Security

Shelly is designed around minimizing trust and reducing attack surface. The goal is simple. Protect users, contributors, and payout flows without adding unnecessary friction.

Non-custodial by design

Shelly does not hold user funds. Mining earnings flow through the conversion pipeline and then to user wallets through on-chain contracts.

That means users keep control of their assets.

Smart contract audits

All smart contracts will be audited by reputable firms before mainnet deployment. Security review is a launch requirement, not a post-launch task.

No private key exposure

Users authenticate with wallet signatures only. Shelly never asks for private keys. Shelly never stores private keys.

Contributor isolation

Contributor machines run mining workloads inside sandboxed environments.

The Shelly daemon does not access contributor files or personal data. Its permissions are limited to the CPU or GPU resources allocated for mining.

Infrastructure controls

Shelly applies standard production security controls across backend services. These include:

• encrypted API keys at rest

• rate-limited endpoints

• service monitoring

• alerting across critical systems

Open source verification

Core smart contracts will be open source. They will also be verifiable on BaseScan.

This makes payout logic and contract behavior inspectable by anyone.

Security posture

No system is risk-free. Shelly’s approach is to reduce trust assumptions, keep the architecture inspectable, and audit critical paths before scale.