What a Transaction Must Mean on a Derivatives Exchange

Published by · Jun 04, 2026

test

What a Transaction Must Mean on a Derivatives Exchange

Introduction

This treatise addresses a dispute that is usually argued one level too late. The question is not first whether derivatives trading should be onchain, offchain, or some hybrid of the two. The prior question is what a transaction in a derivatives market must mean before any architecture can be judged serious.

That question matters because both sides of the present debate use the same word while smuggling different claims into it. Crypto-native discourse often treats a transaction as a valid state transition against a public settlement layer. Market-structure discourse often treats a transaction as an exchange event whose seriousness is inherited from a familiar institutional form. Both views capture part of the matter. Neither is enough.

The crypto mistake is to treat public verifiability as though it already supplies market structure. The institutional mistake is to treat existing exchange form as though it were natural law. The first overstates what settlement proves. The second understates how much trust can be reduced without destroying the transaction logic serious traders need.

The practical use of the question is simple. Before asking whether a venue is onchain, permissioned, decentralized, institutional, or hybrid, ask what becomes authoritative when it says a transaction has occurred. If that question remains unanswered, the labels arrive too early.

So begin where the argument usually refuses to begin: when a derivatives venue says that a transaction has occurred, what exactly has been made authoritative?

Not one thing. At least seven.

  1. Admission: who was entitled to submit the act, and under what validity rules?
  2. Priority: where did it stand relative to rival acts aimed at the same market?
  3. Reference price: what authoritative price governed mark, margin, funding, and liquidation at that moment?
  4. Execution: was the act matched, rejected, canceled, or partially filled, and by what non-discretionary rule?
  5. Counterparty and risk: who bore the collateral, credit, and liquidation consequences once the act took effect?
  6. Finality: when could the parties prudently act as though the result were fixed?
  7. Recourse: what survives if the act is censored, reordered, rolled back, or later shown to rest on a false premise?

A derivatives transaction is therefore not merely a balance update. It is an authoritative market event. It binds priority, price authority, execution result, risk consequence, finality expectation, and recourse into one economically meaningful act. If those properties remain separate, the word transaction is doing work the architecture has not earned.

That framing also disciplines a familiar evasion. It is not enough to say that the operators were approved, that the signers were known, or that admission to validation was gated. Those facts may matter. But they answer who was allowed near the machinery, not whether the machinery made the right thing authoritative.

Validity is not yet a derivatives transaction

In blockchain systems, a transaction is commonly understood as an instruction that mutates shared state under adversarial consensus. The virtues of that model are plain: permissionless admission, public verifiability, censorship resistance, and eventual settlement against a canonical chain.12

But a professional derivatives market asks an additional question: not merely whether the state transition was valid, but whether the market event was executed under rules that let a trader know, at the moment of commitment, whether they were early enough, where they stood in line, what exposure they acquired, and what risk began with the fill.

This is the first place many architectural debates go astray. If the transaction still reaches the trader as a delayed, mediated, or only partially specified event, if they see an acknowledgment before they know whether the queue place was theirs, the venue may have changed the governance of the machinery without yet defining the market event.

On a regulated central limit order book, matching is not a general condition of the market. It is a rule. CME describes all-to-all order books in those terms, and where FIFO priority is used, priority is determined by price and then time, without discretion or preference.34

That distinction is not cosmetic. In a leveraged market, queue position is part of the economic substance of the trade. A trader is not asking only whether the system will eventually agree that some state change occurred. They are asking whether the venue can say who reached the resting quote first, who took it, and who arrived a breath too late and was left to trade at a worse price.

The same seriousness governs the life of the trade after the match. Clearing, novation, and margining turn a fill into bounded counterparty exposure rather than an open-ended credit event.56 Finality is treated just as severely. The PFMI does not treat finality as a branding term. It requires a financial market infrastructure to provide clear and certain final settlement and, where appropriate, intraday or real-time final settlement.7

A blockchain can prove that a state update was validly included. A derivatives venue must prove more. It must specify the priority rule, the execution rule, the acknowledgment semantics, and the risk consequences that attach when the trade occurs.

