Today, TokenSoft is announcing the beta availability of Knox — a mobile-first, institutional-grade cold storage custody system for enterprises managing digital securities and digital assets. Knox is the first custody solution designed from the ground up for security tokens: compliant, multi-signature, and air-gapped by architecture.

"As real-world assets enter the blockchain world, it's important to protect them with the same level of security we treat traditional digital assets. Almost $1 billion of cryptocurrency was stolen by hackers in the first three quarters of 2018 alone." — Mason Borda, CEO, TokenSoft

Named after Fort Knox — where the United States stores its gold reserves — Knox was purpose-built for the era of regulated digital securities. While existing hardware wallets handle cryptocurrencies reasonably well, they were never designed for the compliance requirements of tokenized equity, debt, real estate, or other securities subject to SEC regulation. Knox is.

Why Existing Solutions Fall Short

Digital securities are fundamentally different from cryptocurrencies. Bitcoin and Ethereum are permissionless — any address can send to any other address, any time. Security tokens are the opposite: they encode transfer restrictions directly into the smart contract. An ERC-1404 security token enforces rules about who may hold it, in what quantity, under what regulatory regime, and when. Accreditation checks, jurisdiction restrictions, lockup periods, ownership caps — these are all enforced at the protocol layer.

The problem: every custody solution that existed before Knox — Ledger, Trezor, Gnosis Safe, BitGo, Fireblocks — treats security tokens as if they were ordinary ERC-20 tokens. They will sign any transaction you put in front of them, without asking whether that transfer would pass the token's compliance rules. The result is predictable and expensive: wasted gas fees when transactions fail on-chain, potential regulatory exposure from the mere attempt of a non-compliant transfer, and zero audit trail at the custody layer.

Mason Borda put it plainly when announcing Knox to CoinDesk: "The digital asset industry has been comfortable with storing coins for the last few years. Digital securities are kind of new ground." Knox was built to close that gap.

Three Layers of Security

Knox is built on three interlocking security principles that together create an institutional custody architecture unlike anything previously available for security tokens:

1. Offline Cold Storage

Knox uses an air-gapped, offline signing application — an Electron desktop app — that integrates directly with Ledger hardware wallets. The private keys that authorize security token transfers never exist in software and never touch a networked device. Unsigned transactions are transmitted to the air-gapped signing device via QR code or USB file transfer, physically isolating the key material from any network-connected system. After the Ledger physically displays the transaction details and the operator confirms on the device, the signed transaction travels back to the online system for broadcast.

This architecture makes remote compromise essentially impossible: there is no network path from an attacker to the private key. The signing device is offline. Period.

2. Role-Based Access Control & Multi-Signature Approval

Knox supports both single-signature and multi-signature wallet configurations. In a multi-sig setup, a configurable threshold of authorized signers must approve a transfer request before it can proceed to the hardware signing step. Each approval is cryptographically authenticated and logged with the approver's identity and timestamp. No single operator — no matter their role — can unilaterally move assets.

Role-based access control is enforced via a JWT-based permissions system. Operators have defined roles (viewer, approver, signer, admin), and the system enforces these boundaries at every step of the transaction lifecycle. This is the same model used by institutional custodians in traditional finance — adapted for blockchain.

3. Compliance Pre-Check: The Innovation That Defines Knox

This is what separates Knox from every other custody product on the market — before or since.

When an operator submits a transfer request for an ERC-1404 security token, Knox does something no other cold storage system does: it calls the token contract's detectTransferRestriction(from, to, value) function on-chain before building the unsigned transaction. This function — defined in the ERC-1404 standard co-authored by Tokensoft — returns a numeric restriction code. If the code is non-zero, the transfer is not compliant. Knox blocks it at the custody layer immediately, surfaces the human-readable error message via messageForTransferRestriction(), and never builds a transaction at all.

The compliance check flow is as follows:

  1. Operator submits a transfer request (from address, to address, token quantity)
  2. Knox calls detectTransferRestriction(from, to, value) on the token contract via an Ethereum full node
  3. If restriction code ≠ 0: transfer is blocked. Human-readable error returned — e.g., "SENDER_NOT_WHITELISTED", "TOKENS_LOCKED", "RECEIVER_EXCEEDS_OWNERSHIP_LIMIT". No transaction is built.
  4. If restriction code = 0: unsigned transaction is constructed and delivered to the air-gapped Ledger device for signing
  5. Multi-sig approval threshold must be met before the signing request is presented to the hardware device
  6. Operator physically confirms on the Ledger device display; signed transaction is broadcast to the network

Every compliance query — whether the transfer was ultimately executed or not — is recorded to an immutable audit log containing the from address, to address, quantity, restriction code, error message, and timestamp. This is a compliance audit trail that operates at the custody layer, not just the blockchain layer.
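
The pre-check and audit trail described above can be modeled as follows. This is an added JavaScript example, not Knox source code and not from TokenSoft; it runs offline against a constructed mock token. Assumptions: all function and class names are hypothetical, the hash-chained log is one possible way to make the audit trail tamper-evident, and an unreachable node is treated as a blocked transfer.

```javascript
// Added example: every name below is hypothetical; this is not Knox source code.
const nodeCrypto = require("crypto");
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest("hex");
const GENESIS = "0".repeat(64);
// Constructed stand-in for an ERC-1404 contract reached through a full node.
function mockToken(restrictedSenders) {
  const messages = { 0: "SUCCESS", 1: "SENDER_NOT_WHITELISTED", 2: "TOKENS_LOCKED" };
  return {
    detectTransferRestriction: (from, to, value) => restrictedSenders[from] || 0,
    messageForTransferRestriction: (code) => messages[code],
  };
}

// Append-only log (assumed design): each entry commits to the previous hash.
class AuditLog {
  constructor() { this.entries = []; this.head = GENESIS; }
  append(record) {
    const body = { ...record, prev: this.head };
    this.head = sha256(JSON.stringify(body));
    this.entries.push(Object.freeze({ ...body, hash: this.head }));
  }
  verify() {
    let prev = GENESIS;
    return this.entries.every(({ hash, ...body }) => {
      const ok = body.prev === prev && sha256(JSON.stringify(body)) === hash;
      prev = hash;
      return ok;
    });
  }
}

// Steps 1-4: query the restriction first, log the query, build only on code 0.
function requestTransfer(token, log, { from, to, value }, timestamp) {
  let code, message;
  try {
    code = Number(token.detectTransferRestriction(from, to, value));
    message = token.messageForTransferRestriction(code);
  } catch (err) {
    code = -1; message = "ORACLE_UNAVAILABLE"; // assumption: fail closed
  }
  log.append({ from, to, value: String(value), code, message, timestamp });
  if (code !== 0) return { status: "BLOCKED", code, message, unsignedTx: null };
  const unsignedTx = { method: "transfer", args: [to, String(value)] }; // simplified, not ABI-encoded
  return { status: "UNSIGNED_BUILT", code, message, unsignedTx };
}

// Step 5: release to the signer only with enough distinct approvers.
const readyForSigner = (result, approvers, threshold) =>
  result.unsignedTx !== null && new Set(approvers).size >= threshold;
```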

The critical legal implication: attempting to initiate a restricted transfer — even one that ultimately fails on-chain — can create regulatory exposure. Knox eliminates that exposure by refusing to construct the transaction in the first place. Non-compliant transfers are architecturally impossible, not merely likely to fail.

What Knox Supports

Knox is token-agnostic at the asset layer, but compliance-native at the restriction layer. Supported token standards at launch include:

  • ERC-1404 — Tokensoft's own restricted token standard; full detectTransferRestriction and messageForTransferRestriction support
  • DS Protocol / DS-20 — Securitize's security token standard
  • ST-20 — Polymath's security token standard
  • R-Token — Harbor's regulated token standard
  • ERC-20 — Any standard fungible token
  • Bitcoin and Ethereum — Digital assets alongside digital securities

Knox also has full ABI support loaded for major institutional token deployments — including INX (the first SEC-registered security token IPO), SEBA Bank's security tokens, and Tokensoft's own Wrapped assets (wXRP, wFIL, wCELO). These token-specific integrations allow Knox to decode incoming transfer transactions into human-readable summaries for signers, not just raw hex.

The Five-Component Architecture

Under the hood, Knox is composed of five integrated components working in concert:

  • Offline Signing Application — Electron desktop app, air-gapped, Ledger integration via USB/HID. Signs transactions only after physical device confirmation. Private keys never in software.
  • GraphQL API Server — Manages wallet accounts, user authentication, transaction lifecycle state machine (PENDING → APPROVED → COMPLIANCE_CHECKED → UNSIGNED_BUILT → SIGNED → BROADCAST), multi-sig approval workflow, and the compliance oracle subsystem.
  • ETH Worker — Ethereum blockchain indexer and raw transaction builder. Constructs unsigned transactions from transfer parameters, monitors account balances and nonces, and handles gas estimation.
  • ERC-20 Worker — Token-specific monitoring layer. Maintains ABIs for all supported token standards. Decodes transfer events into human-readable log entries. Handles ERC-1404 restriction queries via the on-chain oracle.
  • Mobile Approval App — React Native application for authorized approvers. Receives push notifications for pending transaction approval requests, allows review and sign-off from mobile, and feeds approvals back into the multi-sig threshold workflow.

Why This Was a Missing Piece of Infrastructure

Mason Borda built his first institutional custody system at BitGo — Goldman Sachs-backed, the earliest Ethereum multisig custody platform in the industry. From that foundation, he saw clearly what the security token market was missing as it emerged in 2017–2018.

"We built Knox for our clients of all types who are launching asset-backed tokens and collectively are planning to place over $1 billion in digital securities onto the blockchain in 2019. As these assets arrive on the blockchain, there should be adequate solutions to secure them." — Mason Borda

The market agreed. Knox was described by CoinDesk at launch as "the first cold-storage multi-signature wallet designed specifically for security tokens." Borda called it "a key piece of infrastructure that the industry had ignored up until now." It wasn't hyperbole — no comparable product existed.

Gnosis Safe offered multi-sig but had no concept of ERC-1404 compliance. BitGo offered institutional custody but ran compliance checks as an off-chain policy layer, not as an on-chain oracle query before transaction construction. Ledger and Trezor were consumer hardware wallets with no concept of transfer restrictions. Fireblocks didn't exist yet. None of them would refuse to sign a non-compliant security token transfer — they simply couldn't know one was non-compliant until it failed on-chain.

Knox knew. And it refused to build the transaction at all.

The IP Foundation

Knox represents a patentable innovation with no prior art at the time of development and — as far as Tokensoft's research has identified — no comparable prior art since. A provisional patent application has been drafted covering the core method: a compliance-aware hardware-secured signing system and method for regulated blockchain security tokens, in which the on-chain transfer restriction function is queried before unsigned transaction construction, and non-compliant transfers are blocked at the custody layer with a human-readable restriction message returned to the operator.

The patent surface includes independent and dependent claims covering: the core pre-check method, multi-sig threshold requirements, air-gap communication channels (QR code and USB), ERC-1404-specific implementation, timelock/lockup enforcement, delegated external validator architecture, and full audit logging.

Any acquirer of Tokensoft's IP portfolio receives this technology stack in full: the source code (offline signing app, GraphQL API, ETH worker, ERC-20 worker, mobile app), the provisional patent filing, the institutional deployment history (INX, SEBA Bank, Wrapped assets), and the documentation accumulated across six years of production use managing hundreds of millions in security token custody.

Knox was the first custody solution built for digital securities — and it remains the most technically complete.