// Security

> Built to outlast adversaries.

Defense in depth — from the matching engine to the cold vault.

95% cold storage

The vast majority of customer funds are held in multi-sig cold wallets across geographically distributed vaults.

MPC custody

Hot wallet operations use threshold signatures (MPC) with hardware security modules and offline approval workflows.

Mandatory 2FA

Withdrawals require 2FA, an anti-phishing code, and a 24h whitelist cooldown for newly added addresses.

SOC 2 Type II

Independently audited annually. Reports available to institutional clients on request.

Bug bounty

Up to $250,000 per finding. Disclose responsibly to security@duckpot.exchange.

Insurance fund

$200M insurance fund covers smart-contract failures, market manipulation losses and exchange-side risk.

Disclosure program

We pay rewards for responsibly disclosed vulnerabilities. Critical findings (RCE, key compromise, fund-loss bugs) earn up to $250,000. Email security@duckpot.exchange with PGP-encrypted details.