The ordering problem shows why this gap is structural. On a blockchain or rollup, ordering rights are endogenous to block production. Someone proposes, sequences, or relays transactions into an ordering mechanism whose incentives are themselves part of the system. In onchain trading environments, that ordering power predictably becomes monetizable. Flash Boys 2.0 documented the point directly: bots bid for priority, exploit ordering dependence, and turn the front of the queue into something bought, defended, and stolen in real time.8

That result is not a local scandal. It is the predictable consequence of confusing valid inclusion with fair execution. A professional market does not treat selective order handling and queue abuse as tolerable side effects. It treats them as attacks on the market. The trade is a place in a queue, under a rule, against counterparties, under leverage, and against an authoritative reference price.

The same divergence appears in finality. Rollup and chain systems routinely distinguish provisional, safe, and finalized states. Optimism, for example, distinguishes unsafe, safe, and finalized blocks, with finality inherited from Ethereum rather than created at the moment the sequencer first acknowledges the transaction. Its standard bridge still preserves a seven-day challenge window for canonical L2-to-L1 withdrawal completion.910 The trader may therefore receive one signal from the venue's first acknowledgment, another from the sequencer's later safety, and a still later answer from the chain on which final settlement ultimately depends.

None of that makes such systems useless. It does mean their transaction semantics are layered. They permit several answers to the question, Has it happened yet? For many applications, that is acceptable. In a leveraged market, it means the acknowledgment problem is not solved merely because a valid state transition exists.

If the trader still cannot tell which acknowledgment is safe to trade on, who had priority, or when risk attached, the transaction remains underdefined. The market design is already inside the thing being called a transaction.

The oracle is not a sidecar

Once that much is clear, the next question becomes unavoidable: on a derivatives venue, what actually liquidates the trader?

Not the chain in the abstract. Not decentralization in the abstract. A price.

If mark price moves, collateral sufficiency changes. If collateral sufficiency changes, liquidation status changes. If funding depends on premium, the venue must know not merely that a state update is valid, but which price was authoritative when the state update was made. In derivatives, price authority is not metadata. It is the number on which the position remains open or is forced shut.

That is why the standard architecture story in crypto is often less coherent than it sounds. A venue may emphasize onchain settlement while treating the oracle as an implementation detail. But if liquidation, funding, and collateral valuation depend on the oracle, the oracle is not a sidecar. It is a sovereign input.

The same point holds even when the surrounding authority is more curated. If price authority remains external, delayed, or weakly coupled to execution, the decisive premise of the transaction still lies outside the thing being praised.

Chainlink's own documentation states the point more candidly than many protocols do. Its Data Feeds are not streaming feeds. They update when a deviation threshold is crossed or when a heartbeat timer expires, and Chainlink explicitly tells integrators to monitor stale timestamps, extreme market events, delays, and outages.11 The same documentation now identifies Oracle Extractable Value as a distinct form of MEV, observed especially around liquidations.12 The market moves continuously; the decisive price arrives by interval, threshold, and exception.

If the economically decisive event is liquidation against a reference price, what exactly is secured by insisting that matching or settlement live on a maximally decentralized chain while the reference price governing liquidation is heartbeat-driven, threshold-triggered, and externally sourced?

Something is secured. Public settlement and public replay are not trivial. But they do not secure the whole derivatives transaction. Security reasoning is only as strong as the weakest authoritative input. If the oracle can be stale, manipulated, halted, or badly formed, then the transaction is weak at the point where the trader is most exposed. A public chain can write the judgment down perfectly and still write down the wrong judgment.

The history of onchain trading makes the point repeatedly.

Synthetix's 2019 oracle incident did not occur because Ethereum forgot how to settle. It occurred because one FX API intermittently reported KRW at 1000x the correct rate, redundancy had already degraded to two sources, the averaging logic accepted the bad premise, and a bot exploited the resulting price error before the system was halted.13 Later, Synthetix described the broader problem directly: under L1 constraints, traders could profit by trading before oracle updates, and the ratio between oracle deviation thresholds and trading fees determined whether that flow was exploitable.14

Venus's 2022 LUNA incident makes the same point from another angle. Venus reported that Chainlink's LUNA price feed hit a floor threshold and was suspended at $0.107 while spot price continued collapsing; roughly four hours later, suspicious accounts deposited large quantities of LUNA against that stale value, and the resulting shortfall reached about $14.2 million before the protocol was paused.15

Mango Markets made the point most brutally. According to the CFTC complaint, Mango's oracle averaged prices from three exchanges. Eisenberg established large MNGO-USDC swap positions, bought MNGO aggressively on the oracle exchanges over less than thirty minutes, pushed the oracle input high enough to drive Mango's MNGO price from about $0.04 to $0.54, and then borrowed roughly $114 million against the inflated collateral.16

The common element is not merely that something went wrong. It is that the wrong thing sat in the seat of authority long enough for the market to obey it. Distort the authoritative price long enough and a trader can put on a profitable position, seize collateral, force liquidation, or borrow against a fictitious mark. The catastrophic event is not that the base chain failed to order bytes. It is that the market acted on a false price in time for collateral logic to execute.

