Security posture
What we hide, we cannot defend.
So we hide nothing.
The full security model of Asylia - updated as the surface evolves. Last reviewed by the maintainers on Apr 27, 2026.
01 · Threat model
What Asylia protects against.
And, just as importantly, what it does not.
Asylia is built for the three attacks a serious Bitcoin owner actually worries about: a single hardware device compromise, a compromised operator machine, and a compromised Asylia service tier. The multisig quorum addresses the first two; the hardware isolation model addresses the third.
Out of scope: a nation-state physical-coercion attack on a majority of your signers, the collapse of the Bitcoin consensus layer, and vulnerabilities inside the hardware devices themselves. We trust the hardware manufacturers' secure elements the same way the rest of the industry does - and we show our work in hw-trezor and hw-ledger.
02 · Policy
Why only P2WSH multisig.
One script, narrow surface, zero policy ambiguity.
Asylia is native-SegWit P2WSH multisig only. Every vault is a wsh(sortedmulti(N, key1, ..., keyN)) descriptor - the single policy reviewed, implemented, and run in production across Sparrow, Caravan, Unchained, and Bitcoin Core since 2020.
The only policy we ship
wsh(sortedmulti(N, xpubKey1, …, xpubKeyN))
Narrowing to one script means the inherited attack surface is BIP-143 signing rules, BIP-48 derivation, and bech32 encoding - specifications that have been stable, reviewed, and deployed for years. Anything outside that envelope is explicitly refused on import.
"Every script you support is a surface you have to defend."
— The Asylia policy charter
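The import-time refusal described above can be pictured as an allow-list check on the descriptor string. This is an added example, not code from Asylia's btc-core: the rules it enforces (BIP-48 origins with script type 2h, a 20-key ceiling, duplicate-key rejection) and the names checkDescriptor and fake are assumptions, and the xpubs are constructed placeholders.

```javascript
// Added example: allow-list check for a wsh(sortedmulti(...)) descriptor.
// Assumed rules, not Asylia's: every key carries a BIP-48 origin with script
// type 2h (P2WSH), at most 20 keys, no duplicates. Keys are shape-checked
// only; base58check and the descriptor checksum are not verified here.
const KEY_RE = new RegExp(
  "^\\[[0-9a-f]{8}/48[h']/[01][h']/\\d+[h']/2[h']\\]" + // [fingerprint/48h/coin/account/2h]
  "((?:xpub|tpub)[1-9A-HJ-NP-Za-km-z]{100,108})" +      // extended public key
  "/(?:0|1|<0;1>)/\\*$"                                  // receive/change branch, ranged
);

function checkDescriptor(desc) {
  const refuse = (reason) => ({ ok: false, reason });
  const body = desc.trim().replace(/#[0-9a-z]{8}$/, ""); // strip optional checksum
  const m = /^wsh\(sortedmulti\((.*)\)\)$/.exec(body);
  if (!m) return refuse("not wsh(sortedmulti(...))");
  if (/[()]/.test(m[1])) return refuse("nested expression inside sortedmulti");
  const [kStr, ...keys] = m[1].split(",").map((s) => s.trim());
  if (!/^[1-9]\d?$/.test(kStr)) return refuse("threshold is not a positive integer");
  if (keys.length < 1 || keys.length > 20) return refuse("key count outside 1..20");
  const threshold = Number(kStr);
  if (threshold > keys.length) return refuse("threshold exceeds key count");
  const seen = new Set();
  for (const key of keys) {
    const km = KEY_RE.exec(key);
    if (!km) return refuse("key is not an xpub with a BIP-48 P2WSH origin");
    if (seen.has(km[1])) return refuse("duplicate key");
    seen.add(km[1]);
  }
  return { ok: true, threshold, keys: keys.length };
}

// Constructed sample input: placeholder xpubs, not real keys.
const fake = (c, script = "2h") =>
  `[${c.repeat(8)}/48h/0h/0h/${script}]xpub${c.toUpperCase().repeat(107)}/<0;1>/*`;
const trio = [fake("a"), fake("b"), fake("c")].join(",");
const samples = [
  `wsh(sortedmulti(2,${trio}))`,          // accepted
  `wsh(multi(2,${trio}))`,                // unsorted multi: refused
  `sh(wsh(sortedmulti(2,${trio})))`,      // nested segwit wrapper: refused
  `wsh(sortedmulti(4,${trio}))`,          // 4-of-3: refused
  `wsh(sortedmulti(2,${fake("a", "1h")},${fake("b")}))`, // wrong BIP-48 script type
];
for (const d of samples) console.log(d.slice(0, 24), checkDescriptor(d));
```

A production importer would additionally decode each xpub and verify the descriptor checksum before accepting the policy.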
03 · Hardware
Keys never leave the device.
PSBTs travel, signatures travel, private material does not.
Asylia exchanges unsigned PSBTs with each hardware wallet and waits for a signed PSBT in return. The browser never sees a private key, the server never stores one, and the seed phrase stays on the device where it was generated.
Current support: Trezor Safe 3, Model T, and Safe 5 for full register + sign flows; Ledger Nano X and Nano S Plus for full register + sign flows. No other wallets are currently wired. BitBox02, Coldcard, and Jade are on the roadmap, each gated on the same signing-model review.
04 · Custody
Non-custodial by design.
Asylia is a view onto your multisig policy, not a container for your coins.
Email OTP through Supabase gives you a portable account for watch-only state across browsers and machines. The account stores public descriptors, historical balances, and UI preferences - never private keys, signed transactions, or seed material. Deleting the account wipes the watch-only state; your on-chain funds are untouched because Asylia never held them.
The same policy is visible in every export. Point Sparrow or Bitcoin Core at the exact same descriptor and you see the same UTXO set. Asylia is replaceable. That is the point.
05 · Transparency
Open source core.
Five MIT-licensed packages carry every Bitcoin-touching operation.
The wallet application is proprietary, but the Bitcoin surface is not. Every package that performs a cryptographic operation or touches a hardware device ships under MIT: btc-core for descriptors, derivation and PSBT assembly, blockchain-data-btc for chain and mempool reads, hw-trezor and hw-ledger for hardware transports, and shared-types for the domain contract.
06 · Licensing
MIT where it matters.
A clear boundary between the open primitives and the commercial product.
The MIT boundary is drawn on purpose: the primitives your money depends on are reviewable and forkable under MIT. The marketing site, wallet app chrome, and product UI are proprietary so we can operate the service sustainably. If the company goes away, the open-source packages keep your keys reachable from any other wsh(sortedmulti) tool.
07 · Audits
Audit status.
Where we are today, what we are working towards, and what you can already verify yourself.
No external audit has been completed yet. We are in the planning stage with two reputable Bitcoin-native audit firms, scoping a btc-core + hardware-transport review as the first pass. When an audit lands, this section will link to the report and any findings + fixes, unredacted.
In the meantime, the MIT packages are yours to read. The policy decision to only support wsh(sortedmulti) means most of the risky surface - policy parsing and script construction - is directly verifiable against the Bitcoin Core reference.
08 · Disclosure
Responsible disclosure.
If you find a problem, tell us before the world.
Email [email protected] with a description of the issue, reproduction steps, and a suggested severity. We acknowledge within 48 hours and aim to ship a fix or transparent mitigation within 14 days. Critical issues get a dedicated coordination channel; we credit every reporter unless you ask us not to.
A bug bounty program will launch alongside the first external audit.
Still reading?
Then you are the kind of person Asylia is built for. Open the wallet and create your first multisig vault - the rest of the trust is built by doing.