The Digital Asset Risk & Compliance Standard
A purpose-built opsec standard with a continuous monitoring platform to keep you protected. When your GitHub, cloud, or multisig drifts, you know instantly. When a new attack vector emerges, your controls update automatically.
One standard, one platform, keeping you compliant in real time.
The Threat Landscape · 2024 to 2026
The Solution
DARC combines two approaches: a standard that defines what operational security looks like for digital asset teams, and a platform that keeps you measured against it every day. The standard sets the bar. The platform makes sure you stay above it.
Continuous monitoring
DARC is not a one-time check. Through the platform, your code repository, cloud infra, DNS, multisig wallets, and more are monitored every day. Continuous by default, wherever possible.
Always-current controls
When the threat landscape shifts, controls are added or updated for every subscriber. We see incidents across the industry firsthand. That intelligence becomes a control update before most teams have even heard of the attack.
Subscription-based · monitored daily · updated as threats evolve
For the Team
Every DARC plan includes an employee portal. Security travels down to every team member, with their own controls and scope-specific training.
Onboarding a new employee? Get them to your security baseline from day one — controls assigned, training queued, contracts ready to sign.
Each team member sees their own controls and exactly what's expected of them. No more buried, stagnant security policies that nobody reads.
Modules on the most common crypto-native attack vectors: recruiting scams, wallet drainers, clipboard swaps, fake meeting links.
Ready-to-sign templates drafted to satisfy DARC controls: NDAs, security policies, acceptable use, and key holder agreements.
Forged in Practice
The Security Alliance
SEAL is one of the leading security organizations in digital assets. Their emergency response team has protected billions in on-chain assets and responded to many of the industry's largest security incidents.
Every control in the DARC framework was written and reviewed by Wonderland and SEAL practitioners with hands-on incident experience.
Audit Domains
Named security owner, plain-language policy, asset inventory, secure onboarding & offboarding, NDAs, social engineering awareness.
Risk register, data classification, security metrics, regulatory awareness, threat intelligence, domain-specific ownership, change management.
Keys encrypted at rest, tested backup recovery, 2FA on all key systems, no two keys on same device, written Key Compromise Protocol.
Formal key lifecycle docs, geographic backup distribution, rotation schedules, tamper-evident storage, background checks, spend verification.
Multisig on all fund wallets, hardware wallets required, independent signer verification per transaction, no single-entity threshold control.
Risk classification, signer training & assessment, transaction simulation, emergency playbooks, monitoring, 12-hour quorum reachability.
MFA everywhere (no SMS), password manager, full-disk encryption, auto-lock, 24-hour offboarding, no shared credentials.
Hardware security keys for critical accounts, least privilege, quarterly access reviews, phishing simulations, malware protection, MDM.
Branch protection, signed commits, automated secret scanning, dependency pinning, no production credentials in dev environments.
Multi-party code review, SAST in CI/CD, isolated dev environments, dedicated secrets management, staging before production.
One external audit before mainnet, all critical findings resolved, verified deployed bytecode matches audited source, privileged functions documented.
Two+ audits for core contracts, timelocks on privileged ops, pause mechanism, bug bounty, re-audit triggers, remediation tracking.
Named incident owner, emergency contact list, written response plan (contain, scope, notify), incident channel known to all.
IR team with defined roles, per-scenario playbooks, 24/7 monitoring with paging, tamper-evident logs, post-incident reviews.
Multisig treasury wallets, company funds segregated from user funds, test transactions, basic spend approval policies.
Custody model documented, risk classification per wallet, fund allocation limits, video-call verification for large transfers, monitoring.
Monitor all treasury/multisig wallets, alerts on large transfers & signer changes, named alert reviewer with defined cadence.
Smart contract monitoring, credential leak monitoring, DeFi attack pattern detection, severity-based escalation, on-call schedule.
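As an added illustration of the wallet-monitoring controls above (this is example code written for this page, not DARC platform code), the script below evaluates a small set of constructed multisig events against a per-wallet policy and raises alerts for large transfers and signer-set changes. The event shape, the wallet names, the addresses, and the dollar limits are all assumptions; a real feed would come from an indexer or the wallet contract's event log.

```python
"""Alert rules for treasury / multisig wallet events, run over constructed sample data."""
from dataclasses import dataclass

# Constructed sample events in the shape a wallet-monitoring feed might emit.
# Addresses, amounts and block numbers are placeholders, not real on-chain data.
SAMPLE_EVENTS = [
    {"block": 100, "wallet": "treasury-main", "type": "transfer", "to": "0xC1", "amount_usd": 12_500.0},
    {"block": 101, "wallet": "treasury-main", "type": "transfer", "to": "0xC2", "amount_usd": 780_000.0},
    {"block": 102, "wallet": "treasury-main", "type": "owner_added", "owner": "0xD9"},
    {"block": 103, "wallet": "treasury-main", "type": "threshold_changed", "old": 3, "new": 1},
    {"block": 104, "wallet": "ops-hot", "type": "transfer", "to": "0xC3", "amount_usd": 4_000.0},
]


@dataclass
class WalletPolicy:
    large_transfer_usd: float   # transfers at or above this value page the reviewer
    expected_signers: set       # documented signer set for this wallet
    min_threshold: int          # lowest acceptable M in M-of-N


# Assumed policy values; in practice these come from the wallet risk classification.
POLICIES = {
    "treasury-main": WalletPolicy(100_000.0, {"0xA1", "0xA2", "0xA3", "0xA4"}, 3),
    "ops-hot": WalletPolicy(25_000.0, {"0xB1", "0xB2", "0xB3"}, 2),
}


@dataclass
class Alert:
    severity: str
    wallet: str
    block: int
    reason: str


def evaluate(events, policies):
    """Return one Alert per event that violates the wallet's policy, in event order."""
    alerts = []
    for ev in events:
        policy = policies.get(ev["wallet"])
        if policy is None:
            # A wallet the inventory does not know about is itself a finding.
            alerts.append(Alert("high", ev["wallet"], ev["block"], "event from wallet not in inventory"))
            continue
        kind = ev["type"]
        if kind == "transfer":
            if ev["amount_usd"] >= policy.large_transfer_usd:
                alerts.append(Alert("high", ev["wallet"], ev["block"],
                                    f"transfer of ${ev['amount_usd']:,.0f} to {ev['to']} "
                                    f"at or above limit ${policy.large_transfer_usd:,.0f}"))
        elif kind in ("owner_added", "owner_removed"):
            # Every signer change alerts; an unknown signer being added is escalated.
            unexpected = kind == "owner_added" and ev["owner"] not in policy.expected_signers
            alerts.append(Alert("critical" if unexpected else "high", ev["wallet"], ev["block"],
                                f"{kind}: {ev['owner']}" + (" (not in documented signer set)" if unexpected else "")))
        elif kind == "threshold_changed":
            weakened = ev["new"] < policy.min_threshold
            alerts.append(Alert("critical" if weakened else "high", ev["wallet"], ev["block"],
                                f"threshold changed {ev['old']} -> {ev['new']}"
                                + (f" (below minimum {policy.min_threshold})" if weakened else "")))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, POLICIES):
        print(f"[{a.severity.upper()}] {a.wallet} @ block {a.block}: {a.reason}")
```

The rule set is deliberately stateless so it can run per event as they arrive; the "named alert reviewer with defined cadence" control is then a matter of routing the returned alerts to a paging channel and recording who acknowledged them.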
Inventory of critical dependencies, official sources only, version pinning with lockfiles, automated vulnerability scanning in CI/CD.
Vendor risk assessments, oracle architecture documented, RPC redundancy (2+ providers), SBOM, frontend build integrity verification.
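The dependency-pinning controls in both the development and supply-chain rows above ("dependency pinning", "version pinning with lockfiles") can be checked mechanically. The added example below (written for this page, not part of DARC) scans a constructed requirements.txt and a constructed package.json and reports every dependency whose version is not pinned exactly. The manifest contents, package names and the hash value are placeholders.

```python
"""Flag dependencies that are not pinned to an exact version, over constructed manifests."""
import json
import re

# Constructed requirements.txt; the hash digest is a placeholder, not a real package hash.
SAMPLE_REQUIREMENTS = """\
# requirements.txt (constructed sample)
web3==6.15.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.31
cryptography
pyyaml~=6.0
"""

# Constructed package.json; version strings are placeholders.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"ethers": "^6.11.0", "viem": "2.7.6"},
    "devDependencies": {"hardhat": "~2.20.0", "typescript": "5.3.3"},
})

_PY_REQ = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)(.*)$")
_NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")  # exact semver, optional prerelease


def unpinned_python(req_text):
    """Return (name, problem) for each requirement line that is not '==' pinned with a hash."""
    issues = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("-"):          # skip pip options such as -r / --index-url
            continue
        name_spec = line.split()[0]                   # separate the requirement from --hash options
        match = _PY_REQ.match(name_spec)
        name, spec = match.group(1), match.group(2)
        if not spec.startswith("=="):
            issues.append((name, spec or "(no version)"))
        elif "--hash=" not in line:
            issues.append((name, "pinned without --hash"))
    return issues


def unpinned_npm(package_json_text):
    """Return (section, name, spec) for every npm dependency that is a range rather than an exact version."""
    manifest = json.loads(package_json_text)
    issues = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not _NPM_EXACT.match(spec):
                issues.append((section, name, spec))
    return issues


if __name__ == "__main__":
    for name, problem in unpinned_python(SAMPLE_REQUIREMENTS):
        print(f"requirements.txt: {name}: {problem}")
    for section, name, spec in unpinned_npm(SAMPLE_PACKAGE_JSON):
        print(f"package.json[{section}]: {name}: {spec!r} is a range")
```

A range in the manifest is only part of the picture: the lockfile (package-lock.json, requirements with hashes) is what actually fixes the resolved version, so a CI step would run this check alongside a check that the lockfile is committed and installed with `npm ci` or `pip install --require-hashes`.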
Domain inventory, MFA on all registrars, auto-renewal, SPF/DKIM/DMARC configured, TLS certificate expiration tracking.
DNSSEC, CAA records, registry locks, CT log monitoring, CSP headers, SRI for externally-loaded scripts on signing pages.
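To show what a daily check of the SPF/DMARC/CAA controls above looks like, here is an added example (written for this page, not DARC platform code) that evaluates the records of a constructed zone. The domain name, the TXT values and the CAA entries are assumptions embedded inline so the script runs offline; in a live check they would come from a DNS resolver.

```python
"""Posture checks for SPF, DMARC and CAA records, run over a constructed zone."""
import re

# Constructed records in the shape a resolver returns them. "example.test" is a placeholder domain.
SAMPLE_ZONE = {
    "example.test": {
        "TXT": ["v=spf1 include:_spf.mailprovider.test -all"],
        "CAA": [(0, "issue", "letsencrypt.org")],
    },
    "_dmarc.example.test": {
        "TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    },
}


def check_spf(txt_records):
    """Findings for the SPF record: must exist exactly once and end in a hard fail."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records (receivers treat this as a permanent error)"]
    terms = spf[0].split()
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("SPF: '+all' authorises every sender")
    elif "-all" not in terms:
        findings.append("SPF: no '-all' terminal; spoofed mail only soft-fails or passes")
    return findings


def check_dmarc(txt_records):
    """Findings for the _dmarc record: policy must enforce and aggregate reports must be collected."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    tags = {}
    for item in re.split(r";\s*", dmarc[0]):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} does not enforce")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; spoofing attempts will not be reported")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def check_caa(caa_records):
    """Findings for CAA: at least one issue/issuewild record, plus an iodef contact for violations."""
    if not caa_records:
        return ["CAA: no records; any public CA may issue certificates for this name"]
    tags = {tag for _, tag, _ in caa_records}
    findings = []
    if not tags & {"issue", "issuewild"}:
        findings.append("CAA: no issue/issuewild record; CA restriction is not in effect")
    if "iodef" not in tags:
        findings.append("CAA: no iodef contact; CAs have nowhere to report rejected issuance requests")
    return findings


def assess(zone, domain):
    """Run all three checks for `domain` and return the combined list of findings."""
    apex = zone.get(domain, {})
    dmarc_node = zone.get(f"_dmarc.{domain}", {})
    return (check_spf(apex.get("TXT", []))
            + check_dmarc(dmarc_node.get("TXT", []))
            + check_caa(apex.get("CAA", [])))


if __name__ == "__main__":
    for finding in assess(SAMPLE_ZONE, "example.test"):
        print(finding)
```

For the constructed zone the SPF record passes, DMARC is flagged because p=none only monitors, and CAA is flagged for the missing iodef contact. Wiring the same functions to live lookups and diffing today's findings against yesterday's is what turns this into the "drift" alert the platform section describes.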
Hardware wallets in locked storage, clear desk policy, visitor policy for signing areas, verified hardware supply chain.
Physical access control with logging, cameras in secure areas, environmental protections, designated key ceremony areas.
Certification Tiers