The strongest settlement layer in the world cannot rescue a venue whose decisive price input is weaker than the settlement layer that records it.

Eventual correction is not restitution

The usual defense of an optimistic system is intelligible. Invalid proposals can be challenged, bad withdrawal claims can be filtered out, and only the canonical state can cash out on L1.179 The implicit welfare model is that catching the fraud in time is enough. The system does not require every provisional appearance to be true at first sight, only that false claims be denied before final settlement. For a bridge, that picture is coherent: the bad withdrawal is stopped at the gate, and the assets stay where they were. Under that model, there is no rational reason to submit a false claim unless the challenge game is expected to fail.

That premise assumes that what matters can be repaired by replaying state.

A derivatives venue is not like that. Its decisive events depend on time-bound facts that do not live wholly inside replayable state: mark price, index price, funding clocks, liquidation queues, hedge inventory, and the external venues on which firms lay off risk. If a false premise governs the venue even briefly, the damage runs outward through liquidations, hedges, and external books. It does not remain contained inside a ledger waiting to be corrected.

Imagine a whale or attacker who can induce a temporary false mark through oracle distortion, thin-market manipulation, or any execution path that lets a bad premise stand long enough to matter. They force liquidations on the venue while knowing the premise will later be rejected or corrected. During that window, they can buy distressed inventory elsewhere, short correlated perps on another venue ahead of the liquidation cascade, or take the other side of hedges traders place precisely because they believe the venue event has occurred. When the false premise is later removed, the ledger may be repaired. The market is not. External hedges have executed, queue priority has been consumed, funding time has elapsed, and counterparties have already traded on that premise.

The incident record shows why this incentive arises. Synthetix showed the delayed mark that can be traded against as a recurring edge.14 Venus showed the frozen mark that can hold fictitious collateral upright for hours.15 Mango showed the manipulated mark: force the venue's oracle to print an inflated price on a leveraged position, then withdraw assets before the number returns to market.16

Derivatives magnify the temptation because they magnify the payoff. Leverage turns even a brief distortion in price, queue position, or liquidation status into a much larger transfer. To make the victims whole, one would have to replay not only state but also market time, oracle history, and the external positions entered in response. One would have to restore the market conditions under which those positions were taken, not just the rollup state. No fraud-proof system can do that.

In a leveraged market, public replay of a wrong decision is not the same as economic repair. Recourse matters. It does not undo a false market event once it has propagated through real positions, real hedges, and real time.

Once price authority is restored to the definition of transaction, the architecture question changes shape. If a venue already depends on offchain price formation, it no longer makes sense to treat onchain matching as self-justifying merely because settlement is onchain. The harder question is what, exactly, is gained by placing a slower public consensus path between the price that decides the trade and the machinery that must immediately match, margin, and liquidate by it.

One gains public replay and public settlement of a decision whose economically decisive premise may already have been stale, manipulated, or delayed. That is valuable. It is not the same as securing the transaction in the full derivatives sense.

Trust is comparative, not absolute

Once the transaction is defined correctly, the question is no longer whether trust exists in the abstract, but what must be trusted, for what purpose, and at which layer.

That shift matters because the word trust is often used as though it ended the inquiry. In fact it begins one. A derivatives venue cannot be judged by asking whether it has eliminated trust altogether. It must be judged by asking whether the trust that remains attaches to the right functions, whether it is narrower than the alternatives, and whether it can be inspected rather than merely presumed.

This is where the common opposition between crypto maximalism and institutional habit becomes less helpful than it sounds. One side treats market structure as though sufficiently clever mechanism design could replace every inherited form of authority. The other treats existing institutional arrangements as though the trust they carry were simply part of the ordinary structure of trading. Both views obscure the comparative question.

Some trust is necessary. Matching, risk management, operational continuity, and legal accountability are not fictions. But necessary trust and inherited trust are not the same thing. The design task is to ask which parts of the transaction still require entrusted judgment, and which can be pushed outward to a more public and less discretionary boundary without breaking the event itself.

