Complete mediation ensures that all policy checks succeed before a key produces a signature—but not all systems get it right. What happens when a system doesn’t enforce policy checks correctly? Keep reading to find out.
Web3’s most extensible policy engine lets you write sophisticated risk management policies—in Rust (and more)—to define exactly what each key is allowed to sign.
An execution engine that runs custom code in a TEE-based runtime: enforce any policy logic, and get an attestation of the code locking down your keys.
DogeOS uses CubeSigner to verify that only properly attested validator nodes can sign transactions allowing users to withdraw funds from DogeOS. These custom policies give DogeOS strong guarantees that only software they wrote has signing privileges—that is, every withdrawal signature used in the DogeOS multi-sig originates from a DogeOS-owned Nitro Enclave running the expected CubeSigner software. The result is a signing workflow that’s resistant to node compromise and other common bridge attacks.
“CubeSigner gives DogeOS a secure bridge layer by ensuring only our own verified enclave code can sign withdrawals. It’s a critical safeguard against node compromise and the kind of exploits that plague other ecosystems.”
Write custom code to restrict what your keys can sign.
Express even the most complex policy rules by writing code in your language of choice. Security and compliance policies should work for you—not the other way around.
Protect yourself from malicious UIs: CubeSigner will only issue a signature if all policy checks pass. A malicious frontend can’t trick the backend policy enforcement.
Get a cryptographic attestation that the policy code you wrote is exactly what’s running inside the TEE. This gives you integrity and your users transparency.
Incorporate your favorite risk management systems, AML software, trading oracles, and other data sources—including on-premise legacy systems—into your unique policy logic.
Replace simple rules with programmable security that reflects how your business operates.