How Does Exolane 1-Click Trading Work?
1-Click Trading creates a lightweight session key using Privy embedded wallets. This session key can sign trade transactions (open, close, adjust positions) without a wallet popup. It cannot withdraw funds, transfer collateral, or change account permissions. It expires automatically after 24 hours and can be revoked at any time.
Think of it as a limited-access key card: it can open the door to trades, but it cannot open the safe. Your main wallet (MetaMask, Rabby, etc.) stays untouched — its private key is never shared with Exolane or Privy.
What the Session Key Can Do
| Action | Allowed? |
|---|---|
| Open a position | Yes |
| Close a position | Yes |
| Adjust collateral on a position | Yes |
| Place stop-loss / take-profit | Yes |
| Cancel pending orders | Yes |
| Withdraw funds | No |
| Transfer collateral to another address | No |
| Change account settings or permissions | No |
Technical Details
Key Generation
Privy generates a separate, purpose-built key pair. It is scoped to only call specific trading functions on Exolane's smart contracts. Your main wallet grants this key limited on-chain authorization.
Storage
The session key lives in Privy's secure, sandboxed iframe in your browser. It is not accessible to the parent page's JavaScript (isolated from XSS attacks on the main site).
Expiry
Sessions expire automatically after 24 hours. When expired, no further trades can be signed. You re-enable 1-Click Trading and a fresh key pair is generated — the old one is invalidated.
Revocation
You can revoke a session key at any time from the Exolane UI (Account → 1-Click Trading → Disable). Advanced users can also revoke directly on-chain by calling the revoke function on the AccountVerifier contract.
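The rules described under Technical Details (function scoping, 24-hour expiry, replacement on re-enable, revocation) can be modelled as a deny-by-default check. This is an added example, not Exolane's or Privy's code: the class, action names, rejection reasons and addresses are all hypothetical, and the sample data is constructed.

```javascript
// Illustrative model: every name below is an assumption, not Exolane's or Privy's API.
const SESSION_TTL_SECONDS = 24 * 60 * 60; // the 24-hour expiry stated on this page
// Rows marked "Yes" in the "What the Session Key Can Do" table (names are hypothetical).
const TRADING_ACTIONS = new Set([
  "openPosition", "closePosition", "adjustCollateral",
  "placeStopLossTakeProfit", "cancelOrder",
]);

class SessionRegistry {
  constructor(tradingContract) {
    this.tradingContract = tradingContract; // the only call target a session key may reach
    this.sessions = new Map();              // account -> { key, expiresAt, revoked }
  }
  // Main wallet enables 1-Click Trading; a fresh key replaces (invalidates) the old one.
  enable(account, sessionKey, now) {
    const expiresAt = now + SESSION_TTL_SECONDS;
    this.sessions.set(account, { key: sessionKey, expiresAt, revoked: false });
  }
  // Main wallet revokes the current session key, if one exists.
  revoke(account) {
    if (this.sessions.has(account)) this.sessions.get(account).revoked = true;
  }
  // Deny by default: returns "ok" or the first reason the call is rejected.
  authorize(account, sessionKey, call, now) {
    const s = this.sessions.get(account);
    if (!s || s.key !== sessionKey) return "unknown-or-replaced-key";
    if (s.revoked) return "revoked";
    if (now >= s.expiresAt) return "expired";
    if (call.target !== this.tradingContract) return "target-not-allowed";
    if (!TRADING_ACTIONS.has(call.action)) return "action-not-allowed";
    return "ok";
  }
}

// Constructed sample data: placeholder addresses and key labels, not real values.
function demo() {
  const reg = new SessionRegistry("0xTRADING_CONTRACT_PLACEHOLDER");
  const t0 = 1700000000;
  const open = { target: "0xTRADING_CONTRACT_PLACEHOLDER", action: "openPosition" };
  reg.enable("alice", "session-key-1", t0);
  const out = {
    trade: reg.authorize("alice", "session-key-1", open, t0 + 60),
    withdraw: reg.authorize("alice", "session-key-1", { ...open, action: "withdraw" }, t0 + 60),
    otherTarget: reg.authorize("alice", "session-key-1", { ...open, target: "0xOTHER" }, t0 + 60),
    expired: reg.authorize("alice", "session-key-1", open, t0 + SESSION_TTL_SECONDS),
  };
  reg.enable("alice", "session-key-2", t0 + 120); // re-enable: key 1 stops working
  out.oldKey = reg.authorize("alice", "session-key-1", open, t0 + 180);
  reg.revoke("alice");
  out.revoked = reg.authorize("alice", "session-key-2", open, t0 + 180);
  return out;
}
```

Because withdrawals and transfers are simply absent from the allow-list, a holder of the session key has no path to them; only the main wallet can enable or revoke.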
What Could Go Wrong
Stolen Session Key
An attacker could only place or close trades — never withdraw funds. You can revoke the key immediately from the UI or on-chain. The key also auto-expires within 24 hours.
Phishing Site
Always verify you are on exolane.com. A session key is scoped to Exolane's contract addresses, but a fake site could trick you into signing a malicious authorization with your main wallet.
Device Malware
Malware with full device access is a risk for any wallet or app. With 1-Click Trading, the damage is limited: the session key cannot withdraw funds. Keep your device secure.
With vs. Without 1-Click Trading
| Aspect | 1-Click On | 1-Click Off |
|---|---|---|
| Wallet popup per trade | No | Yes |
| Trade execution speed | ~1 second | ~5-10 seconds (popup + sign) |
| Max risk if key stolen | Bad trades (no withdrawals) | N/A (no session key) |
| Key expiry | 24 hours | N/A |
What You Should Verify Yourself
- Confirm you are on exolane.com before enabling 1-Click Trading.
- Review the permissions your wallet asks you to sign when enabling: they should cover only trading functions.
- Let sessions expire naturally (every 24 hours) rather than keeping one alive indefinitely.
- If you suspect compromise, revoke the session key from the UI immediately or on-chain via Arbiscan.