So make the comparison concrete. Suppose an exchange reaches practical speed by relying on a small validator committee, whether twelve, twenty-one, or some other low double-digit number.18 What exactly is being trusted there? Not an abstraction. A class of operators who control the machines, the software boundary, the sequencing path, and in Hyperliquid's case the validator-weighted oracle from which the venue derives price authority.1920 If half that committee decided to collude, what law of nature would stop them? Which physical barrier prevents six operators from sharing order-flow information, coordinating queue position, leaning on oracle formation, or delaying an adverse update long enough to trade around it elsewhere? None. One may answer that they would be punished later, or that collusion is improbable, or that reputation is expensive to lose. Perhaps. But those are deterrents after the fact. They are not a hard constraint on what the validator class is able to do while it still controls the decisive path.

Nor is the relevant temptation fanciful. A small performance-critical validator set tends, by selection, to become a small circle: operators with the capital, hardware, connectivity, and market relationships needed to stay near the top of the stake and latency table.2120 What follows when that circle also contains firms, funds, market makers, or their close counterparties, all of whom can profit outside the venue from knowing who will be liquidated, which queue will move first, or when an authoritative price read will change? Very little in the architecture forbids profitable coordination. One need not allege a standing conspiracy to see the point. It is enough to admit how many forms a profitable understanding could take, and how few structural barriers stand against it.

Now set beside that a different kind of burden. A venue whose nodes must satisfy attested code identity, host admission policy, and operating controls does not merely ask operators to behave better; it changes the conditions under which collusion can take effect. If several operators chose to collude, they could no longer rely on authority already in hand. They would have to enter a guarded physical estate, pass the watched thresholds of serious datacenter infrastructure, and alter what is measured without disturbing the measurement across independent sites.2223 The conspirators cease to be a club of validators reaching an understanding; they become sophisticated physical intruders. Their task is to compromise SGX-backed execution deeply enough to counterfeit enclave trust at the point of quote and execution, while preserving the appearance of an intact measured image under independent audit. This is not a marginal increase in difficulty. It is a different class of risk.

The question, then, is not whether trust can be denied, but whether it can be compressed into defined, auditable boundaries, and where that residual trust is forced to reside. If collusion can proceed through the ordinary powers already entrusted to the operator class, the boundary remains broad. If it must cross into overt, detectable breach, the boundary has been materially constrained. That is the comparison that matters.

Why the execution path cannot be a generic consensus path

Once the transaction is defined and the trust question becomes comparative, the design problem sharpens. At this point the debate often degenerates into an exchange of benchmarks: one camp cites throughput and block times; the other cites exchange latency, proximity hosting, and matching-engine internals. Neither has yet answered the governing question.

The decisive issue is not that one architecture is vaguely faster. It is that the two architectures answer the ordering question by different principles.

The latency-critical exchange answers it through deterministic queue priority under extremely small time differentials. Budish, Cramton, and Shim showed why even a 100-microsecond advantage matters in a continuous limit order book: serial message processing lets tiny speed differences decide who captures stale quotes.24 IEX altered market design around a 350-microsecond speed bump because that interval is already economically meaningful for execution quality.25 Nasdaq markets matching infrastructure in the tens of microseconds.26 The practical scene is simple: two orders reach for the same resting liquidity, and a sliver of time decides who owns the price and who chases it.

That is the relevant scale of the problem.

A replicated consensus path answers the same question differently. Its authoritative ordering depends on quorum communication under synchrony assumptions. Dwork, Lynch, and Stockmeyer showed why consensus cannot simply be assumed away in an asynchronous setting. PBFT made Byzantine replication practical, but through a replicated multi-stage protocol, not by abolishing the cost of agreement. What the exchange decides in one breath, consensus must still carry through rounds of agreement.

This distinction matters more than any benchmark chart. Better protocols can reduce overhead. Better hardware can shrink constants. Neither changes the form of the event. Wide-area adversarial consensus is one kind of authority. Exchange-style priority over price, queue, and risk is another.

But now ask the practical question. What happens when a venue insists on keeping the public-consensus form while still wanting centralized-exchange speed?

It usually begins shaving away the very decentralization it claims as its governing virtue. The active set compresses. The hardware bar rises. The geography concentrates in low-latency hubs. Operators become increasingly specialized. The validating public hardens into a validator class, drawn toward the same racks, the same network corridors, and often the same counterparties. Trust reappears, not as a single exchange operator, but as a smaller and more operationally demanding committee.

