Why Safe?

Extended Vision on safety

The goal of Extended is to establish a genuinely trustless exchange, where users can trade without relying on the integrity of the platform. We define a trustless exchange as one that technically prevents any false or manipulative transactions from occurring, and allows users to access their funds even if the exchange operator is unavailable.

Extended achieves this design through users retaining self-custody of their funds, all trading activity being verified on-chain via our smart contracts on Starknet, and liquidation mechanisms relying on external oracle price providers.

In this blog, we will explore each of these principles, beginning with how TradFi ensures the security of transactions through well-established safeguards. We will then examine why crypto CeFi, lacking many of these critical protections, can present an insecure option for crypto trading.

Trading ecosystem

Over the last century, traditional finance has evolved into a sophisticated ecosystem where multiple entities — brokers, exchanges, custodians, clearing houses and depositories — play distinct but interconnected roles. In this system, the trading process involves several coordinated steps to ensure secure transactions. It starts with trade execution, where an investor places a buy or sell order via a broker, who is authorized by the exchange. The exchange accumulates these orders, matches buyers with sellers, and confirms the trade. Once confirmed, the trade clearance phase begins, with the clearing house stepping in as a guarantor, ensuring both parties fulfill their obligations. The clearing house temporarily takes ownership of the trade and splits it into two legs (buyer-to-seller and seller-to-buyer) through a process called novation.

Next is trade settlement, where the clearing house nets all trades and provides final settlement instructions to custodians. These instructions specify the cash and securities to be exchanged. The custodian, acting on behalf of the investor, ensures that delivery versus payment occurs, meaning the simultaneous exchange of cash for the corresponding securities. Once the clearing house verifies that all instructions are correct, it facilitates the transfer of ownership of the securities from the seller to the buyer, completing the trade. The securities are then recorded electronically at a depository, securing the investor's position.

The whole process is demonstrated in the image below.

[Figure: why safe chart]

This clear separation of roles within the trading ecosystem is a key strategy for effectively managing various risks that can arise in financial markets. In this framework, exchanges primarily function as dynamic marketplaces for matching orders, facilitating price discovery and liquidity for market participants, while not holding any authoritative power over the transactions themselves.

What’s wrong with CeFi?

The primary concern with CeFi, including major exchanges like Binance, Bybit, and Coinbase, is that they combine multiple functions that should be separated within a single entity. This consolidation of power fundamentally leads to conflicts of interest and exposes the system to operational vulnerabilities.

[Figure: why safe chart]

Brokerage Risk

In TradFi, only certified brokers are allowed to trade on the exchange, and they have access only to their own and publicly available information. The exchange itself operates strictly as a service provider and is prohibited from engaging in trading. These regulations, enforced by the SEC and other regulatory bodies, are designed to safeguard market integrity and fairness.

In contrast, CeFi lacks this separation of roles — there are no brokers, and anyone, including the exchange itself, can trade on the platform. This creates significant risks, as the exchange has priority access to all order data, which becomes publicly available only after a small time lag. The exchange could potentially misuse this early access to information for its own benefit, often to the detriment of its customers. By leveraging not-yet-public information about upcoming transactions that are likely to impact asset prices, centralized exchanges could theoretically engage in front-running — executing their own trades ahead of others to profit from the anticipated market moves.

Clearing Risk

When there is no separate entity for clearing, the exchange itself acts as the clearing house, eliminating the independent checks and balances that are key for preventing unethical practices. This allows the exchange to match trades even when one party can’t meet their obligations. A clear example of this risk was the collapse of FTX, where the exchange failed to ensure that Alameda Research had adequate margin to execute trades, resulting in a breakdown of market integrity and unequal treatment of users.

In TradFi, such a scenario is prevented by the clearing house, which acts as a neutral third party. A trade only settles once the clearing house verifies that both parties have met their obligations, including maintaining the required margin and ensuring sufficient funds.

Custodian Risk

Lastly, centralized exchanges retain full custody of users' funds, as they act as the custodians themselves. This creates a single point of failure where customer deposits are vulnerable to mismanagement, fraud, or even theft. We can reference FTX again as an example, where user funds were reportedly misappropriated to cover the exchange's own losses. In cases of exchange insolvency, hacking, or internal malfeasance, investors may lose access to their funds with little to no recourse. The lack of an independent custodian also eliminates the additional layer of security and oversight that traditionally ensures the safekeeping of assets and prevents the misuse of client funds. This centralization of control over assets in CeFi heightens the risk to investors' capital.

The good thing is that all these risks can be eliminated in a trustless exchange.

How does Extended eliminate safety risks?

Extended eliminates custodian risk by allowing users complete self-custody of their funds, ensuring that the platform neither owns nor manages users' assets. Control and ownership remain entirely with the client. Clearing risk is eliminated and brokerage risk is minimized through on-chain validations of the trading logic, ensuring full transparency and security.

Self-custody

Unlike centralized exchanges, where users lose control of their funds upon deposit, Extended guarantees full self-custody. When a user connects their wallet, a STARK keypair is generated locally, derived directly from the wallet's private key. This keypair can always be regenerated using the same wallet and never leaves the browser or gets transmitted to Extended's servers or any external party.

All funds are held in smart contracts on Starknet, meaning Extended has no custodial access to user assets under any circumstances. Even if the exchange operator becomes unavailable, users can execute forced withdrawals directly through the smart contract, bypassing the exchange entirely. This ensures funds cannot be frozen or lost.

In essence, Extended's self-custody fully replaces the role of independent custodians found in TradFi.

On-chain verification of trading logic

On-chain verification of trading logic ensures the security and transparency of all transactions conducted through Extended. This verification completely eliminates clearing risk, as it guarantees that payments are always fulfilled. This is achieved by ensuring that every trade is fully collateralized and that all settlements occur directly on the blockchain, providing a trustless and secure trading environment.

Additionally, each transaction is signed by the user, meaning all key order parameters are explicitly confirmed during the signing process. When placing an order, users define both the maximum amount they are willing to spend and the minimum they are willing to receive. Extended is designed to strictly adhere to these constraints during settlement. Transactions are verified on-chain, and any mismatch between the signed data and the actual execution is automatically rejected. This eliminates the need for a traditional clearing house, as transaction integrity is enforced without relying on a third party.

While our current on-chain logic does not guarantee order book price-time priority, the risk is mitigated by the fact that users pre-approve the worst acceptable price. This means Extended cannot execute any trade at a worse price than what the user has signed, ensuring that trade conditions are always respected. To further support transparency, Extended provides a real-time stream of best bids, asks, and executed trades, allowing users to independently verify that their orders were filled at the best available prices at the time of execution.
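The settlement constraint described above can be modeled in a few lines. This is an added example in Python, not Extended's contract code: the field names, the proportional rule for partial fills, and the sample order are assumptions, and signature verification is assumed to have already succeeded.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignedOrder:
    # Parameters the user confirms when signing (hypothetical field names).
    order_id: int
    max_spend: int    # most of the sell asset the user agrees to give up
    min_receive: int  # least of the buy asset accepted for max_spend

class SettlementError(Exception):
    pass

def settle_fill(order, already_spent, spent, received):
    """Validate one (possibly partial) fill; return the new cumulative spend."""
    if spent <= 0 or received <= 0:
        raise SettlementError("fill amounts must be positive")
    # Cumulative spend across partial fills may never exceed the signed cap.
    if already_spent + spent > order.max_spend:
        raise SettlementError("exceeds signed max_spend")
    # Worst-price check by integer cross-multiplication (no rounding):
    # received / spent >= min_receive / max_spend
    if received * order.max_spend < order.min_receive * spent:
        raise SettlementError("price worse than signed limit")
    return already_spent + spent

def replay(order, fills):
    """Apply fills in sequence; rejected fills leave the state unchanged."""
    spent_total, results = 0, []
    for spent, received in fills:
        try:
            spent_total = settle_fill(order, spent_total, spent, received)
            results.append("accepted")
        except SettlementError as exc:
            results.append(f"rejected: {exc}")
    return spent_total, results

# Constructed sample: spend at most 1000 units to receive at least 50.
ORDER = SignedOrder(order_id=1, max_spend=1000, min_receive=50)
# (spent, received) pairs an operator might submit for settlement.
FILLS = [(400, 20), (400, 19), (700, 40), (600, 31)]

if __name__ == "__main__":
    total, outcome = replay(ORDER, FILLS)
    for fill, status in zip(FILLS, outcome):
        print(fill, status)
    print("total spent:", total)
```

The second fill is rejected on price and the third on the cumulative cap, so an operator cannot overspend the order by splitting it into several fills.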

Extended also enforces fair liquidation logic based on several key principles. Accounts eligible for liquidation are blocked from performing further transactions, and any liquidation attempt is automatically rejected if the user's equity exceeds margin requirements. Liquidations are triggered by independent external oracle mark prices, ensuring impartiality. On-chain logic also guarantees that liquidation improves the account's health—meaning the ratio of Total Value to Total Risk must increase as a result of the liquidation.
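The liquidation rules above, as an added Python model that is not Extended's contract code. It assumes Total Value is collateral plus position value at oracle mark prices and Total Risk is position notional times a per-market risk factor; the market name, risk factor and balances are constructed.

```python
from fractions import Fraction

def total_value(collateral, positions, marks):
    # TV (assumed definition): collateral plus signed position value at mark.
    return collateral + sum(size * marks[m] for m, size in positions.items())

def total_risk(positions, marks, risk):
    # TR (assumed definition): |size| * mark price * risk factor per market.
    return sum(abs(size) * marks[m] * risk[m] for m, size in positions.items())

def check_liquidation(collateral, positions, marks, risk, market, delta, price):
    """Decide whether changing `market` by `delta` at `price` is a valid
    liquidation. `marks` are the external oracle prices. Returns (ok, reason)."""
    tv = total_value(collateral, positions, marks)
    tr = total_risk(positions, marks, risk)
    # Rule 1: reject if equity exceeds the margin requirement.
    if tv > tr:
        return False, "equity exceeds margin requirement"
    size = positions.get(market, 0)
    # The trade must shrink an open position without flipping its side.
    if delta == 0 or delta * size >= 0 or abs(delta) > abs(size):
        return False, "liquidation must reduce an open position"
    new_positions = {**positions, market: size + delta}
    new_collateral = collateral - delta * price
    tv2 = total_value(new_collateral, new_positions, marks)
    tr2 = total_risk(new_positions, marks, risk)
    # Rule 2: TV/TR must increase; cross-multiplied to avoid dividing by zero
    # when the position is closed completely (tr2 == 0).
    if tv2 * tr <= tv * tr2:
        return False, "health ratio TV/TR does not increase"
    return True, "accepted"

# Constructed account: long 10 units opened at 1000 with a 1000 deposit.
MARKET = "ETH-USD"
COLLATERAL = -9000
POSITIONS = {MARKET: 10}
RISK = {MARKET: Fraction(1, 20)}  # 5% margin requirement

if __name__ == "__main__":
    for mark, px in [(940, 935), (940, 850), (1000, 1000)]:
        verdict = check_liquidation(COLLATERAL, POSITIONS, {MARKET: mark},
                                    RISK, MARKET, -5, px)
        print(f"mark={mark} exec={px}:", verdict)
```

At a mark of 940 the account has TV 400 against TR 470, so selling 5 units at 935 is accepted, while the same sale at 850 is rejected because it would leave the account with a lower TV/TR than before.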

Audits

Extended's on-chain logic and smart contracts have undergone extensive audits by external security firms. The audit reports are available below:

© 2025 Extended. All rights reserved.