Very good questions.
First of all, the matching engine/nodes do not store funds; they can only trigger a set transaction or not. So if there were a hack, the only thing that could be done is executing the trade. The funds in trading are simply put on smart contracts. The team is working on a tool to extract these funds back even in the case of Nash as an exchange being unreachable.
I already said a few times in the Telegram group and this forum that I find it very important that Nash makes haste with these tools, as I find them just as important as Bitcoin implementation or perhaps even more important. To be fully non-custodial, people need access to their funds no matter from where, without the need to use Nash. The same problem goes for the pass phrase that Nash gives you: there isn’t a good trustable tool out there that can extract individual eth/btc/neo private keys from the Nash pass phrase. I hope this also arrives soon.
With access to those two tools, the exchange becomes fully non-custodial.
When you have no open trades, the funds are stored on your own keys/own wallets. Those funds can be seen using Nash, but you can also export the private key per blockchain (neo/eth/btc) and import those keys in other wallets of your choice.
Unfortunately I have not seen any code to verify the claims of Nash to be non-custodial. However, since they praise their matching engine to the heavens and claimed to want to be the fastest exchange ever, I don't know if they would give access to that code, to prevent copycats. In that case, perhaps an audit can be considered, with the report made public, by a trustworthy third-party business with a good reputation.