Security Infrastructure · Aster Chain

Security lab on Aster Chain.

Cryptographic security infrastructure for Web2 & Web3 — authentication protocols, proof engines, and on-chain verification.

7 invariants enforced
38+ vulnerabilities found
11 products shipped
Security Stack

Core infrastructure

Component | Description | Status
KairosAuth (Auth Protocol) | Private key never as raw bytes. Server never holds key material. Every login: a publicly verifiable on-chain proof. | Beta, sandbox.kairosauth.io
Kairos Shield (Crypto Immune System) | Self-evolving protection. AlgoRegistry monitors health scores, triggers cascade fallbacks, enforces rules on-chain. | Active, 50 tests passing
K-PPE (Proof Protocol Engine) | Cryptographic proof generation and verification. KA-HAP framework, 7 security layers. Powers KairosAuth. | Active, Phase 1/3
K-PPC (Proof Protocol Chain) | Dedicated proof chain on Aster — if K-PPE warrants it. Permissionless proofs for any EVM protocol at scale. | Concept, 2027+
Security Invariants

Seven rules that never break.

Hard constraints baked into every protocol. Not guidelines. Not best practices. Invariants — they hold or the system halts.

INV-1 Non-extractable keys
Private key material never exists as raw bytes in memory or storage. Keys are generated and used inside secure enclaves (WebAuthn, TPM, Secure Enclave).
INV-2 Zero server material
Server never holds, derives, or can reconstruct any key material. Authentication is verified, never stored.
INV-3 Email privacy
Email addresses are hashed before any on-chain reference. No plaintext PII touches the blockchain.
INV-4 2FA minimum
Every authentication requires at least two independent factors. No single-factor fallback exists in the protocol.
INV-5 Merkle anchoring
Every proof is anchored to an on-chain Merkle root. Tamper-evident by construction.
INV-6 Crypto agility
Algorithm registry allows hot-swap without protocol upgrade. If an algorithm is compromised, switch in one transaction.
INV-7 Emergency halt
Circuit breaker can freeze all operations in under 1 block. Full system pause, no partial states.
Security Research

We find what attackers see.

Offensive security research across the Aster ecosystem. Every finding comes with a working proof-of-concept.

P0 Unauthenticated MCP SSE Server — Full trade execution without auth. PoC developed.
P0 Fernet Keys Co-located with Data — Encryption keys stored alongside encrypted payload.
P1 Unverified Deposit Address — Address substitution attack vector in integration.
P0 Unsigned Trade Payloads — Trade parameters modifiable in transit. No HMAC.
P0 Session Token in URL Parameters — Auth tokens exposed in server logs, browser history.
Ecosystem

11 products, 4 verticals

Security
KairosAuth (Beta)
Kairos Shield (Active)
Kairos Invisible (Active)
K-PPE (Active)
K-PPC (Concept)
Analytics
Kairos Analytics (Live)
Kairos Floor (Paused)
Research
Kairos Audit (Active)
Kairos Radar (In Dev)
StatShield (Live)
Platforms
AsterScan (Live)
Aster Validators (Beta)
Kairos Engine (Beta)
Story

How we got here

Jan 2026
The spark
Discovered Aster Chain and saw its potential — but noticed the security tooling gap. Started auditing the ecosystem and building from scratch.
Feb 2026
K-PPE & KairosAuth
Built the Proof Protocol Engine from scratch. Device-native keys, zero server material, Merkle-anchored proofs. KairosAuth followed as the first consumer.
Mar 2026
Security branch
Pivoted from pure product to research. Found 38+ vulnerabilities across Aster ecosystem projects. Kairos Shield, the audit practice, and StatShield emerged.
Apr 2026
Today
11 products across 4 verticals. Security infrastructure that proves everything on-chain. Building toward K-PPC — a dedicated proof chain.
Roadmap

What comes next

Q1-Q2 2026 We are here
KairosAuth public beta on Base Sepolia
K-PPE Phase 2 — multi-chain anchoring
Shield AlgoRegistry v2
Aster ecosystem security audits
Q3-Q4 2026
KairosAuth mainnet launch
K-PPE Phase 3 — permissionless proofs
Kairos Radar public launch
First external audit partnerships
2027
K-PPC feasibility study
Cross-chain proof verification
Enterprise auth integrations
2028+
K-PPC launch (if warranted)
Proof-as-a-service infrastructure
Full ecosystem sovereignty
Get Audited

Request an audit.

We review Web2 & Web3 infrastructure with an attacker mindset. Every finding gets a working proof-of-concept. No fluff, no false positives.

2 audit slots currently open

Verify everything.