How to Tell if a Perpetual DEX Is Safe
Before depositing funds into any decentralized perpetual futures exchange, there are specific things you should check. This is a practical checklist — not a guarantee of safety, but a framework for doing your own due diligence.
The Checklist
1. Are the contracts audited?
Check for independent security audits from recognized firms (Sherlock, Trail of Bits, OpenZeppelin, Zellic, etc.). Then ask:
- How many audits were conducted?
- When were they done relative to the deployed code?
- Were critical findings fixed and verified?
- Are the audit reports publicly available?
Remember: audits reduce risk but do not eliminate it. See How to Read a DeFi Audit.
2. Is it custodial or non-custodial?
Where are your funds held?
- Non-custodial: Funds in smart contracts, only you can withdraw
- Custodial: Funds held by the exchange team — counterparty risk
- Hybrid: Some combination — check what exactly is on-chain vs off-chain
Non-custodial is generally safer, but smart contract risk replaces custody risk.
3. What admin powers exist?
Every protocol has some admin capabilities. The key questions:
- Can admins drain user funds? (This should never be possible)
- Can admins pause withdrawals?
- Are contracts upgradeable? If so, through what mechanism?
- Is there a timelock on parameter changes?
- Who controls the multisig? How many signatures are needed?
4. What oracle does it use?
Price feeds are critical for perpetual exchanges:
- Is it a recognized oracle (Pyth, Chainlink)?
- What happens when the oracle goes stale?
- Can the exchange settle at arbitrary prices?
- Is there staleness protection built in?
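The admin-power questions above (item 3) and the oracle questions (item 4) are easiest to evaluate when you know what the safe pattern looks like in source. The following is an added, hypothetical vault contract written for this checklist; it is not Exolane's code or any deployed protocol's. The `IPythLike` interface is an assumed simplification of the Pyth SDK shape, and the 40-second staleness window and 7-day timelock are illustrative values chosen to match the figures used later on this page. It shows the three properties worth confirming in verified source: withdrawals that a pause cannot block, no admin function that moves another account's balance, and parameter changes that must wait out a delay.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed stand-in for the Pyth on-chain interface: mirrors the shape of
// IPyth.getPriceUnsafe from the Pyth Solidity SDK, but is not the real import.
interface IPythLike {
    struct Price { int64 price; uint64 conf; int32 expo; uint256 publishTime; }
    function getPriceUnsafe(bytes32 id) external view returns (Price memory);
}

// Hypothetical collateral vault for a perp DEX (example only, not a real deployment).
contract ExampleCollateralVault {
    IPythLike public immutable oracle;
    bytes32 public immutable priceId;
    address public immutable multisig;               // governance multisig (assumed)

    uint256 public constant TIMELOCK_DELAY = 7 days; // illustrative delay on parameter changes
    uint256 public maxPriceAge = 40;                 // seconds; illustrative staleness window
    bool public paused;

    mapping(address => uint256) public collateral;   // per-user balances
    mapping(bytes32 => uint256) public queuedAt;     // proposal hash -> time it was queued

    event ParameterQueued(bytes32 indexed proposal, uint256 executeAfter);
    event ParameterSet(uint256 maxPriceAge);

    error Paused();
    error StalePrice(uint256 age);
    error NotMultisig();
    error TimelockNotElapsed();
    error NotQueued();

    modifier onlyMultisig() { if (msg.sender != multisig) revert NotMultisig(); _; }
    modifier whenNotPaused() { if (paused) revert Paused(); _; }

    constructor(IPythLike _oracle, bytes32 _priceId, address _multisig) {
        oracle = _oracle;
        priceId = _priceId;
        multisig = _multisig;
    }

    // --- user funds: the only transfer out of the contract goes to msg.sender ---

    function deposit() external payable whenNotPaused {
        collateral[msg.sender] += msg.value;
    }

    // Deliberately NOT gated by `whenNotPaused`: a pause halts new activity but
    // cannot trap collateral. Note there is no function anywhere in this contract
    // that lets `multisig` move another account's balance.
    function withdraw(uint256 amount) external {
        collateral[msg.sender] -= amount;            // reverts on underflow in 0.8.x
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // --- oracle: refuse to settle anything on a stale price ---

    function currentPrice() public view returns (int64 price, int32 expo) {
        IPythLike.Price memory p = oracle.getPriceUnsafe(priceId);
        uint256 age = block.timestamp - p.publishTime;
        if (age > maxPriceAge) revert StalePrice(age); // staleness protection
        return (p.price, p.expo);
    }

    // --- admin powers: pause is immediate, parameter changes wait out the timelock ---

    function setPaused(bool p) external onlyMultisig { paused = p; }

    function queueMaxPriceAge(uint256 newAge) external onlyMultisig {
        bytes32 proposal = keccak256(abi.encode("maxPriceAge", newAge));
        queuedAt[proposal] = block.timestamp;
        emit ParameterQueued(proposal, block.timestamp + TIMELOCK_DELAY);
    }

    function executeMaxPriceAge(uint256 newAge) external onlyMultisig {
        bytes32 proposal = keccak256(abi.encode("maxPriceAge", newAge));
        uint256 t = queuedAt[proposal];
        if (t == 0) revert NotQueued();
        if (block.timestamp < t + TIMELOCK_DELAY) revert TimelockNotElapsed();
        delete queuedAt[proposal];
        maxPriceAge = newAge;
        emit ParameterSet(newAge);
    }
}
```

When reading a real protocol's verified source, the same three checks apply in reverse: search for any function that writes to a balance mapping keyed by an address other than `msg.sender`, check whether the withdrawal path carries a pause modifier, and confirm that every privileged setter either reads a queued timestamp or is itself only callable by a timelock contract. A pause on `withdraw`, or a setter that takes effect in the same transaction, answers the checklist questions above in the wrong direction.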
5. Are contracts verified on a block explorer?
Verified contracts on Etherscan/Arbiscan mean you can read the source code yourself. If contracts are unverified, you cannot independently confirm what the code does.
6. What is the fee structure?
Look beyond trading fees:
- Are funding rates capped or uncapped?
- What is the liquidation penalty?
- Does the protocol take a share of funding?
- Are there hidden withdrawal fees?
See Why Funding Rates Matter and What Traders Should Know About Liquidation Penalties.
7. What is the track record?
- How long has the protocol been live?
- Has it ever been exploited?
- Is there a bug bounty program?
- Is the team publicly known?
8. What chain does it run on?
- Is the chain battle-tested (Ethereum, Arbitrum)?
- What are the trust assumptions (L2 sequencer, bridges)?
- What happens if the sequencer goes down?
Red Flags
- No audits or audits from unknown firms
- Unverified contracts on the block explorer
- Admin can drain user funds
- No timelock on parameter changes
- Unclear fee structure or hidden costs
- Anonymous team with no track record
- Promises of "no risk" or guaranteed returns
How Exolane Measures Up
For transparency, here is how Exolane performs against this checklist:
| Criteria | Exolane |
|---|---|
| Audits | 7 audits (6 Sherlock, 1 Zellic) |
| Custody | Non-custodial |
| Admin fund access | No admin function can transfer user collateral |
| Pause capability | Yes — multisig can pause operations |
| Upgradeable contracts | Yes — via proxy pattern |
| Timelock | 7-day delay on protocol changes |
| Oracle | Pyth Network, 40s staleness protection |
| Contracts verified | Yes — all on Arbiscan |
| Funding cap | ±15% APR |
| Liquidation penalty | 0% |
Verify all of this yourself on Arbiscan.