Hanzo

MPC Wallets

Non-custodial MPC-powered wallets for customers and institutional clients with threshold signatures and key share rotation.

MPC Wallets — Non-Custodial Client Wallets

Lux Financial uses MPC (Multi-Party Computation) threshold signatures for all client wallets. No single party — not even Lux — ever holds a complete private key. Clients maintain true self-custody with institutional-grade security.

How It Works

Client Device          Lux MPC Node          Recovery Node
     |                      |                      |
     |    Key Share 1       |    Key Share 2       |    Key Share 3
     |                      |                      |
     +----------+-----------+----------+-----------+
                |                      |
           Threshold Signing (2-of-3)
                |
           Valid Signature
                |
           Broadcast to Chain

Key Properties

  • Non-custodial: The client's key share never leaves their device
  • 2-of-3 threshold: Any 2 of 3 shares can produce a valid signature
  • No single point of failure: Compromise of any single share reveals nothing
  • Key rotation: Shares can be refreshed without changing the public key or addresses
  • Multi-chain: One key management plane, 16+ blockchain networks

Wallet Lifecycle

Account Creation

When a client registers on app.lux.financial, the platform:

  1. Creates the client account in the Bank API
  2. Runs compliance checks (KYC/AML/PEP)
  3. Once cleared, triggers MPC keygen via the MPC cluster

// Bank triggers wallet creation after compliance clearance
const wallet = await tradingService.mpcCreateWallet(accountId);
// Returns: { wallet_id, ecdsa_pub_key, eth_address, btc_address }

Key Generation (Distributed)

The MPC cluster runs CGGMP21 or FROST keygen across 3 nodes:

POST /api/v1/vaults/{vaultId}/wallets
{
  "protocol": "cggmp21",
  "curve": "secp256k1",
  "threshold": 2,
  "parties": 3,
  "label": "client-{accountId}"
}

Each node stores its encrypted key share in KMS (AES-256-GCM):

Node 1 (Client device) -> Encrypted share in device secure enclave
Node 2 (Lux MPC node)  -> Encrypted share in Hanzo KMS
Node 3 (Recovery node)  -> Encrypted share in cold storage HSM

Transaction Signing

When a client submits a trade or withdrawal:

  1. Client approves on device (biometric/PIN)
  2. Client share + Lux node share participate in threshold signing
  3. Signature is produced without reconstructing the full key
  4. Transaction is broadcast

The signing request carries the transaction hash (hex) as the payload:

POST /api/v1/generate_mpc_sig
{
  "wallet_id": "w_...",
  "payload": "0xabc123...",
  "chain": "ethereum"
}

Key Rotation (Proactive Refresh)

Shares are rotated periodically to limit the exposure window of any single share:

POST /api/v1/wallets/{walletId}/reshare
{
  "new_threshold": 2,
  "new_participants": ["node-1", "node-2", "node-3"]
}

The public key and all derived addresses remain unchanged.
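
Why a refresh keeps the key (and so the public key and addresses) while making old shares useless alongside new ones, as an added example that is not Lux or luxfi/mpc code: a simplified, dealer-based Shamir 2-of-3 model over the secp256k1 group order. The function names are hypothetical, and `reconstruct` exists only to check the result; CGGMP21 and FROST refresh shares without a dealer and never assemble the key.

```javascript
// Added illustration (assumed model, not the luxfi/mpc implementation):
// Shamir 2-of-3 sharing with proactive refresh over the secp256k1 group order.
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const mod = (a) => ((a % N) + N) % N;

// Random scalar: 48 random bytes reduced mod N (bias below 2^-128).
function randScalar() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(48));
  let x = 0n;
  for (const b of bytes) x = (x << 8n) | BigInt(b);
  return mod(x);
}

// Modular inverse via Fermat's little theorem (N is prime).
function inv(a) {
  let result = 1n, base = mod(a), e = N - 2n;
  while (e > 0n) {
    if (e & 1n) result = mod(result * base);
    base = mod(base * base);
    e >>= 1n;
  }
  return result;
}

// Degree-1 polynomial f(x) = secret + c*x; node i (1..3) holds f(i).
function split(secret) {
  const c = randScalar();
  return [1n, 2n, 3n].map((x) => ({ x, y: mod(secret + c * x) }));
}

// Refresh: add shares of a fresh polynomial whose constant term is 0,
// so f(0) (the key) is unchanged but every share value changes.
function refresh(shares) {
  const c = randScalar();
  return shares.map(({ x, y }) => ({ x, y: mod(y + c * x) }));
}

// Lagrange interpolation at x = 0 from any two shares (verification only).
function reconstruct(a, b) {
  const la = mod(b.x * inv(b.x - a.x));
  const lb = mod(a.x * inv(a.x - b.x));
  return mod(a.y * la + b.y * lb);
}
```

Any two shares from the same epoch interpolate to the same secret, while one pre-refresh share combined with one post-refresh share does not, which is why a share stolen before a rotation cannot be paired with one stolen after it.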

Supported Chains

Chain            Curve      Protocol  Addresses
Ethereum / EVM   secp256k1  CGGMP21   0x...
Bitcoin          secp256k1  CGGMP21   bc1...
Solana           ed25519    FROST     ...
Lux C-Chain      secp256k1  CGGMP21   0x...
Lux X-Chain      secp256k1  CGGMP21   X-lux1...
Lux P-Chain      secp256k1  CGGMP21   P-lux1...
XRP Ledger       ed25519    FROST     r...
Cosmos           secp256k1  CGGMP21   cosmos1...

Integration with Trading

The bank's TradingService integrates MPC signing directly:

// Sign a withdrawal transaction
const sig = await tradingService.mpcSign(
  walletId,
  txHash,    // hex-encoded transaction hash
  'ethereum'
);
// Returns: { r, s, signature }

// Sign via KMS for simpler operations
// (separate variable name: redeclaring `const sig` in the same scope is a syntax error)
const kmsSig = await tradingService.kmsSign(keyId, payload);

Smart Order Router

Orders are routed between CEX and DEX based on best price:

const result = await tradingService.submitOrder(accountId, {
  symbol: 'BTC-USD',
  side: 'buy',
  type: 'limit',
  quantity: 1.5,
  price: 45000,
});
// Returns: { venue: 'cex' | 'dex', order: {...} }

For DEX orders, the MPC wallet automatically signs the on-chain transaction.

Security Model

Layer                  Protection
Key shares at rest     AES-256-GCM (KMS master key via Argon2id)
Key shares in transit  TLS 1.3 + Ed25519 message signing
Client device share    Secure enclave / TEE
Recovery share         Offline HSM in geographically separate facility
Signing requests       JWT + RBAC + policy engine approval
Key rotation           Automatic proactive refresh on configurable schedule

Compliance Integration

MPC wallets are fully integrated with the compliance engine:

  • Wallet creation is gated on KYC clearance
  • Transaction signing checks account sanctions status in real-time
  • Large withdrawals trigger surveillance alerts
  • PEP accounts require additional approval workflows
  • All signing operations produce audit logs

Source

  • MPC Cluster: luxfi/mpc (Go, CGGMP21/FROST)
  • KMS: luxfi/kms (TypeScript/Go, AES-256-GCM)
  • Bank Integration: luxfi/bank/app/api/src/trading/ (TypeScript/NestJS)
  • Wallet UI: luxfi/exchange/packages/wallet (TypeScript/React)
