Any financial service business has to have a policy covering customer asset security, but there is no business where this is more critical than the cryptocurrency industry. A decision needs to be made that balances security against the convenience of quick access to cash. The truth that most cryptocurrency companies don’t publicise is that the act of making a system more convenient will by definition make it less secure and, conversely, the techniques needed to make a system very secure mean that processing cash transactions through that system will be slower.
This document addresses the reasons behind the decision Panxora management has made concerning fund security and what this means in practice to Panxora traders.
In the cryptocurrency industry it is a fairly standard practice to hold client funds in hot wallets or Smart Contracts. This makes the withdrawal process pretty quick and has set that expectation in the minds of traders. A trader’s withdrawal request will trigger the release of funds to their designated wallet. This is very convenient and very quick to process … but what about security?
Hot wallets, by definition, store the private keys needed to sign a transaction in a system connected to the Internet. If those keys are exposed at any time, permanent access to the wallet is established. An attacker does not have to remove the funds immediately: once the hot wallet is compromised and the private keys copied, the funds can be withdrawn at will – slowly, so that it escapes notice, or in one massive purge. Both have happened in the past 24 months.
This is evidenced by the continuous news articles about the number of compromised exchanges – see the Washington Post piece: Why Bitcoin Exchanges Keep Getting Hacked and How to Protect Yourself.
The answer, some argue, is a smart contract that holds funds. In this case, the smart contract interacts directly with the trader allowing them to deposit and withdraw their funds at their convenience. This is the approach being adopted by many decentralised exchanges.
Just like a hot wallet, this is only as good as the developers that write the code. If there is any flaw in the smart contract code (and there have been a growing number of compromised smart contracts in their short period of use), the funds can be accessed and stolen – client funds lost because of over-confident developers playing with other people’s money. (See A short history of smart contract hacks…)
How is Panxora Different?
At Panxora we take a slightly traditional approach to asset management. Unlike the cryptocurrency industry standard, we believe client capital should be secured offline. Where standard cryptocurrency exchanges keep private keys online, all the private keys needed to access Panxora client wallets are retained in an air-locked vault – this is a small network of servers that have never touched and will never touch the Internet.
When a customer sends money to their unique wallet address, those funds are immediately secure. Wallets can receive deposits, but because the private keys have never been on a system connected to the Internet there is no way for an outsider to make a withdrawal.
How the Withdrawal Process Works
When a trader makes a withdrawal, it must first be authorised by the trader using two-factor authentication.
When the authorisation has been completed, the withdrawal request is handed over to the Operations team. The online system that the Operations team has access to hosts read-only copies of the addresses used by traders and internal systems. The team creates transactions in an unsigned form under the authority of a Senior Operations Staff member.
The unsigned transactions are then transferred to another physical location where they are reviewed by a member of the Risk Team. Any transactions that are over the Standard Review Threshold will be passed to the Customer Relationship Manager who will contact the customer and confirm that the transaction is valid. Only when confirmation is provided will the withdrawal of these large amounts be actioned. The Standard Review Threshold is not fixed and changes based on the volatility and relative price of cryptocurrency to fiat.
All approved withdrawals are then moved by a Risk Officer from the online system onto the air-locked vault. The vault is enabled by a senior staff member and transactions are signed by the system in the vault – at no point do staff have access to the private keys.
Finally, the Risk Officer transfers the signed transactions back to the online system where they undergo a final review before being published onto the respective blockchains.
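The control flow of the steps above, modelled as an added example (this is not Panxora's code): each role approves a digest of the exact unsigned transaction, the vault refuses to sign anything lacking a current approval from every required role, and the final review rejects a signed payload that differs from what was approved. The role names, the threshold value and the use of HMAC as a stand-in for a real blockchain signature are assumptions made so the example runs with the Python standard library.

```python
import hashlib, hmac, json

REVIEW_THRESHOLD = 5.0  # constructed value; the page says the real threshold varies
BASE_ROLES = {"trader_2fa", "senior_ops", "risk_review"}  # assumed role names

def digest(tx):
    """Canonical SHA-256 over the unsigned transaction fields."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def required_roles(tx):
    """Large withdrawals additionally need the customer's confirmation."""
    extra = {"customer_confirmed"} if tx["amount"] > REVIEW_THRESHOLD else set()
    return BASE_ROLES | extra

class Request:
    def __init__(self, tx):
        self.tx = tx          # unsigned transaction built on the online system
        self.approvals = {}   # role -> digest of exactly what that role approved

    def approve(self, role):
        self.approvals[role] = digest(self.tx)

def fully_approved(tx, approvals):
    d = digest(tx)
    return all(approvals.get(role) == d for role in required_roles(tx))

class Vault:
    """Offline signer: the key exists only here and is never returned."""
    def __init__(self, key):
        self._key = key

    def sign(self, req):
        if not fully_approved(req.tx, req.approvals):
            raise PermissionError("missing or stale approval; refusing to sign")
        # HMAC stands in for the chain's real signature scheme (assumption).
        sig = hmac.new(self._key, digest(req.tx).encode(), hashlib.sha256).hexdigest()
        return {"tx": dict(req.tx), "sig": sig}

def final_review(signed, req):
    """Online check before broadcast: the signed payload is what was approved."""
    return fully_approved(signed["tx"], req.approvals)

if __name__ == "__main__":
    req = Request({"to": "addr-constructed-1", "amount": 1.5, "asset": "BTC"})
    for role in BASE_ROLES:
        req.approve(role)
    signed = Vault(b"constructed-demo-key").sign(req)
    print("final review passes:", final_review(signed, req))
    signed["tx"]["to"] = "addr-constructed-2"   # altered in transit
    print("after tampering:", final_review(signed, req))
```

Because approvals bind to a digest rather than to a request ID, editing any field after review invalidates every earlier approval and the request has to be reviewed again.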
Does this process take more time than withdrawals that are automatically authorised online? The answer is yes. If a trader is dissatisfied with the Panxora withdrawal process they can make a conscious choice that the Panxora Exchange is not a good fit for them. But we find that most traders appreciate the level of care taken of their capital and they take the expected process delay into account when they need to execute a cash withdrawal.
Even using the Panxora procedure we process 90% of all transactions within 6 hours and 98% within 24 hours.