DefiTuna AMM Smart Contract — Anchor Implementation Guide

December 26, 2025 · 12 min read

Senior Software Engineer at Vitrifi

TL;DR

DefiTuna AMM combines concentrated liquidity, on-chain limit orders, and leveraged liquidity provision in a unique AMM design. This article focuses on the Anchor smart contract that implements this protocol, specifically examining:

Program Architecture: A hybrid AMM with integrated limit order book, implemented as a multi-instruction Anchor program
Key Instructions: initialize_pool, create_position, place_limit_order, swap, leverage_position
Account Structure: Complex PDA hierarchies for pools, positions, orders, and leveraged positions with proper rent management
Mathematical Core: Concentrated liquidity calculations with leverage multipliers
Security Patterns: Comprehensive validation, owner controls, and reentrancy protection through Solana's native constraints

Introduction

DefiTuna AMM represents an innovative approach to decentralized exchanges by integrating traditional AMM mechanics with orderbook-style limit orders and leverage capabilities. This Anchor smart contract implements the core on-chain logic that makes this possible, providing developers with a practical example of advanced Solana DeFi programming patterns.

The program follows a modular architecture with separate handlers for pool management, position creation, order placement, and swap execution. All state is managed through PDAs to ensure secure ownership and access control.

Architecture Diagrams

Account Relationships

Instruction Flow for Limit Order Execution

Account Structure

Account	Type	PDA Seeds	Purpose
`Pool`	State	`["pool", base_mint, quote_mint]`	Stores pool configuration and global state
`Position`	State	`["position", pool, owner, position_id]`	Tracks user's concentrated liquidity position
`LimitOrder`	State	`["order", pool, owner, order_id]`	Stores limit order parameters and status
`LeveragedPosition`	State	`["leverage", pool, owner, leverage_id]`	Manages leveraged liquidity positions
`ProtocolConfig`	State	`["config"]`	Global protocol parameters and fee accounts
`Tick`	State	`["tick", pool, tick_index]`	Stores liquidity data for specific price ticks

PDA Derivation Example

#[account]
#[derive(InitSpace)]
pub struct Pool {
    pub base_mint: Pubkey,
    pub quote_mint: Pubkey,
    pub fee_rate: u16, // basis points
    pub protocol_fee_rate: u16,
    pub tick_spacing: i32,
    pub current_tick_index: i32,
    pub liquidity: u128,
    pub sqrt_price: u128,
    pub fee_growth_global_0: u128,
    pub fee_growth_global_1: u128,
    pub protocol_fees_0: u64,
    pub protocol_fees_1: u64,
    pub bump: u8,
}

// PDA derivation for pool
let (pool_pda, pool_bump) = Pubkey::find_program_address(
    &[
        b"pool",
        base_mint.as_ref(),
        quote_mint.as_ref(),
    ],
    program_id
);

## Instruction Handlers Deep Dive

### 1. `initialize_pool` - Pool Creation

This instruction creates a new liquidity pool with specified parameters:

```rust
#[derive(Accounts)]
pub struct InitializePool<'info> {
    #[account(mut)]
    pub payer: Signer<'info>,
    
    #[account(
        init,
        payer = payer,
        space = 8 + Pool::INIT_SPACE,
        seeds = [
            b"pool",
            base_mint.key().as_ref(),
            quote_mint.key().as_ref()
        ],
        bump
    )]
    pub pool: Account<'info, Pool>,
    
    pub base_mint: Account<'info, Mint>,
    pub quote_mint: Account<'info, Mint>,
    
    pub system_program: Program<'info, System>,
}

pub fn initialize_pool(
    ctx: Context<InitializePool>,
    fee_rate: u16,
    tick_spacing: i32,
    initial_sqrt_price: u128,
) -> Result<()> {
    let pool = &mut ctx.accounts.pool;
    
    // Validate parameters
    require!(fee_rate <= MAX_FEE_RATE, ErrorCode::InvalidFeeRate);
    require!(tick_spacing > 0, ErrorCode::InvalidTickSpacing);
    
    // Initialize pool state
    pool.base_mint = ctx.accounts.base_mint.key();
    pool.quote_mint = ctx.accounts.quote_mint.key();
    pool.fee_rate = fee_rate;
    pool.tick_spacing = tick_spacing;
    pool.sqrt_price = initial_sqrt_price;
    pool.current_tick_index = calculate_tick_from_sqrt_price(initial_sqrt_price);
    pool.bump = ctx.bumps.pool;
    
    Ok(())
}

### 2. `create_position` - Concentrated Liquidity Position

Creates a position with liquidity concentrated between specified ticks:

```rust
#[derive(Accounts)]
#[instruction(position_id: u64)]
pub struct CreatePosition<'info> {
    #[account(mut)]
    pub owner: Signer<'info>,
    
    #[account(
        seeds = [
            b"pool",
            pool.base_mint.as_ref(),
            pool.quote_mint.as_ref()
        ],
        bump = pool.bump
    )]
    pub pool: Account<'info, Pool>,
    
    #[account(
        init,
        payer = owner,
        space = 8 + Position::INIT_SPACE,
        seeds = [
            b"position",
            pool.key().as_ref(),
            owner.key().as_ref(),
            &position_id.to_le_bytes()
        ],
        bump
    )]
    pub position: Account<'info, Position>,
    
