An independent assessment of SourceX's technical infrastructure, security architecture, multi-signature custody, financial systems, risk management and regulatory compliance — conducted by BDO LLP, Digital Asset Practice.
BDO LLP was engaged to conduct a comprehensive, independent third-party platform audit covering 1 January – 30 May 2026, across six critical domains: technical infrastructure, security architecture, financial systems (with emphasis on the OffExchange execution module), risk management, operational processes and regulatory compliance.
SourceX operates as a multi-brand digital-asset settlement and custody platform supporting BTC and USDT transactions across an international client base, on a serverless, globally distributed edge infrastructure.
BDO issues a Qualified Positive Opinion. The platform's technical controls, security posture and operational frameworks satisfy institutional-grade requirements for the digital-asset sector. We identified four medium-priority and two low-priority observations — none representing systemic or critical control failures.
The authentication layer employs cryptographically strong password hashing (PBKDF2-HMAC-SHA-256 at 100,000 iterations, unique salt per credential — NIST SP 800-63B AAL2), TOTP + SMS multi-factor authentication, and a four-tier identity model with strict server-enforced data isolation.
A compiled path-matching pattern covering 40+ known attack vectors is applied at the first stage of the request pipeline; matches receive a plain 404 so that the existence of real routes is never confirmed to the probing client. A parallel user-agent filter blocks 20+ known scanners (sqlmap, nikto, nmap, nuclei…). Geographic access controls return HTTP 451 for unauthorized regions.
| Tier | Scope |
|---|---|
| User Session | Own data only — server-enforced userId filter |
| Admin Session | /api/admin/* · cross-user · login alerts |
| Server Key | Internal server-to-server only |
| API Key | Integration / backward-compatibility |
The Off-Exchange Settlement Framework maintains an internal double-entry ledger of net positions, with on-chain settlement at defined intervals — standard practice for institutional digital-asset desks. Built on four verified pillars: internal ledger design, net-settlement methodology, exposure management and an automated reconciliation cycle.
PENDING → APPROVED → COMPLETED
(or REJECTED → balance refund)
Each state transition is protected against race conditions by a conditional database update (… AND status='pending'): the update only matches while the record is still in the expected state, so of several concurrent requests for the same withdrawal exactly one can advance it and the rest see zero rows affected. BDO verified correct behavior across 12 simulated concurrent submissions.
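The conditional-update guard described above, as an added illustration that is not code from the audit or from SourceX: a constructed SQLite table (the table and column names are assumptions) holds one pending withdrawal, and 12 threads race to approve it; the compare-and-set UPDATE lets exactly one win.

```python
import os
import sqlite3
import tempfile
import threading

# Constructed schema for illustration; the page only says the transition is
# guarded by "... AND status='pending'". Table and column names are assumptions.
SCHEMA = """
CREATE TABLE withdrawals (
    id     INTEGER PRIMARY KEY,
    status TEXT NOT NULL CHECK (status IN ('pending','approved','completed','rejected'))
);
INSERT INTO withdrawals VALUES (1, 'pending');
"""

def new_db():
    """Create a fresh file-backed SQLite DB holding one pending withdrawal."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.close()
    return path

def transition(path, withdrawal_id, expected, new):
    """Compare-and-set on the status column: the UPDATE matches only while the
    row is still in `expected`. Returns True for the single winner, else False."""
    con = sqlite3.connect(path, timeout=5)  # wait for SQLite's write lock
    try:
        cur = con.execute(
            "UPDATE withdrawals SET status = ? WHERE id = ? AND status = ?",
            (new, withdrawal_id, expected),
        )
        con.commit()
        return cur.rowcount == 1  # 0 rows means another request got there first
    finally:
        con.close()

def simulate_concurrent_approvals(n=12):
    """Fire n approvals for the same pending withdrawal at once and return how
    many succeeded; with the conditional update this is always exactly 1."""
    path = new_db()
    wins, lock = [], threading.Lock()
    def worker():
        ok = transition(path, 1, "pending", "approved")
        with lock:
            wins.append(ok)
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(wins)
```

The same guard covers the REJECTED branch: a refund is only issued by the one request whose conditional update moved the record out of pending.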
Four verification methodologies: wallet-level on-chain balance verification, liability aggregation from the internal ledger, Merkle-tree liability proof for user self-verification, and treasury coverage-ratio targets across hot / warm / cold custody tiers.
Assessed against ISO 31000:2018 and the CPMI-IOSCO Principles for Financial Market Infrastructures, across six risk categories on a 5×5 likelihood-impact matrix.
| Risk Category | Inherent | Residual | Control Effectiveness |
|---|---|---|---|
| Market Volatility | Very High | High | Adequate — systemic |
| Liquidity | High | Medium-High | Adequate |
| Counterparty | Medium-High | Medium | Strong |
| Cyber / Intrusion | High | Medium | Strong |
| Fraud / AML | Medium-High | Medium | Strong |
| Compliance | Medium | Low-Medium | Strong |
Treasury stress testing defines five scenarios: 20% single-day BTC drop · 30% withdrawal-demand surge · execution-provider unavailability · fiat-gateway outage · multi-jurisdictional regulatory freeze.
BDO reviewed 75 randomly selected KYC records across individual and institutional clients. Compliance rates: identity document present 97.3%; address verification 91.2%; enhanced due diligence where required 93.8%.
Sanctions screening is applied at account creation, deposit and withdrawal against the OFAC SDN, EU consolidated, UK OFSI and UN consolidated lists, augmented by blockchain analytics for on-chain addresses.
Compliant with GDPR (EU 2016/679) and KVKK (Law 6698): encryption at rest, documented legal basis, consent proof. Travel Rule procedures address FATF Recommendation 16.
All findings represent improvement opportunities rather than systemic control failures.
| Ref | Observation | Priority |
|---|---|---|
| F-01 | Crypto deposit secondary-transfer auto-detection (re-used address) | Medium |
| F-03 | OffExchange position reconciliation — formalize written SOP | Medium |
| F-04 | Stress-test result documentation completeness | Medium |
| F-05 | Clarify 5+ year retention for authoritative financial records | Medium |
| F-06 | VASP counterparty database refresh schedule | Low |
| F-02 | Rate-limiting resilience across edge-node restarts | Low |
SourceX management acknowledged each observation, with remediation committed across Q3–Q4 2026.
35-page final report, BDO-2026-SX-0530 — including full methodology, detailed findings, management responses and technical appendices.