Account Security

Account security on Polyester focuses on protecting access and confirming intent.

Multiple layers of security work together: authentication, MFA for sensitive actions, on-chain enforcement for fund movement, and withdrawal whitelisting. These protections can be configured separately for primary accounts, subaccounts, and API keys.

For details on how account authority is implemented on-chain, see Smart Wallets.


Authentication Security

No matter which method is chosen, the security of an account ultimately depends on how well each user protects their authentication method. Polyester does not custody user assets and cannot act on their behalf.

Wallet login (MetaMask, Phantom, WalletConnect)

If an account is accessed via a self-custodied EOA wallet, control of that wallet's private key or seed phrase means full control over the Polyester account.

Security best practices:

  • Never store the seed phrase digitally in notes, cloud storage, or screenshots
  • Never share the seed phrase or private key with anyone
  • Use a hardware wallet whenever possible
  • Carefully review every wallet signature before confirming

Social or email login (via Turnkey)

If an account is created through Google or email via Turnkey, access to that login controls the wallet that authorizes the Polyester account. If the email or social account is compromised, the Polyester account may be at risk.

Security best practices:

  • Enable MFA on the Google or email account used to sign in
  • Use passkeys or hardware-backed authentication where available
  • Monitor login activity for unfamiliar sessions on the email or Google account

See Turnkey for details on how private keys are secured.

Polyester Accounts Are Non-Custodial
If access to the active authentication method is lost and the account cannot be authenticated, the account cannot be recovered. Polyester cannot reset, override, or regain access.

MFA

MFA (Multi-Factor Authentication) adds a verification layer that protects sensitive actions even if a session is stolen.

Two factor types are supported:

  • Passkeys (Face ID, Touch ID, laptop PIN, hardware security keys)
  • Authenticator apps (Google Authenticator, 1Password, Authy)

Actions that require MFA:

  • Withdrawals
  • Transfers
  • API key management
  • Whitelist modifications
  • Subaccount member management

See MFA for setup instructions and the full list of gated actions.

Trading does not require MFA.

Guard Signer

Guard Signer adds on-chain multi-signature control to sensitive account operations. When enabled, on-chain actions such as whitelist changes require Guard Signer approval in addition to the account owner. An attacker who gains access to the account cannot modify on-chain security settings without also controlling the Guard Signer.

See Guard Signer for setup and configuration.


Withdrawal Whitelisting

Withdrawal whitelisting restricts fund movement to pre-approved destination addresses. When enabled, withdrawals and transfers can only be sent to whitelisted addresses. This protects funds even if the account is compromised, since an attacker cannot redirect funds to an arbitrary destination.

Whitelist changes are enforced on-chain by the Funding Account contract and require Guard Signer approval, so a compromised browser session alone is not enough to make an unauthorized change to the whitelist.

See Whitelisting for setup, address management, and how whitelists apply across subaccounts and API keys.


API Keys and subaccounts

API keys and subaccounts allow users to structure, automate, and delegate activity with precision. Both support granular permission controls, including restricting which markets can be traded, setting order size limits, limiting internal transfers to specific accounts, and restricting access to approved IP addresses.

API key sessions are exempt from MFA step-up. MFA applies to browser sessions, not to API key authenticated requests.

Both API keys and subaccount permissions can be revoked at any time if compromised. See Permissions and the Developer Documentation for full detail.


Sessions

Sessions are time-limited to reduce the risk of unattended logins. The default session duration is 4 hours. Certain sensitive actions, such as withdrawals, always require fresh MFA confirmation regardless of how recently MFA was completed.
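The Withdrawal Whitelisting, API Keys and subaccounts, and Sessions sections above describe one layered decision: is the session still valid, does the action need a fresh MFA confirmation, is the destination whitelisted, does a whitelist change carry the Guard Signer's approval, and is an API key acting within its market, size, transfer-target and IP limits. The following Python is an added illustration of those rules evaluated in sequence; it is not Polyester's code. The class names, policy field names, action names and reason strings are assumptions chosen for the example, and the addresses, IPs and subaccount ids are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

SESSION_TTL_SECONDS = 4 * 3600          # default session duration stated on the page

# Actions the page lists as MFA-gated for browser sessions, and those that move funds.
MFA_ACTIONS = {"withdraw", "transfer", "whitelist_add"}
FUND_MOVEMENT = {"withdraw", "transfer"}


@dataclass
class ApiKeyPolicy:
    """Granular limits an API key can carry (hypothetical field names)."""
    allowed_markets: set
    max_order_size: float
    allowed_cidrs: list                 # source-IP restriction
    transfer_targets: set               # internal accounts this key may transfer to


@dataclass
class Session:
    kind: str                           # "browser" or "apikey"
    created_at: float                   # unix seconds
    source_ip: str = "0.0.0.0"
    api_policy: Optional[ApiKeyPolicy] = None


@dataclass
class Account:
    whitelist_enabled: bool = False
    whitelist: set = field(default_factory=set)
    guard_signer_enabled: bool = False


@dataclass
class Request:
    action: str                         # "trade" | "withdraw" | "transfer" | "whitelist_add"
    now: float
    destination: Optional[str] = None
    market: Optional[str] = None
    size: float = 0.0
    fresh_mfa: bool = False             # MFA challenge passed for this specific request
    guard_signer_approved: bool = False  # Guard Signer co-approval present for this request


def ip_allowed(ip: str, cidrs: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def authorize(account: Account, session: Session, req: Request):
    """Evaluate the layered checks in order; returns (allowed, reason)."""
    # 1. Session lifetime: an expired session can do nothing.
    if req.now - session.created_at > SESSION_TTL_SECONDS:
        return False, "session expired"

    if session.kind == "browser":
        # 2a. Browser sessions: sensitive actions need a fresh MFA confirmation
        #     regardless of when MFA was last completed. Trading is exempt.
        if req.action in MFA_ACTIONS and not req.fresh_mfa:
            return False, "fresh MFA required"
    else:
        # 2b. API keys: no MFA step-up, but bounded by the key's own policy.
        pol = session.api_policy
        if pol is None or not ip_allowed(session.source_ip, pol.allowed_cidrs):
            return False, "source IP not allowed for this key"
        if req.action == "trade":
            if req.market not in pol.allowed_markets:
                return False, "market not permitted for this key"
            if req.size > pol.max_order_size:
                return False, "order size exceeds key limit"
        if req.action == "transfer" and req.destination not in pol.transfer_targets:
            return False, "transfer target not permitted for this key"

    # 3. Withdrawal whitelisting applies to every session kind once enabled.
    if (req.action in FUND_MOVEMENT and account.whitelist_enabled
            and req.destination not in account.whitelist):
        return False, "destination not whitelisted"

    # 4. Whitelist changes are on-chain and need the Guard Signer as well as the owner.
    if req.action == "whitelist_add" and account.guard_signer_enabled and not req.guard_signer_approved:
        return False, "Guard Signer approval required"

    return True, "ok"


# Constructed sample account and sessions (placeholder addresses, IPs and ids).
ACCOUNT = Account(whitelist_enabled=True, whitelist={"0xWHITELISTED", "sub-1"}, guard_signer_enabled=True)
BROWSER = Session(kind="browser", created_at=0.0, source_ip="192.0.2.10")
API_KEY = Session(kind="apikey", created_at=0.0, source_ip="203.0.113.5",
                  api_policy=ApiKeyPolicy(allowed_markets={"BTC-USD"}, max_order_size=10.0,
                                          allowed_cidrs=["203.0.113.0/24"], transfer_targets={"sub-1"}))
ROGUE_KEY = Session(kind="apikey", created_at=0.0, source_ip="198.51.100.9", api_policy=API_KEY.api_policy)


def demo():
    """Run constructed requests through the policy and return {name: (allowed, reason)}."""
    return {
        "trade_no_mfa": authorize(ACCOUNT, BROWSER, Request("trade", now=60, market="BTC-USD", size=1)),
        "withdraw_no_mfa": authorize(ACCOUNT, BROWSER, Request("withdraw", now=60, destination="0xWHITELISTED")),
        "withdraw_fresh_mfa": authorize(ACCOUNT, BROWSER, Request("withdraw", now=60, destination="0xWHITELISTED", fresh_mfa=True)),
        "withdraw_unlisted": authorize(ACCOUNT, BROWSER, Request("withdraw", now=60, destination="0xUNLISTED", fresh_mfa=True)),
        "expired": authorize(ACCOUNT, BROWSER, Request("trade", now=5 * 3600, market="BTC-USD", size=1)),
        "whitelist_add_no_guard": authorize(ACCOUNT, BROWSER, Request("whitelist_add", now=60, destination="0xNEW", fresh_mfa=True)),
        "whitelist_add_guard": authorize(ACCOUNT, BROWSER, Request("whitelist_add", now=60, destination="0xNEW", fresh_mfa=True, guard_signer_approved=True)),
        "key_trade_ok": authorize(ACCOUNT, API_KEY, Request("trade", now=60, market="BTC-USD", size=5)),
        "key_trade_wrong_market": authorize(ACCOUNT, API_KEY, Request("trade", now=60, market="ETH-USD", size=5)),
        "key_trade_too_big": authorize(ACCOUNT, API_KEY, Request("trade", now=60, market="BTC-USD", size=50)),
        "key_transfer_ok": authorize(ACCOUNT, API_KEY, Request("transfer", now=60, destination="sub-1")),
        "key_bad_ip": authorize(ACCOUNT, ROGUE_KEY, Request("trade", now=60, market="BTC-USD", size=1)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The ordering matters: the session check runs first so nothing else is evaluated for a stale login, the MFA freshness check is per request rather than per session (matching the page's statement that withdrawals always need fresh confirmation), and the whitelist and Guard Signer checks sit last because they are enforced on-chain and apply whatever kind of session produced the request.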


Security Notifications

Polyester provides notifications for key security-related events:

  • Account logins from new devices or IPs
  • Authentication rotation attempts
  • API key creation
  • Failed withdrawal attempts

View and manage notifications via the bell icon in the header or on the Notifications page.


Report a Security Risk

Please visit the Report a Bug page for details on submitting a suspected vulnerability issue.
