We have taken a defense-in-depth approach to software design
with security in mind. This means that it is possible
to lock everything down to a very high degree, so that if an attacker
gets through one layer of defense there are still more
before they can reach any funds.
There are four main components:
the frontend, the database, the wallet actor and the individual
wallets (bitcoind, litecoind). The frontend does not have direct access
to the wallets. Only the wallet actor does. The wallet actor periodically
looks at the database and processes deposits and withdrawals. In the event
of an attacker compromising the frontend, we (or whoever is hosting the exchange)
will have the opportunity to
detect them and prevent them from stealing any coins. The frontend
has very few permissions on the database, only the ability to run predefined
"safe" functions, which further limits what an attacker can do.
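The database side of that split, as an added illustration that is not the project's own schema: in PostgreSQL the frontend's login role gets no table privileges at all, only EXECUTE on a single `SECURITY DEFINER` function that debits a balance and queues a withdrawal, while the wallet actor's role is the only one allowed to read the queue and mark rows as sent. All role, table, column and function names here (`frontend_app`, `wallet_actor`, `balances`, `withdrawals`, `request_withdrawal`) are assumptions chosen for the example.

```sql
-- Added example (not the project's own schema). Role, table and function
-- names are assumptions; the passwords are placeholders.

-- Two login roles: the web frontend and the wallet actor. Neither owns the
-- schema, so neither can alter it. Run the rest of this file as the owner.
CREATE ROLE frontend_app LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE wallet_actor LOGIN PASSWORD 'placeholder-change-me';

CREATE TABLE balances (
    user_id   integer NOT NULL,
    currency  text    NOT NULL,
    available numeric(20, 8) NOT NULL DEFAULT 0 CHECK (available >= 0),
    PRIMARY KEY (user_id, currency)
);

CREATE TABLE withdrawals (
    id         bigserial PRIMARY KEY,
    user_id    integer NOT NULL,
    currency   text    NOT NULL,
    address    text    NOT NULL,
    amount     numeric(20, 8) NOT NULL CHECK (amount > 0),
    status     text    NOT NULL DEFAULT 'pending'
               CHECK (status IN ('pending', 'sent', 'failed')),
    txid       text,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Default deny: strip the schema-level rights PUBLIC gets out of the box,
-- then hand back only USAGE. Neither role is granted anything on the tables.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO frontend_app, wallet_actor;

-- The one "safe" function the frontend may call. SECURITY DEFINER makes it
-- run with the owner's privileges, so the frontend never touches the tables
-- directly; the debit and the queue insert happen in one transaction.
CREATE OR REPLACE FUNCTION request_withdrawal(
    p_user_id integer, p_currency text, p_address text, p_amount numeric)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp   -- pin the path; standard for SECURITY DEFINER
AS $$
DECLARE
    v_id bigint;
BEGIN
    IF p_amount <= 0 THEN
        RAISE EXCEPTION 'amount must be positive';
    END IF;
    -- The conditional UPDATE locks the balance row, so two concurrent
    -- requests cannot both pass the available >= amount check.
    UPDATE balances
       SET available = available - p_amount
     WHERE user_id = p_user_id
       AND currency = p_currency
       AND available >= p_amount;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'insufficient balance';
    END IF;
    INSERT INTO withdrawals (user_id, currency, address, amount)
    VALUES (p_user_id, p_currency, p_address, p_amount)
    RETURNING id INTO v_id;
    RETURN v_id;
END;
$$;

-- New functions are executable by PUBLIC by default; lock that down and
-- grant EXECUTE to the frontend role only.
REVOKE ALL ON FUNCTION request_withdrawal(integer, text, text, numeric) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION request_withdrawal(integer, text, text, numeric) TO frontend_app;

-- The wallet actor is the only role that can read the queue, and it may
-- update nothing but the status and txid columns (no amounts, no addresses).
GRANT SELECT ON withdrawals TO wallet_actor;
GRANT UPDATE (status, txid) ON withdrawals TO wallet_actor;

-- What the wallet actor's periodic pass looks like from the database side
-- (run as wallet_actor; the txid comes back from the coin daemon):
--   SELECT id, address, amount FROM withdrawals
--    WHERE status = 'pending' AND currency = 'BTC'
--    FOR UPDATE SKIP LOCKED;
--   UPDATE withdrawals SET status = 'sent', txid = $1 WHERE id = $2;
```

With this layout a compromised frontend can do no more than call `request_withdrawal`, which is bounded by the caller's own balance and still leaves the row sitting at `pending` until the separately credentialed wallet actor picks it up; that gap is where the operator's chance to notice and halt payouts lives. Checking the grants afterwards with `\dp withdrawals` and `\df+ request_withdrawal` in psql confirms that `frontend_app` appears nowhere in the table ACLs.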
Our release includes automatic wallet backups and transfers to cold storage, as well as a strong
password policy, two-factor authentication, and email confirmations with PGP encryption.