
# Security & Best Practices

### Platform Security

#### Cold Storage

* **95% of funds** stored in cold wallets (offline)
* Multi-signature wallets requiring 3-of-5 keys
* Geographic distribution of keys
* Regular security audits

#### Hot Wallet Protection

* Only 5% of funds in hot wallets for liquidity
* Real-time monitoring and anomaly detection
* Automatic withdrawal limits
* Instant freeze mechanisms

#### Infrastructure Security

* **Encryption:** AES-256 for data at rest, TLS 1.3 for data in transit
* **DDoS Protection:** Enterprise-grade mitigation
* **Penetration Testing:** Quarterly third-party audits
* **Bug Bounty Program:** Up to $100,000 rewards

### Account Security

#### Two-Factor Authentication (2FA)

**Strongly Recommended for All Users**

**Setting Up 2FA**

1. Go to **Settings → Security → Two-Factor Authentication**
2. Download an authenticator app:
   * Google Authenticator
   * Authy
   * Microsoft Authenticator
3. Scan QR code with your app
4. Enter 6-digit code to confirm
5. **Save backup codes** in a secure location

**2FA Best Practices**

✅ **DO:**

* Use authenticator apps (not SMS)
* Store backup codes offline
* Enable 2FA on email account
* Use different 2FA for each service

❌ **DON'T:**

* Use SMS-based 2FA (vulnerable to SIM swapping)
* Share 2FA codes with anyone
* Store backup codes digitally without encryption

#### Strong Passwords

**Requirements:**

* Minimum 12 characters
* Mix of uppercase, lowercase, numbers, symbols
* Unique to VEXAR (no reuse)

**Use a Password Manager:**

* 1Password
* Bitwarden
* LastPass
* KeePassXC

**Example Strong Password:**

```
Vx$9mK2#pL8@qR5n
```

#### Anti-Phishing Code

Set a custom code that appears in all genuine VEXAR emails.

**Setup:**

1. Settings → Security → Anti-Phishing Code
2. Enter a unique phrase (e.g., "BlueWhale2025")
3. Verify in all future emails from VEXAR

**Red Flag:** Email from "VEXAR" without your code = SCAM

### Withdrawal Security

#### Whitelist Addresses

Only allow withdrawals to pre-approved addresses.

**How to Enable:**

1. Settings → Security → Withdrawal Whitelist
2. Add trusted addresses
3. 24-hour waiting period before first use

**Benefits:**

* Protection against account compromise
* Peace of mind even if password is stolen

#### Withdrawal Confirmations

All withdrawals require:

* Email confirmation
* 2FA code
* Optional: SMS confirmation

**Processing Time:**

* Manual review for large withdrawals (>$50,000)
* 1-hour security hold for first-time addresses

### API Security

#### API Key Management

**Create Separate Keys for Each Purpose:**

* Read-only keys for monitoring
* Trade-only keys for bots (no withdrawal permission)
* Full access keys (use sparingly)

**Key Restrictions:**

* IP whitelist: Limit access to specific IPs
* Permission levels: Grant minimum required access
* Expiration dates: Set automatic key expiry

#### API Key Storage

✅ **DO:**

* Store in environment variables
* Use secrets management (AWS Secrets Manager, HashiCorp Vault)
* Encrypt keys at rest

❌ **DON'T:**

* Hardcode in source code
* Commit to GitHub
* Share via email/chat

**Example (Environment Variables):**

```bash
export VEXAR_API_KEY="your_key_here"
export VEXAR_API_SECRET="your_secret_here"
```

#### Rotating API Keys

Change API keys regularly:

* **Minimum:** Every 90 days
* **Best Practice:** Every 30 days
* **Immediately:** If potentially compromised
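
The storage and rotation guidance above, combined in one loader for a trading bot. This is an added example, not VEXAR's own code; `VEXAR_API_KEY_CREATED` (an ISO date recording when the key was issued) is a hypothetical variable introduced here, as are the function and status names.

```python
import os
from dataclasses import dataclass, field
from datetime import date

# Values that mean "never configured", including the placeholders from the export example.
PLACEHOLDERS = {"", "your_key_here", "your_secret_here"}
BEST_PRACTICE_DAYS = 30  # "Best Practice: Every 30 days"
MAX_AGE_DAYS = 90        # "Minimum: Every 90 days"


@dataclass(frozen=True)
class ApiCredentials:
    key: str
    secret: str = field(repr=False)  # keeps the secret out of logs and tracebacks
    created: date


def load_credentials(env=os.environ) -> ApiCredentials:
    """Read credentials from the environment and fail closed on anything unusable."""
    values = {}
    # VEXAR_API_KEY_CREATED is a hypothetical variable, not a documented VEXAR setting.
    for name in ("VEXAR_API_KEY", "VEXAR_API_SECRET", "VEXAR_API_KEY_CREATED"):
        value = env.get(name, "").strip()
        if value in PLACEHOLDERS:
            raise RuntimeError(f"{name} is unset or still a placeholder")
        values[name] = value
    created = date.fromisoformat(values["VEXAR_API_KEY_CREATED"])  # ValueError if malformed
    return ApiCredentials(values["VEXAR_API_KEY"], values["VEXAR_API_SECRET"], created)


def rotation_status(creds: ApiCredentials, today: date, compromised: bool = False) -> str:
    """Map key age onto the rotation schedule listed above."""
    if compromised:
        return "rotate-now"
    age_days = (today - creds.created).days
    if age_days >= MAX_AGE_DAYS:
        return "overdue"
    if age_days >= BEST_PRACTICE_DAYS:
        return "due"
    return "ok"


if __name__ == "__main__":
    creds = load_credentials()
    print(creds, rotation_status(creds, date.today()))
```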

### Common Threats

#### Phishing Attacks

**Warning Signs:**

* Emails asking for passwords/2FA codes
* Suspicious sender addresses (<vexar.support@gmail.com> ❌)
* Urgent language ("Account suspended! Act now!")
* Links to fake login pages

**Legitimate VEXAR Domains:**

* ✅ <https://vexatrade.com>
* ✅ app.vexatrade.com
* ✅ api.vexatrade.com
* ❌ vexar-trade.com (FAKE)
* ❌ vexar.net (FAKE)

**If Unsure:**

* Type <https://vexatrade.com> directly into browser
* Check SSL certificate
* Contact support through official channels
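
A link check built on the domain list above, for triaging links in a suspicious email. This is an added example, not VEXAR code; the function names are hypothetical and the sample links are constructed, with reserved `.example` names standing in for untrusted hosts.

```python
from urllib.parse import urlsplit

# Hosts this page lists as legitimate. Matching is exact, never by substring or suffix.
OFFICIAL_HOSTS = frozenset({"vexatrade.com", "app.vexatrade.com", "api.vexatrade.com"})


def is_official_vexar_url(url: str) -> bool:
    """Return True only for an https URL whose host is exactly an official host."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, with userinfo and port removed
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    if parts.username is not None or parts.password is not None:
        # "https://vexatrade.com@other.example/" really points at other.example
        return False
    if port not in (None, 443):
        return False
    # Exact membership also rejects suffix tricks and non-ASCII lookalike letters.
    return host in OFFICIAL_HOSTS


def suspicious_links(urls):
    """Return the links from an email body that should not be trusted."""
    return [u for u in urls if not is_official_vexar_url(u)]


# Constructed sample links; the first three are genuine forms, the rest are not.
SAMPLE_LINKS = [
    "https://vexatrade.com/login",
    "HTTPS://App.VexaTrade.com/markets",
    "https://api.vexatrade.com:443/v1/time",
    "http://vexatrade.com/login",
    "https://vexar-trade.com/login",
    "https://vexar.net/verify",
    "https://vexatrade.com.login.example/",
    "https://vexatrade.com@login.example/",
]

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LINKS):
        print("do not trust:", link)
```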

#### Social Engineering

**Common Tactics:**

* Impersonating VEXAR support
* Fake "account verification" calls
* "Investment opportunities" from "VEXAR partners"
* Tech support scams

**Remember:**

* VEXAR will NEVER ask for your password
* VEXAR will NEVER ask for 2FA codes
* VEXAR will NEVER ask you to send crypto for "verification"

#### Malware & Keyloggers

**Protection:**

* Keep operating system updated
* Use reputable antivirus software
* Don't download suspicious files
* Avoid trading on public Wi-Fi
* Use hardware wallets for long-term storage

#### SIM Swapping

Attackers hijack your phone number to bypass SMS 2FA.

**Prevention:**

* Use authenticator apps (not SMS)
* Set up carrier PIN/password
* Use Google Voice or similar for account recovery

### Insurance & Protection

#### VEXAR Insurance Fund

* $50 million reserve fund
* Covers platform failures (not user error)
* Annual third-party audits

#### What's Covered

✅ **Covered:**

* Exchange security breaches
* Hot wallet compromises
* Platform technical failures

❌ **NOT Covered:**

* User account compromises (weak password, phishing)
* API key leaks
* User trading losses
* External wallet hacks

### Reporting Security Issues

#### Found a Vulnerability?

Email: <security@vexatrade.com>

**Include:**

* Description of vulnerability
* Steps to reproduce
* Potential impact
* Your contact information

**Bug Bounty Rewards:**

* Critical: $10,000 - $100,000
* High: $5,000 - $10,000
* Medium: $1,000 - $5,000
* Low: $100 - $1,000

#### Compromised Account?

**Immediate Actions:**

1. Change password from a secure device
2. Enable/reset 2FA
3. Revoke all API keys
4. Check recent activity and withdrawals
5. Contact support: <support@vexatrade.com>

### Compliance

#### KYC (Know Your Customer)

**Required for:**

* Withdrawals over $2,000/day
* Fiat deposits/withdrawals
* Advanced trading features

**Documents Needed:**

* Government-issued ID
* Proof of address (utility bill, bank statement)
* Selfie with ID

#### AML (Anti-Money Laundering)

VEXAR complies with international AML regulations:

* Transaction monitoring
* Suspicious activity reporting
* Source of funds verification for large deposits

#### Jurisdictions

VEXAR is not available in:

* United States
* North Korea
* Iran
* Syria
* Cuba
* Crimea

### Best Practices Checklist

* [ ] Enable 2FA with authenticator app
* [ ] Set strong, unique password
* [ ] Configure anti-phishing code
* [ ] Enable withdrawal whitelist
* [ ] Set up IP whitelist for API keys
* [ ] Store API keys securely
* [ ] Complete KYC verification
* [ ] Review account activity regularly
* [ ] Bookmark official VEXAR URLs
* [ ] Use hardware wallet for long-term storage

**Stay Safe and Trade Wisely!**

