Invariant Summary

Signals v1 is specified as a set of deterministic state transitions. Invariants are the statements that must remain true across those transitions.

This page states the invariants in prose and in compact equations. The reference pages state them more formally.

Pricing invariants

Pricing is a state machine with a potential. Trades update one shared state, and marginal prices are read from that state.

Define:

$$w_i(q) = \exp(q_i/\alpha),\quad Z(q)=\sum_i w_i(q),\quad C(q)=\alpha\ln Z(q)$$ $$p_i(q)=\frac{w_i(q)}{Z(q)}$$

Three invariants are foundational:

Normalization:

$$\sum_i p_i(q) = 1$$

Gradient identity:

$$\frac{\partial C}{\partial q_i} = p_i(q)$$

Path independence:

$$\Delta C = C(q_{\text{after}}) - C(q_{\text{before}})$$

Path independence is a statement about the fee-free mechanism. A trade sequence can be split into different micro-orders, but the total base cashflow depends only on the start state and the end state.

The simplest algebraic form is the telescoping identity:

$$\sum_{t=0}^{k-1} \left(C(q_{t+1}) - C(q_t)\right) = C(q_k) - C(q_0)$$

It is a structural statement about the potential. If two sequences of trades produce the same final $q$, their fee-free total is equal.

Range trading inherits the same contract. A contiguous range $R$ is priced as mass under the tick distribution:

$$p(R; q) = \sum_{i \in R} p_i(q)$$

and a range buy is the structured update $q' = q + x\mathbf{1}_R$ with base cost $C(q') - C(q)$.

The same base cost can be written as an integral of range prices along the buy path:

$$\text{baseCost}(x; q, R) = \int_{0}^{x} p(R; q + t\mathbf{1}_R)\, dt$$

This identity pins down slippage as a mechanical consequence of state movement. It is not a negotiated feature of execution.

Monotonicity is the basic sanity constraint: increasing a position on a fixed state must not reduce marginal cost along that same direction. If monotonicity fails, a larger trade can be cheaper than a smaller trade on the same state, which breaks coherent pricing.

Rounding is also part of the pricing contract. CLMSR math is defined at high precision, but realized debits and credits must be expressed in token units. Two rounding direction invariants keep the system conservative:

• costs are rounded up toward the payer,
• proceeds are rounded down toward the protocol.

This asymmetry prevents a long-run leakage loop where an adversary can extract value by repeatedly entering and exiting at the unit boundary.

Numeric stability is part of the invariant surface. The implementation must not enter a state where exponentials overflow, underflow collapses normalization, or range pricing becomes non-monotone due to rounding artifacts.

Settlement and claim invariants

Settlement defines a discrete, time-gated mapping from an external value to one tick.

The tick mapping contract is:

• one settlement tick $\tau$ per market day,
• clamping into a bounded tick range,
• alignment down to tick spacing.

More explicitly, oracle settlement produces a scaled settlement value and then computes:

$$\text{tick}_0 = \left\lfloor \frac{\text{settlementValue}}{10^6} \right\rfloor$$

followed by clamping and spacing alignment. The alignment direction matters. Rounding down removes ambiguity and makes tick membership a simple integer rule.

Once a tick is finalized, it is immutable. Claims read exactly one tick and the half-open position rule.

Time ordering is also invariant. A market day has a fixed ordering around $T_\text{set}$:

• trading closes at $T_\text{set}$,
• oracle submission has a fixed window,
• finality is an explicit on-chain state transition,
• claims remain closed until finality and the claim gate.

The claim gate is pinned down by timestamps:

$$\text{claimOpen} = T_\text{set} + \Delta_\text{claim},\quad \Delta_\text{claim}=\Delta_\text{settle}+\Delta_\text{ops}$$

The claim surface must satisfy two invariants simultaneously:

• claims are never payable before finality, and
• claims are payable after finality and claimOpen, subject to token ownership.

