System Overview
Request flow from entry to execution. Every box is a real module in the backend.
User / Agent
→
API Gateway (FastAPI)
→
Router
Swap Engine
→
Jupiter V6 (Solana)
/
0x API (6 EVM)
Price Oracle
→
Helius DAS
→
CoinGecko
→
Static cache
Escrow
→
On-chain PDA (Anchor)
→
AI Dispute (Groq)
GPU Rental
→
RunPod GraphQL
→
Pod Monitor
→
Auto-terminate
Stocks
→
Pyth Hermes Oracle
→
Jupiter / 0x routing
DeFi Scanner
→
DeFiLlama API (14 chains)
Database
→
PostgreSQL (prod)
/
SQLite (dev)
RPC Failover Logic
Every chain has multiple RPC endpoints with sequential failover. If the primary fails, the next one is tried automatically. 15-second timeout per attempt.
Solana
1. Helius (primary)
2. Custom RPC
3. api.mainnet-beta.solana.com
4. solana.rpc.extrnode.com
5. rpc.ankr.com/solana
Base
1. mainnet.base.org
2. base.llamarpc.com
3. blastapi.io/base-mainnet
Ethereum
1. Infura / Alchemy
2. eth.llamarpc.com
3. rpc.ankr.com/eth
All EVM Chains
1. Chain-specific primary
2. LlamaRPC fallback
3. Ankr public endpoint
Polygon, Arbitrum, Avalanche, BNB each follow this pattern.
# Simplified failover pattern (actual code in each verifier module)
async def call_rpc_with_failover(endpoints, payload, timeout=15):
"""Try each RPC endpoint sequentially. 15s timeout per attempt."""
for url in endpoints:
try:
resp = await httpx.post(url, json=payload, timeout=15.0)
if resp.status_code == 200:
return resp.json()
except (httpx.TimeoutException, httpx.ConnectError):
continue # next endpoint
raise RPCError("All RPC endpoints exhausted")
Cross-Chain Failure Handling
What happens when things go wrong. Every failure mode has an explicit recovery path.
| Scenario | What happens | User impact |
|---|---|---|
| Swap failure | Transaction reverts on-chain. No funds leave the wallet. Error returned with revert reason. | No funds lost |
| Bridge failure (Li.Fi) | Funds held on source chain. Li.Fi auto-refund triggers after 30-minute timeout. Status tracked via bridge ID. | Delayed, auto-refund |
| RPC failure | Transparent failover to next endpoint in the chain. Request retried automatically. User sees slightly higher latency. | Transparent |
| Oracle failure | Circuit breaker trips after 3 consecutive failures. 60-second cooldown. Falls back to CoinGecko API. If CoinGecko also fails, returns cached price with staleness warning. | Fallback price |
| Price staleness | If cached price is older than 60 seconds AND all APIs are down, swap is rejected. We never execute a swap on stale data. | Swap blocked |
| GPU pod crash | RunPod pod monitor detects failure. New pod auto-provisioned on same tier. Unused rental time credited. | Brief interruption |
| Escrow dispute | Funds remain locked in on-chain PDA. AI dispute resolver (Groq LLM) evaluates evidence. Admin can manually resolve within 48h. | Funds safe in PDA |
Settlement Guarantees
Finality times and verification methods for each operation type.
Solana Swap
- Finality: ~400ms (single slot)
- Verification:
getTransactionRPC call - Confirmation level:
confirmed - Router: Jupiter V6 aggregator
EVM Swap
- Finality: 2-12s depending on chain
- Base: ~2s | Ethereum: ~12s | Polygon: ~2s
- Verification:
eth_getTransactionReceipt - Router: 0x Protocol aggregator
Escrow Settlement
- Funds locked in Solana PDA (Program Derived Address)
- Release: buyer confirmation OR admin dispute resolution
- Timelock: 48h on admin/treasury parameter changes
- Contract: Anchor framework, audited
GPU Rental
- Payment: prepaid USDC escrow before pod start
- Auto-terminate: pod killed at expiry timestamp
- Refund: unused time refunded proportionally
- Monitor: health check every 60s
Cross-Chain Bridge
- Provider: Li.Fi aggregator
- Verification: arrival confirmed on destination chain
- Timeout: 30 minutes, then auto-refund on source
- Status: tracked via bridge transaction ID
Tokenized Stocks
- Oracle: Pyth Hermes (sub-second updates)
- Settlement: on-chain via xStocks / Ondo / Dinari
- Chains: Solana, Ethereum, Arbitrum
- Price validation: reject if oracle confidence < 95%
Security Stack
Defense-in-depth across every layer.
OFAC Screening
- Chainalysis Oracle on EVM chains (on-chain check)
- 55 locally-maintained sanctioned addresses
- Checked on every swap and escrow operation
- Blocked wallets cannot interact with the platform
Rate Limiting
- 100 requests/minute per IP (sliding window)
- Per-wallet rate limits on financial operations
- Redis-backed counters (in-memory fallback)
- 429 response with
Retry-Afterheader
Authentication
- Solana ed25519 wallet signature verification
- Nonce-based anti-replay (each nonce single-use)
- JWT tokens with 24h expiry
- Public endpoints: no auth required (read-only)
Content Safety (Art.1)
- Blocked words and regex pattern matching
- All user inputs sanitized before processing
- Agent service descriptions filtered
- Configurable severity levels
Escrow Timelock
- 48-hour delay on admin parameter changes
- Treasury address changes require timelock
- Commission rate changes require timelock
- Prevents rug-pull scenarios
Infrastructure
- CORS: strict origin whitelist
- HTTPS everywhere (Cloudflare edge)
- No secrets in code (all via env vars)
- Multipart upload size limits (10MB)
Tech Stack
Production stack. Everything is async.
Backend
Python 3.12
FastAPI
async/await
uvicorn
Database
PostgreSQL (prod)
SQLite (dev)
aiosqlite
Redis (cache)
Blockchain
solders
solana-py
web3 (EVM)
httpx
Anchor
LLM
Groq
Llama 3.3 70B
Ollama local
Qwen 3 14B
Automation
Playwright
browser-use
17 sub-agents
Protocols
MCP (46 tools)
A2A (Google)
x402
REST
WebSocket
SSE
Module Count
91
Backend modules
15
Blockchains
46
MCP tools
17
AI sub-agents
5
Protocols