> Built to outlast adversaries.
Defense in depth — from the matching engine to the cold vault.
95% cold storage
The vast majority of customer funds are held in multi-sig cold wallets across geographically distributed vaults.
MPC custody
Hot wallet operations use threshold signatures (MPC) with hardware security modules and offline approval workflows.
Mandatory 2FA
Withdrawals require 2FA, an anti-phishing code, and a 24h whitelist cooldown for new addresses.
SOC 2 Type II
Independently audited annually. Reports available to institutional clients on request.
Bug bounty
Up to $250,000 per finding. Disclose responsibly to security@duckpot.exchange.
Insurance fund
$200M insurance fund covers smart-contract failures, market manipulation losses and exchange-side risk.
Disclosure program
We pay rewards for responsibly disclosed vulnerabilities. Critical findings (RCE, key compromise, fund-loss bugs) earn up to $250,000. Email security@duckpot.exchange with PGP-encrypted details.
