Skip to Content
Security

Security

Verus is built so that you stay in control of your funds. This page explains the model in plain terms.

Non-custodial by design

When you sign up, Verus creates an embedded account tied to your login. Verus orchestrates trades on your behalf, but it cannot take custody of your funds or send them to an address you did not authorize.

Non-custodial means there is no Verus-held balance. Your USDC sits in your account on Arbitrum. Verus moves collateral to a venue only while you hold a position, and it returns to your account when you close.

Signing policies

Your account runs on Privy embedded wallets under a strict signing policy enforced at the signing layer, not in app code that could be bypassed. The policy is designed around a small set of guarantees:

  • Scoped signing. Verus can only sign actions inside its own trading and withdrawal flows. Arbitrary signatures, free-form approvals, and unfamiliar contract calls are denied.
  • Controlled destinations. Funds can only move to addresses you control: your own embedded account on close, or the external address you submit via the Withdraw dialog. There is no path for the trading flow to send funds to a third-party address.
  • Same protections for everyone. The protective policy is shared across every account, and the equivalent protections are also applied to autonomous agent accounts when those are issued.

For security reasons we do not publish the full rule set here. Suspected issues belong in Reporting a vulnerability below.

Withdrawals

Withdrawals go to an external address. Verus runs a preflight check before a withdrawal so you do not submit something that will fail (for example, below a venue’s minimum). See Deposits & withdrawals.

Your responsibilities

  • Protect your login. Whoever can sign in can authorize your account. Use a secure account and enable any available 2FA.
  • Verify the network and token when depositing. Send USDC on Arbitrum only. Funds sent on the wrong network may be unrecoverable.
  • Beware of phishing. Verus will never ask you for a seed phrase or to verify your account on another site. The only app URL is app.verusapp.io .

Reporting a vulnerability

If you believe you have found a security issue, please report it privately by emailing team@verusapp.io. For non-sensitive questions you can also DM us on X . Do not post suspected vulnerabilities in public channels.

Last updated on
VenuesFAQ