Security
Smart Contract, Oracle, and Admin-Key Questions for Perp DEX Users
Perp DEX risk is not limited to price movement. This question list is educational research only, not financial advice, not a recommendation, and not a substitute for independent security review.
Smart Contract Questions
Contract risk includes more than whether an audit exists. Researchers need to understand upgrade paths, permissions, emergency controls, dependency contracts, and how losses would be handled if an assumption fails.
- Which contracts hold collateral, route orders, calculate margin, and trigger liquidation?
- Are contracts upgradeable, and who can approve upgrades or emergency pauses?
- Where are recent audits, known issues, bug bounty scope, and post-incident reports documented?
- What happens to open positions and withdrawals if a contract, bridge, or dependency is paused?
Oracle and Price Source Questions
Perp DEX margin engines often depend on oracle, index, or mark-price logic. A visible chart price may not be the same input used for liquidation, funding, or account equity calculations.
- Which price feeds control mark price, funding, liquidation, collateral valuation, and settlement?
- How often are feeds updated, and what fallback process applies during stale or missing data?
- Can thin liquidity, delayed sequencers, or external market disruption affect the reference price?
- Where are oracle incidents, parameter changes, and emergency procedures recorded?
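One way to test the staleness and chart-versus-feed questions above against a venue's published feed history. This is an added example, not code from the page or from any venue. The record layout, the 120-second heartbeat, the 1% deviation threshold, the long liquidation price and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    ts: int       # unix seconds at which the feed published
    price: float  # value a margin engine reading the feed would see

def review_feed(updates, chart, heartbeat_s, max_dev, long_liq_price):
    """Compare feed reads with chart samples; return (ts, issue, detail) tuples."""
    updates = sorted(updates, key=lambda u: u.ts)
    findings = []
    for ts, chart_price in sorted(chart):
        seen = [u for u in updates if u.ts <= ts]
        if not seen:
            # No update yet: the fallback process decides what happens here.
            findings.append((ts, "missing", None))
            continue
        last = seen[-1]  # latest value available to a read at this moment
        age = ts - last.ts
        dev = abs(last.price - chart_price) / chart_price
        if age > heartbeat_s:
            findings.append((ts, "stale", age))
        if dev > max_dev:
            findings.append((ts, "deviation", round(dev, 4)))
        # A long is liquidatable when the price input is at or below its
        # liquidation price; flag moments where feed and chart disagree.
        if (last.price <= long_liq_price) != (chart_price <= long_liq_price):
            findings.append((ts, "liq_mismatch", last.price))
    return findings

# Constructed sample data: the feed stops updating between 1120 and 1420.
SAMPLE_UPDATES = [Update(1000, 100.0), Update(1060, 100.5),
                  Update(1120, 101.0), Update(1420, 95.0)]
SAMPLE_CHART = [(990, 100.0), (1030, 100.1), (1090, 100.4),
                (1150, 99.0), (1300, 96.0), (1430, 95.1)]

if __name__ == "__main__":
    for finding in review_feed(SAMPLE_UPDATES, SAMPLE_CHART, 120, 0.01, 97.0):
        print(finding)
```

At timestamp 1300 in the sample the chart shows a long with a 97.0 liquidation price as liquidatable while the stale feed still reports 101.0, which is the gap between visible price and engine input that the questions above ask about.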
Admin-Key and Governance Questions
Governance and admin permissions can change the operating environment after a user deposits collateral. A review should capture who can change rules, how quickly changes can happen, and whether users receive notice.
- Who controls market listings, risk parameters, liquidation fees, funding settings, and collateral policy?
- Is there a timelock, multisig, council, token vote, or emergency role with faster permissions?
- How are users notified about parameter changes that affect margin or withdrawal assumptions?
- Which governance or admin records must be checked before publishing venue research?