CRXDocs
Get StartedLearnBuildCurateTools
  • Overview
  • Roles
  • Liquidity
  • Security
  • Set Up a Desk
  • Configure Roles
  • Sentinel

Security Considerations for Makers

What risks does a maker carry?

Four: your key, your exposure, the session, and settlement. None of them is counterparty credit — CRX removes a taker at the margin line and pays you from its own estate before a loss reaches you. What is left to manage is the risk you bring yourself.

The contract takes care of the default. You take care of the key, the size, the timing, and the close-out.

How do I protect the key?

The signing wallet is the desk. Whoever holds it can price, sign Terms, and move your funded balance. Treat it as a trading key, not a vault key.

  • Separate the maker identity from the signer if you can. Onboarding binds the desk to the signing wallet, but a desk can rotate to a fresh signer. See Configure Desk Roles (~4 min).
  • The operator cannot bail you out of a lost key. It can ban or terminate the firm, but it holds no key that moves your collateral against the on-chain proof. A stolen signer is a stolen desk.
  • Custody the key as a market maker would. A hardware signer or a multisig for the funded wallet; a hot wallet only for the quoting JWT, which expires hourly and moves nothing on-chain.

A compromised signer can bind positions and withdraw your general balance. The same wallet that quotes also signs withdraw. Scope it accordingly.

How do I bound my exposure?

By the margin you require and the notional you sign. Each is yours to set, RFQ by RFQ.

  • Margin is your lever. You write imLongBps/imShortBps into every quote — collateral, per client, never credit. A riskier client or a gappy pair carries a higher rate; a client you trust carries a tighter one.
  • Keep your general balance funded. Variation margin debits your loss from your general balance, and the daily IM re-true tops up your SCA from it. If general cannot cover the re-true, the top-up is partial and the gap surfaces to the cascade — against you. Fund ahead of the move.
  • There is no venue cap on your book. You can hold many agreements at once. Sum your open notional yourself; the contract will not stop you from over-committing.

Size the margin to one thing: how far the price can move before a defaulter's collateral runs out during close-out.

Pair characterClose-out riskRate to set
Calm, continuously markedliquidates in hours on the Pyth EMA~1–2%
Gappy or managed currencycan devalue in one stephigher — e.g. USD/PHP ~12%, USD/INR ~8%

What is session risk?

The risk that a pair gaps while its FX session is closed and no liquidation can run.

CRX trades FX, so it respects the FX calendar. Three LatAm pairs (USD/CLP, USD/COP, USD/PEN) publish a live price only during their local bank session; the majors and Asia NDFs close nights and weekends. While a session is shut, the cascade marks against the last trusted rate — a default still resolves — but a managed currency can jump in one step when the session reopens.

Therefore: size the margin on a session-windowed or managed pair to the move that can happen across the closed window, not the calm you see intraday. See Liquidity & Quoting (~5 min) and Calendar & Sessions (~3 min).

How does settlement and default protect me?

By segregating the taker's collateral and moving it only on proof — and by paying you first from the taker's own estate if it fails.

  • Collateral is segregated and non-rehypothecable. Each taker's margin sits in its own SCA. CRX does not lend it, pool it, or net it against another counterparty. It moves only on a validated price and position set.
  • Variation margin clears P&L continuously. As the rate moves against the taker, its loss is debited from its general balance every cycle. There is no margin call to ignore. See Variation Margin (~5 min).
  • Default pays you in full from the taker's estate. If the taker runs short, the cascade nets its book, takes its SCA, then its general balance, then the guarantee fund — never your collateral. See Liquidation & Default Waterfall (~5 min).
  • Settlement is one Pyth EMA. The same moving average marks the trade and settles it; a single print cannot move it. There is no EMTA fixing to dispute.
The risk waterfall1The taker's deposittheir posted collateral, taken first2The taker's general balancetheir free margin across every position3CRX guarantee fundCRX's own capital — $1 seed in the MVPCRX capital

The contracts are under formal review by two independent security firms; the audit is not yet closed. Until those reviews complete, treat every guarantee here as a stated property, not an audited one.

Next: Set Up a Desk (~6 min) — onboard and make your first inbox call.

PreviousCurate · 4 min readLiquidityNextCurate · 3 min readSet Up a Desk
CRX
DocsDeskLaunch app
On-chain FX hedging. Confidential.