Securing the Ledger: Hybrid Off-Chain Policy Guards vs. Modular Bugs
By Security Team · May 24, 2026 · 6 min read
The risk of pure on-chain modularity
Modern smart-contract wallets are designed to be modular. That flexibility lets developers add features like spending limits and time-locks — but it also expands the attack surface. If a single module contains a signature-verification flaw, an attacker can bypass the wallet's main security controls and drain its assets.
Furlpay's hybrid guard architecture
To protect user assets from contract exploits, Furlpay implements a Hybrid Guard System that combines on-chain smart wallets with an off-chain security engine:
[ User Action ] ──> [ Policy Guard ] ──(verified?)──> Yes ──> [ HSM co-signs ] ──> [ Safe executes ]
└──────────────────> No ──> [ Blocked ]Every transaction requires a 2-of-2 signature:
- Signature 1: generated by the user's local passkey (client-side).
- Signature 2: generated by Furlpay's HSM backend (server-side).
Before the HSM co-signs, it runs real-time security checks:
- Velocity limits — does this transaction exceed the user's typical patterns?
- Address screening — is the destination linked to high-risk wallets (via the Chainalysis API)?
- Sanctions checks — does the transaction comply with global regulatory guidelines?
If an attacker exploits a bug in a smart-contract module, they still can't drain your wallet — they lack the HSM's co-signature. This hybrid approach gives you the security of self-custody alongside the active protection of a traditional bank.