    #[account(mut)]
    pub token_account_a: Account<'info, TokenAccount>,
    #[account(mut)]
    pub token_account_b: Account<'info, TokenAccount>,
    
    pub token_program: Program<'info, Token>,
    pub system_program: Program<'info, System>,
}

#[account]
#[derive(InitSpace)]
pub struct Position {
    pub pool: Pubkey,
    pub owner: Pubkey,
    pub liquidity: u128,
    pub tick_lower: i32,
    pub tick_upper: i32,
    pub fee_growth_inside_0_last: u128,
    pub fee_growth_inside_1_last: u128,
    pub tokens_owed_0: u64,
    pub tokens_owed_1: u64,
    pub bump: u8,
}

pub fn create_position(
    ctx: Context<CreatePosition>,
    position_id: u64,
    tick_lower: i32,
    tick_upper: i32,
    liquidity_delta: u128,
) -> Result<()> {
    let pool = &mut ctx.accounts.pool;
    let position = &mut ctx.accounts.position;
    
    // Validate tick bounds
    require!(tick_lower < tick_upper, ErrorCode::InvalidTickRange);
    require!(tick_lower % pool.tick_spacing == 0, ErrorCode::TickNotSpaced);
    require!(tick_upper % pool.tick_spacing == 0, ErrorCode::TickNotSpaced);
    
    // Calculate required token amounts
    let (amount_a, amount_b) = calculate_liquidity_amounts(
        pool.sqrt_price,
        tick_lower,
        tick_upper,
        liquidity_delta
    );
    
    // Transfer tokens from user
    transfer_tokens_in(
        &ctx.accounts.token_account_a,
        &ctx.accounts.token_account_b,
        amount_a,
        amount_b,
        &ctx.accounts.token_program,
        &ctx.accounts.owner
    )?;
    
    // Update position state
    position.pool = ctx.accounts.pool.key();
    position.owner = ctx.accounts.owner.key();
    position.liquidity = liquidity_delta;
    position.tick_lower = tick_lower;
    position.tick_upper = tick_upper;
    position.bump = ctx.bumps.position;
    
    // Update pool liquidity
    update_ticks_liquidity(pool, tick_lower, tick_upper, liquidity_delta, true)?;
    
    Ok(())
}

### 3. `place_limit_order` - Orderbook Integration

Creates a limit order that sits on the order book until matched:

```rust
#[derive(Accounts)]
#[instruction(order_id: u64)]
pub struct PlaceLimitOrder<'info> {
    #[account(mut)]
    pub owner: Signer<'info>,
    
    #[account(
        seeds = [
            b"pool",
            pool.base_mint.as_ref(),
            pool.quote_mint.as_ref()
        ],
        bump = pool.bump
    )]
    pub pool: Account<'info, Pool>,
    
    #[account(
        init,
        payer = owner,
        space = 8 + LimitOrder::INIT_SPACE,
        seeds = [
            b"order",
            pool.key().as_ref(),
            owner.key().as_ref(),
            &order_id.to_le_bytes()
        ],
        bump
    )]
    pub order: Account<'info, LimitOrder>,
    
    #[account(
        mut,
        token::mint = pool.base_mint,
        token::authority = owner
    )]
    pub user_token_account: Account<'info, TokenAccount>,
    
    #[account(
        init,
        payer = owner,
        token::mint = pool.base_mint,
        token::authority = order,
        seeds = [
            b"order_vault",
            order.key().as_ref()
        ],
        bump
    )]
    pub order_vault: Account<'info, TokenAccount>,
    
    pub token_program: Program<'info, Token>,
    pub system_program: Program<'info, System>,
}

#[account]
#[derive(InitSpace)]
pub struct LimitOrder {
    pub pool: Pubkey,
    pub owner: Pubkey,
    pub order_id: u64,
    pub tick: i32,
    pub amount: u64,
    pub is_bid: bool,
    pub filled_amount: u64,
    pub status: OrderStatus,
    pub bump: u8,
}

pub fn place_limit_order(
    ctx: Context<PlaceLimitOrder>,
    order_id: u64,
    tick: i32,
    amount: u64,
    is_bid: bool,
) -> Result<()> {
    let order = &mut ctx.accounts.order;
    
    // Validate tick alignment
    let pool = &ctx.accounts.pool;
    require!(tick % pool.tick_spacing == 0, ErrorCode::TickNotSpaced);
    
    // Transfer tokens to order vault
    let transfer_ctx = CpiContext::new(
        ctx.accounts.token_program.to_account_info(),
        Transfer {
            from: ctx.accounts.user_token_account.to_account_info(),
            to: ctx.accounts.order_vault.to_account_info(),
            authority: ctx.accounts.owner.to_account_info(),
        }
    );
    
    transfer(transfer_ctx, amount)?;
    
    // Initialize order
    order.pool = ctx.accounts.pool.key();
    order.owner = ctx.accounts.owner.key();
    order.order_id = order_id;
    order.tick = tick;
    order.amount = amount;
    order.is_bid = is_bid;
    order.filled_amount = 0;
    order.status = OrderStatus::Open;
    order.bump = ctx.bumps.order;
    
    // Emit order placed event
    emit!(OrderPlaced {
        pool: ctx.accounts.pool.key(),
        owner: ctx.accounts.owner.key(),
        order_id,
        tick,
        amount,
        is_bid,
        timestamp: Clock::get()?.unix_timestamp,
    });
    
    Ok(())
}

### 4. `swap` - Execution with Order Matching

Executes a swap, potentially matching against limit orders:

