#1-Click Trading Security

1-Click Trading lets you place trades instantly without approving every transaction in your wallet. This page explains exactly how it works, what it can and can't do, and how to stay in control.


#How It Works (Plain English)

When you enable 1-Click Trading, Exolane creates a lightweight session key using Privy embedded wallets. Think of it as a limited-access key card for your trading account:

  • It can open the door to trades (place orders, adjust positions).
  • It cannot open the safe (withdraw funds, move collateral out).

The session key lives in your browser. It signs trade transactions on your behalf so you don't see a wallet popup for every click. Your main wallet (MetaMask, Rabby, etc.) stays untouched in the background.

#Why Privy?

Privy is an embedded-wallet provider trusted by many DeFi protocols. Instead of asking you to hand over your private key, Privy generates a separate, purpose-built key that is:

  • Scoped — it can only call specific trading functions on the Exolane smart contracts.
  • Temporary — it expires automatically after a set period.
  • Revocable — you can kill it at any time from the UI or directly on-chain.

Your real wallet never shares its private key with Exolane or Privy. The session key is a completely separate key pair that has been granted limited permissions by your wallet through an on-chain authorization.


#What the Session Key Can Do

| Action | Allowed? |
| --- | --- |
| Open a position | ✅ Yes |
| Close a position | ✅ Yes |
| Adjust collateral on a position | ✅ Yes |
| Place stop-loss / take-profit | ✅ Yes |
| Cancel pending orders | ✅ Yes |
| Withdraw funds from your account | No |
| Transfer collateral to another address | No |
| Change account settings or permissions | No |

In short: the session key is trade-only. Even if someone obtained it, they could not move your money out of the protocol.


#Session Duration & Expiry

| Detail | Value |
| --- | --- |
| Default session length | 24 hours |
| Auto-renewal | You'll be prompted to re-authorize when the session expires |
| Early termination | You can revoke anytime (see below) |

When a session expires, no further trades can be signed with that key. You simply re-enable 1-Click Trading and a fresh key is created.

#Rotating Your Key

Good hygiene is to let sessions expire naturally (every 24 hours) rather than keeping one alive indefinitely. Each time you re-enable 1-Click Trading, a brand-new key pair is generated and the old one is invalidated.


#How to Revoke a Session Key

#From the Exolane UI

  1. Open the Account or Settings panel (top-right).
  2. Find 1-Click Trading.
  3. Click Disable or Revoke Session.
  4. The session key is immediately invalidated — no further trades can be signed with it.

#On-Chain (Advanced)

If you want to revoke access directly on the smart contract (for example, if you can't reach the UI):

  1. Go to the AccountVerifier contract on Arbiscan.
  2. Connect your main wallet.
  3. Call the revoke function, passing the session key address.
  4. Once the transaction confirms, the key is permanently invalid.

Tip: Even without revoking, a session key becomes useless once it expires. The on-chain method is a safety net for worst-case scenarios.
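
The scoped, temporary and revocable properties described above can be read as a deny-by-default check. The following is an added example, not Exolane's or Privy's code: the class name, action names and addresses are hypothetical, and it does not reflect the AccountVerifier contract's actual interface.

```javascript
// Added illustration only: a toy model of a scoped, expiring, revocable
// session-key registry. Class, action names and addresses are hypothetical
// and are not the AccountVerifier ABI.
const TRADE_ACTIONS = new Set([
  "openPosition", "closePosition", "adjustCollateral",
  "placeStopLossTakeProfit", "cancelOrder",
]);
const SESSION_SECONDS = 24 * 60 * 60; // default session length stated on this page

class SessionRegistry {
  constructor() {
    this.sessions = new Map();  // sessionKey -> { owner, expiresAt, revoked }
    this.activeKey = new Map(); // owner -> most recently authorized sessionKey
  }

  // Main-wallet action: grant a fresh key and invalidate the previous one.
  authorize(owner, sessionKey, now) {
    const previous = this.activeKey.get(owner);
    if (previous !== undefined) this.sessions.get(previous).revoked = true;
    this.sessions.set(sessionKey, { owner, expiresAt: now + SESSION_SECONDS, revoked: false });
    this.activeKey.set(owner, sessionKey);
  }

  // Main-wallet action: only the wallet that granted the key may revoke it.
  revoke(caller, sessionKey) {
    const s = this.sessions.get(sessionKey);
    if (!s || s.owner !== caller) return false;
    s.revoked = true;
    return true;
  }

  // Deny by default: known key, right account, not revoked, not expired, trade action.
  check(sessionKey, account, action, now) {
    const s = this.sessions.get(sessionKey);
    if (!s) return "unknown key";
    if (s.owner !== account) return "wrong account";
    if (s.revoked) return "revoked";
    if (now >= s.expiresAt) return "expired";
    if (!TRADE_ACTIONS.has(action)) return "out of scope";
    return "allowed";
  }
}

// Constructed sample run (times in seconds since authorization).
const registry = new SessionRegistry();
registry.authorize("0xOwner", "0xKeyA", 0);
console.log(registry.check("0xKeyA", "0xOwner", "openPosition", 60));
console.log(registry.check("0xKeyA", "0xOwner", "withdraw", 60));
console.log(registry.check("0xKeyA", "0xOwner", "openPosition", SESSION_SECONDS));
```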


#Threat Model (What Could Go Wrong?)

We want to be transparent about risks so you can make informed decisions.

#Phishing / Fake Sites

Threat: A fake website pretends to be Exolane and asks you to sign a message.

Mitigation: Always check you're on exolane.com. Bookmark it. A session key is scoped to Exolane's contract addresses. However, if you sign a malicious authorization on a fake site, your main wallet could be at risk. Only sign messages on the official site.

#Cross-Site Scripting (XSS)

Threat: Malicious code injected into a website tries to read your session key from the browser.

Mitigation: Session keys are stored in Privy's secure, sandboxed iframe — they are not accessible to the parent page's JavaScript. Even if a page were compromised, the key is isolated.

#Device Malware / Keyloggers

Threat: Malware on your computer could try to extract the session key from browser storage.

Mitigation: If malware has full access to your device, it's a risk for any wallet or app. With Exolane, the worst-case damage is limited: the session key cannot withdraw funds. An attacker could only place or close trades — they can't steal your collateral. Keep your device secure with standard practices (keep your OS updated, don't install untrusted software).

#Stolen Session Key

Threat: Someone gets a copy of the raw session key.

Mitigation: They can only submit trades — never withdrawals. You can revoke the key immediately from the UI or on-chain. The key also expires automatically within 24 hours.

#Comparison: With vs. Without 1-Click Trading

| | Without 1-Click | With 1-Click |
| --- | --- | --- |
| Trade signing | Wallet popup every time | Instant, no popups |
| Key access | Main wallet signs everything | Separate session key signs trades only |
| Withdraw access | Main wallet required | Main wallet required (unchanged) |
| If key is compromised | Full wallet at risk | Only trade actions exposed; funds safe |
| Expiry | N/A | 24 hours, auto-expires |

#FAQ

#Is my main wallet's private key ever shared?

No. Your main wallet only signs an authorization message that grants the session key limited permissions. Your private key never leaves your wallet.

#What happens if I clear my browser data?

The session key is lost. You'll need to re-enable 1-Click Trading, which creates a fresh key. No funds are affected.

#Can Exolane or Privy access my funds?

No. Neither Exolane nor Privy can initiate withdrawals or move your collateral. The session key is trade-only, and your main wallet is required for all fund movements.

#Does 1-Click Trading work across devices?

No. The session key is specific to the browser and device where it was created. If you switch devices, you'll need to enable it again.

#Is this the same as "trading bot" access?

Similar concept, but much more restricted. A session key can only interact with Exolane's trading functions and expires automatically. It cannot be used on other protocols or for any non-trading action.


#Summary

| Aspect | Detail |
| --- | --- |
| Technology | Privy embedded wallet (session key delegation) |
| Scope | Trade-only — open, close, adjust positions |
| Cannot do | Withdraw funds, transfer collateral, change settings |
| Duration | 24 hours, auto-expires |
| Revocation | UI toggle or on-chain revoke call |
| Key storage | Browser-local, sandboxed by Privy |
| Main wallet exposure | None — private key is never shared |

Summary: 1-Click Trading is designed so that even if a session key is compromised, the attacker can only place or close trades — they cannot withdraw funds from the protocol. The key expires automatically within 24 hours and can be revoked at any time.

