Last week, we detected suspicious trade activity related to third-party services used by clients to access Liquid via API. These activities resulted in a very small number of unauthorized trades being made whereby one crypto asset was sold for another at a price well outside the current market range. We believe these were related to vulnerabilities at third-party services where customers stored their API keys.
We detected this malicious activity very quickly and immediately froze withdrawals as a precautionary measure while we investigated and identified the anomalies. Suspicious accounts were banned. We are reaching out to any impacted users directly.
We pride ourselves on our unwavering commitment to customer security. However, we cannot control what happens outside of our exchange platform.
As a precaution, we strongly advise Liquid customers to:
- Whitelist IP addresses for API access on Liquid. Instructions can be found here: https://help.liquid.com/connect-to-liquid-via-api/how-to-whitelist-ip-addresses
- Never share API keys that have write permission enabled with third parties.
- Never keep API keys anywhere they could potentially be viewed or stolen. API keys cannot be used to withdraw directly from your account, but if shared with third parties, can cause trade losses on your account.