We have a comprehensive threat model that addresses all possible attack vectors, including technological, human, and counterparty, and it is continuously evolving. Moreover, we run continuous security testing and a bug bounty program and have threat intelligence feeds for proactive mitigation.
Xena Exchange funds are stored in multisig cold wallets, and the keys are geographically distributed in secure locations with no exposure to any networks.
The minimum possible amount of funds is stored in hot wallets. The keys are spread on the cloud in encrypted containers detached from specific servers or physical locations.
Products and infrastructure
All sensitive operations, such as deposits and withdrawals, are protected by cryptographical multifactor verification
Internal networks are segregated from the web, both physically and by firewalls
All external communications are routed via demilitarized zones
All external endpoints are protected from DDoS attacks and web threats by Cloudflare
White-hat hackers run penetration tests on each software release to ensure it contains no vulnerabilities
Two-factor authentication and activity-monitoring services are used to detect unusual user activity
User passwords and API keys are encrypted with a modern asymmetrical algorithm (Argon2) that makes decryption impossible
An automatic fraud-monitoring platform is used to decrease the risk of users’ accounts being taken over
Trading operations are analyzed to detect and prevent market manipulation and other toxic activity by malicious users
Wash trades are prohibited to prevent market manipulation
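The password and API-key item above relies on a memory-hard password hash: what is stored is a one-way verifier with a random salt, so a database leak yields nothing that can be reversed into the original secret. The following added example (not Xena Exchange's code) shows that storage and verification pattern. Argon2 is not in the Python standard library, so the example substitutes hashlib.scrypt, which is also memory-hard; the cost parameters, the `ApiKeyStore` class and the record format are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed cost parameters: 2**14 * 8 * 128 bytes = 16 MiB of memory per hash.
# Argon2 is the page's algorithm; scrypt stands in because it ships with Python.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DK_LEN = 32


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way verifier for a password or API secret.

    The record carries the parameters and the random salt so the verifier can
    recompute the hash later; nothing in it can be reversed to recover the secret.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_secret(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, dk_hex = stored.split("$")
        if algo != "scrypt":
            return False
        dk = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    return hmac.compare_digest(dk.hex(), dk_hex)


class ApiKeyStore:
    """Hypothetical key store: keeps only hashed API secrets (constructed for the demo)."""

    def __init__(self) -> None:
        self._keys: Dict[str, str] = {}

    def issue(self) -> Tuple[str, str]:
        """Return (key_id, secret). The secret is shown once and never stored as plaintext."""
        key_id = os.urandom(8).hex()
        secret = os.urandom(32).hex()
        self._keys[key_id] = hash_secret(secret)
        return key_id, secret

    def authenticate(self, key_id: str, secret: str) -> bool:
        stored = self._keys.get(key_id)
        if stored is None:
            hash_secret(secret)  # burn the same time for unknown ids (no timing oracle)
            return False
        return verify_secret(stored, secret)


if __name__ == "__main__":
    record = hash_secret("example-password-only")  # constructed sample
    print(record)
    print("correct password verifies:", verify_secret(record, "example-password-only"))
    print("wrong password verifies:  ", verify_secret(record, "example-password-onlx"))
```

The salt makes two users with the same password store different records, and `hmac.compare_digest` keeps the comparison time independent of how many leading bytes match.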
To learn more about the security measures Xena Exchange implements, read the article "Security is the cornerstone of our business approach".
Secure your account
Use strong, unique passwords
The current OWASP recommendations include:
A password length of at least 10 characters
Using different cases, special characters, numbers, etc.
Using long pass-phrases consisting of several random dictionary words
Choosing a unique password you don’t use on any other website
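As an added example (not part of the original page), the checker below turns the four OWASP points above into code: length of at least 10, mixed character classes or a multi-word passphrase, and uniqueness against a caller-supplied set of passwords already used elsewhere. It also computes the entropy of the two recommended strategies so the reader can see why a few random dictionary words compete with a shorter mixed-character password. The passphrase threshold of four words and the word-list size of 7776 (the usual diceware list) are constructed assumptions.

```python
import math
import string
from typing import Dict, Iterable, Set

MIN_LENGTH = 10            # OWASP minimum quoted above
MIN_PASSPHRASE_WORDS = 4   # constructed threshold for "several random dictionary words"

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes(pw: str) -> Set[str]:
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in pw)}


def check_password_policy(pw: str, used_elsewhere: Iterable[str] = ()) -> Dict[str, bool]:
    """Evaluate pw against the OWASP points; 'ok' is the combined verdict.

    Uniqueness across other websites cannot be verified locally, so the caller
    passes whatever set of previously used passwords it knows about.
    """
    words = pw.split()
    is_passphrase = len(words) >= MIN_PASSPHRASE_WORDS and all(w.isalpha() for w in words)
    result = {
        "long_enough": len(pw) >= MIN_LENGTH,
        "mixed_classes": len(character_classes(pw)) >= 3,
        "passphrase": is_passphrase,
        "unique": pw not in set(used_elsewhere),
    }
    result["ok"] = (result["long_enough"] and result["unique"]
                    and (result["mixed_classes"] or result["passphrase"]))
    return result


def entropy_bits_random_chars(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(num_words: int, dictionary_size: int) -> float:
    """Entropy of `num_words` words drawn uniformly from a list of `dictionary_size`."""
    return num_words * math.log2(dictionary_size)


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "correct horse battery staple", "short1!"):  # constructed
        print(sample, check_password_policy(sample))
    print("10 random printable chars:", round(entropy_bits_random_chars(10, 94), 1), "bits")
    print("4 random diceware words:  ", round(entropy_bits_passphrase(4, 7776), 1), "bits")
```

The entropy figures assume the characters or words are chosen at random; a memorable phrase picked by a person carries far less, which is why the recommendation says random dictionary words.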
Enable Google Authenticator 2FA
Two-factor authentication (2FA) is a method of verifying a user’s identity by asking for two independent pieces of proof. On Xena Exchange, 2FA is implemented with the Google Authenticator application. To perform any sensitive operation, such as a withdrawal, a hacker would have to know your login and password to log in to the platform and initiate the operation and have access to the unique six-digit code that is randomly generated by an application installed on your smartphone and that is valid for only one minute.
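The six-digit code described above is a time-based one-time password (TOTP, RFC 6238): the app and the server share a secret, and both derive the current code from that secret and the current time step, so a code is useless after its interval passes and cannot be produced without the shared secret. The following added example (not Xena Exchange's or Google's code) implements the generator and a server-side verifier; it uses the RFC default 30-second step and SHA-1, and the replay check via `last_counter` and the base32 helper are assumptions about how a server would use it.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code (RFC 6238 default)
DIGITS = 6       # code length shown by the authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, code: str, at_time: float, step: int = TIME_STEP,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Accepts the current step and +/- `window` steps for clock drift.

    Returns the accepted counter, or None. Any counter at or below `last_counter`
    (the last one this account already used) is refused, so a code captured by
    someone else cannot be replayed within its validity interval.
    """
    counter = int(at_time // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 text (the QR code payload)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding stripped for display
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); not a real account secret.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    code = totp(demo_secret, now)
    print("current code:", code)
    print("verifies now:", verify_totp(demo_secret, code, now) is not None)
    print("verifies one hour later:", verify_totp(demo_secret, code, now + 3600) is not None)
```

The drift window is the trade-off the operator tunes: a larger window tolerates a phone whose clock is off, at the cost of extending how long a single code is accepted.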
Configure 2FA by going to the Security Settings page in your account on Xena Exchange. To configure 2FA:
Click the "Disabled" warning on "Two-factor authentication for sensitive operations"
Follow the instructions
IMPORTANT: Please write down the code as suggested by the instructions and keep the hard copy in a secure location. It will be required if you lose your smartphone and need to recover access to your account.
There are two independent processes used with 2FA:
Sensitive operations (withdrawals, trusted addresses, password changes, and account recovery)
Both of these functions use the same 2FA setup, so once you configure your Google Authenticator for one of the functions, you can use the same code for the other.
Never share passwords or 2FA codes
Never disclose the password of your account or 2FA codes to anyone, including those claiming to be Xena Exchange support. Our support team will never ask for your password.