Security Model
Ollo's security model has to be read across both protocol and service layers.
Contract Layer
At the core protocol layer:
- Margin and positions live in dedicated FxAccount contracts
- Market execution happens through onchain Market contracts
- Settlement, funding, and liquidation logic are coordinated by FxEngine
This makes the trading lifecycle legible at the contract level rather than hiding it behind opaque venue logic.
Service Perimeter
The current backend stack adds a clear perimeter:
- The Gateway is the public entry point
- X-API-Key authentication is enforced at the Gateway
- Internal services are intended to remain private behind the VPC boundary
That perimeter matters because the current closed beta write path routes through services, not only through direct user-signed protocol calls.
Beta Custody Nuance
The present Broadcast service signs transactions for registered users in the closed beta. That custodial flow is an operational layer around the protocol, not the full definition of the protocol's security model. Counterparty or custody analysis should evaluate the relay model separately from the core smart-contract account model.
Oracle And Keeper Permissions
Funding and mark-price logic rely on privileged actors:
- Authorized price updaters push prices
- Authorized keepers update funding
- Stale-price limits protect the oracle from using old inputs indefinitely
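The three controls above can be sketched as a minimal contract. This is an added example, not Ollo's code: the contract name, role mappings, function names, the seconds-based age limit, and the choice to make funding updates depend on a fresh price are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch only; every identifier here is hypothetical.
contract GuardedPriceOracle {
    address public immutable admin;
    uint256 public immutable maxPriceAge; // stale-price limit in seconds (assumed unit)

    mapping(address => bool) public isPriceUpdater;
    mapping(address => bool) public isKeeper;

    uint256 private markPrice;
    uint256 public priceUpdatedAt; // zero until the first push, so reads start out stale
    int256 public fundingRate;

    error NotAuthorized(address caller);
    error StalePrice(uint256 updatedAt, uint256 nowTs);
    error InvalidPrice();

    event RolesChanged(address indexed account, bool updater, bool keeper);
    event PriceUpdated(address indexed updater, uint256 price);
    event FundingUpdated(address indexed keeper, int256 rate);

    constructor(uint256 maxPriceAge_) {
        admin = msg.sender;
        maxPriceAge = maxPriceAge_;
    }

    // Role changes are logged so that grants and revocations can be audited.
    function setRoles(address account, bool updater, bool keeper) external {
        if (msg.sender != admin) revert NotAuthorized(msg.sender);
        isPriceUpdater[account] = updater;
        isKeeper[account] = keeper;
        emit RolesChanged(account, updater, keeper);
    }

    function pushPrice(uint256 price) external {
        if (!isPriceUpdater[msg.sender]) revert NotAuthorized(msg.sender);
        if (price == 0) revert InvalidPrice();
        markPrice = price;
        priceUpdatedAt = block.timestamp;
        emit PriceUpdated(msg.sender, price);
    }

    // Fail closed: a price older than maxPriceAge reverts instead of being returned.
    function getMarkPrice() public view returns (uint256) {
        if (block.timestamp - priceUpdatedAt > maxPriceAge) {
            revert StalePrice(priceUpdatedAt, block.timestamp);
        }
        return markPrice;
    }

    function updateFunding(int256 newRate) external {
        if (!isKeeper[msg.sender]) revert NotAuthorized(msg.sender);
        getMarkPrice(); // assumption: funding is only updated against a fresh price
        fundingRate = newRate;
        emit FundingUpdated(msg.sender, newRate);
    }
}
```

When reviewing a deployment of this kind, the points to check are who holds the admin and role keys, whether role changes emit events, and whether every consumer of the price goes through the staleness check rather than reading storage directly.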
Deterministic Auditability
One of Ollo's core design goals is that trade handling, margin accounting, funding, and liquidation remain inspectable. That does not remove all risk, but it does reduce how much the user must trust discretionary venue behavior.