```rust
pub fn swap(
    ctx: Context<Swap>,
    amount: u64,
    sqrt_price_limit: u128,
    is_exact_input: bool,
) -> Result<()> {
    let pool = &mut ctx.accounts.pool;
    
    // Calculate swap amounts
    let (amount_in, amount_out, sqrt_price_new, liquidity) =
        compute_swap_step(
            pool.sqrt_price,
            sqrt_price_limit,
            pool.liquidity,
            amount,
            pool.fee_rate,
            is_exact_input
        )?;
    
    // Check against limit orders in this tick range
    let matched_orders = find_matching_orders(
        pool,
        pool.current_tick_index,
        get_tick_from_sqrt_price(sqrt_price_new),
        !is_exact_input // opposite side of trade
    );
    
    let mut total_matched = 0;
    for order_info in matched_orders {
        let order_account = &ctx.remaining_accounts[order_info.index];
        let mut order = Account::<LimitOrder>::try_from(order_account)?;
        
        let match_amount = min(order.amount - order.filled_amount, amount_out - total_matched);
        
        // Execute against limit order
        execute_against_limit_order(
            &mut order,
            match_amount,
            &ctx.accounts.token_program,
            &ctx.accounts.user_token_account,
            &ctx.accounts.order_vaults[order_info.vault_index]
        )?;
        
        total_matched += match_amount;
        if total_matched >= amount_out {
            break;
        }
    }
    
    // Update pool state
    pool.sqrt_price = sqrt_price_new;
    pool.liquidity = liquidity;
    
    // Apply fees
    let protocol_fee = amount_in
        .checked_mul(pool.protocol_fee_rate as u64)
        .unwrap()
        .checked_div(10_000)
        .unwrap();
    
    if is_exact_input {
        pool.protocol_fees_0 = pool.protocol_fees_0
            .checked_add(protocol_fee)
            .unwrap();
    } else {
        pool.protocol_fees_1 = pool.protocol_fees_1
            .checked_add(protocol_fee)
            .unwrap();
    }
    
    Ok(())
}

### 5. `leverage_position` - Leveraged Liquidity

Enables leveraged liquidity provision with up to 5x multiplier:

```rust
pub fn leverage_position(
    ctx: Context<LeveragePosition>,
    leverage_id: u64,
    position_key: Pubkey,
    leverage_multiplier: u8,
    collateral_amount: u64,
) -> Result<()> {
    require!(leverage_multiplier >= 1, ErrorCode::InvalidLeverage);
    require!(leverage_multiplier <= MAX_LEVERAGE, ErrorCode::ExceedsMaxLeverage);
    
    let position = &ctx.accounts.position;
    let leveraged_position = &mut ctx.accounts.leveraged_position;
    
    // Calculate borrowed amounts
    let total_liquidity_value = calculate_position_value(position, ctx.accounts.pool.sqrt_price);
    let collateral_value = calculate_token_value(collateral_amount, ctx.accounts.pool.sqrt_price);
    
    let max_borrow_value = collateral_value
        .checked_mul(leverage_multiplier as u64)
        .unwrap()
        .checked_sub(collateral_value)
        .unwrap();
    
    // Create leveraged position
    leveraged_position.position = position_key;
    leveraged_position.owner = ctx.accounts.owner.key();
    leveraged_position.leverage_multiplier = leverage_multiplier;
    leveraged_position.collateral_amount = collateral_amount;
    leveraged_position.borrowed_amount_0 = calculate_borrow_amount_0(total_liquidity_value, max_borrow_value);
    leveraged_position.borrowed_amount_1 = calculate_borrow_amount_1(total_liquidity_value, max_borrow_value);
    leveraged_position.bump = ctx.bumps.leveraged_position;
    
    // Health check: ensure position remains safe
    let health_ratio = calculate_health_ratio(leveraged_position, ctx.accounts.pool.sqrt_price);
    require!(health_ratio > MIN_HEALTH_RATIO, ErrorCode::InsufficientCollateral);
    
    Ok(())
}

## Mathematical Formulas

### Concentrated Liquidity Calculations

The amount of token X and Y required for a liquidity position between ticks $t_L$ and $t_U$ is given by:

$$
\Delta x = \Delta L \cdot \left( \frac{1}{\sqrt{P}} - \frac{1}{\sqrt{P_U}} \right)
$$

$$
\Delta y = \Delta L \cdot \left( \sqrt{P} - \sqrt{P_L} \right)
$$

Where:
- $\Delta L$ is the liquidity delta
- $\sqrt{P}$ is the current square root price
- $\sqrt{P_L}, \sqrt{P_U}$ are square root prices at lower and upper ticks

### Swap Computation

For a swap with fee $f$ (in basis points):

Effective amount in after fees:

$$
\Delta x_{eff} = \Delta x \cdot \left(1 - \frac{f}{10^4}\right)
$$

Output amount:

$$
\Delta y = \frac{y \cdot \Delta x_{eff}}{x + \Delta x_{eff}}
$$

### Leverage Health Ratio

$$
\text{Health Ratio} = \frac{\text{Position Value}}{\text{Borrowed Value} \cdot \text{Liquidation Threshold}}
$$

Positions are liquidated when:

$$
\text{Health Ratio} < 1
$$

## Solana & Anchor Best Practices

### 1. Account Validation Patterns

Always validate accounts using Anchor's type system:

