41 million heist perpetrated against Swissborg in September. They’re tempting targets for hackers because they have become essential infrastructure for institutional trading firms that operate across multiple exchange platforms.

These organizations typically control numerous cryptocurrencies spread across hundreds of individual wallets, and they use a similar number of API keys to try to secure those funds. Key management has become a critical operation, and it’s often so complex that institutions have no choice but to automate it, leaving themselves open to substantial risks.

While solutions for API key management do exist, they struggle with a very specific challenge – keeping the keys secure while they’re continually in use. It’s not like an exchange can just deposit all of its funds into a cold wallet and then lock the physical key somewhere in a safe to guarantee it’s never compromised.

That’s not possible because exchanges need these funds on hand to facilitate continuous trading operations across the globe on a 24/7 basis. The wallets they control are constantly being accessed throughout the day, and the keys are meant to ensure that whoever does the accessing is actually authorized to do so, but because everything is automated, that isn’t always the case. 

Enhanced key management for high-frequency trading

Sodot aims to solve the difficulties of API key management. The Exchange API Vault can be likened to a kind of “command center” that tracks and secures all keys under a customer’s control. One of the ways it does this is by ensuring that the key is never exposed in plaintext form, not even when it’s actively being used to facilitate trading operations.

The Exchange API Vault uses a combination of multi-party computation (MPC) techniques and trusted execution environments (TEEs) to manage API keys and make them much harder to steal. This allows each API key to be split between different locations, so that the full key never exists on a single server or developer machine.

In addition to better securing the keys, the Exchange API Vault has been purposely engineered for low latency in order to support high-frequency trading. This ensures that users can quickly access the keys when required to send funds wherever they’re needed, without delays that could impact trading performance.

The combination of low latency, MPC, and TEEs is a major differentiator for Sodot’s offering that sets it apart from industry-standard key management tools such as HashiCorp’s Vault. While HashiCorp offers strong encryption, key storage, and rotation, it lacks the infrastructural support for high-frequency trading and the ability to protect against in-memory theft.

This explains why the institutional-grade liquidity provider Flow Traders decided to adopt Sodot’s solution. Flow Traders is one of the most prominent market makers in the crypto world, supplying billions of dollars in liquidity to dozens of top exchange platforms, and it relies on the Exchange API Vault to secure dozens of active API keys used to support high-frequency trading. 

Flow Traders’ Head of Digital Assets Technology, Laszlo Fodor, praised Sodot for its technological innovation. “It contributes to the trust across the digital asset ecosystem, which is an important driver for broader adoption,” he said.

Sodot’s vault also enforces the trader’s internal security policies, including transaction limits and IP whitelists, and integrates a “kill switch” to prevent catastrophic losses even if a key is somehow compromised. Users can also monitor their keys and set alerts for any suspicious access or transactions. As a final benefit, Sodot’s solution is self-hosted, which means customers can deploy it on their own infrastructure and avoid having to trust Sodot or another third party.




