Trust & Security

This page is maintained by the Ondo Perps team to answer common security and privacy questions about the Ondo Perps public beta. It describes the controls and practices currently visible in the app; it is project-maintained content, not an independent audit or certification.

Authentication

Sign-in uses your self-custodial Ethereum wallet. To establish a session, our server issues a one-time random nonce, your wallet signs a human-readable message that embeds that nonce, and the server verifies the signature against your wallet address before issuing a short-lived, HttpOnly session cookie. Each nonce is accepted once and then marked consumed, so a captured signature cannot be replayed to open another session.
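The server side of that challenge, as an added example (not code from the Ondo Perps project): a nonce store that hands out random nonces and lets each be redeemed exactly once, a message builder that embeds the nonce, and a sign-in step that binds the recovered signer to the claimed wallet. Recovering an address from an EIP-191 personal-message signature needs a secp256k1 library, so it is injected as the `recover_address` callback rather than implemented here; the message text and the 300-second nonce lifetime are assumptions.

```python
import secrets
import time

# Added example, not the Ondo Perps code base: the server side of a nonce
# challenge for wallet sign-in. Signature recovery needs a secp256k1 library
# (for example eth_account), so it is passed in as `recover_address`.

NONCE_TTL_SECONDS = 300  # assumed lifetime of an unredeemed nonce


class NonceStore:
    """Issues random nonces and lets each one be redeemed exactly once."""

    def __init__(self, now=time.time):
        self._now = now
        self._nonces = {}  # nonce -> {"expires": epoch seconds, "consumed": bool}

    def issue(self):
        nonce = secrets.token_hex(16)  # 128 random bits, unguessable
        self._nonces[nonce] = {"expires": self._now() + NONCE_TTL_SECONDS, "consumed": False}
        return nonce

    def consume(self, nonce):
        """True only the first time a known, unexpired nonce is presented."""
        entry = self._nonces.get(nonce)
        if entry is None or entry["consumed"]:
            return False
        # Marked consumed even if it turns out to be expired, so it can never be retried.
        entry["consumed"] = True
        return self._now() < entry["expires"]


def build_message(address, nonce):
    """Human-readable challenge the wallet signs; the nonce is embedded verbatim (assumed wording)."""
    return f"Sign in to Ondo Perps\nWallet: {address}\nNonce: {nonce}"


def complete_sign_in(store, claimed_address, nonce, signature, recover_address):
    """Return the wallet to bind to the session, or None if the challenge fails.

    recover_address(message, signature) -> signer address is expected to do
    EIP-191 personal-message recovery; it is injected, not implemented here.
    """
    if not store.consume(nonce):
        return None  # unknown, expired, or replayed nonce
    signer = recover_address(build_message(claimed_address, nonce), signature)
    if signer is None or signer.lower() != claimed_address.lower():
        return None  # signature was not produced by the claimed wallet
    return claimed_address.lower()
```

The order of checks matters: the nonce is consumed before the signature is examined, so even a valid signature presented a second time is rejected, and a nonce that was never issued by this server is rejected outright rather than being "verified" against whatever the client signed.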

We never receive, store, or have access to your wallet's seed phrase or private keys. The sign-in message is an off-chain signature request, not a transaction: signing it does not submit anything to the chain or authorize any on-chain action. You can sign out from the account menu at any time, which clears the session cookie.

Access to your account

All authenticated trading and deposit endpoints derive your wallet identity from the verified session cookie on the server. A request cannot choose which wallet it acts on: any wallet value supplied by the client is ignored, and the server uses the wallet bound to your session.

Administrative endpoints additionally require the calling wallet to be on a server-managed allowlist; this allowlist is never exposed to the client.

Beta access

Access to the public beta is invite-only. Invite codes and the list of approved wallets are stored server-side. Each code has a configurable usage cap and can be disabled by the team. Code redemption succeeds only after a wallet has completed signature-based sign-in, so a code cannot be redeemed anonymously.

Deposits

Deposits are made by sending a supported ERC-20 token on Ethereum mainnet to the treasury address displayed in the deposit dialog. After your transaction confirms, our server fetches the on-chain receipt and checks that the transfer was sent from your authenticated wallet, that it moved a supported token to the published treasury address, and that at least two blocks have confirmed it; only then is your trading balance credited. Crediting is idempotent per transaction hash, so submitting the same hash twice credits it once.
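The receipt checks described above, as an added example (not the Ondo Perps implementation): given a receipt in the `eth_getTransactionReceipt` JSON-RPC shape and the wallet from the caller's session, decode the ERC-20 `Transfer` logs, require the sender to be the session wallet and the recipient to be the treasury, require two confirmations, and record the transaction hash so a repeat submission credits nothing. The treasury, token contract and wallet addresses, the sample receipt, and the two-block threshold are constructed for the example; the `Transfer` event topic hash is the standard ERC-20 one.

```python
# Added example, not the Ondo Perps code base: the checks a server can run on a
# fetched ERC-20 transfer receipt before crediting a deposit. Receipt fields
# follow the eth_getTransactionReceipt JSON-RPC shape; the token, treasury and
# wallet addresses are made up.

TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # keccak256("Transfer(address,address,uint256)")
TREASURY = "0x1111111111111111111111111111111111111111"  # assumed published treasury address
SUPPORTED_TOKENS = {"0x2222222222222222222222222222222222222222": "USDC"}  # assumed token contract
MIN_CONFIRMATIONS = 2


def topic_to_address(topic):
    """Indexed address topics are left-padded to 32 bytes; the address is the low 20."""
    return "0x" + topic[-40:].lower()


def pad_address(address):
    """Encode an address the way an indexed event topic does (used to build the sample)."""
    return "0x" + "0" * 24 + address[2:].lower()


def verify_deposit(receipt, session_wallet, latest_block, credited):
    """Return (token symbol, amount in base units) to credit, or None to reject.

    `credited` is the set of transaction hashes already credited; it is
    updated here so a second submission of the same hash is a no-op.
    """
    tx_hash = receipt["transactionHash"].lower()
    if tx_hash in credited:
        return None  # idempotent per transaction hash
    if receipt.get("status") != "0x1":
        return None  # reverted transaction; its logs are not trustworthy
    if receipt["from"].lower() != session_wallet.lower():
        return None  # transaction was not sent by the authenticated wallet
    confirmations = latest_block - int(receipt["blockNumber"], 16) + 1
    if confirmations < MIN_CONFIRMATIONS:
        return None  # too fresh; retry after more blocks

    credited_token, total = None, 0
    for log in receipt["logs"]:
        token = log["address"].lower()
        topics = log["topics"]
        if token not in SUPPORTED_TOKENS or len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue  # not a Transfer event emitted by a supported token contract
        if topic_to_address(topics[1]) != session_wallet.lower() or topic_to_address(topics[2]) != TREASURY:
            continue  # wrong sender or wrong recipient
        if credited_token not in (None, token):
            return None  # mixed-token deposits in one transaction are not credited
        credited_token, total = token, total + int(log["data"], 16)

    if total == 0:
        return None  # nothing reached the treasury from this wallet
    credited.add(tx_hash)
    return (SUPPORTED_TOKENS[credited_token], total)


WALLET = "0x3333333333333333333333333333333333333333"  # made-up depositor
SAMPLE_RECEIPT = {  # constructed for this example; not a real mainnet receipt
    "transactionHash": "0x" + "ab" * 32,
    "status": "0x1",
    "blockNumber": "0x10",  # block 16
    "from": WALLET,
    "to": "0x2222222222222222222222222222222222222222",
    "logs": [{
        "address": "0x2222222222222222222222222222222222222222",
        "topics": [TRANSFER_TOPIC, pad_address(WALLET), pad_address(TREASURY)],
        "data": "0x" + format(1_000_000, "064x"),  # 1 USDC at 6 decimals
    }],
}
```

Two details are easy to get wrong: the receipt's `to` field is the token contract, not the treasury, so the destination has to be read from the `Transfer` log's second indexed topic; and the sender should be checked both on the transaction (`from`) and in the log, since the log alone would also match a transfer routed through a contract.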

Withdrawals back to your wallet are not yet enabled during the public beta. Funds held on the platform are tracked in our database as a virtual trading balance and are not collateralized or insured.

Data we store

We store the minimum information needed to operate the platform:

  • Your wallet address (used as your account identifier).
  • Your trading balance, positions, orders, fills, ledger entries, and funding history.
  • Recorded deposit transactions (tx hash, amount, token, chain).
  • Short-lived sign-in nonces, used once and then marked consumed.
  • If you join the waitlist, the email address you submit, which is kept locally in your browser rather than in our database.

We do not request or store names, government IDs, KYC documents, or seed phrases.

Hosting and infrastructure

The application is hosted on Lovable Cloud and uses a managed Postgres database. The service-role database key, session signing secret, and admin allowlist are stored as server-side secrets and are never shipped to the browser.

Cookies

We set a single HttpOnly, SameSite=Lax session cookie after a successful wallet sign-in. It contains your wallet address, an expiry timestamp, and an HMAC computed with a server-only secret, so the cookie cannot be forged or altered without that secret; the server rejects any cookie whose HMAC or expiry does not check out. We do not set advertising or third-party tracking cookies.
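A cookie of that shape, minted and verified, as an added example that also illustrates the earlier point that endpoints take the acting wallet from the session and not from the request (this is illustrative code, not the Ondo Perps implementation): the value is `address.expiry.hmac`, the HMAC is recomputed server-side and compared in constant time, and the example handler ignores any `wallet` field in the request body. The dot-separated encoding, SHA-256 as the HMAC hash, the one-hour lifetime and the `place_order` handler are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Added example, not the Ondo Perps code base: a session cookie carrying the
# wallet address, an expiry and an HMAC, plus a handler that takes the acting
# wallet only from the verified cookie. Encoding and TTL are assumed.

SESSION_SECRET = secrets.token_bytes(32)  # server-only; a real deployment loads it from secret storage
SESSION_TTL_SECONDS = 3600                # assumed "short-lived" value


def _sign(payload):
    """HMAC-SHA256 over the cookie payload, urlsafe-base64 without padding."""
    mac = hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def mint_session(address, now=None):
    """Issue the cookie value after a successful wallet sign-in."""
    expires = int(time.time() if now is None else now) + SESSION_TTL_SECONDS
    payload = f"{address.lower()}.{expires}"
    return f"{payload}.{_sign(payload)}"


def verify_session(cookie_value, now=None):
    """Return the wallet address bound to a valid, unexpired cookie, or None."""
    try:
        address, expires_str, mac = cookie_value.split(".")
        expires = int(expires_str)
    except (ValueError, AttributeError):
        return None  # malformed or missing cookie
    payload = f"{address}.{expires_str}"
    # Constant-time comparison: a forger learns nothing from how fast a bad MAC is rejected.
    if not hmac.compare_digest(_sign(payload), mac):
        return None
    current = time.time() if now is None else now
    if current >= expires:
        return None  # expired; the client must sign in again
    return address


def place_order(request_body, cookie_value, now=None):
    """Example endpoint (assumed): the acting wallet comes from the session, never the body."""
    wallet = verify_session(cookie_value, now)
    if wallet is None:
        return {"status": 401, "error": "not signed in"}
    # Any client-supplied "wallet" field is ignored; nothing in the body can redirect the action.
    order = {"market": request_body["market"], "size": request_body["size"]}
    return {"status": 200, "wallet": wallet, "order": order}
```

The HMAC covers both the address and the expiry, so neither can be edited independently: changing the address, extending the expiry, or swapping in the MAC from another cookie all fail verification. Note that the cookie is authenticated, not encrypted; its contents are readable, which is acceptable here because a wallet address is already public.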

What we do not claim

Ondo Perps is in public beta. We make no representations about uptime guarantees, regulatory licensing, formal audits, SOC 2 / ISO certification, GDPR/HIPAA/PCI compliance, encryption of all data at rest, or insurance of user balances. Use the platform only with funds you can afford to lose.

Reporting a security issue

If you believe you have found a security vulnerability, please contact the team via our Telegram or on X and we will respond as quickly as we can. Please do not disclose the issue publicly until we have had a reasonable chance to investigate and fix it.