At that point a simple question becomes unavoidable. If the economic reality already depends on a small governed set of actors, what exactly is being purchased by keeping the public-consensus form? If the answer is not a stronger transaction, a stronger custody boundary, or a stronger verification boundary, the remaining complexity is not obviously buying security.

Hyperliquid's public documentation is instructive here. Its active validator set consists of the top N validators by total stake, currently described as N=21 and increasing over time.18 Its oracle is formed by validators, weighted by stake.19 Its staking model tells delegators to choose "trusted validators," and its node setup pushes operators toward validator-class hardware, low-latency placement, and direct control over the surrounding stack.2120

None of that is a scandal. It is a tradeoff. It shows what happens when a consensus system is pushed toward exchange-like latency: the operator set tends to contract, harden, and concentrate. The irony is architectural: a system may begin in the language of open validation and, under performance pressure, drift toward a smaller and more infrastructurally privileged set of actors. And once trust is compressed that way, the security question becomes harsher, not softer. Ronin's bridge was drained after an attacker gained control of five of nine validator keys; Harmony's Horizon bridge was drained after at least two of four bridge-validator keys were compromised.2728 Those were bridge systems, not matching engines. But the architectural lesson carries. When the trust threshold contracts to a small committee for the sake of performance or operability, the attack surface begins to look less like a public network than like a handful of doors, machines, and operators.

If 100 microseconds is enough to distort execution, and if stale or manipulable price inputs can already destroy the market before settlement arrives, then the difference between exchange-style transaction authority and blockchain-style transaction authority is categorical.

The DerivaDEX Thesis

The inquiry returns, then, to its proper object. If a derivatives transaction must remain intelligible when leverage, liquidation, and competition for time all begin to press at once, where can such a transaction coherently reside?

The inquiry has already ruled out the easier answers. It is not enough to secure the ledger after the fact, and it is not enough to distribute execution across a validating class if the market event itself still arrives in pieces. If a venue wishes to be non-custodial where assets are held, publicly auditable where settlement commitments are made, and yet intelligible as an exchange where the trade itself is formed, then the whole of execution should not be sent through a generic public-consensus path and called solved. Nor is it enough to place that path in somewhat better-governed hands if the decisive event is still mediated by an authority too slow or too divided for the use case.

What follows is simply the partition that those burdens require. Let Ethereum bear the functions that benefit from public settlement and independent recourse, namely custody boundaries, checkpoints, settlement commitments, verification, and forced withdrawal. Let one attested low-latency execution boundary bear the functions that must remain coherent while the market is moving, namely confidential order intake, deterministic sequencing, price authority, matching, margin, and liquidation.2930 That is the balance DerivaDEX proposes: public recourse where public recourse is strongest, and confined execution authority where price, priority, execution, and risk must become authoritative together.

Under such a partition, acknowledgment no longer arrives layered across incompatible authorities. Near-immediate finality becomes intelligible in the only sense that matters here. A sequenced request may be treated as final for trading purposes because confidential intake, deterministic ordering, authoritative pricing, attested code identity, and later checkpoint recourse are joined on one execution path. The trader can hedge, reprice, and manage risk because the elements that make the trade what it is have already been bound together before later recourse is handed to the chain. Yet that finality is not absolute, and it should not be described as though it were. It remains defeasible under enclave compromise, implementation failure, governance failure, or other faults. But that concession weakens nothing essential. Traders do not operate under categorical certainty; they operate under bounded confidence. The real burden is therefore not to promise impossibility of failure, but to make the grounds of confidence prudent, legible, and proportionate to the speed and leverage of the market in view.

The trust comparison also sharpens here. SGX is not trustless. Its side-channel history is established, and any argument that passes over that history with decorative language has already failed. Intel's own guidance assumes careful enclave design, and Foreshadow alone is enough to make careless confidence intellectually unserious.3132 But the objection still does not finish the comparison, because the alternatives are not a realm beyond trust. They are rival trust allocations. A venue that constrains execution to attested code identity, governed host policy, and independent withdrawal recourse does not ask for the same kind of trust as a venue in which admission to validation, machine control, software control, sequencing power, and oracle formation remain distributed across a validator or operator class. In one case the operator may misuse powers already at hand. In the other they must subvert the machinery that proves what is running.

