VA - Security Basics

Virtual Accounts simplify and speed up asset management via an off-chain ledger trading engine.

The Virtual Account ledger communicates with the blockchain when assets are deposited or withdrawn from, or to, a blockchain address you may not control (PrivateKey holder).

While Tatum conducts regular code and infrastructure audits, Tatum users are also strongly encouraged to conduct due diligence and ensure that their blockchain operations follow best practices to secure their assets.


For deposits and withdrawals, it is strongly recommended to verify effective on-chain assets liquidity as well as the legitimacy of the operation.

UTXO-based chains (like Bitcoin)

Verifying transactions

  1. Depending on the use case, wait for a few blocks from the tip (optional)
    • Account for chain reorg issues, usually 3-6 blocks from the tip
  2. Fetch transaction by hash independently
    • Ideally from 3rd provider’s node, to eliminate chain split or any other possible node issues
  3. Parse the outputs of a transaction:
    1. All UTXO-based transactions consume inputs and produce outputs
    2. Find the output(s) related to the recipient's address
    3. Verify that the output is directly related only to the recipient's address (not multi-sig address e.g.)
  4. Check the output is not spent (verify it is UTXO - unspent tx output)

HOT <-> COLD Wallet Schema

  1. UTXO-based chain Virtual Accounts, all based on one XPUB
  2. All virtual accounts on this XPUB - consider them as a HOT wallet
  3. Define logically one specific Virtual Account on the same XPUB as the Account for HOT<->COLD assets movement
  4. Let's name said Virtual Account as "Cold in-out" Account
  5. To move assets from HOT to COLD wallet:
    1. External User deposits to a Deposit Address (Virtual Account)
    2. You manage ledger transactions to move assets from the user's Virtual Account deposit address to the defined "Cold in-out" Account
    3. Having balance on "Cold in-out" account - you can move assets using withdrawal to COLD storage
    4. COLD storage - depending on the specific use case, usually via a physical ledger wallet (sometimes even without internet access, just offline signing) or with an address outside of any other system, with limited access. There should be enough balance allocated between usability and safety.
  6. To move assets from COLD to HOT wallet - all operations should be in reverse order
    1. Deposit back from COLD wallet itself to "Cold in-out" Account
    2. Ledger transaction from "Cold in-out" Account to the user's Account
    3. Withdrawal from the User's account

Exchange or Application Security Suggestions

  • Database and Keys Protection
  • Access Protection
  • Injection Prevention
  • Cross-Site Scripting Protection
  • DDoS Protection
  • Man in the Middle Protection
  • SQL Injection Protection
  • Creation of Monitoring and Alerting Strategies
  • Creation of Reporting Systems for system activity
  • Enable 2FA for users
  • Encryption of user data using public/private keys
  • Data policy
  • Hardware and Software Firewalls
  • Ensure Backup systems
  • External security audit

User DataBase Security Suggestions

  • Stores User signup information
  • Stores Country and additional information for Risk & Compliance
  • Stores User Deposit Addresses
  • Stores User Transaction history
  • Stores User Balance information


  1. Tatum does not store PrivateKeys and or Mnemonics.
  2. The steps outlined in this article are general suggestions based on best practices. Additional security measures and verifications may apply depending on a specific Use Case or User's country legal entity.
  3. Ensuring on-chain asset liquidity is the responsibility of the user.
  4. For Mainnet and/or a Production Environment, it is recommended to use KMS.