Published in


The serverless ⚡️ architecture powering blockimmo

The security and robustness of our platform is essential as it enables us to ensure a safe and secure environment for our customers. We’re one of the first regulatory compliant blockchain powered platforms issuing asset-backed tokens — this comes with great responsibility towards the security and robustness of our systems.

- Bastiaan Don, Founder and Managing Director of blockimmo

Security and quality are everybody's responsibility at blockimmo, and any solution that doesn’t require these is likely unnecessary in the first place, or follows from a suboptimal spec (this goes along with one of our core principles — minimalism).

Now we’re engaging Hosho to conduct a penetration test of our ÐApp, ensuring we are ready to launch 🚀. This post serves as the accompanying technical documentation for Hosho to conduct a thorough grey-box pen-test of the blockimmo platform. It describes the architecture, components, and design of our backend, cloud infrastructure, and frontend.

From our first conversation with blockimmo, it was apparent that they take security seriously and are concerned not only about protecting themselves, but their investors and members of their community. This was reinforced throughout our interactions as blockimmo remained highly responsive on even the smallest of issues as they arose. They took quick action to remediate security concerns and plan on maintaining strong security with Hosho’s assistance.

- Yo Sub Kwon, Co-founder and CEO of Hosho

Completely serverless

Going serverless was one of the key design decisions made early on as we determined it would lead to the most minimal, simple solution by offloading responsibility onto our cloud provider (AWS) and building on the reliability and robustness of fully-managed cloud services.


Guests are able to freely browse our ÐApp without logging in. To actually invest or submit a property for-sale, logging in is required. We partner with Civic and uPort for secure login and registration without the need for usernames or passwords. Each of our users is uniquely identified by blockimmo via their Civic and/or uPort identity.


Each of our users is assigned a federated identity in our Cognito identity pool the first time they are authenticated (guests that haven’t logged in are granted an unauthenticated identity). Identities are used to generate temporary credentials with specific Permissions attached to them. As our ÐApp is completely serverless, most code runs client-side in the user’s browser. These temporary credentials provide this client-side code fine-grained, least-privileged access control to specific resources/services in our backend.


We define two separate Identity and Access Management (IAM) Roles, one mapped to unauthenticated identities and another to authenticated identities. These roles are attached to the temporary credentials generated with a given identity, and enable interaction with specific resources/services in our backend. Unauthenticated users are granted read-only permission to certain resources/services, enabling them to browse our platform freely as a guest. Authenticated users are granted additional permissions (ie an authenticated user is able to read notifications directed towards themselves, and modify the description of a property listed for-sale by themselves). These roles/permissions strictly enforce least-privileged access control.


All persistent data is stored in dynamodb tables and s3 buckets. Small records with low latency access requirements are stored in dynamodb tables, which automatically scale their read/write capacity based on traffic. Large objects are stored in s3, and often referenced by dynamodb. Dynamodb has significant benefits over a traditional (SQL) database for our use-case (ie it’s fully managed, serverless, and an extremely simple key-value store which perfectly fits our needs).


Our legal framework requires the completion of certain KYC (know your customer) and AML (anti money laundering) checks before users may invest according to Swiss (and international) laws and regulations. We partner with the Swiss identity verification platform Intrum (IDnow) to ensure the best possible service for our users.


All user data is stored in a Users dynamodb table. The only resource with permission to access this table is the Kyc lambda function, which mutates user data upon a user completing KYC/AML. The Authentication lambda function has permission to query a single attribute in this Users table, enabling it to determine a given user’s level of completed KYC/AML at login.


Information about properties for-sale on the blockimmo platform is stored in a Listings dynamodb table. This table is read-only for all users, whether authenticated or unauthenticated. The seller of a property has additional permissions to mutate certain attributes of a listing. This is enforced in the resolver of the GraphQL API (ie TokenSaleAddress may only be mutated by blockimmo, but the description of a property may be mutated by the seller).


0x is used to allow investors to freely sell/buy tokens of property for Ether. A order book is maintained that contains all offers and allows buyers to browse these offers and complete trades.


Real-time notifications are provided for our users with Apollo GraphQL / AWS AppSync subscriptions. The visibility of these notifications is tied to the user’s underlying Cognito identity, so that users only have read access to their own notifications (ie notifications are directed towards property sellers, and are triggered when users purchase shares of a propety).


The services/resources in our backend generate thorough, structured logs to provide tracing capabilities and visibility. Every resource is granted permission to interact with other resources on a least-privileged basis. Logs is an IAM role that grants these services permission to generate these logs. We utilize AWS CloudTrail for improved visibility into these logs.


All data is backed-up in an s3 bucket incase it is required in the future for any reason. Any time data changes, a snapshot of it is delivered to the s3 bucket via a Firehose stream.


Static files and assets are stored in an s3 bucket, and served via a cloudfront content delivery network (CDN). The s3 bucket where these files live is accessible only by this specific CDN, and any other request to it will fail with a 403 Forbidden error. The use of a CDN to serve content has many benefits, including securely deliver data with low latency and high transfer speeds globally. Cloudfront also integrates seamlessly with other services we utilize, like AWS shield for managed DDOS protection, and our web application firewall (WAF) described in the next section.


A bad bot 🤖… but we ❤️ good bots (SEO)


We watch various metrics /services and have CloudWatch alarms configured to email and text the appropriate people at blockimmo via SNS. This is critical for fast response times to certain events.


Each service is deployed by a blockimmo admin with serverless deploy -v. The admin must have the proper IAM role to complete this process. Keeping these admin credentials secure is blockimmo’s responsibility which we take extremely seriously.

Penetration test findings



Facilitating an accessible, streamlined real-estate market

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store