The proper standard is comparative prudence. One must ask not whether trust has disappeared, but whether it has been confined to the functions that require it, and whether those functions have been made inspectable and governable. Trusted execution matters here not because it abolishes trust, but because it compresses execution trust into a form that remote attestation can make inspectable.33

On this view, the residual trust in DerivaDEX has to be made governable. Operator admission must be restricted to major industrial cloud providers or to operators meeting equivalent confidential-computing standards. Participation must be gated by quote-verified code identity, not by informal assurance that the right binary is probably running. Firmware, OS, and hardware hardening must be treated as a standing obligation, because the security claim fails at the first unguarded layer beneath the enclave. Operator access must be governed as critical infrastructure, because operational compromise defeats an otherwise sound design.3435363738394028

Must one be making too much of it to care whether an institutional-grade exchange is made less dependent on inherited trust? If centralized form is already accepted, is there real value to capture?

The better answer is to look at what markets already pay for. As of March 31, 2026, Vanguard reported roughly $817.5 billion in net assets for VOO, while BlackRock reported roughly $720.5 billion for IVV—about $1.54 trillion concentrated in two near-identical S&P 500 index products, each charging three basis points.41 These are unsophisticated instruments. Customers are not buying exotic exposure or managerial genius here. They are buying trust.

Grant even the possibility that trust-minimized market primitives can become credible, and the implication follows. Trust already commands immense demand as the core product financial institutions sell. If that premium can be supplied by construction rather than inherited infrastructure, it becomes a basis to displace incumbents whose advantage was once taken as irreducible.

And the comparative judgment is plainer still. If the transaction serious traders need can be preserved in its essentials, then all else equal no rational participant should prefer a venue that asks them to keep paying for thicker inherited intermediation.

The classification follows of itself. To call DerivaDEX a rollup, an L2, or a generic DeFi venue is to begin from outward form rather than from the act itself. The more exact description is that it is a non-custodial derivatives exchange with an attested low-latency execution boundary and Ethereum-based recourse. That description states the thesis in operational terms: where the trade is formed, where assets remain bounded, and where recourse survives if the execution path later fails.

