Security

Security best practices for implementing Rach Wallet-as-a-Service.

Key Security Principles

1. Never Expose Master Seeds

Critical Security

Never expose wallet master seeds or private keys in:

  • Client-side code (JavaScript, mobile apps)
  • Logs or error messages
  • Public repositories
  • URLs or query parameters

Rach handles all key management server-side with enterprise-grade encryption.


API Key Security

Environment Variables

bash
# .env file
RACH_API_KEY=live_sk_your_production_key
RACH_WEBHOOK_SECRET=your_webhook_secret

# Never commit .env to git!

Key Rotation

Rotate API keys periodically:

  1. Generate new key in dashboard
  2. Update your environment
  3. Test with new key
  4. Revoke old key

Webhook Security

HMAC Verification

Always verify webhook signatures:

javascript
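const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  // A missing header arrives as undefined; reject it instead of throwing
  if (typeof signature !== 'string') return false;

  const hmac = crypto.createHmac('sha256', secret);
  // HMAC over the re-serialized body; this only matches if it is
  // byte-identical to what was signed
  hmac.update(JSON.stringify(payload));
  const computed = hmac.digest('hex');

  const received = Buffer.from(signature);
  const expected = Buffer.from(computed);

  // timingSafeEqual throws when lengths differ, so compare lengths first
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Assumes an Express app with JSON body parsing enabled
app.post('/webhooks/wallet', (req, res) => {
  const signature = req.headers['x-rach-signature'];
  
  if (!verifyWebhookSignature(req.body, signature, process.env.RACH_WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  
  // Process webhook
  res.sendStatus(200);
});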

Withdrawal Security

Multi-Factor Authentication

Require MFA for withdrawals:

javascript
async function processWithdrawal(userId, amount, address, mfaCode) {
  // 1. Verify user session
  const user = await verifyUserSession(userId);
  
  // 2. Check MFA code (passed in by the caller, e.g. from req.body.mfa_code)
  if (!await verifyMFACode(user, mfaCode)) {
    throw new Error('Invalid MFA code');
  }
  
  // 3. Check withdrawal limits
  if (amount > user.daily_limit) {
    throw new Error('Exceeds daily limit');
  }
  
  // 4. Verify destination address
  if (!await isWhitelistedAddress(user, address)) {
    throw new Error('Address not whitelisted');
  }
  
  // 5. Process withdrawal
  return await executeWithdrawal(userId, amount, address);
}

Withdrawal Limits

Implement tiered limits:

javascript
const WITHDRAWAL_LIMITS = {
  tier1: { daily: 1000, perTransaction: 500 },
  tier2: { daily: 10000, perTransaction: 5000 },
  tier3: { daily: 100000, perTransaction: 50000 }
};

Address Whitelisting

javascript
async function addWhitelistedAddress(userId, address, network) {
  // Send confirmation email
  await sendConfirmationEmail(userId, address);
  
  // Add to whitelist after 24h delay
  await db.whitelistedAddresses.create({
    user_id: userId,
    address: address,
    network: network,
    active_at: new Date(Date.now() + 24 * 60 * 60 * 1000)
  });
}
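The limit and whitelist checks from the sections above, combined into one decision function. This is an added example, not Rach's code: the `authorizeWithdrawal` name, the `history` and `whitelist` shapes, and the sample data are assumptions. It enforces the per-transaction limit, a rolling 24-hour total (not just the single amount), and the `active_at` delay written by `addWhitelistedAddress`.

```javascript
const WITHDRAWAL_LIMITS = {
  tier1: { daily: 1000, perTransaction: 500 },
  tier2: { daily: 10000, perTransaction: 5000 },
  tier3: { daily: 100000, perTransaction: 50000 }
};
const DAY_MS = 24 * 60 * 60 * 1000;

// history: [{ amount, at: Date }] of the user's earlier withdrawals (assumed shape)
// whitelist: rows as written by addWhitelistedAddress (address, network, active_at)
function authorizeWithdrawal(request, now = new Date()) {
  const { tier, amount, address, network, history, whitelist } = request;
  const deny = (reason) => ({ ok: false, reason });

  // Own-property lookup so a tier such as "constructor" cannot resolve to an object
  if (!Object.prototype.hasOwnProperty.call(WITHDRAWAL_LIMITS, tier)) return deny('UNKNOWN_TIER');
  const limits = WITHDRAWAL_LIMITS[tier];

  // Reject NaN, Infinity, zero and negative amounts before any comparison
  if (!Number.isFinite(amount) || amount <= 0) return deny('INVALID_AMOUNT');
  if (amount > limits.perTransaction) return deny('PER_TRANSACTION_LIMIT');

  // Rolling 24h window: sum what was already withdrawn, then add this request
  const windowStart = now.getTime() - DAY_MS;
  const spent = history
    .filter((w) => w.at.getTime() > windowStart)
    .reduce((sum, w) => sum + w.amount, 0);
  if (spent + amount > limits.daily) return deny('DAILY_LIMIT');

  // An entry counts only once its 24h activation delay has elapsed
  const entry = whitelist.find((a) => a.address === address && a.network === network);
  if (!entry) return deny('ADDRESS_NOT_WHITELISTED');
  if (entry.active_at.getTime() > now.getTime()) return deny('ADDRESS_PENDING');
  return { ok: true, reason: null };
}

// Constructed sample data
const NOW = new Date('2024-01-02T12:00:00Z');
const SAMPLE_HISTORY = [
  { amount: 400, at: new Date('2024-01-02T09:00:00Z') }, // inside the window
  { amount: 450, at: new Date('2024-01-01T10:00:00Z') }  // older than 24h, ignored
];
const SAMPLE_WHITELIST = [
  { address: 'addr-active', network: 'ethereum', active_at: new Date('2024-01-01T00:00:00Z') },
  { address: 'addr-pending', network: 'ethereum', active_at: new Date('2024-01-03T00:00:00Z') }
];
```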

Data Protection

Encrypt Sensitive Data

javascript
const crypto = require('crypto');

function encryptSensitiveData(data, key) {
  // 96-bit (12-byte) random IV, the recommended size for GCM; never reuse an IV with the same key
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  
  let encrypted = cipher.update(data, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  
  const tag = cipher.getAuthTag();
  
  return {
    encrypted,
    iv: iv.toString('hex'),
    tag: tag.toString('hex')
  };
}
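The decryption side of the function above, as an added example that is not from Rach's documentation: `decryptSensitiveData` and `demoRoundTrip` are hypothetical names, and the key and plaintext are constructed. It shows that the stored `tag` must be supplied and checked, and that a modified ciphertext, a wrong key, or a truncated tag yields no plaintext.

```javascript
const crypto = require('crypto');

// Takes the { encrypted, iv, tag } object produced by encryptSensitiveData.
// Returns the plaintext, or null when authentication fails.
function decryptSensitiveData(record, key) {
  try {
    const iv = Buffer.from(record.iv, 'hex');
    const tag = Buffer.from(record.tag, 'hex');
    // Refuse truncated tags: shorter tags are easier to forge
    if (tag.length !== 16) return null;

    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    let plain = decipher.update(record.encrypted, 'hex', 'utf8');
    // final() throws if ciphertext, IV, tag or key do not match;
    // nothing from update() is returned before this check passes
    plain += decipher.final('utf8');
    return plain;
  } catch (err) {
    return null;
  }
}

// Constructed round trip: encrypt, then try intact, tampered, wrong-key and short-tag reads
function demoRoundTrip() {
  const key = crypto.randomBytes(32); // demo key only; real keys come from a secret store
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const encrypted = cipher.update('acct-1234 (constructed)', 'utf8', 'hex') + cipher.final('hex');
  const record = { encrypted, iv: iv.toString('hex'), tag: cipher.getAuthTag().toString('hex') };

  // Change the first hex digit of the ciphertext
  const flipped = (record.encrypted[0] === '0' ? '1' : '0') + record.encrypted.slice(1);
  return {
    intact: decryptSensitiveData(record, key),
    tampered: decryptSensitiveData({ ...record, encrypted: flipped }, key),
    wrongKey: decryptSensitiveData(record, crypto.randomBytes(32)),
    shortTag: decryptSensitiveData({ ...record, tag: record.tag.slice(0, 8) }, key)
  };
}
```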

Monitoring & Alerts

Set Up Alerts

javascript
// Alert on large deposits
async function handleDeposit(event) {
  const { amount, currency } = event;
  
  if (parseFloat(amount) > 10000) {
    await sendAlert({
      type: 'LARGE_DEPOSIT',
      amount,
      currency,
      wallet_id: event.wallet_id
    });
  }
}

// Alert on unusual activity
async function checkUnusualActivity(userId) {
  const recentWithdrawals = await getRecentWithdrawals(userId, '24h');
  
  if (recentWithdrawals.length > 10) {
    await sendAlert({
      type: 'UNUSUAL_ACTIVITY',
      user_id: userId,
      count: recentWithdrawals.length
    });
  }
}

Compliance

KYC/AML

  • Verify user identity before large transactions
  • Monitor for suspicious patterns
  • Implement transaction reporting
  • Keep audit logs

Audit Logging

javascript
async function logWalletAction(req, action, userId, details) {
  await db.auditLogs.create({
    timestamp: new Date(),
    action: action,
    user_id: userId,
    details: details,
    // Request metadata comes from the request object passed in by the caller
    ip_address: req.ip,
    user_agent: req.headers['user-agent']
  });
}

// Log all wallet operations (called from inside a request handler)
await logWalletAction(req, 'WALLET_CREATED', userId, { wallet_id });
await logWalletAction(req, 'ADDRESS_DERIVED', userId, { address, network });
await logWalletAction(req, 'WITHDRAWAL_INITIATED', userId, { amount, address });

Security Checklist

  • ✅ Use environment variables for secrets
  • ✅ Verify all webhook signatures
  • ✅ Implement MFA for withdrawals
  • ✅ Set withdrawal limits
  • ✅ Whitelist withdrawal addresses
  • ✅ Encrypt sensitive data at rest
  • ✅ Use HTTPS everywhere
  • ✅ Implement rate limiting
  • ✅ Set up monitoring and alerts
  • ✅ Keep audit logs
  • ✅ Regular security audits
  • ✅ Incident response plan

Built with ❤️ by Rach Finance