```rust
#[account(
    constraint = token_account.mint == pool.base_mint,
    constraint = token_account.owner == owner.key()
)]
pub token_account: Account<'info, TokenAccount>,

### 2. Compute Unit Optimization

Use iteration limits and batch processing for order matching:

```rust
const MAX_ORDERS_PER_SWAP: usize = 10;

for i in 0..min(remaining_orders.len(), MAX_ORDERS_PER_SWAP) {
    // Process order
    if compute_units_remaining() < SAFE_COMPUTE_LIMIT {
        break;
    }
}

### 3. Token-2022 Compatibility

Handle transfer fees by checking received amounts:

```rust
let balance_before = token_account.amount;
transfer(transfer_ctx, amount)?;
let balance_after = token_account.reload()?.amount;
let received_amount = balance_after.checked_sub(balance_before).unwrap();

### 4. Event Emission for Indexers

Emit structured events for easy off-chain processing:

```rust
#[event]
pub struct SwapEvent {
    pub pool: Pubkey,
    pub trader: Pubkey,
    pub amount_in: u64,
    pub amount_out: u64,
    pub sqrt_price_before: u128,
    pub sqrt_price_after: u128,
    pub liquidity: u128,
    pub timestamp: i64,
}

## Security Considerations

### 1. Access Control

All critical operations use PDA-based authority:

```rust
#[account(
    seeds = [b"config"],
    bump = config.bump,
    constraint = config.admin == admin.key()
)]
pub config: Account<'info, ProtocolConfig>,

### 2. Input Validation

Validate all user inputs with appropriate bounds:

```rust
require!(tick_lower < tick_upper, ErrorCode::InvalidTickRange);
require!(fee_rate <= MAX_FEE_RATE, ErrorCode::InvalidFeeRate);
require!(amount > 0, ErrorCode::ZeroAmount);

### 3. Arithmetic Safety

Use checked arithmetic to prevent overflows:

```rust
let total = amount_a
    .checked_add(amount_b)
    .ok_or(ErrorCode::ArithmeticOverflow)?;

### 4. Reentrancy Protection

Solana's transaction model prevents reentrancy, but validate cross-program interactions:

```rust
// Ensure token accounts belong to the expected mints
require!(
    token_account_a.mint == pool.base_mint &&
    token_account_b.mint == pool.quote_mint,
    ErrorCode::InvalidTokenAccount
);

### 5. Oracle Manipulation Protection

Use time-weighted prices for sensitive operations:

```rust
let price = calculate_time_weighted_price(
    pool.sqrt_price_history,
    Clock::get()?.unix_timestamp
);

## How to Use This Contract

### Building and Deploying

```bash
# Build the program
anchor build

# Deploy to devnet
anchor deploy --provider.cluster devnet

# Verify deployment
solana program show --programs

### Example TypeScript Client

```typescript
import * as anchor from "@coral-xyz/anchor";
import { Program } from "@coral-xyz/anchor";
import { DefiTunaAmm } from "../target/types/defi_tuna_amm";

async function createPosition() {
  const provider = anchor.AnchorProvider.env();
  anchor.setProvider(provider);
  
  const program = anchor.workspace.DefiTunaAmm as Program<DefiTunaAmm>;
  
  const [poolPda] = anchor.web3.PublicKey.findProgramAddressSync(
    [
      Buffer.from("pool"),
      baseMint.toBuffer(),
      quoteMint.toBuffer()
    ],
    program.programId
  );
  
  const positionId = new anchor.BN(Date.now());
  const [positionPda] = anchor.web3.PublicKey.findProgramAddressSync(
    [
      Buffer.from("position"),
      poolPda.toBuffer(),
      provider.wallet.publicKey.toBuffer(),
      positionId.toArrayLike(Buffer, "le", 8)
    ],
    program.programId
  );
  
  const tx = await program.methods
    .createPosition(
      positionId,
      -6000, // tick_lower
      6000,  // tick_upper
      new anchor.BN(1000000) // liquidity
    )
    .accounts({
      pool: poolPda,
      position: positionPda,
      owner: provider.wallet.publicKey,
      tokenAccountA: tokenAccountA,
      tokenAccountB: tokenAccountB,
    })
    .rpc();
    
  console.log("Transaction signature:", tx);
}

### Required Pre-Instructions

For complex operations like leveraged positions, you may need to:

1. Create associated token accounts
2. Approve token transfers
3. Initialize required PDAs
4. Fund accounts with minimum rent

## Extending the Contract

### Adding New Instructions

1. Define new account structs in `#[derive(Accounts)]`
2. Implement handler function with proper validation
3. Add to the `lib.rs` module exports
4. Update IDL generation

### Customization Points

- **Fee Models**: Modify `compute_swap_step` for dynamic fees
- **Order Types**: Extend `LimitOrder` for different order types (FOK, IOC)
- **Leverage Models**: Add new collateral types or liquidation mechanisms
- **Oracle Integration**: Incorporate Pyth or Switchboard for price feeds

