STAXIS
Start

How it works · Property 1

Non-custodial by design.

Your capital lives in your wallet or exchange account. STAXIS receives only the minimum permissions needed to trade — withdrawal is not possible. This is verifiable from the permissions scope.

The architectural promise

The worst-case STAXIS-compromised scenario is bad trades — not funds leaving your control.

YOUR WALLETtrade onlyno withdrawalSTAXISSTRATEGY LAYER

Two paths

STAXIS supports two custody architectures.

The internal structure is the same on both sides — to make the architectural equivalence plain: your account holds the funds, a scoped permission reaches STAXIS, and STAXIS reaches only the trading venue.

Path A

DEX (Privy delegated signing)

  • Wallet owned by user
  • STAXIS receives scoped permission via Privy delegated signing
  • Permission: swap up to a set daily amount of approved assets
  • Withdrawal: not possible
  • Revocable any time in the Privy dashboard

Trading venue: decentralized exchanges (DEX aggregators with permitted protocols).

Path B

CEX (trade-only API keys)

  • Exchange account owned by user
  • User creates an API key with TRADE enabled, WITHDRAW disabled
  • API key stored in HashiCorp Vault Transit on STAXIS infrastructure
  • Withdrawal: not possible (verified at the exchange-permission level)
  • Revocable any time in the exchange account

Supported exchanges: Coinbase, Kraken, Gemini.

The architectural property is the same in both: STAXIS cannot withdraw your funds.

Permissions scope

What STAXIS cannot do.

These are not promises; they are properties of the API permissions scope — each one struck out at the source.

  • STAXIS cannot withdraw your funds from your wallet or exchange account.

  • STAXIS cannot transfer your funds to other wallets or exchanges.

  • STAXIS cannot trade assets outside the pre-approved list (BTC/ETH/SOL spot in Phase 1).

  • STAXIS cannot exceed the daily volume or position limits set in the API key or delegated-signing scope.

  • STAXIS cannot change your account’s other settings (KYC info, withdrawal addresses, and so on).

Verifiable by you, any time, from your Privy dashboard or exchange-account permissions.

The worst-case scenario

If STAXIS itself were compromised, what could attackers do?

PERMISSION-SCOPE BOUNDATTACKERSTAXIScompromisedYOUR FUNDS · SAFE

Path A (Privy DEX)

  • Attempt swaps on permitted DEX protocols
  • Trade up to the daily volume bound
  • Cannot withdraw to attacker wallets
  • Cannot trade outside permitted protocols

Path B (CEX)

  • Attempt trades on the user’s exchange account
  • Trade up to the daily volume bound
  • Cannot withdraw funds
  • Cannot transfer to other accounts

In both paths, the worst-case is bad trades — not lost custody. Your capital remains where it was; the value may have decreased due to bad trades, but the funds are not gone.

This is the architectural bound. We cannot eliminate trade-quality risk in a compromise scenario; we have eliminated custody risk.

Next property

Next: the daily circuit breaker.

Custody is one bound. The breaker is the other — a daily technical risk control on trade behaviour, three-layer enforced.

The 2.5% / 3% circuit breaker →All four properties