
Fund Security: Multi-Layer Verification, Whitelist & 2FA

How layered account-level controls (2FA, whitelist) work alongside platform-level safeguards (Proof of Reserves, cold wallets, audited infrastructure) to keep your assets safe.

Academy · MC Markets
2026-06-18

Introduction

Fund security on a trading platform has two sides, and most users think about only one of them. There's the side the platform protects: segregating user assets, holding most of them offline, publishing on-chain Proof of Reserves so anyone can verify them. And there's the side you control: enabling two-factor authentication, whitelisting your withdrawal addresses, layering authentication on top of authentication.

Strong protection requires both. This guide walks through every layer the platform builds for you, every layer you should build for yourself, and how the two work together so that no single point of failure — on the platform's side or yours — can put your funds at risk.

1. Platform-Side: Proof of Reserves (PoR)

Proof of Reserves (PoR) is the platform's commitment that every user's deposit is backed 1:1 by real on-chain assets, fully verifiable by anyone. The implementation uses Merkle tree technology, deployed on the Arbitrum network.

Proof of Reserves (PoR) uses Merkle tree technology and is deployed on Arbitrum. MC Markets publicly discloses its on-chain reserve data, maintaining a reserve ratio of 100% or above at all times to ensure full coverage of user assets. Users can view the latest reserve ratio, total user asset value, and total platform reserve value on the Proof of Reserves page.

The PoR page (linked from the top navigation) displays two key numbers:

  • Total Reserves — the assets the platform actually holds.
  • User Assets — the total assets owed to users.

The reserve ratio is maintained at 100% or above, with snapshots updated periodically. As long as Total Reserves ≥ User Assets, the platform can honor every withdrawal request, on demand.

The critical property of this design: you don't have to trust the platform's claim — you can verify it yourself.

How to Verify Your Own Balance

  1. Log in and go to the Proof of Reserves page.
  2. Enter your wallet address — check that the on-chain amount matches your platform balance.
  3. If you registered with email or Google, your platform-assigned address is listed on the Deposit page.
  4. The core contract addresses are published directly on the PoR page. Copy them into Arbiscan to verify on-chain.

If your displayed balance matches the on-chain record, you've independently confirmed your funds are there. No "trust me bro" — just public, auditable data.
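What "Merkle-tree-based" buys a user can be shown with a Merkle sum tree, one common Proof of Reserves construction. This is an added example, not MC Markets' code: the page does not publish its leaf format, so the leaf encoding, the SHA-256 hash, the account names and all figures below are assumptions.

```python
import hashlib

def leaf(account: str, balance: int):
    """Leaf = (hash, balance). The encoding is an assumption of this example."""
    return hashlib.sha256(f"leaf|{account}|{balance}".encode()).digest(), balance

def parent(left, right):
    """A parent commits to both child hashes and both child sums."""
    data = b"node|" + b"".join(h + s.to_bytes(16, "big") for h, s in (left, right))
    return hashlib.sha256(data).digest(), left[1] + right[1]

def build(leaves):
    """All tree levels, bottom-up; odd levels get a zero-balance padding node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        if len(levels[-1]) % 2:
            levels[-1].append(leaf("pad", 0))
        cur = levels[-1]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling path for one leaf: [(sibling_node, sibling_is_left), ...]."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index //= 2
    return path

def verify(account, balance, path, root):
    """Rebuild the root from the user's own leaf and the published siblings."""
    if balance < 0 or any(sib[1] < 0 for sib, _ in path):
        return False  # a negative sum would hide liabilities
    node = leaf(account, balance)
    for sib, sib_is_left in path:
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root

# Constructed sample data: account ids and balances in smallest units.
BOOK = [("alice", 1500), ("bob", 250), ("carol", 9000), ("dave", 40), ("erin", 710)]
LEVELS = build([leaf(a, b) for a, b in BOOK])
ROOT = LEVELS[-1][0]            # (root hash, total user assets)
TOTAL_RESERVES = 12000          # constructed figure standing in for the on-chain total

if __name__ == "__main__":
    print("total user assets:", ROOT[1], "ratio:", TOTAL_RESERVES / ROOT[1])
    print("carol included:", verify("carol", 9000, prove(LEVELS, 2), ROOT))
    print("carol with wrong balance:", verify("carol", 8000, prove(LEVELS, 2), ROOT))
```

Because every parent commits to its children's sums, the root fixes the User Assets total, and a user who recomputes the root from their own balance knows that balance was counted in it.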

2. Platform-Side: Cold Wallet & Multi-Signature

A second protective layer sits behind PoR: how those reserves are actually stored.

The platform follows a strict cold/hot wallet separation:

  • The majority of user assets are held in offline cold wallets (refer to the official security page for the latest details), disconnected from any internet-facing system and immune to remote-attack vectors.
  • Only the funds needed for daily operational liquidity (e.g. processing pending withdrawals) are held in hot wallets.

Cold and Hot Wallet Segregation: The majority of user assets are stored in offline cold wallets. Only funds needed for daily operations remain in hot wallets. Cold wallets are secured with multi-signature authorization, requiring multiple approvals for any movement.

On top of the cold/hot split, cold wallets use multi-signature authorization: any movement of funds requires approval from multiple authorized parties. There is no single key, no single person, and no single compromised credential that can move significant user funds.

This is the same architecture institutional custodians and the largest exchanges in the industry use, and it exists precisely because the historical failures in this industry have almost all involved a single point of compromise on the custody side.

3. Platform-Side: Audited Infrastructure

The platform isn't built on proprietary, opaque internals. It's constructed on independently audited public blockchain protocols:

  • Arbitrum — the Layer 2 network where reserves and contracts live, and where every transaction is publicly recorded.
  • Chainlink — for decentralized price oracles, providing reliable market data without single-source manipulation risk.
  • Pyth — for high-frequency price feeds optimized for derivatives applications.

Two consequences worth knowing:

  • User assets and operational funds are stored at separate on-chain addresses, both independently verifiable through Proof of Reserves.
  • Funds can be withdrawn at any time, subject to standard processing — you are not custodially "locked in," and reserve status is verifiable by anyone using public on-chain data.

This combination — audited blockchain infrastructure, segregated addresses, on-demand withdrawals, public verifiability — is what separates a transparent platform from one where you simply have to take their word for it.

4. User-Side: Multi-Layer Authentication

The platform's protections only work as well as your account-level security. Even the strongest custody architecture can't help a user whose login credentials have been phished. This is where the user-side layers — 2FA, the withdrawal whitelist, and the broader multi-layer authentication model — come in.

Two-Factor Authentication (2FA)

2FA requires a second proof of identity beyond your password — typically a time-based code generated by an authenticator app (Google Authenticator, Authy, etc.). Even if someone obtains your password through phishing, malware, or a leaked database elsewhere, they still cannot log in without the rotating code on your physical device.

Enable 2FA the moment you create your account. This single action eliminates the most common category of account compromise.

Withdrawal Whitelist

The withdrawal whitelist is a list of pre-approved addresses that you've explicitly authorized to receive withdrawals from your account. Once enabled, the platform will refuse to send funds to any address not on that list — no matter who's logged in.

Why this matters: if an attacker somehow gains full access to your account, they still cannot move your funds to their own address — only to addresses you've already whitelisted. The whitelist is the last line of defense in account security.

Adding a new address to the whitelist usually requires a delayed confirmation (e.g. via email) so that even the act of adding malicious addresses is itself protected.

Multi-Layer: Stacking Independent Defenses

The principle behind "multi-layer" security is that no single defense should be able to fail catastrophically. Each layer is designed to stop a different kind of attack:

  • Password — protects against casual unauthorized access.
  • 2FA — protects against password compromise.
  • Withdrawal whitelist — protects against full account compromise.
  • Email confirmations on sensitive actions — protects against session hijacking.
  • Anti-phishing codes (when offered) — help you verify that an "official" email is actually from the platform.

You don't pick one. You enable all of them. The goal is for any single attack vector to fail safely — because the next layer catches it.
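How the layers fail independently can be seen in a small model of a withdrawal check. This is an added example, not the platform's implementation: the `Account` class, the 24-hour activation delay, the one-step clock tolerance and the sample addresses are assumptions, and it starts from the point where the password layer has already been passed.

```python
import hashlib, hmac, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code over HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:
    ACTIVATION_DELAY = 24 * 3600  # assumed delay; the page gives no figure

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.whitelist = {}   # address -> earliest time it may receive funds
        self.pending = set()  # addresses awaiting out-of-band confirmation

    def request_add(self, address: str) -> None:
        self.pending.add(address)

    def confirm_add(self, address: str, now: int, email_confirmed: bool) -> bool:
        """Email confirmation starts the delay; it never skips it."""
        if not email_confirmed or address not in self.pending:
            return False
        self.pending.discard(address)
        self.whitelist[address] = now + self.ACTIVATION_DELAY
        return True

    def authorize_withdrawal(self, address: str, code: str, now: int) -> str:
        """Layers are checked independently; report the first one that refuses."""
        valid = [totp(self.totp_secret, now + d * 30) for d in (-1, 0, 1)]
        if not any(hmac.compare_digest(code.encode(), v.encode()) for v in valid):
            return "denied: 2FA"
        if address not in self.whitelist:
            return "denied: not whitelisted"
        if now < self.whitelist[address]:
            return "denied: address in delay"
        return "approved"

if __name__ == "__main__":
    acct = Account(b"constructed-secret")         # constructed sample values
    acct.request_add("0xOWNER"); acct.confirm_add("0xOWNER", 0, True)
    t = 200_000
    print(acct.authorize_withdrawal("0xOWNER", totp(b"constructed-secret", t), t))
    print(acct.authorize_withdrawal("0xATTACKER", totp(b"constructed-secret", t), t))
```

The second call presents a valid code and is still refused, which is the case the whitelist exists for: a session that has passed 2FA can only pay out to addresses that cleared confirmation and the delay earlier.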

5. The Full Picture: Two Sides Working Together

Putting it all together, here's the model:

  • The platform protects against systemic risk — keeping reserves backed, segregating user from operational funds, holding the majority offline, publishing verifiable proof.
  • You protect against account-level risk — securing your login, controlling withdrawal destinations, layering verifications on sensitive actions.

Either side alone is incomplete. The strongest custody in the world can't protect a user whose credentials are stolen; the most disciplined personal security can't protect against a platform that mismanages reserves. Both layers, working together, are what fund security actually looks like.

6. Your Practical Checklist

A short, blunt list of things to do — most of them once, then forget:

  • Enable 2FA today if you haven't. Use an authenticator app, not SMS.
  • Set up a withdrawal whitelist with the address(es) you actually use. Adding new addresses later takes a few minutes; preventing fraudulent withdrawals is worth those minutes.
  • Verify your reserves once (using the steps in section 1) so you've done it at least one time and know how. Repeat occasionally for peace of mind.
  • Confirm sensitive actions through email when prompted. Don't dismiss the prompt to save 5 seconds.
  • Use a unique, strong password for this account — not one shared with any other service.

Anti-Fraud Statement: MC Markets will never DM you requesting a transfer, password, private key, seed phrase, or 2FA code. We will never ask you to send funds to a 'security address.' All official communications are sent only through our public channels. If you receive a suspicious message, ignore it and report it immediately.

Is my money safe? Yes. All reserves are held on Arbitrum and backed 1:1 through Proof of Reserves, which can be independently verified by users. Your funds are fully separated from the platform's operational funds.

7. Quick Recap

The four ideas worth keeping:

  • Proof of Reserves is on-chain, Merkle-tree-based, and deployed on Arbitrum. The reserve ratio sits at 100% or above, and you can verify your own balance independently using Arbiscan.
  • Cold wallet + multi-signature keeps the majority of user funds offline, with any movement requiring multi-party approval. No single key can move user funds.
  • The platform is built on audited public infrastructure — Arbitrum, Chainlink, Pyth. User assets and operational funds are kept at separate, verifiable on-chain addresses.
  • Account-level security is your responsibility — enable 2FA, set up a withdrawal whitelist, and treat email confirmations on sensitive actions as a feature, not a nuisance. Multi-layer security only works when every layer is on.

Risk Disclosure

The fund-security architecture and verification mechanisms described here reflect the platform's current implementation and may be updated; always check the official Security & Audits page for the most current details. While the platform implements industry-standard custody and verification protections, no security system is absolute. Account-level security ultimately depends on the user's own credentials and configuration. Trade only with capital you can afford to lose.
