Customer Safety and Security is Our Priority.

We use the latest technologies to keep your funds safe, and stay ahead of vulnerabilities and exploitation attempts.

Trading safely

Steer clear of social engineering and phishing

We never initiate contact with you to request information about your account. You should avoid responding to unsolicited direct messages and emails. Always be vigilant. If you think a scammer has messaged you, ask in the Liquid Telegram channel.

Keep private info to yourself

Always keep your account login details private. Do not share your password or private keys. Reach out to our customer support if you need help in logging in.

Be careful when performing transactions

Always be careful when transferring money or tokens. Liquid will never ask for your information to perform a transaction on your behalf.

Exercise basic web safety rules

Our website is protected with SSL/TLS to provide an additional layer of security and data integrity. We test our website for vulnerabilities on a daily basis. Please check that you are visiting https://www.liquid.com.

Email spoofing is commonly used by scammers to make it look like phishing attempts are coming from a trustworthy source. You should only be receiving emails from [email protected], [email protected] and [email protected]. Always exercise caution and pay close attention to email domains to avoid interacting with suspicious senders, especially any asking for your private information.

Use 2-factor authentication

All Liquid users are required to set up 2-factor authentication to access the platform. We strongly recommend Google Authenticator and that you do not deactivate your 2FA.

We are here to help

Always exercise caution with emails or accounts that may look suspicious. If you ever need help with your account or want to get in touch, our Liquid Customer Support Champions are available 24/7 to assist via https://help.liquid.com.

Asset protection

We are customer-centric and we keep your information safe. At Liquid, we do our due diligence to ensure that our accounts are verified and to detect malicious attempts early, preventing illegal trading activity on our platform.

Cold wallet

Liquid uses 100% cold storage for all customer assets. We utilize hardware security modules (HSMs) that have achieved a rating of FIPS PUB 140-2 Level 3 or higher. All cold private keys are generated, stored and managed by the HSM for the lifetime of the keys.

KYC/AML

We have robust verification policies on Liquid. Users must provide official ID documents and proof of address to fully access our exchange.

Fund management

Our customers can only trade from pre-funded accounts. We also use multisignature technology (multisig) for transferring funds out of cold storage. Multisig is a type of address where the private key is divided into multiple parts, requiring multiple private keys for transactions and eliminating single points of failure. All fund transfers require coordination from multiple employees.

Liquid exchange

We utilize a 24/7 Security Operations Center to employ the latest techniques and tools to stop attacks before they reach our website.

DDoS countermeasures

For DDoS countermeasures, we use unmetered DDoS mitigation to maintain performance and availability of Liquid.

Liquid has four stages of mitigating a DDoS attack:

Detection - We distinguish an attack from a high volume of normal traffic using IP reputation, common attack patterns, and previous data to assist in proper detection of a distributed attack.

Response - We respond to an incoming identified threat by intelligently dropping malicious bot traffic and absorbing the rest of the traffic.

Routing - By intelligently routing traffic, we will break the remaining traffic into manageable chunks, preventing denial-of-service.

Adaptation - We constantly analyze traffic for patterns such as repeating offending IP blocks, attacks coming from certain countries, or specific protocols being used improperly.

Web application firewall

As a countermeasure against unauthorized intrusion, data falsification and vulnerabilities, we use a Web Application Firewall (WAF). Our security engineers constantly monitor the Internet for new vulnerabilities. When we find threats, we automatically apply WAF rules to protect our Internet properties.

DNS security

We have also implemented DNS Security to prevent hijacking or spoofing of customer communications. This further secures the traffic from our servers to the customers’ browser and email inbox.

Penetration testing

We conduct precautionary security measures such as regular risk analyses and application vulnerability assessments to ensure data protection. In addition, we conduct annual penetration testing from a highly reputable pentesting firm, Cobalt Strike.

We stay updated on security measures and constantly look to improve our security.

Internal protection

All of our company computers have endpoint protection mechanisms and reside behind enterprise firewalls. We are up to date on all software, constantly monitoring for threats and utilizing a least-privilege, role-based access approach for all connectivity.

Access rights procedures

We conduct periodic reviews of access rights to detect and eliminate unnecessary account access. All staff have to undergo stringent request procedures to determine the source or purpose of the access. This adds an additional layer of internal control to protect data integrity of the exchange.

API key security

We utilise the Hawk authentication protocol, which implements hash-based message authentication code (HMAC) signing based on the API key provided, thereby enhancing our security.

Server security

To prevent unauthorized requests to our internal network, our servers are protected with multiple security mechanisms to ensure a safe trading environment at Liquid.

Backups and monitoring

Liquid uses snapshots and off-hours backups for datastores to shielded instances within our cloud provider.

Our applications produce full audit logging for all activity, and this information is analyzed via our SIEM and our SOC while being archived separately from our datastore.

All internal and customer actions produce a full audit trail, are reviewed 24/7 and have successfully passed regulatory audit.

Incident response

We implement a protocol for handling security events and product issues, which includes escalation procedures, quick remediation and post-mortems of incidents. All employees are dutifully notified before we inform our customers via our communication channels such as Twitter and Telegram.

Security questions?

If you think you may have found a security vulnerability, please get in touch with our security team at [email protected].

Learn more about Liquid by reading our Terms of Use and Privacy Policy.