#Security And Scam Response
Use this page if you saw a fake site, suspect an impersonator, exposed a wallet, or found a protocol vulnerability.
#Core Security Rules
- Only use the official links listed on Official Links.
- Exolane will never ask for your seed phrase or private key.
- Exolane will never DM you first with a recovery or support offer.
- No one can recover funds by asking you to send assets to another address.
#Before You Do Anything Else
- Open Official Links in a fresh tab.
- Compare the domain, social handle, and contract addresses against the official list.
- Save transaction hashes, wallet addresses, screenshots, and URLs before you close anything.
#What Exolane Can And Cannot Do
| Exolane can | Exolane cannot |
|---|---|
| Publish official warnings and incident notices | Reverse on-chain transactions |
Review vulnerability reports sent to [email protected] |
Recover funds from a compromised wallet |
| Help users verify the official domain, docs, and public contract addresses | Validate recovery offers sent through DMs or unofficial channels |
#I Opened A Suspicious Page But Did Not Sign Anything
- Disconnect from the page and close the tab.
- Clear any saved site connection for that domain in your wallet if you are unsure.
- Re-open Exolane only from Official Links.
- If the site impersonates Exolane, report it through the official channels on that page.
#I Think I Visited A Fake Exolane Site
- Stop interacting immediately.
- Do not sign any more messages or transactions.
- If you signed something suspicious from your main wallet, consider revoking permissions and moving remaining assets to a clean wallet.
- Verify the official domain and contract addresses on Official Links.
- Report impersonators or fake sites on x.com/exolanedex. If there is a serious security issue, also email [email protected].
#My Wallet Or Seed Phrase Is Compromised
- If your seed phrase or private key was exposed, assume the wallet is permanently compromised.
- Move remaining assets to a clean wallet if you still can.
- Revoke any active 1-Click Trading session from the official UI or on-chain.
- Exolane cannot reverse on-chain transactions or recover assets from a compromised wallet.
#I Think My 1-Click Trading Session Key Is Exposed
- A 1-Click Trading session key can place or close trades, but it cannot withdraw funds.
- Revoke it immediately from the UI or by using the on-chain revoke flow.
- Once revoked, create a fresh session only on the official site.
- If your main wallet is still secure, fund movements still require the main wallet.
See 1-Click Trading Security for the threat model and revoke steps.
#I Found A Protocol Vulnerability Or Serious Bug
- Do not publish exploit details first.
- Email [email protected] with a clear description, impact, reproduction steps, and any relevant hashes or screenshots.
- Wait for acknowledgment before public disclosure.
- Do not assume a public bounty or reward unless Exolane announces one through an official channel listed on Official Links.
#What To Include In A Security Report
| Detail | Why it matters |
|---|---|
| Affected URL, contract, or feature | Identifies the vulnerable surface |
| Wallet addresses and transaction hashes | Lets the team reproduce and verify the issue |
| Reproduction steps | Makes the report actionable |
| Estimated impact | Helps triage severity |
| Screenshots, logs, or videos | Preserves evidence |