Security at GXT Exchange

98%+ of customer assets are held in air-gapped, geographically distributed multi-signature cold wallets. Hot wallets are limited to operational liquidity and protected by HSM-backed key shards and withdrawal velocity controls.

GXT Exchange publishes a monthly Proof of Reserves report using Merkle-tree attestations, allowing every user to cryptographically verify that their balance is fully backed 1:1 by on-chain reserves.

A $300M reserve fund is set aside in stablecoins and BTC to compensate users in the rare event of an extreme security or operational incident outside their control.

Mandatory password complexity, optional anti-phishing code, device whitelisting, withdrawal address whitelists, 24-hour withdrawal lockout on new devices, and TOTP/passkey 2FA across login, withdrawal, API and password change.

WAF, DDoS protection, secure SDLC, code review, third-party penetration tests every quarter, continuous red-teaming, SOC 2 Type II controls and 24/7 SOC monitoring.

We run a public bug-bounty programme with rewards up to $1,000,000 for critical findings. Submit reports to security@gxtexchange.com.

Please do not publicly disclose vulnerabilities before we have remediated them. We commit to acknowledge reports within 24 hours and triage within 72 hours.