Operations

The console behind the exchange.

Reconciliation drift bands, the freeze switch, the audit log hash chain, and the on-call runbook.

Last updated: May 18, 2026
01

Admin console overview

The operator console at /admin is the single surface for human-in-the-loop platform operations. Access is gated by operator role plus a hardware-backed WebAuthn step-up — TOTP alone is not sufficient for admin scope.

The console exposes five sub-surfaces: withdrawal queue, freeze controls, reconciliation board, operator flags, and the audit stream. Every action taken through the console is written to the hash-chained audit log before the side effect is allowed to commit.

02

Withdrawal approval queue

Withdrawals above the per-asset auto-cap land in the operator queue. The queue shows the requesting account, KYC tier, all gating signals (address screening verdict, velocity baseline, 2FA method used), and a one-click approve / reject affordance.

Approvals require two-operator sign-off above the “dual control” threshold (default $50,000 per request). The second operator must be a different identity from the first; the check runs before the approval commits, and the audit row records both operator IDs together with the hash of the payload each of them signed off, so the decision is verifiable after the fact from the chain.

The full gate chain that precedes the queue is documented under Custody & withdrawals → Withdrawal gates.
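The dual-control rule above, as an added example that is not the console's own code. It assumes a hypothetical request record (field names are illustrative) and shows the two checks a reviewer would want: the second sign-off must come from a different operator, and it must cover the same payload hash as the first, so a request edited between sign-offs (a changed destination, say) cannot ride through on a stale approval.

```python
import hashlib
import json
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Dual-control threshold from the page (default $50,000 per request).
DUAL_CONTROL_THRESHOLD_USD = Decimal("50000")


class ApprovalError(Exception):
    pass


@dataclass
class WithdrawalRequest:
    # Hypothetical schema for illustration; the console's real record is not on the page.
    request_id: str
    account: str
    asset: str
    destination: str
    amount: Decimal
    usd_value: Decimal
    signoffs: list = field(default_factory=list)   # (operator_id, payload_hash), in order
    rejection: Optional[tuple] = None              # (operator_id, reason) once rejected
    status: str = "pending"                        # pending | approved | rejected


def payload_hash(req: WithdrawalRequest) -> str:
    """SHA-256 over the fields that define *what* is being approved.

    Sign-offs and status are excluded so the hash stays stable while the request
    sits in the queue; any edit to an approved field changes it."""
    payload = {
        "request_id": req.request_id,
        "account": req.account,
        "asset": req.asset,
        "destination": req.destination,
        "amount": str(req.amount),
        "usd_value": str(req.usd_value),
    }
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def required_signoffs(req: WithdrawalRequest) -> int:
    return 2 if req.usd_value > DUAL_CONTROL_THRESHOLD_USD else 1


def approve(req: WithdrawalRequest, operator_id: str) -> str:
    """Record one operator's sign-off and return the resulting status."""
    if req.status != "pending":
        raise ApprovalError(f"{req.request_id} is already {req.status}")
    current = payload_hash(req)
    for prior_operator, prior_hash in req.signoffs:
        if prior_operator == operator_id:
            raise ApprovalError("dual control needs a second, distinct operator")
        if prior_hash != current:
            # The request was edited after the earlier sign-off. Drop the stale
            # sign-off rather than let this approval silently cover a different payload.
            req.signoffs.clear()
            raise ApprovalError("payload changed since earlier sign-off; sign-offs reset")
    req.signoffs.append((operator_id, current))
    if len(req.signoffs) >= required_signoffs(req):
        req.status = "approved"
    return req.status


def reject(req: WithdrawalRequest, operator_id: str, reason: str) -> str:
    """One operator can reject at any point; rejection is terminal."""
    if req.status != "pending":
        raise ApprovalError(f"{req.request_id} is already {req.status}")
    req.rejection = (operator_id, reason)
    req.status = "rejected"
    return req.status
```

After a reset the request goes back to needing both sign-offs on the new payload, which is the conservative behaviour: the first approver reviews the changed request again rather than having their earlier decision reused.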

03

Platform freeze (emergency)

A single switch — platform.freeze — halts all balance-changing writes. Deposits continue to be observed (the watcher keeps running), but no withdrawal signs, no order matches, no convert commits. The freeze is intentionally large-hammer; it buys time during an incident at the cost of trading downtime.

  • Setting the flag requires two operator sign-offs and writes a dedicated freeze.enable audit row with the reason payload.
  • Releasing the flag also requires two sign-offs and writes a freeze.release row, including the named all-clear from the incident commander.
  • While frozen, every API write returns 503 platform_frozen with the public incident URL.
04

Reconciliation drift thresholds

The reconciliation job runs hourly. It sums on-chain custody plus the hot-wallet float, sums the user-balance ledger, and computes the difference per asset in basis points relative to total liabilities. The band determines the response:

Band       Drift          Action
OK         < 1 bp         No action
DRIFT      1 – 100 bp     Page on-call, investigate
CRITICAL   > 100 bp       Auto-freeze, all-hands

The CRITICAL band invokes the freeze automatically — no human in the loop. The freeze release still requires the dual sign-off described above, so the auto-freeze cannot be silently undone.

The reconciliation board surfaces the per-asset drift history, which makes slow leaks (gas float draining, dust-sweep noise) visible long before they trip a threshold.
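The drift computation and banding above, together with the runbook's "two consecutive OK runs before release" precondition, as an added example that is not the exchange's own reconciliation job. The snapshot shape and the FreezeGate class are assumptions for illustration; the thresholds are the page's. Decimal arithmetic is used so sub-basis-point drift is not lost to float rounding, and the zero-liability case is handled explicitly rather than dividing by zero.

```python
from decimal import Decimal

OK, DRIFT, CRITICAL = "OK", "DRIFT", "CRITICAL"
SEVERITY = {OK: 0, DRIFT: 1, CRITICAL: 2}
DRIFT_BP = Decimal("1")          # page: DRIFT band starts at 1 bp
CRITICAL_BP = Decimal("100")     # page: CRITICAL band is > 100 bp
OK_RUNS_BEFORE_RELEASE = 2       # runbook step 4


def drift_bp(onchain_custody: Decimal, hot_float: Decimal, ledger_liabilities: Decimal) -> Decimal:
    """Signed drift in basis points of total liabilities.

    Positive means the ledger owes users more than custody plus float holds."""
    held = onchain_custody + hot_float
    if ledger_liabilities == 0:
        # Assumption: with no user liabilities there is nothing to be short of,
        # so report 0 bp instead of dividing by zero. Any balance held is surplus.
        return Decimal("0")
    return (ledger_liabilities - held) / ledger_liabilities * Decimal("10000")


def band_for(bp: Decimal) -> str:
    # A surplus of the same size is just as anomalous as a shortfall: either way
    # the ledger and custody disagree, so band on the magnitude.
    magnitude = abs(bp)
    if magnitude < DRIFT_BP:
        return OK
    if magnitude <= CRITICAL_BP:
        return DRIFT
    return CRITICAL


def reconcile(snapshot: dict) -> dict:
    """snapshot: {asset: {"onchain": D, "hot": D, "ledger": D}} -> {asset: (bp, band)}"""
    results = {}
    for asset, s in snapshot.items():
        bp = drift_bp(s["onchain"], s["hot"], s["ledger"])
        results[asset] = (bp, band_for(bp))
    return results


class FreezeGate:
    """Tracks the auto-freeze and the consecutive-OK precondition for release.

    Release itself still needs dual operator sign-off; this class only answers
    whether the runbook's precondition has been met."""

    def __init__(self):
        self.frozen = False
        self.ok_streak = 0

    def observe(self, results: dict) -> str:
        worst = max((band for _, band in results.values()), key=SEVERITY.get, default=OK)
        if worst == CRITICAL:
            self.frozen = True        # no human in the loop on the way in
            self.ok_streak = 0
            return "auto_freeze"
        if worst == DRIFT:
            self.ok_streak = 0        # a DRIFT run breaks the streak
            return "page_oncall"
        self.ok_streak += 1
        return "ok"

    def release_allowed(self) -> bool:
        return self.frozen and self.ok_streak >= OK_RUNS_BEFORE_RELEASE


if __name__ == "__main__":
    # Constructed sample snapshot: one asset per band.
    sample = {
        "BTC":  {"onchain": Decimal("1000"),    "hot": Decimal("5"),   "ledger": Decimal("1005.00005")},
        "ETH":  {"onchain": Decimal("20000"),   "hot": Decimal("100"), "ledger": Decimal("20150")},
        "USDC": {"onchain": Decimal("1000000"), "hot": Decimal("0"),   "ledger": Decimal("1020000")},
    }
    for asset, (bp, band) in reconcile(sample).items():
        print(f"{asset:5} {bp:>10.4f} bp  {band}")
```

Note the boundary: exactly 100 bp is still DRIFT, matching the table, and exactly 1 bp is already DRIFT, so the on-call page fires before the leak is large enough to be ambiguous.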

05

Operator flags

Cooud carries a small, well-named flag layer. Flags are key-value rows with optional cohort bands and per-environment scopes; reads go through a versioned cache so a flag flip is effective within 5 seconds globally.

  • platform.freeze — emergency halt (described above).
  • withdrawals.enabled.<chain> — per-chain withdrawal kill-switch for chain-specific incidents.
  • smart_wallet.cohort — the active cohort percentage for self-custody. See Smart wallet → Cohort gating.
  • trading.maintenance.<symbol> — pause a single symbol without taking down the whole engine.

Every flag flip is audited. The audit row contains the operator, the old value, the new value, and the reason string supplied at the time of the change.
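The flag layer described above, as an added example that is not the exchange's own flag service. It assumes a hypothetical in-memory store: rows keyed by (flag, environment) with an environment-scoped row overriding the global one, a cohort percentage resolved by a stable hash of the subject so that raising the percentage only ever adds subjects, a version counter a cache could key on, and a returned audit payload carrying operator, old value, new value and reason as the page requires.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlagRow:
    key: str
    value: object
    env: Optional[str] = None            # None = applies in every environment
    cohort_pct: Optional[float] = None   # 0..100; when set, value applies only inside the cohort


def in_cohort(key: str, subject: str, pct: float) -> bool:
    """Stable bucket in 0..9999 derived from sha256(key:subject).

    Enrollment is monotonic in pct: a subject inside the 5% cohort is also inside
    the 25% cohort, so a rollout never flips someone back out."""
    digest = hashlib.sha256(f"{key}:{subject}".encode("utf-8")).digest()
    bucket = int.from_bytes(digest[:4], "big") % 10000
    return bucket < int(pct * 100)


class FlagStore:
    def __init__(self):
        self.rows = {}      # (key, env) -> FlagRow
        self.version = 0    # bumped on every write; a cache keyed on this refreshes cheaply

    def set(self, key, value, *, operator, reason, env=None, cohort_pct=None) -> dict:
        """Write a flag row and return the audit payload for the flip."""
        old = self.rows.get((key, env))
        self.rows[(key, env)] = FlagRow(key, value, env, cohort_pct)
        self.version += 1
        return {
            "action": "flag.set", "key": key, "env": env, "operator": operator,
            "reason": reason, "old": old.value if old else None, "new": value,
            "version": self.version,
        }

    def resolve(self, key, env, subject=None, default=None):
        # Environment-scoped row wins over the global row for the same key.
        row = self.rows.get((key, env)) or self.rows.get((key, None))
        if row is None:
            return default
        if row.cohort_pct is None:
            return row.value
        if subject is None or not in_cohort(key, subject, row.cohort_pct):
            return default
        return row.value
```

The cohort hash includes the flag key, so membership in one rollout (smart_wallet.cohort) says nothing about membership in another; a subject who is "early" for one flag is not systematically early for every flag.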

06

Audit log hash chain

The audit log is append-only and hash-chained. Each row carries a SHA-256 of its own payload plus a SHA-256 that binds that payload hash to the previous row's chain hash, giving us tamper-evidence across the whole history. The payload hash covers the row's data columns only; the two hash columns are excluded, otherwise the definition would be circular. Row 0 has no predecessor and chains from a fixed genesis value. The latest chain head is published hourly to two independent witnesses, so a mid-stream rewrite that recomputes every later hash, or a truncation of the tail, is still detectable externally even though the rewritten chain is internally consistent.

row_n.payload_hash = SHA256(canonical_json(payload_n))          where payload_n is row_n without its two hash columns
row_n.chain_hash   = SHA256(row_{n-1}.chain_hash || row_n.payload_hash)

The chain covers every balance-changing write (orders, fills, convert, deposits, withdrawals) and every privileged operator action (queue approvals, freeze toggles, flag changes). Audit rows carry the request_id from the originating HTTP call, which closes the loop with API error reporting.
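The chain construction and its verification, as an added example that is not the exchange's own audit service. It assumes an in-memory list of rows, a fixed all-zero genesis head for row 0, and a sequence column inside the hashed payload; the hash recipe follows the two formulas above. The verifier shows the practitioner's point: an edited row, a deleted row or a reordered row breaks the chain locally, while a truncated tail or a wholesale rewrite with recomputed hashes is only caught by comparing against the witnessed head.

```python
import hashlib
import json

HASH_FIELDS = ("payload_hash", "chain_hash")
GENESIS_HEAD = "0" * 64   # assumption: chain_hash of the non-existent row before row 0


def canonical_json(obj: dict) -> bytes:
    # Sorted keys, no whitespace: the same payload always serialises identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def row_hashes(seq: int, payload: dict, prev_chain_hash: str) -> tuple:
    body = {"seq": seq, **payload}                       # the columns the payload hash covers
    payload_hash = sha256_hex(canonical_json(body))
    # Both inputs are fixed-width 32-byte digests, so plain concatenation is unambiguous.
    chain_hash = sha256_hex(bytes.fromhex(prev_chain_hash) + bytes.fromhex(payload_hash))
    return payload_hash, chain_hash


class AuditLog:
    def __init__(self):
        self.rows = []

    def head(self) -> str:
        return self.rows[-1]["chain_hash"] if self.rows else GENESIS_HEAD

    def append(self, payload: dict) -> str:
        """Append one row (operator action, balance write, ...) and return the new head."""
        if any(k in payload for k in HASH_FIELDS + ("seq",)):
            raise ValueError("payload must not set reserved columns")
        seq = len(self.rows)
        payload_hash, chain_hash = row_hashes(seq, payload, self.head())
        self.rows.append({"seq": seq, **payload, "payload_hash": payload_hash, "chain_hash": chain_hash})
        return chain_hash


def verify(rows: list, witnessed_head: str = None) -> tuple:
    """Recompute every hash from the genesis; returns (ok, offending_seq_or_None, reason)."""
    prev = GENESIS_HEAD
    for i, row in enumerate(rows):
        if row.get("seq") != i:
            return False, i, "sequence gap or reorder"
        payload = {k: v for k, v in row.items() if k not in HASH_FIELDS and k != "seq"}
        payload_hash, chain_hash = row_hashes(i, payload, prev)
        if payload_hash != row.get("payload_hash"):
            return False, i, "payload hash mismatch"
        if chain_hash != row.get("chain_hash"):
            return False, i, "chain hash mismatch"
        prev = chain_hash
    if witnessed_head is not None and prev != witnessed_head:
        # Internally consistent, but not the history the witnesses saw.
        return False, None, "head does not match witnessed head"
    return True, None, "ok"
```

The witnessed-head comparison is the part that matters operationally: without it, an attacker with write access to the table can rewrite history and recompute every chain hash, and verify() will happily report "ok".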

07

Incident response runbook

The runbook is intentionally short. The full playbook is held internally, but the public-facing shape:

  1. Triage. First on-call confirms the alert, opens the incident channel, names an incident commander.
  2. Containment. If the alert is reconciliation CRITICAL or any class of balance anomaly, invoke platform.freeze. The freeze is cheaper than a leak.
  3. Communication. Status page updated within 15 minutes. Public root-cause within five business days for any user-impacting event.
  4. Recovery. Reconciliation must return to OK for two consecutive runs before the freeze is released. Dual operator sign-off on release.
  5. Postmortem. Blameless write-up, action items with owners, retro within seven days. Action items tracked to closure in the engineering board.