← XORA

How Xora protects deposits

Xora is a custodial XRP neobank. Funds sit in a segregated XRPL treasury wallet, deposits are mapped by destination tag, and the protocol publishes treasury balances for on-chain verification at any time. Multisig migration is on the custody roadmap.

Custody architecture

User deposits land at a single XRPL treasury address with a per-user destination tag. The treasury is segregated from app infrastructure and reconciled daily against the internal user ledger so owed balances can be checked against on-chain funds.

Outbound movement is controlled through restricted operational flows, rate limits, health checks, and panic-mode circuit breakers. A 3-of-5 XRPL multisig migration is on the roadmap and should not be treated as live custody until the signer list is published on-chain.

On-chain verifiability

Because XRPL is a transparent ledger, every deposit, withdrawal, and treasury balance is publicly queryable. You can verify the sum of all user-owed balances against the treasury balance using any XRPL explorer:

• xrpscan.com — XRPL account and transaction explorer
• bithomp.com — XRPL account history and balance explorer
• livenet.xrpl.org — official XRPL mainnet explorer

Live protocol numbers (TVL, treasury balance, depositors, yield distributed) are published at xora.finance/stats and exposed as a public JSON endpoint at /api/stats.

Insurance reserve

5% of all protocol revenue is automatically routed to a dedicated depositor protection reserve, held in a segregated XRPL wallet separate from the operational treasury. The reserve is the first source of recovery in the event of a lending counterparty default exceeding posted collateral.

This is not an FDIC-style guarantee. It is a sized capital buffer with a public address. The current reserve size is visible on-chain and grows with protocol activity.

Operational controls

• Daily reconciliation: sum of user ledger balances vs treasury balance.
• Panic mode: a single switch freezes all yield distribution and outbound flows during incidents.
• Per-IP rate limits and lockouts on auth and admin endpoints.
• HTTP-only session cookies, Svix-signed webhooks, Clerk-managed identity.
• Strict Content Security Policy headers on every response.
• Owner-only health endpoint at /api/health with signer/treasury/yield-distribution status.

Responsible disclosure

If you find a vulnerability, please report it privately first. We acknowledge within 48 hours.

security@xora.finance security.txt

Reward tiers

• $5,000 – $25,000 — direct fund loss, mass user impact, auth bypass with privilege escalation.
• $1,000 – $5,000 — single-user fund loss, account takeover, sensitive data exposure.
• $250 – $1,000 — limited information disclosure, XSS with auth context, rate limit bypass.
• $50 – $250 — minor information leaks, low-impact XSS, denial-of-service requiring exotic conditions.

Rewards paid in USDC or XRP. Out of scope: third-party services (Clerk, Plaid, Vercel, Cloudflare), social engineering of staff, physical attacks, content spoofing without security impact, missing security headers without proof of exploit.

Common questions

In an orderly shutdown, Xora reconciles the internal ledger against the on-chain treasury and coordinates withdrawals back to depositors. In a hostile shutdown, the on-chain treasury history remains public, but Xora is still a custodial product and not a self-custody wallet.

The 5% revenue reserve is the protocol-level buffer. There is no government-backed deposit insurance — cryptocurrency custody is not FDIC or SIPC eligible anywhere. Anyone telling you otherwise is misleading you.

Smart contract code is not applicable — Xora is a custodial product on a permissioned ledger setup, not an on-chain protocol. The yield distribution logic, custody flow, and reserve accounting are published in the whitepaper.