  1. Ethereum documentation, Gasper: https://ethereum.org/developers/docs/consensus-mechanisms/pos/gasper/.
  2. Ethereum documentation, Zero-knowledge rollups: https://ethereum.org/developers/docs/scaling/zk-rollups/.
  3. CME Group, Does a regulated FX marketplace bring tangible benefits for customers?: https://www.cmegroup.com/education/articles-and-reports/does-a-regulated-fx-marketplace-bring-tangible-benefits-for-customers.
  4. CME Group, How CME Group Ag Markets Operate: https://www.cmegroup.com/education/articles-and-reports/overview-what-makes-ags-markets-work.
  5. CME Securities Clearing rulebook: https://www.cmegroup.com/rulebook/CMESC/CMESC%20Rulebook.pdf.
  6. CME Group, Clearing House Risk Management: https://www.cmegroup.com/education/courses/clearing/clearing-house-risk-management.
  7. Bank for International Settlements and IOSCO, Principles for Financial Market Infrastructures: https://www.bis.org/cpmi/publ/d101a.pdf.
  8. Philip Daian et al., Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges: https://arxiv.org/abs/1904.05234.
  9. Optimism documentation, Transaction finality: https://docs.optimism.io/op-stack/transactions/transaction-finality.
  10. Optimism documentation, Using the Standard Bridge: https://docs.optimism.io/app-developers/guides/bridging/standard-bridge.
  11. Chainlink documentation, Data Feeds: https://docs.chain.link/data-feeds.
  12. Chainlink documentation, Data Feeds (SVR/OEV overview): https://docs.chain.link/data-feeds.
  13. Synthetix, Response to Oracle Incident: https://blog.synthetix.io/response-to-oracle-incident/.
  14. Synthetix, Frontrunning Synthetix: a history: https://blog.synthetix.io/frontrunning-synthetix-a-history/.
  15. Venus Protocol, LUNA Incident Update 2: https://community.venus.io/t/venus-protocol-luna-incident-update-2/2654.
  16. Commodity Futures Trading Commission, Complaint: Avraham Eisenberg: https://www.cftc.gov/media/8046/enfeisenbergcomplaint010923/download.
  17. Optimism documentation, Fault proofs explainer: https://docs.optimism.io/op-stack/fault-proofs/explainer.
  18. Hyperliquid documentation, Validator: https://hyperliquid-co.gitbook.io/wiki/architecture/hyperbft/validator.
  19. Hyperliquid documentation, Oracle: https://hyperliquid.gitbook.io/hyperliquid-docs/hypercore/oracle.
  20. Hyperliquid node repository README: https://github.com/hyperliquid-dex/node.
  21. Hyperliquid documentation, Staking: https://hyperliquid.gitbook.io/hyperliquid-docs/hypercore/staking.
  22. DataBank, How do colocation providers ensure physical security?: https://www.databank.com/faq/how-do-colocation-providers-ensure-physical-security/. See also DataBank, How secure are DataBank's Plano data centers?: https://www.databank.com/faq/how-secure-are-databanks-plano-data-centers/.
  23. Switch, Switch VAULT: https://www.switch.com/switch-vault/.
  24. Eric Budish, Peter Cramton, and John Shim, The High-Frequency Trading Arms Race: Frequent Batch Auctions as a Market Design Response: https://academic.oup.com/qje/article/130/4/1547/1916146.
  25. IEX, Updating the IEX Exchange Architecture for 2021: https://www.iex.io/article/updating-the-iex-exchange-architecture-for-2021.
  26. Nasdaq, Exchange Matching Engine: https://www.nasdaq.com/solutions/fintech/nasdaq-eqlipse/trading-technology/exchange-matching.
  27. Ronin Network, Back to Building: Ronin Security Breach Postmortem: https://roninchain.com/blog/posts/back-to-building-ronin-security-breach-6513cc78a5edc1001b03c364.
  28. Harmony, Summary of the Horizon Bridge Incident: https://talk.harmony.one/t/summary-of-the-horizon-bridge-incident/20990.
  29. DerivaDEX docs, Price feed: https://docs.derivadex.io/platform-features/price-feed.
  30. DerivaDEX docs, Checkpoints: https://docs.derivadex.io/platform-features/checkpoints.
  31. Intel SGX guidance and developer documentation: https://download.01.org/intel-sgx/latest/linux-latest/docs/Intel_SGX_Developer_Guide.pdf.
  32. Jo Van Bulck et al., Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution: https://www.usenix.org/conference/usenixsecurity18/presentation/bulck.
  33. Intel® Trust Authority documentation, Introduction: https://docs.trustauthority.intel.com/main/articles/articles/ita/introduction.html.
  34. Microsoft Learn, Establish trust on Azure confidential ledger: https://learn.microsoft.com/en-us/azure/confidential-ledger/verify-node-quotes.
  35. Microsoft Learn, Azure Kubernetes Service plugin for confidential VMs: https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-addon.
  36. Microsoft Learn, Guidance for mitigating silicon based micro-architectural and speculative execution side-channel vulnerabilities: https://learn.microsoft.com/en-us/azure/virtual-machines/mitigate-se.
  37. Intel, Speculative Execution Side Channel Mitigations: https://www.intel.com/content/dam/develop/external/us/en/documents/336996-speculative-execution-side-channel-mitigations.pdf.
  38. Intel Product Security Center: https://www.intel.com/content/www/us/en/security-center/default.html.
  39. Oleksii Oleksenko et al., Varys: Protecting SGX Enclaves from Practical Side-Channel Attacks: https://www.usenix.org/conference/atc18/presentation/oleksenko.
  40. Fan Sang et al., PRIDWEN: Universally Hardening SGX Programs via Load-Time Synthesis: https://www.usenix.org/conference/atc22/presentation/sang.
  41. Vanguard, Vanguard Personal Advisor Select: https://investor.vanguard.com/advice/personal-financial-advisor. BlackRock, BlackRock Hosts 2025 Investor Day: https://www.blackrock.com/corporate/newsroom/press-releases/announcement/blackrock-host-investor-day. Vanguard, Vanguard S&P 500 ETF fact sheet, as of March 31, 2026: https://fund-docs.vanguard.com/F0968.pdf. BlackRock iShares, iShares Core S&P 500 ETF fact sheet, as of March 31, 2026: https://www.ishares.com/us/literature/fact-sheet/ivv-ishares-core-s-p-500-etf-fund-fact-sheet-en-us.pdf.

Disclaimer DerivaDEX is not available in all jurisdictions, including the US. Users should be aware that there is a risk of financial loss whenever trading derivatives and margin products. Information found in these articles is not financial advice.