Withdrawal whitelist = the lock on your principal
Quiver’s Bitfinex API key technically has withdrawal permission (required for internal wallet transfers and D-3 redeems). The critical protection is not “Quiver has no permission” — it is “you enable Bitfinex’s withdrawal whitelist and only allow your own Quiver deposit address.” This page explains the actual model, how to set it up, and the worst-case analysis.
Worst case: Quiver is fully compromised
Assume Quiver is 100% breached, the master key leaks, and an attacker holds your API key in plaintext. What can they do?
- Place or cancel your funding offers (loss: idle gap before re-posting).
- Transfer between your Bitfinex internal wallets (exchange ↔ funding).
- Call the BF withdraw API to move USDT — but only to whitelisted addresses.
If your whitelist only contains your own Quiver deposit address, any withdrawal lands back in your own Quiver account (not the attacker's). To pull funds out of Quiver, the attacker would still need to defeat Quiver's email + 2FA + KYC — an entirely separate defense layer.
Bitfinex API permissions Quiver requests
What Quiver needs
- Funding · read/write
Submit / cancel funding offers and read your current positions on your behalf.
- Wallets · read
View USDT / USD balances across wallets.
- Wallets · internal transfer
Move funds between exchange ↔ funding (BF classifies this under withdrawal permission).
- Wallets · withdrawal
D-3 redeem sends principal back to your own Quiver deposit address (paired with whitelist).
- Orders · spot conversion (USDT ↔ USD only)
Convert USDT to USD after deposit so we can lend on the fUSD market.
What Quiver does NOT need
- Margin Trading
Cannot leverage, short, or open positions with your principal.
- Derivatives / perpetuals
No perpetuals, no options, no derivatives.
- Sub-account operations
Cannot create or operate sub-accounts.
- Account settings
Cannot change your password, email, or KYC data.
Enable Bitfinex's withdrawal whitelist (strongly recommended)
This is the core of the whole security model. With it enabled, even if the API key leaks, attackers cannot withdraw to their own address — funds can only land back in your whitelisted address.
1. Get your Quiver USDT deposit address
Go to Quiver’s wallet page and copy your USDT-TRC20 deposit address (34 chars, starts with T).
2. Open the Bitfinex withdrawal whitelist page
Visit setting.bitfinex.com/api/withdrawal-whitelist. 2FA verification is required.
3. Add your Quiver deposit address
Paste the address from step 1. Select Currency: USDT, Network: Tron (TRX). Bitfinex requires email confirmation + 2FA.
4. Turn on "Only allow whitelisted addresses"
This is the most important step. Once enabled, any withdrawal API call to a non-whitelisted destination is rejected by Bitfinex.
5. To change your Quiver address later, re-run the whitelist flow
Adding any new whitelist address requires email confirmation + 2FA + a 24-72h cooldown. Even with the API key, an attacker cannot add their own address.
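A check to run on the address between steps 1 and 3, as an added example (not Quiver's or Bitfinex's code): it verifies the TRON Base58Check structure (34 characters, leading T, version byte 0x41, double SHA-256 checksum) and that the string about to be whitelisted is the one copied from Quiver. Function names are assumptions and the sample address is constructed.

```javascript
// Added example, not Quiver's or Bitfinex's code; function names are assumptions.
const nodeCrypto = require("node:crypto");
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
const sha256 = (buf) => nodeCrypto.createHash("sha256").update(buf).digest();

// Base58 string -> Buffer, or null on a character outside the alphabet.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const digit = B58.indexOf(ch);
    if (digit < 0) return null;
    n = n * 58n + BigInt(digit);
  }
  let hex = n === 0n ? "" : n.toString(16);
  if (hex.length % 2) hex = "0" + hex;
  const leadingZeros = str.match(/^1*/)[0].length; // each leading '1' is a 0x00 byte
  return Buffer.concat([Buffer.alloc(leadingZeros), Buffer.from(hex, "hex")]);
}

// Base58Check encoder, used here only to build a constructed sample address.
// Payloads starting with 0x41 have no leading zero bytes, so none are handled.
function base58CheckEncode(payload) {
  const raw = Buffer.concat([payload, sha256(sha256(payload)).subarray(0, 4)]);
  let n = BigInt("0x" + raw.toString("hex"));
  let out = "";
  while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; }
  return out;
}

// Returns { ok, reason }. `expected` is the address copied in step 1.
function checkTronAddress(addr, expected) {
  if (typeof addr !== "string" || addr.length !== 34 || addr[0] !== "T")
    return { ok: false, reason: "shape" };
  const raw = base58Decode(addr);
  if (!raw || raw.length !== 25 || raw[0] !== 0x41) return { ok: false, reason: "encoding" };
  const sum = sha256(sha256(raw.subarray(0, 21))).subarray(0, 4);
  if (!sum.equals(raw.subarray(21))) return { ok: false, reason: "checksum" };
  if (expected !== undefined && addr !== expected) return { ok: false, reason: "mismatch" };
  return { ok: true, reason: "" };
}

// Constructed sample: version byte 0x41 plus a made-up 20-byte account hash.
const SAMPLE = base58CheckEncode(Buffer.concat([Buffer.from([0x41]), Buffer.alloc(20, 0x11)]));
console.log(SAMPLE, checkTronAddress(SAMPLE, SAMPLE));
```

A "mismatch" result means the string in the Bitfinex form is a valid address but not the one Quiver displayed, so the whitelist entry should not be confirmed.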
How Quiver stores your API key
- AES-GCM + envelope encryption. Key and secret are encrypted by a sub-key derived from a master seed. The database stores only ciphertext + key version.
- Secret is never shown in the admin UI. Even Quiver team members only see the API key prefix (e.g. aBcDeF…). The secret is never decrypted to any UI.
- Master seed is separated from the database. The seed is injected as an environment variable; it is not in source code, not in the database, and not in backups. Even a full DB dump can't decrypt keys.
- Decrypted at call time, then immediately discarded. We decrypt per-call and drop the value after the Bitfinex request returns. No long-lived in-memory key cache.
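The storage scheme in the list above, written out as an added example (not Quiver's code). The page states only AES-GCM, a sub-key derived from a master seed, ciphertext plus key version in the database, and per-call decryption; HKDF-SHA256 as the derivation function, the info label, the record fields, the associated data and all names are assumptions.

```javascript
// Added example, not Quiver's code. Assumed: HKDF-SHA256 derivation, the info
// label, the record layout and every function name.
const nodeCrypto = require("node:crypto");

// Sub-key for one user and key version; the master seed itself never encrypts data.
function deriveSubKey(masterSeed, userId, keyVersion) {
  const info = Buffer.from(`api-secret|${userId}|v${keyVersion}`);
  return Buffer.from(nodeCrypto.hkdfSync("sha256", masterSeed, Buffer.alloc(0), info, 32));
}

// Encrypt an API secret. The returned record is all the database row holds.
function sealSecret(masterSeed, userId, keyVersion, apiSecret) {
  const key = deriveSubKey(masterSeed, userId, keyVersion);
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(`${userId}|v${keyVersion}`)); // ties ciphertext to its row
  const ct = Buffer.concat([cipher.update(apiSecret, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0);
  return { userId, keyVersion, nonce: nonce.toString("base64"),
           ct: ct.toString("base64"), tag: tag.toString("base64") };
}

// Decrypt for a single call, pass the plaintext buffer to `use`, then wipe it.
function withSecret(masterSeed, record, use) {
  const key = deriveSubKey(masterSeed, record.userId, record.keyVersion);
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.nonce, "base64"));
  d.setAAD(Buffer.from(`${record.userId}|v${record.keyVersion}`));
  d.setAuthTag(Buffer.from(record.tag, "base64"));
  let pt = Buffer.alloc(0);
  try {
    pt = Buffer.concat([d.update(Buffer.from(record.ct, "base64")), d.final()]); // throws on tamper
    return use(pt);
  } finally {
    pt.fill(0);
    key.fill(0);
  }
}

// Constructed demo values: in production the seed would come from the environment.
const demoSeed = Buffer.alloc(32, 7);
const demoRow = sealSecret(demoSeed, "user-42", 1, "constructed-api-secret");
// Stand-in for signing a request: only an HMAC leaves the callback, not the secret.
const demoSig = withSecret(demoSeed, demoRow, (s) =>
  nodeCrypto.createHmac("sha384", s).update("/api/v2/constructed-path").digest("hex"));
console.log(demoRow.keyVersion, demoSig.length);
```

Storing the key version in the row is what allows the master seed or derivation label to be rotated: old rows are decrypted with their recorded version and re-sealed under the new one.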
Revoke any time — no need to ask Quiver
To stop using Quiver you don’t need to contact support. Go to Bitfinex’s API settings page, find the key you issued to Quiver, click “Revoke”, and it takes effect immediately. All subsequent Quiver API calls are rejected by Bitfinex. Your principal and already-lent credit are unaffected — Bitfinex auto-settles back to your wallet at the original maturity.
Quiver team internal controls
- Admin actions (viewing funding offers, changing user tiers, settling perf fee) require 2FA and leave an audit log.
- Only founder Tommy holds production SSH access.
- Source code lives in a private GitHub repo; every change goes through code review + merge protection.
FAQ
If Quiver is breached or its team goes rogue, how much can I lose?
It depends entirely on whether you set the withdrawal whitelist. If set: attackers can at most return funds to your own Quiver account, then still face Quiver's email + 2FA + KYC before extracting. If not set: an attacker with the API key can withdraw your principal, so we strongly recommend setting the whitelist.
Why does Quiver need withdrawal permission?
Two technical reasons: (1) Bitfinex classifies internal wallet transfers (exchange ↔ funding) under withdrawal permission, which we need to move USDT to USD before lending on fUSD; (2) D-3 redeems send your principal back to your Quiver deposit address, which requires the real withdraw API.
How can I verify Quiver can only send to whitelisted addresses?
Two ways: (1) Bitfinex enforces it server-side; Quiver simply cannot send to a non-whitelisted destination. (2) You can inspect the API key audit log inside Bitfinex any time to see exactly what Quiver did with the key.
What if Bitfinex itself fails?
That's platform risk, not something Quiver can underwrite. Bitfinex is operated by iFinex, founded in 2012, in the same group as Tether (USDT issuer). If you're worried about Bitfinex platform risk, deposit only what you can afford to lose. Quiver does not insure the Bitfinex platform itself.
Can I use Quiver alongside other Bitfinex tools?
Yes. Quiver uses its own API key for funding offers, independent of your trading or any other automation. We recommend issuing a separate key for Quiver to simplify revocation later.
Still have questions? Reach out on Telegram @quiver_support.