Nabu technology
Pelagos and sequencing
- Block time target: \~250β360ms internal blocks, with optional centralized sequencing for specific performance modes.
- Consensus and consumption: validators run full nodes for external chains and confirm blocks/receipts in a Directed Acyclic Graph (DAG)-based consensus; applications consume state diffs and receipts as a stream.
Confidential strategy execution (high level)
- Strategy logic is encrypted to an epoch public key derived from the active validator set (via regular DKG). Strategies are decrypted and executed only inside allowlisted TEEs, and signing of external transactions and requests is performed via threshold protocols. Execution produces outbound transactions/orders without a public linkage between a specific strategy and a specific outbound action.
This allows creators to share performance and terms without exposing proprietary logic, enabling social trading and profit-sharing at scale.
Visibility and trust boundaries
| Artifact / Data | User | TEEs (confidential execution) | Validators (DKG + TSS) | Solvers (optional) | Public chain / mempool | CEX venue |
|---|---|---|---|---|---|---|
| Strategy logic (PSL) | Full | Full (decrypted & executed) | No (only epoch key material, no plaintext) | No (unless user explicitly shares) | No | No |
| Strategy parameters | Full | Full | No | No (unless shared) | No | No |
| Intents (if used) | Full | Produced/consumed (may be internal) | May see authorization-relevant parts only (via approvals), not full logic | May receive intent constraints to compute execution plan | No | No |
| Risk policy (loss cap, slippage, allowlists, kill switch) | Full | Enforced | May see policy-relevant approvals/limits | May see constraints needed for planning | No | No |
| Outbound chain transaction (payload) | Can reconstruct from own strategy + receipts; also visible on explorer | Constructs/sign-request; does not TSS-sign | TSS-signs + broadcasts, not connected to strategies | May generate tx plan (if intents path) | Yes (tx hash, calldata, state changes) | N/A |
| Outbound CEX order request | Visible to user (via receipts) | Final signing with user CEX key occurs here after validator approval | Approves via TSS (returns approval signature), does not submit to CEX | May generate order plan (if intents path) | No | Yes (to that CEX) |
| Sealed receipts (inputs + constraints + outcomes) | Full (private) | Produces / packages | Contributes signatures/approvals referenced by receipts | No by default | No | No |
| Performance metrics (PnL, drawdown, Sharpe, etc.) | Full | Computes/derives | No by default | No by default | Not inherently | Not inherently |
| Public performance envelope (selectively disclosed) | Optional publish | Can produce proof material | Not required (unless attestation scheme) | Not required | Optional (only what user publishes) | Optional |
CEX key model
This section describes how CEX credentials are handled within the trust and visibility boundaries defined in the table defining the visibility and trust boundaries.
- For venues that support key import/compatible models, users import a corresponding public key; signing occurs via distributed threshold signing among TEEs (e.g., GG20/FROST-style flows).
- For other venues, users encrypt their CEX API keys to the Pelagos epoch public key; execution uses enclave-only access and policy-bound usage.
Risk control catalog
Nabuβs policy model implements execution-grade risk controls across multiple layers β strategy, account, and venue β reflecting established best practices in automated trading. The controls listed below present the full policy surface the system is designed to support at v1 for the subset of controls explicitly marked as designated for the MVP launch of Nabu.
Trusted execution environments are relied on for confidentiality, integrity, and attestation, but are treated as fallible components rather than sources of availability guarantees.
- Core exposure limits:
- Max position size per asset; max gross/net exposure; concentration limits.
- Max leverage and margin utilization (derivatives).
- Pre-trade validations:
- Order size caps; notional caps; price collars / price band checks; fat-finger protection.
- Slippage ceilings; minimum liquidity checks; gas/fee ceilings (where applicable).
- Execution throttles and stability:
- Rate limits / order throttles; max open orders; cancel-on-disconnect equivalents.
- Cooldowns after repeated failures or consecutive losses.
- Latency watchdogs, heartbeat requirements, and timeouts.
- Data sanity and manipulation resistance:
- Oracle deviation guards; stale-data checks; cross-source consistency checks
- Venue status checks (halts, degraded mode), circuit breakers
- Operational controls:
- Kill switch (global and per-strategy); venue allowlists/denylists
- Key permission scoping; audit logs/receipts; emergency rotation procedures
These controls track established industry practice for automated trading risk management (pre-trade checks, throttles, kill-switches, and volatility controls).