### Testing Strategies

```rust
#[tokio::test]
async fn test_swap_with_limit_order_match() {
    let mut test = ProgramTest::new(
        "defi_tuna_amm",
        id(),
        processor!(processor::Processor::process)
    );
    
    // Add accounts and mints
    test.add_account(mint_pubkey, mint_account);
    
    let (mut banks_client, payer, recent_blockhash) = test.start().await;
    
    // Create and place limit order
    let place_order_ix = Instruction {
        program_id: id(),
        accounts: place_order_accounts,
        data: place_order_data,
    };
    
    // Execute swap that should match
    let swap_ix = Instruction {
        program_id: id(),
        accounts: swap_accounts,
        data: swap_data,
    };
    
    let transaction = Transaction::new_signed_with_payer(
        &[place_order_ix, swap_ix],
        Some(&payer.pubkey()),
        &[&payer],
        recent_blockhash
    );
    
    banks_client.process_transaction(transaction).await.unwrap();
}

## Conclusion

The DefiTuna AMM smart contract demonstrates advanced Anchor patterns for building sophisticated DeFi protocols on Solana. By combining concentrated liquidity, limit orders, and leverage in a single program, it showcases how to manage complex state relationships while maintaining security and efficiency.

Key takeaways for developers:
1. Use PDA hierarchies for secure ownership and access control
2. Implement mathematical operations with overflow protection
3. Design for composability with other Solana programs
4. Emit comprehensive events for off-chain indexing
5. Optimize for compute units in iteration-heavy operations

This contract serves as a foundation for building next-generation AMMs that bridge the gap between traditional order books and automated market makers.

Kamino Lend Smart Contract — Anchor Implementation Guide

December 26, 2025 · 17 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

TL;DR

Kamino Lend is a high-performance lending protocol on Solana with over $2.68B TVL, using a peer-to-pool model for capital efficiency
This Anchor smart contract implements core lending functionality: reserve management, borrowing, collateralization, and liquidations via CPI integration
Key Instructions: init_reserve, deposit, withdraw, borrow, repay, liquidate with Anchor CPI to SPL token program
Account Architecture: Extensive use of PDAs for reserve state, obligation tracking, and interest rate calculations with proper rent management
Anchor Patterns: Comprehensive use of #[account] macros, #[derive(Accounts)] structs, and init_if_needed for gas-efficient deployments
Mathematical Core: Utilization-based interest rates with compound interest accrual using exponential formulas and health factor calculations

Introduction

Kamino Lend represents the cutting edge of Solana lending infrastructure, implementing a sophisticated peer-to-pool model that balances capital efficiency with risk management. With over $2.68B in Total Value Locked, the protocol's architecture has proven its robustness at scale, making it an essential case study for understanding production-grade DeFi systems on Solana.

Architectural Philosophy

The protocol's design is built on three foundational principles:

Capital Efficiency Through Pooling: Unlike peer-to-peer lending models, Kamino aggregates liquidity into shared pools, maximizing utilization and providing instant liquidity for borrowers and lenders.
Risk Isolation via Reserve Architecture: Each asset operates as an independent reserve with its own risk parameters, interest rate models, and collateralization ratios, preventing contagion across markets.
Composability First: The contract is designed as a building block for higher-order DeFi primitives, enabling strategies like leveraged yield farming, delta-neutral positions, and automated portfolio management.

This guide examines the architectural patterns and design decisions that enable Kamino Lend to operate at scale, focusing on account structures, state management, mathematical models, and system invariants rather than implementation details.

Architecture Diagrams

Account Relationships and PDA Hierarchy

Deposit Instruction Flow

Account Structure Table

Account Name	Type	PDA Seeds	Purpose	Fields (Simplified)
`LendingMarket`	Program State	`[b"lending-market", market_id]`	Global configuration	`owner`, `quote_currency`, `bump`, `reserves_list`
`Reserve`	Program State	`[b"reserve", lending_market, mint]`	Per-asset liquidity pool	`liquidity`, `collateral`, `config`, `last_update`, `cumulative_borrow_rate`
`Obligation`	User State	`[b"obligation", lending_market, user]`	User's borrowing position	`deposits[]`, `borrows[]`, `repayments[]`, `health_factor`
`ReserveLiquidity`	PDA	`[b"liquidity", reserve]`	Token vault for deposits	SPL token account (owned by program)
`ReserveCollateral`	PDA	`[b"collateral", reserve]`	cToken mint for the reserve	SPL mint (cToken representation)
`FeeReceiver`	PDA	`[b"fees", reserve]`	Protocol fee accumulation	SPL token account for fees

Core Lending Primitives

1. Reserve Initialization Architecture

Reserve initialization establishes the fundamental infrastructure for a lending market. Each reserve represents an isolated pool for a single asset type, with its own economic parameters and risk profile.

Account Hierarchy:

Reserve PDA: Central state account storing liquidity metrics, interest rates, and configuration
Liquidity Vault: Token account holding deposited assets, controlled by the reserve PDA
Collateral Token Mint: Represents depositor shares (similar to LP tokens in AMMs)
Fee Receiver: Accumulates protocol revenue from interest spread
Oracle Account: External price feed for collateral valuation

Design Decisions:

PDA-Based Authority: The reserve PDA acts as the authority for all token operations, eliminating the need for separate signer management and ensuring atomic operations.
Idempotent Initialization: Using init_if_needed patterns allows for graceful handling of concurrent initialization attempts, critical for permissionless market creation.
