Security Architecture
y0.exchange is designed with a zero-trust, non-custodial architecture. We never store, access, or manage your private keys.
Core Principles
Non-Custodial by Design
y0.exchange is a frontend portal. All wallet operations happen between you and your chosen wallet provider. Our servers are never involved in transaction signing.
Zero Backend for Wallet Operations
The wallet app has no backend database. There are no user accounts on our servers. Your session exists only in your browser.
Provider-Managed Key Storage
When you connect through Reown, Privy, MetaMask, or any other provider, your private keys are stored and managed by that provider.
Key Export Always Available
You can export your private keys at any time. There is no lock-in. If you want to leave, take your keys and go.
Server-Side API Proxy
Swap quotes from 1inch/0x require API keys. These keys are kept server-side. Your wallet private keys never leave your browser.
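One way a quote proxy of this kind can be built, as an added example that is not y0.exchange's own code: the server forwards only allowlisted quote parameters and attaches the API key itself, so nothing else the browser sends reaches the upstream. The upstream URL, the QUOTE_API_KEY variable, the Bearer header format and the parameter names are assumptions.

```javascript
// Added example, not project code. UPSTREAM is a placeholder host; the env
// variable name, header format and parameter list are assumptions.
const UPSTREAM = "https://quote-upstream.example/v1/quote";

const ADDRESS = /^0x[0-9a-fA-F]{40}$/; // 20-byte EVM address
const UINT = /^[0-9]{1,78}$/;          // decimal integer that fits in uint256

// Allowlist: only these parameters are ever forwarded upstream.
const VALIDATORS = new Map([
  ["chainId", UINT],
  ["sellToken", ADDRESS],
  ["buyToken", ADDRESS],
  ["sellAmount", UINT],
  ["taker", ADDRESS],
]);
const REQUIRED = ["chainId", "sellToken", "buyToken", "sellAmount"];

const reject = (status, error) => ({ ok: false, status, error });

// Builds the outgoing request from the browser's query object.
// Client headers are never copied; the upstream headers are created here.
function buildUpstreamRequest(clientQuery, env) {
  if (!env.QUOTE_API_KEY) return reject(500, "quote API key not configured");
  const url = new URL(UPSTREAM);
  for (const [name, value] of Object.entries(clientQuery)) {
    const pattern = VALIDATORS.get(name);
    if (!pattern) return reject(400, `unexpected parameter: ${name}`);
    // Error text names the parameter only; the rejected value is not echoed
    // back or logged, in case it is secret material sent by mistake.
    if (typeof value !== "string" || !pattern.test(value)) {
      return reject(400, `invalid value for ${name}`);
    }
    url.searchParams.set(name, value);
  }
  for (const name of REQUIRED) {
    if (!url.searchParams.has(name)) return reject(400, `missing parameter: ${name}`);
  }
  return {
    ok: true,
    url: url.toString(),
    headers: {
      Accept: "application/json",
      Authorization: `Bearer ${env.QUOTE_API_KEY}`, // added server-side only
    },
  };
}
```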
Open-Source & Auditable
The wallet app is MIT-licensed. Every line of code is auditable. We encourage security researchers to review our code.
Data Flow
  User Browser                   Provider            Blockchain
┌──────────────┐               ┌──────────┐         ┌───────────┐
│ y0.exchange  │ ── connect ──▶│ Reown    │         │ Ethereum  │
│ (frontend)   │               │ Privy    │──sign──▶│ BNB Chain │
│              │               │ MetaMask │         │ Arbitrum  │
│ Keys: NEVER  │               │ etc.     │         │ etc.      │
│ stored here  │               └──────────┘         └───────────┘
└──────┬───────┘
       │ swap quotes only
       ▼
┌──────────────┐
│ API Proxy    │ (server-side, no wallet keys)
│ 1inch / 0x   │
└──────────────┘
Found a vulnerability?
Please report it responsibly. Open an issue on GitHub or contact us directly.