Sequencer
Last updated
Last updated
The sequencer serves user requests efficiently, fairly, and deterministically. It can be further divided into smaller components, including a gateway to inspect user requests and filter out malicious traffic, a matching engine to process user orders and update the internal state, a data server to stream market data to the trader API, and a witness generator to produce witnesses used by the prover.
From a user’s perspective, the sequencer can generally be seen as a high-performance server that sequences user requests and responds with the correct state updates, which are expected to be proved later.
A well-behaved sequencer will accept user requests and process them fairly, delivering the promised results as quickly as possible.
Once users receive the results, such as balance increments, they can operate on the new state immediately without waiting for the proof generation and finalization steps. The only exception is a withdrawal request, where users request to transfer assets out of the on-chain vault. Such on-chain transactions can only be executed with a valid proof, requiring users to wait for a proof generation and finalization cycle before claiming their assets from the contract.
The lengthy wait for withdrawal requests can be optimized by a mechanism known as . In this scenario, the operator vouches for the withdrawal request and sends assets to the withdrawer on-chain using an insurance fund. Subsequently, a SNARK proof will deduct the same amount from the withdrawer's off-chain account to reimburse the insurance fund and nullify the fast withdrawal request. The insurance fund is maintained in isolated storage, ensuring that user assets in the vault remain untouched during this process.
Although a malicious sequencer cannot manipulate or steal on-chain assets, it can still cause some issues. Here are some typical actions a malicious sequencer can take:
Deny a user's valid request.
Reorder requests in favor of arbitragers.
Return incorrect responses to users.
Vessel is committed to operating a well-behaved sequencer, and there is no benefit in running a malicious one, as it would only result in a loss of reputation without the capability to steal funds from the contract. Nonetheless, it is important to note that users can still claim their assets safely, bypassing a malicious sequencer, through a .
A force withdrawal is executed by sending a withdrawal instruction to the contract and prompting the prover to commit a SNARK proof in response. The prover must either validate the instruction and transfer the asset to the user’s account or invalidate the instruction by presenting a Merkle proof on the latest state root showing the user doesn’t own the claimed amount. If the prover fails to respond in a timely manner, the entire vault will enter an irrecoverable exodus mode, allowing users to directly submit Merkle proofs of their balances to withdraw their assets, with assistance from the Data Availability mechanism discussed in the next section.