Parametric Risk Models: Each reserve stores its own loan-to-value ratio, liquidation threshold, and interest rate curve, enabling fine-tuned risk management per asset.

Economic Configuration:

Optimal utilization target (typically 80%)
Base and slope interest rate parameters
Liquidation bonus and close factor
Reserve factor for protocol revenue

The deposit system implements a share-based accounting model where depositors receive collateral tokens (cTokens) representing their proportional ownership of the reserve's assets.

Mechanism Flow:

Interest Accrual: Before any operation, the reserve accrues accumulated interest, ensuring all depositors benefit proportionally from lending activity.
Exchange Rate Calculation: The system calculates how many cTokens to mint based on the current ratio of total deposits to outstanding cTokens. This rate increases over time as interest accrues.
Atomic Token Operations: User assets transfer to the reserve vault and cTokens mint to the user in a single transaction, preventing partial execution.
State Updates: Reserve metrics update atomically, maintaining invariants around total supply and collateral.

Mathematical Core: The exchange rate between underlying tokens and cTokens uses compound interest:

\text{exchangeRate} = \frac{\text{collateralMintSupply}}{\text{liquidityTotalSupply}}

Where both numerator and denominator grow with interest accrual. For deposit amount $A$ :

\text{cTokens} = A \times \frac{\text{collateralMintSupply}}{\text{liquidityTotalSupply}}

3. Borrowing Architecture: Multi-Collateral Risk Management

The borrowing system enables users to take loans against deposited collateral while maintaining solvency through a health factor mechanism.

Obligation Structure:

Each user has a single Obligation account per lending market that tracks:

Deposits: Array of collateral positions across multiple reserves
Borrows: Array of loan positions with accrued interest
Health Factor: Real-time solvency metric
Last Update: Timestamp for interest calculation

Risk Management Layers:

Per-Asset LTV Ratios: Each collateral type has a maximum loan-to-value ratio (e.g., SOL at 80%, meme coins at 50%), determining borrowing power.
Cross-Collateral Aggregation: Users can borrow against multiple collateral types simultaneously, with total borrowing power calculated across all deposits.
Utilization Caps: Each reserve has maximum utilization limits to ensure liquidity for withdrawals.
Dynamic Health Checks: Before and after each borrow, the system validates that the user's health factor remains above the minimum threshold.

Borrow Operation Flow:

Accrue interest on both reserve (to update rates) and obligation (to account for existing debt growth)
Validate borrowing power exceeds requested amount
Check reserve hasn't exceeded utilization limits
Execute token transfer from reserve to user
Update obligation's debt tracking with current cumulative borrow rate
Recalculate and validate health factor post-operation

Health Factor Calculation: The health factor determines liquidation risk:

\text{healthFactor} = \frac{\text{collateralValue} \times \text{ltvRatio}}{\text{borrowedValue}}

Where:

$\text{collateralValue} = \sum (\text{collateralAmount}_i \times \text{price}_i)$
$\text{borrowedValue} = \sum (\text{borrowedAmount}_j \times \text{price}_j)$
$\text{ltvRatio} = \text{loan-to-value ratio per asset (0-1)}$

4. Liquidation System: Incentive-Driven Solvency

Liquidation is the protocol's self-healing mechanism, allowing third-party actors to restore under-collateralized positions to health by repaying debt in exchange for discounted collateral.

Trigger Conditions:

Health factor falls below 1.0 (typically triggered by collateral price drops or borrow rate increases)
Position becomes mathematically insolvent when debt value exceeds collateral value adjusted for LTV

Economic Incentive Structure:

Liquidation Bonus: Liquidators receive a percentage bonus (e.g., 5-10%) on the collateral value they seize, compensating for gas costs, price execution risk, and market making.
Partial Liquidations: Most protocols limit single liquidation amounts (close factor of 50%) to prevent excessive slippage and give borrowers a chance to add collateral.
Dutch Auction Potential: Some implementations use declining bonuses over time to optimize protocol value capture.

System Protection Mechanisms:

Oracle Validation: Multiple price sources prevent manipulation-based fake liquidations
Slippage Bounds: Maximum collateral withdrawal per transaction prevents reserve depletion
Reserve Insurance: Protocol retains a portion of liquidation proceeds as bad debt insurance

Liquidation Flow:

External actor identifies under-collateralized position
Liquidator repays portion of user's debt to the reserve
System calculates collateral owed based on repayment amount, asset prices, and liquidation bonus
Collateral transfers to liquidator at discount
Obligation updates with reduced debt and collateral
If health factor restored above threshold, position remains open; otherwise, additional liquidations possible

Interest Rate Architecture

Utilization-Based Rate Model

Kamino implements a kinked interest rate curve that dynamically adjusts based on capital utilization, balancing supply and demand while preventing excessive leverage.

Rate Curve Design:

Borrow Rate |
            |              /
   Max      |            /
            |          /  (Steep slope)
            |        /
   Optimal  |------/
            |    /  (Gradual slope)
   Min      |  /
            |/________________
            0%    80%    100%  Utilization

Economic Rationale:

Below Optimal Utilization (0-80%):
- Gradual rate increase encourages borrowing
- Low rates attract borrowers when liquidity is abundant
- Prevents capital from sitting idle
Above Optimal Utilization (80-100%):
- Steep rate increase protects lender liquidity
- High rates incentivize debt repayment
- Discourages excessive leverage during high utilization

