Security is foundational to MalkiurSwap. We follow a defense-in-depth strategy with multiple layers of protection to safeguard your transactions and the integrity of the platform.
MalkiurSwap never holds your funds. Deposits are processed through an automated sweep pipeline — tokens arrive at a temporary deposit address, are forwarded through the swap route, and the output is sent directly to your destination wallet. At no point do we have long-term custody of user assets.
Temporary deposit wallet keys are encrypted at rest using AES-256-GCM, the industry standard for authenticated encryption. The encryption key is validated with strict format requirements and stored securely in environment variables — never in source code.
Each encrypted value uses a unique initialization vector (IV) and produces an authentication tag, ensuring both confidentiality and integrity of the stored data.
Private keys for temporary deposit wallets are generated per-transaction and are not retained beyond the transaction lifecycle. Once a swap is completed and funds are delivered, the encrypted key material serves no further purpose and is only retained in database records for audit traceability.
All API endpoints are protected by tiered rate limits to prevent abuse. Quote endpoints allow 30 requests per minute, swap endpoints allow 5 per minute, and status endpoints allow 60 per minute. Admin endpoints are restricted to 5 requests per minute with bearer token authentication. When the primary rate limiter (Redis) is unavailable, a stricter in-memory fallback automatically activates.
The application enforces a strict Content Security Policy (CSP) that blocks unsafe-eval and restricts resource loading to trusted origins. This mitigates cross-site scripting (XSS) and code injection attacks. All API responses include security headers including X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.
We welcome security researchers to responsibly disclose vulnerabilities. If you discover a security issue, please report it to us before making it public. We are committed to investigating and addressing all valid reports promptly.
When reporting, please include a detailed description of the vulnerability, steps to reproduce, and the potential impact. We will acknowledge receipt within 48 hours and aim to resolve critical issues within 7 days.
For security-related reports and inquiries, please contact us at security@malkiurswap.xyz. Please do not disclose vulnerabilities publicly until we have had the opportunity to investigate and address them.