UltraLiquid's security model is built around one principle: a user should be able to recover their margin against Bitcoin L1 without trusting the exchange. Here's how that works.
Trader funds live in Utexo state channels anchored to Bitcoin L1. Margin is locked client-side via RGB validation; the exchange holds spending conditions, not unilateral custody. To go to zero, both the trader and the venue must co-sign the closing state.
Every N minutes, the matching engine commits a Merkleized state root to Bitcoin via Utexo. A trader can always force-close their channel using the latest mutually-signed state — even if the exchange is fully offline.
The risk engine evaluates portfolios continuously against mark price (oracle-anchored for crypto, Backed/Chainlink for RWA). Positions are liquidated when account margin falls below the maintenance-margin rate for that leverage tier. There is no insurance-fund socialized loss model — losses are realized against the liquidating position only.
Crypto marks use a median of Pyth, Chainlink, and a TWAP from the internal book. RWA marks use Backed's published attestation prices with a max-deviation circuit breaker. If the oracle stalls or diverges, new orders for that market are paused.
Cold-key storage for venue treasury. Multisig for all parameter changes. Independent audits of the matching engine, risk module, and Utexo integration before mainnet.