We have a comprehensive threat model that addresses all possible attack vectors, including technological, human, and counterparty, and it is continuously evolving. Moreover, we run continuous security testing and a bug bounty program and have threat intelligence feeds for proactive mitigation.

Fund storage

  • Xena Exchange funds are stored in multisig cold wallets, and the keys are geographically distributed in secure locations with no exposure to any networks.

  • The minimum possible amount of funds is stored in hot wallets. The keys are spread on the cloud in encrypted containers detached from specific servers or physical locations.

Products and infrastructure

  • All sensitive operations, such as deposits and withdrawals, are protected by cryptographical multifactor verification 

  • Internal networks are segregated from the web, both physically and by firewalls

  • All external communications are routed via demilitarized zones

  • All external endpoints are protected from DDoSs and web threats by Cloudflare

  • White hackers run penetration tests of each software release to ensure no vulnerabilities in the software

User side

  • Two-factor authentication and services are used to detect unusual user activities

  • User passwords and API keys are encrypted with a modern asymmetrical algorithm (Argon2) that makes decryption impossible

  • An automatic fraud-monitoring platform is used to decrease the risk of users’ accounts being taken over

  • Trading operations are analyzed to detect and prevent market manipulation and other toxic activity by malicious users

  • Wash trades are prohibited to prevent market manipulation


To learn more about the security measures Xena Exchange implements, read the article Security is the cornerstone of our business approach.


Secure your account

Use strong, unique passwords

The current OWASP recommendations include:

  • A password length of at least 10 characters

  • Using different cases, special characters, numbers, etc.

  • Using long pass-phrases consisting of several random dictionary words

  • Choosing a unique password you don’t use on any other website

Enable Google Authenticator 2FA

Two-factor authentication (2FA) is a method of verifying a user’s identity by asking for two independent pieces of proof. On Xena Exchange, 2FA is implemented with the Google Authenticator application. To perform any sensitive operation, such as a withdrawal, a hacker would have to know your login and password to log in to the platform and initiate the operation and have access to the unique six-digit code that is randomly generated by an application installed on your smartphone and that is valid for only one minute.

Configure 2FA by going to the Security Settings page in your account on Xena Exchange. To configure 2FA:

  1. Install the Google Authenticator application (Android or iOS)

  2. Click the "Disabled" warning on "Two-factor authentication for sensitive operations”

  3. Follow the instructions

IMPORTANT: Please write down the code as suggested by the instructions and keep the hard copy in a secure location. It will be required if you lose your smartphone and need to recover access to your account.

There are two independent processes used with 2FA:

  • Sensitive operations (withdrawals, trusted addresses, password changes, and account recovery)

  • Logging in

Both of these functions use the same 2FA setup, so once you configure your Google Authenticator for one of the functions, you can use the same code for the other.

Never share passwords or 2FA codes

Never disclose the password of your account or 2FA codes to anyone, including those claiming to be Xena Exchange support. Our support team will never ask for your password.