Compound Interest Accrual:

The protocol uses continuous compound interest with per-slot precision:

C_t = C_0 \times (1 + r)^{\Delta t}

Where:

$C_t$ = cumulative borrow rate at time $t$
$C_0$ = cumulative borrow rate at time $0$
$r$ = periodic rate (borrow rate per slot)
$\Delta t$ = slots elapsed

Each user's debt grows proportionally to the cumulative rate, ensuring fair interest distribution across all borrowers regardless of when they entered positions.

State Management Architecture

Obligation Account Design

The Obligation account represents a user's complete position across the lending protocol, aggregating all collateral deposits and outstanding loans.

Account Structure Philosophy:

Single Account Per User: One obligation account per lending market simplifies account management and enables atomic cross-collateral operations
Dynamic Arrays: Variable-length vectors for deposits and borrows allow users to interact with multiple reserves without account reallocation
Cached Computations: Health factor and market values cached with timestamps to avoid redundant oracle reads

State Transitions:

┌─────────────────────┐
│  Obligation Created │
│  (Empty)            │
└──────────┬──────────┘
           │
           ▼
   ┌───────────────┐
   │  Add Deposit  │ ──────┐
   └───────┬───────┘       │
           │               │
           ▼               │
   ┌───────────────┐       │
   │  Borrow Asset │       │
   └───────┬───────┘       │
           │               │
     ┌─────▼────────┐      │
     │  Monitoring  │◄─────┘
     │  (Active)    │
     └──┬───────┬───┘
        │       │
        │       └──────────┐
        │                  ▼
        │         ┌────────────────┐
        │         │  Liquidation   │
        │         │  (if HF < 1.0) │
        │         └────────┬───────┘
        │                  │
        ▼                  ▼
 ┌──────────────┐   ┌─────────────┐
 │ Repay + Exit │   │  Restored   │
 └──────────────┘   └─────────────┘

Health Factor Calculation Architecture:

The health factor aggregates risk across all positions:

Collateral Valuation: Each deposit multiplied by its asset price and LTV ratio
Debt Valuation: Each borrow multiplied by its asset price and accrued interest
Risk-Adjusted Ratio: Total weighted collateral divided by total debt

\text{healthFactor} = \frac{\sum (\text{collateral}_i \times \text{price}_i \times \text{ltv}_i)}{\sum (\text{debt}_j \times \text{price}_j)}

A health factor below 1.0 indicates technical insolvency and triggers liquidation eligibility.

Solana-Specific Design Patterns

Account Model Optimization

Fixed-Size Account Design:

Kamino optimizes for Solana's account-based model by using predictable account sizes:

Reserve Accounts: ~400 bytes with fixed-size configuration structs
Obligation Accounts: Dynamic sizing with capacity limits (max 10 deposits, 5 borrows)
Market Accounts: Global configuration with reserve registry

Benefits:

Predictable rent costs
Efficient reallocation patterns
Reduced compute units for account validation

Compute Unit Management

The protocol implements several strategies to minimize compute consumption:

Early Returns: Simple validation checks before expensive operations
Batched Operations: Combine multiple token transfers in single CPI calls
Lazy Interest Accrual: Only update rates when users interact, not globally
Cached Oracle Reads: Store price data with timestamps to avoid redundant oracle calls within the same slot

Cross-Program Invocation Architecture

Token Program Abstraction:

Supports both SPL Token and Token-2022 programs through a unified interface:

Dynamic Program Detection: Checks token mint's owner to determine program version
Fee Handling: Token-2022 transfer fees automatically calculated and accounted
Extension Support: Compatible with interest-bearing tokens and other Token-2022 features

Authority Patterns:

PDA Signers: All token operations use PDAs as signers, eliminating private key management
Seed Derivation: Deterministic PDA generation enables permissionless interactions
Authority Hierarchy: Multi-tier access control with admin, operator, and user roles

Security Architecture

Multi-Layer Access Control

The protocol implements defense-in-depth with hierarchical permissions:

Authority Tiers:

Protocol Owner: Can update global parameters, add new reserves, emergency pause
Market Authority: Manages individual market configurations and risk parameters
Reserve Manager: Adjusts interest rate models and asset-specific settings
Emergency Guardian: Limited to circuit breaker activation only

Time-Locked Operations:

Critical parameter changes require a multi-step process:

Proposal Creation: Admin proposes parameter change
Timelock Period: Mandatory waiting period (e.g., 24-48 hours)
Execution Window: Limited window after timelock to execute
Cancellation Rights: Separate guardian can veto dangerous changes

This prevents malicious or accidental instant changes to critical parameters like liquidation thresholds or interest rate curves.

Oracle Security Framework

Multi-Oracle Support:

The architecture supports multiple oracle providers (Pyth, Switchboard, Chainlink) with:

Primary/Secondary Validation: Cross-check prices between two independent sources
Deviation Thresholds: Reject prices that differ by more than acceptable bounds
Staleness Checks: Enforce maximum age for price data
Confidence Intervals: Validate oracle-reported confidence levels

Price Manipulation Protection:

TWAP Integration: Time-weighted average prices smooth out flash crashes
Circuit Breakers: Halt operations if price volatility exceeds thresholds
Reserve-Level Config: Each asset has its own oracle security parameters

Economic Security Mechanisms

Circuit Breakers:

Automatic safeguards trigger during extreme conditions:

High Volatility: Restrict borrowing when asset prices fluctuate rapidly
Critical Utilization: Limit withdrawals when reserves approach depletion
