Can Exolane Admins Move User Funds?
No. There is no admin function in Exolane's smart contracts that can transfer user collateral to another address. Your funds are held in market contracts, and only you (through your wallet) can withdraw your free collateral. This is verifiable by reading the contract source code on Arbiscan.
However, admins do have meaningful powers: the multisig can pause all trading operations instantly in emergencies, the coordinator can adjust risk parameters per market, and protocol parameters are configurable through governance. Withdrawals cannot be admin-paused. These powers exist for legitimate operational reasons — but you should understand them before depositing funds.
What Admins Cannot Do
| Action | Detail |
|---|---|
| Transfer user funds directly | No admin function exists for this in the contract code |
| Bypass oracle settlement | Settlement logic is enforced by market contracts — admins cannot override it |
| Selectively target user accounts | Admin actions are protocol-wide, not per-user |
What Admins Can Do
| Action | Who | Delay | Risk |
|---|---|---|---|
| Pause all trading operations | Multisig | Instant | Temporary loss of trading access; withdrawals are not affected |
| Update risk parameters | Coordinator | Instant | Margins, fees, funding caps per market. Bounded by protocol limits. |
| Update protocol-level bounds | Timelock (owner) | 7 days | Fee ranges, market creation, extension registration |
On-Chain Governance Addresses
You can verify all governance actions on Arbiscan:
TimelockController (7-day delay)
0xA7cd243e09c57aC194f8e7338ec244137346A368Multisig (Emergency pause)
0xD6CA5eEf21915c1336c9CBB1373bD1aFF3C4ce68Why These Powers Exist
- Emergency pause: If a critical vulnerability is discovered, pausing prevents further damage while a fix is prepared.
- Risk parameter updates: Markets need tuning as volatility and liquidity conditions change. Instant updates prevent situations where outdated parameters create systemic risk.
- Upgradeable contracts: Allows fixing bugs and adding features without requiring all users to migrate to a new system.
- Timelock: The 7-day delay on protocol changes gives users time to review and exit if they disagree with a change.
What You Should Verify Yourself
- Read the MarketFactory contract on Arbiscan — look for any function that could drain user collateral (there is none).
- Check the TimelockController — call
getMinDelay()to confirm the 7-day delay. - Monitor the TimelockController's transaction history for any queued changes.
- Compare the deployer/owner addresses against the multisig and timelock to understand the trust chain.