Oracle selection is deterministic. A set of admissible signed samples submitted during SettlementOpen induces one selected candidate by closest timestamp to $T_\text{set}$, with a tie-breaker to the past. That tie-breaker matters at the boundary. It defines which sample wins when two samples are equally distant around $T_\text{set}$.

Failure routing preserves meaning. A failure-marked day may finalize through the secondary settlement path, but the result is still exactly one tick and the same claim semantics. The path changes the source of the settlement value, not the payout rule.

Accounting invariants

Accounting is discrete. Trading moves the pricing state continuously during the day, but maker-side results are realized at one batch boundary per day.

Three invariants define the vault boundary.

Single batch update:

• exactly one batch update realizes maker-side PnL and fees for a day,
• batch processing reverts if the day is not ready.

Conservation:

• realized maker PnL and gross fees are accounted for exactly once,
• allocation sums match the day inputs under explicit ordering.

Escrow and claim funding:

• finality escrows a payout reserve for open positions,
• claims draw only from that reserve after claimOpen.

Share accounting uses a boundary price derived from vault value and total shares:

$$\text{sharePrice} = \frac{\text{vaultValue}}{\text{totalShares}}$$

Requests for deposits and withdrawals are boundary objects. They become eligible at future batch boundaries and cannot execute mid-day. This is a fairness invariant. It prevents the accounting layer from becoming a timing game.

The fee waterfall is also an invariant surface. It enforces fixed ordering and fixed rounding semantics, including:

• loss compensation using fees before residual splitting,
• a NAV floor and backstop grant that either fits inside tail budget or reverts,
• a backstop coverage fill target,
• and residual split weights that sum to one.

The waterfall constraints can be stated as explicit inequalities. If $L_t$ is signed daily PnL and $F^{\text{tot}}_t$ is gross fees, define:

$$L^-_t = \max(0, -L_t),\quad F^{\text{loss}}_t = \min(F^{\text{tot}}_t, L^-_t)$$

and the post-compensation NAV:

$$N^{\text{raw}}_t = N_{t-1} + L_t + F^{\text{loss}}_t$$

Define a NAV floor derived from prior NAV:

$$N^{\text{floor}}_t = \left\lceil N_{t-1}\cdot(1+\text{pdd}) \right\rceil$$

The grant need is the shortfall:

$$G^{\text{need}}_t = \max(0, N^{\text{floor}}_t - N^{\text{raw}}_t)$$

Two safety invariants are enforced as hard reverts:

$$G^{\text{need}}_t \le \Delta E_t,\quad G^{\text{need}}_t \le B_{t-1}$$

Residual fee weights satisfy:

$$\phi_{LP} + \phi_{BS} + \phi_{TR} = 1$$

and any residual rounding dust in the split is assigned deterministically.

If any of these properties drift, maker accounting becomes ambiguous and depth becomes non-interpretable across time.

Regimes and upgrades

Signals v1 is upgradeable. Some statements are mechanism invariants and should remain true across upgrades. Other facts are regime facts and can change via upgrades or configuration.

Mechanism invariants include:

• range base cost as a cost-function difference,
• one-tick finality and half-open claim semantics,
• one accounting boundary per day.

Regime facts include:

• exact fee policy addresses used by new markets,
• exact depth settings chosen at market creation,
• oracle feed configuration and admissible sample constraints.

Historical analysis should segment regimes at the on-chain boundaries that changed bytecode or configuration.

One concrete consequence is that identical-looking actions can be different objects across regimes. The proxy entrypoint address can remain stable while:

• the pricing implementation changes the exact rounding boundary,
• the settlement window configuration changes the meaning of "late submission,"
• the vault configuration changes the residual fee split.

The invariants above define what must remain true even when those regime facts shift.

Related reading

• CLMSR Invariants
• Risk Invariants
• Vault Invariants

Whitepaper appendix:

• Invariants