Withdrawal Protection
Operator and jurisdiction: BASIS is operated by BASIS DIGITAL INFRASTRUCTURE LTD, a Seychelles IBC (LEI: 254900IX2F2KCWNSSS64).
Overview
Withdrawal Protection adds an email verification step to secure withdrawal-related actions on your BASIS account. When enabled, a 6-digit verification code sent to your registered email address is required to complete the following actions:
Enabling Withdrawal Protection
Disabling Withdrawal Protection
Confirming a withdrawal request
The verification code is valid for 10 minutes. Protected actions are only completed after successful email verification. Withdrawal Protection is strongly recommended for every account with withdrawal privileges.
Withdrawal Protection materially improves resistance to unauthorized withdrawals, but its effectiveness depends on the security of the registered email account. If the mailbox is compromised, the protection boundary is weakened.
Feature Definition
Withdrawal Protection applies a 6-digit email verification requirement to the following actions:
Enable Withdrawal Protection
A 6-digit verification code is sent to the registered email address
The feature is enabled only after successful code verification
Disable Withdrawal Protection
A 6-digit verification code is sent to the registered email address
The feature remains enabled until successful code verification
Initiation of a withdrawal request
A 6-digit verification code is sent to the registered email address at the very first step of the withdrawal flow, before any withdrawal details are confirmed
The withdrawal process can only proceed after successful code verification at the first step
Key control behavior
The protected action is not completed at the moment the user clicks the initial confirmation button
BASIS holds the action in a pending verification state until a valid code is entered
If verification fails, expires, or is abandoned, the protected action is not completed
Activation Policy
To enable Withdrawal Protection, BASIS follows the process below:
The user navigates to Security Settings within the BASIS account.
The user selects the option to enable Withdrawal Protection.
BASIS generates and sends a 6-digit verification code to the account's registered email address.
The current feature state remains unchanged while verification is pending.
The user retrieves the code from the registered email account and enters it into the BASIS verification interface.
BASIS validates the code for correctness and validity period.
If the code is valid, Withdrawal Protection is activated and the status is updated to Enabled.
If the code is invalid or expired, activation does not complete and the feature remains in its prior state.
If needed, the user must request a new code and repeat the verification step.
Deactivation Policy
To disable Withdrawal Protection, BASIS follows the process below:
The user navigates to Security Settings within the BASIS account.
The user selects the option to disable Withdrawal Protection.
BASIS generates and sends a 6-digit verification code to the account's registered email address.
The current feature state remains unchanged while verification is pending.
The user retrieves the code from the registered email account and enters it into the BASIS verification interface.
BASIS validates the code for correctness and validity period.
If the code is valid, Withdrawal Protection is deactivated and the status is updated to Disabled.
If the code is invalid or expired, deactivation does not complete and the feature remains in its prior state.
If needed, the user must request a new code and repeat the verification step.
Withdrawal Authentication Flow
When Withdrawal Protection is enabled, email verification is required before withdrawal details can be submitted. The verification step appears immediately when the user initiates a withdrawal.
The user selects Withdraw for the relevant asset.
BASIS immediately presents a Verification Required modal before any withdrawal details are entered.
BASIS sends a 6-digit verification code to the registered email address associated with the account.
The user retrieves the code from their registered email and enters it into the verification prompt.
The user clicks Verify & Continue.
BASIS validates the code for correctness and validity period.
If the code is valid, the user proceeds to the withdrawal detail entry screen.
For non-BTC assets (ETH, SOL, PAXG), the user connects a Web3 wallet to provide the destination address and complete the withdrawal.
For BTC, no wallet connection is required. The user enters the destination address directly and submits the withdrawal.
If the code is invalid or expired, the withdrawal flow does not proceed.
If the code expires, the user must request a new code and repeat the verification step.
The email verification modal appears before withdrawal details are entered. For non-BTC assets, wallet connection occurs after successful verification, not before.
Verification Code Specifications
Code format
6 digits
Numeric only
Delivery channel
Registered email address
Sent only after a protected action is initiated
Validity period
10 minutes from issuance
Expired codes cannot authorize the action
Reissue requirement
New code required after expiry
The prior code cannot be reused after expiration
Maximum attempts
3 attempts per code
The code is invalidated after 3 failed attempts; a new code must be requested
Protected actions
Activation, deactivation, and withdrawal initiation
Applies only to supported protected workflows
Confidentiality requirement
Must not be shared with any third party
Treat the code as a confidential authorization factor
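The code rules above (6 numeric digits, 10-minute validity, 3 attempts per code, and a protected action held pending until a valid code is entered), modelled as an added Python example. This is not BASIS code: the class, method, and state names, the keyed-hash storage of the code, and the single-use behaviour after success are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # page: valid for 10 minutes from issuance
MAX_ATTEMPTS = 3        # page: 3 attempts per code


class PendingAction:
    """One protected action, held pending until its emailed code is verified."""

    def __init__(self, action, now=None):
        self.action = action  # hypothetical label, e.g. "disable_protection"
        self.issued_at = time.time() if now is None else now
        self.failed = 0
        self.state = "pending"  # pending -> completed | invalidated
        self._salt = secrets.token_bytes(16)
        code = f"{secrets.randbelow(10**6):06d}"  # 6 numeric digits from a CSPRNG
        self._digest = self._hash(code)  # assumption: store only a keyed hash
        self.code_for_email = code       # passed to the mailer, never logged

    def _hash(self, code):
        return hmac.new(self._salt, code.encode(), hashlib.sha256).digest()

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.state != "pending":
            # Assumption: a used, expired or locked code never authorizes again.
            return "rejected"
        if now - self.issued_at > CODE_TTL_SECONDS:
            self.state = "invalidated"  # expired codes cannot authorize the action
            return "expired"
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(self._hash(submitted), self._digest):
            self.state = "completed"  # only now is the protected action carried out
            return "completed"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.state = "invalidated"  # third failure: a new code must be requested
            return "locked"
        return "retry"
```

With three guesses against a space of 1,000,000 codes, the attempt cap is what keeps a short numeric code from being guessable within its 10-minute window.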
How Withdrawal Protection Defends You
Withdrawal Protection is designed to reduce the probability that a single point of failure can lead to unauthorized asset movement. It is particularly effective against common account takeover and operational abuse scenarios.
Session hijacking
If an attacker obtains access to an active BASIS session through a stolen browser cookie, compromised workstation, or unattended terminal, the attacker may appear authenticated within the platform. Withdrawal Protection adds a separate verification requirement through the registered email account before withdrawal submission or feature state changes can be completed. This reduces the likelihood that session access alone is sufficient to authorize asset movement.
Phishing
In phishing scenarios, a user may be tricked into disclosing account credentials or interacting with a fraudulent login page. Even if credentials are exposed, Withdrawal Protection creates an additional barrier by requiring access to the registered email account to complete the protected action. This does not eliminate phishing risk, but it narrows the attacker's path to successful withdrawal execution.
Credential theft
Credentials can be compromised through password reuse, malware, endpoint compromise, or exposure in third-party breaches. Withdrawal Protection helps contain the impact of stolen credentials by introducing a second approval step that is separate from the login secret used to access the BASIS account.
Unauthorized access
Unauthorized access can arise from shared devices, weak operational controls, or misuse of delegated account access. Withdrawal Protection requires explicit verification through the registered email account before high-risk actions are completed, which helps reduce the risk of accidental or malicious withdrawal submission by an unauthorized party.
Withdrawal Protection is a compensating control, not a substitute for secure email operations, endpoint hardening, credential hygiene, and internal approval processes. Institutions should treat the registered email account as part of the custody control perimeter.
Security Best Practices
Secure the registered email account
Use a unique, high-entropy password for the registered email account
Store credentials in an approved password manager rather than in browsers or unsecured notes
Enable multi-factor authentication on the email account, preferably with phishing-resistant methods where available
Review mailbox forwarding rules, recovery addresses, delegated access, and sign-in history on a regular basis
Remove obsolete recovery methods and revoke access for former personnel or unused devices
For institutional deployments, use a controlled corporate mailbox with clear ownership, access logging, and monitored security alerts
Secure access to BASIS
Enable all available BASIS security controls that are applicable to your account model
Access BASIS only from trusted devices that are patched, encrypted, and protected by endpoint security controls
Avoid shared browsers, unmanaged devices, and public networks for withdrawal-related activity
Verify that you are using the correct BASIS domain before signing in or entering verification codes
Maintain strict internal approval procedures for wallet changes and withdrawal execution
Verify every withdrawal deliberately
Review the destination address, network, asset, amount, and beneficiary context before entering a verification code
Confirm that the withdrawal matches internal authorization records and treasury instructions
Do not rely on email links alone to access the platform. Prefer direct navigation through a trusted bookmark or approved internal access path
If you receive an unexpected verification code
Do not share the code
Do not enter the code anywhere unless you personally initiated the protected action
Log in to BASIS through a trusted path and review recent account activity
Review the security of the registered email account immediately
Change account credentials and rotate email credentials if compromise is suspected
Escalate the event through your internal security process and contact BASIS support if unauthorized activity is suspected
An unexpected withdrawal verification email should be treated as a potential security event. If you did not initiate the action, assume that account credentials, an authenticated session, or the registered email account may have been targeted until proven otherwise.
User Responsibilities
Users are responsible for the secure operation of Withdrawal Protection and for protecting the channels on which it depends.
You must maintain secure and exclusive control over the registered email account.
You must not disclose verification codes to any third party under any circumstance.
You must verify the legitimacy of each protected action before entering a code.
You must investigate unexpected verification emails immediately.
You must keep the registered email address current, accessible, and protected by appropriate security controls.
You must ensure that personnel with withdrawal authority understand that a verification code is an authorization factor and must be handled as confidential security data.
You must follow your internal incident response process if you suspect phishing, credential compromise, mailbox compromise, or unauthorized access.
Successful entry of a valid verification code is treated as authorization for the pending protected action. Failure to secure the registered email account can materially reduce the effectiveness of this control.
UI Reference
Withdrawal Protection
Applies email verification to enabling the feature, disabling the feature, and the initiation of withdrawal requests
Status values: Enabled, Disabled
UI behavior note
During activation or deactivation, the displayed status does not change until the verification code is successfully validated
During withdrawal initiation, the withdrawal flow cannot proceed until the verification step is completed successfully