CONTROLS AND PERMISSIONS
Every dollar that leaves a Dexter vault clears a signing threshold that requires multiple keys, is posted as a Base transaction, and is visible on Basescan. This page lists the permission tiers that govern those movements: which surfaces are anonymous, which are wallet-authenticated, which are operator-only, and which require multi-sig consensus. The thresholds are fixed parameters, not policy. The operations multi-sig is 2-of-3 for any treasury movement above $10K; the governance and insurance multi-sig is 3-of-5 with at least one external signer for parameter changes, reserve rebalancing, and guardian role rotation. Nothing privileged ships under a single key.
Six tiers, each with a distinct credential type, a distinct blast radius, and a distinct threshold. A token issued for one tier never authorizes an action on another.
| Control layer | Credential and threshold | Scope |
|---|---|---|
| Public venue surface | None — anonymous read | Order books, mark prices, funding history, leaderboard standings, challenge stats |
| Wallet-authenticated routes | SIWE signature against the connected wallet | Account balances, position state, fills, withdrawal requests, KYC submission |
| Signed trading flow | EIP-712 typed order signature per intent | New orders, cancels, margin-mode changes, stop and limit updates |
| Operator telemetry | Server-side allowlist plus rotating API key | Runtime health endpoints, queue depth, internal reconciliation views |
| Operations multi-sig | 2-of-3 threshold above $10K per movement | Routine treasury rebalancing, fee sweeps, manual-review payouts, podium top-three releases |
| Governance and insurance multi-sig | 3-of-5 with at least one external signer | Parameter changes, fee tier updates, insurance reserve moves, guardian rotation, contract upgrades |
# How authority is segmented
The operations multi-sig is the workhorse signer. Its three keys are held by the founding team, the on-call engineering lead, and the head of operations, and it signs every treasury movement above $10K. That includes routine rebalancing between the operating wallet and the deep-cold vault, the weekly fee sweep, every manually reviewed funded-trader payout, and every podium top-three release on the seasonal leaderboard. Movements below $10K to whitelisted destinations (gas top-ups, on-ramp reconciliation, recurring infrastructure spend) can clear with a single key on a rate-limited automation account, but only against destinations pre-approved by the same 2-of-3.
The governance and insurance multi-sig is deliberately slower and broader. Five keys, three required to sign, and at least one of those three must be an external party — currently a partner from an independent security firm with no operational role at Dexter. Anything that changes how the venue behaves passes through this signer set: fee tiers, insurance-reserve rebalancing, disputeWindowSec adjustments, guardian-role rotation, oracle source promotion or demotion, and any contract upgrade. The external signer is the structural reason a unanimous Dexter team still cannot change protocol parameters unilaterally.
Guardian authority sits underneath both multi-sigs. Any of three guardians can pause deposits, withdrawals, or the full settlement pipeline within a single transaction, on its own key, with no threshold required. Pausing is one-way — only the 3-of-5 governance multi-sig can unpause, which is intentional: the cost of an unjustified pause is short downtime; the cost of an unjustified unpause is a bad withdrawal.
```text
anonymous read     -> market data only
wallet-signed      -> account state, withdraw request
EIP-712 order      -> trade intent, never balance change
operator key       -> telemetry, no on-chain authority
ops 2-of-3         -> treasury movement > $10K
governance 3-of-5  -> parameter, reserve, upgrade
guardian (1)       -> pause only, unpause needs 3-of-5
```
# What segmented controls achieve
The threshold design exists to make specific compromise scenarios survivable. A stolen wallet signature reaches at most one user's account state — never another user's, never the treasury, never a parameter. A stolen operator API key surfaces telemetry but cannot move USDC, sign a withdrawal, or alter a fee tier. A single compromised operations key cannot release funds because the second signer reviews the destination, the amount, and the queue context before co-signing. A compromised majority of operations keys still cannot change protocol parameters because that path is governance-only and requires the external signer to sign as well.
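The tier rules from the segmentation section and the compromise scenarios just listed, as an added policy model: this is illustrative code written for this page, not Dexter's contracts or tooling, and the key names, destinations, automation key and dollar amounts are constructed placeholders.

```python
# Model of the page's tiered authorization rules (added example, not Dexter's code).
# Key holders, destinations and the "automation" credential are constructed placeholders.
from dataclasses import dataclass

OPS_KEYS = frozenset({"ops-founders", "ops-oncall", "ops-head"})        # 2-of-3
GOV_KEYS = frozenset({"gov-1", "gov-2", "gov-3", "gov-4", "gov-ext"})   # 3-of-5
GOV_EXTERNAL = frozenset({"gov-ext"})       # seat held by the independent security firm
GUARDIANS = frozenset({"guard-a", "guard-b", "guard-c"})
AUTOMATION_KEY = "automation"               # rate-limited single key for small movements
WHITELIST = frozenset({"0xGAS", "0xONRAMP", "0xINFRA"})  # destinations pre-approved by ops 2-of-3
OPS_THRESHOLD_USD = 10_000


@dataclass(frozen=True)
class Request:
    action: str          # treasury_move | param_change | pause | unpause
    signers: frozenset   # keys that produced a valid signature on this request
    amount: int = 0      # USD, treasury moves only
    dest: str = ""       # destination, treasury moves only


def ops_quorum(signers: frozenset) -> bool:
    return len(signers & OPS_KEYS) >= 2


def gov_quorum(signers: frozenset) -> bool:
    # three of five, and the external signer must be among the three
    return len(signers & GOV_KEYS) >= 3 and bool(signers & GOV_EXTERNAL)


def authorize(req: Request) -> bool:
    """True only when the request carries the credential its own tier demands."""
    if req.action == "treasury_move":
        if req.amount > OPS_THRESHOLD_USD or req.dest not in WHITELIST:
            return ops_quorum(req.signers)
        # sub-$10K to a whitelisted destination: automation key alone is enough
        return AUTOMATION_KEY in req.signers or ops_quorum(req.signers)
    if req.action in ("param_change", "unpause"):
        return gov_quorum(req.signers)          # ops keys never count toward this quorum
    if req.action == "pause":
        return bool(req.signers & GUARDIANS)    # any single guardian; one-way
    return False                                # unknown action: deny by default
```

The deny-by-default branch is what keeps a credential from one tier from leaking authority into another: all three operations keys together still fail `param_change`, and all three guardians together still fail `unpause`.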
Every multi-sig transaction is posted to Base with the destination address, amount, calldata, and signer set visible in the Basescan transaction log. Users with Basescan watch alerts on the operating wallet and treasury vault receive a notification within seconds of every signed payout. Governance proposals are published with the proposed calldata 24 hours before the 3-of-5 quorum is requested, so any community member can independently simulate the call before it lands. There is no off-chain consent layer that supersedes what the Base ledger shows.