Oracle Failure: Gracefully degrade to safe state if price feeds unavailable
Bad Debt Accumulation: Emergency shutdown if protocol becomes insolvent

Gradual Limits:

Rather than hard cutoffs, the protocol implements smooth degradation:

Borrowing limits decrease proportionally as utilization approaches maximum
Liquidation bonuses increase as health factors deteriorate
Interest rates accelerate non-linearly at extreme utilization

This prevents sudden state changes and gaming around threshold boundaries.

Integration Architecture

Client-Side Design Patterns

PDA Derivation Strategy:

Clients must derive the same PDAs as the on-chain program to construct transactions:

Deterministic Address Generation: Seeds must match exactly (lending market ID, mint address, user wallet)
Bump Seed Caching: Store bump seeds after first derivation to avoid recomputation
Account Validation: Always verify derived PDAs match expected program-owned accounts

Transaction Construction:

Typical interaction flow:

Fetch On-Chain State: Read current reserve and obligation data
Compute Off-Chain: Calculate expected outcomes (cTokens minted, health factor after borrow)
Derive Accounts: Generate all required PDAs
Build Instruction: Construct transaction with correct account order
Simulate First: Always simulate before sending to detect issues
Send and Confirm: Submit transaction and wait for confirmation

Health Factor Monitoring

Continuous Position Monitoring:

Applications should implement:

WebSocket Subscriptions: Listen for obligation account changes
Oracle Price Tracking: Monitor collateral price movements
Alert Thresholds: Warn users when health factor approaches liquidation
Auto-Rebalancing: Optionally implement automated deleveraging

Risk Management Integration:

Display health factor prominently in UI
Show liquidation price for each collateral asset
Provide safety margins (e.g., recommend 150%+ health factor)
Enable one-click position closing during volatility

Extensibility and Composability

Extension Points

The architecture provides several extension mechanisms:

1. New Collateral Types

Adding support for new assets requires:

Initializing a new reserve with appropriate risk parameters
Configuring oracle integration for price feeds
Setting LTV ratios, liquidation thresholds, and interest models
Optional: Custom logic for exotic token types (rebase tokens, yield-bearing assets)

2. Advanced Financial Primitives

Flash Loans: Atomically borrow without collateral within a single transaction:

Borrow assets from reserve
Execute arbitrary logic (arbitrage, collateral swaps, etc.)
Repay loan + fee before transaction completes
If repayment fails, entire transaction reverts

Key Design:

Callback mechanism allows user-defined operations
Fee structure incentivizes liquidity provision
Atomicity guarantees protocol safety

Isolated Markets: Create separate lending markets with different risk profiles:

Blue-chip assets with conservative parameters
Experimental tokens with higher collateral requirements
Stablecoin-only markets for capital efficiency

3. Strategy Integrations

Higher-order protocols can build on lending primitives:

Leveraged Yield Farming: Loop deposits and borrows for amplified yields
Delta-Neutral Strategies: Short via borrowing while holding spot positions
Automated Vaults: Manage user positions with algorithmic rebalancing
Portfolio Optimization: Automatically adjust allocations based on rates

System Validation Strategies

Testing Dimensions:

1. Economic Correctness:

Interest accrual over extended periods
Exchange rate calculations under various utilization levels
Health factor updates with multiple collateral/borrow positions
Liquidation math verification

2. State Invariants:

Total cTokens supply equals sum of user balances
Reserve liquidity matches vault balance minus borrowed amount
Sum of all health factors remains non-negative
Interest never decreases over time

3. Edge Cases:

Maximum utilization scenarios
Oracle price extremes (sudden crashes, stale data)
Concurrent operations on same obligation
Token account edge cases (zero balance, closed accounts)

4. Security Scenarios:

Unauthorized access attempts
Manipulation via price oracle gaming
Flash loan attack vectors
Reentrancy patterns

Simulation-Based Testing:

Monte Carlo simulations with random market conditions
Stress testing with historical volatility data
Fuzz testing with random input combinations
Long-running scenarios (millions of slots)

Conclusion

The Kamino Lend architecture exemplifies production-grade DeFi protocol design on Solana, demonstrating how to build secure, scalable, and composable financial infrastructure. Its success managing over $2.68B in TVL validates the architectural decisions across multiple dimensions.

Key Architectural Principles

Risk Isolation Through Reserve Design: Each asset operates independently with its own parameters, preventing systemic contagion while enabling tailored risk management.
Share-Based Accounting: The cToken model elegantly handles proportional interest distribution and enables composability with other DeFi protocols.
Health Factor as Central Invariant: A single, continuously monitored metric ensures system solvency while providing users with clear risk visibility.
Incentive Alignment: Liquidators, lenders, and borrowers all have economic incentives that maintain protocol stability without relying on centralized actors.
Defensive Design: Multiple layers of validation, circuit breakers, time-locks, and oracle security create resilience against edge cases and attacks.

Architectural Lessons for Builders

For Protocol Developers:

Design account structures for predictable costs and efficient operations
Build mathematical models with fixed-point arithmetic precision
Implement gradual degradation rather than hard cutoffs
Create extension points for future features without compromising core security

For Integrators:

Understand PDA derivation patterns for reliable transaction construction
Monitor on-chain state continuously for position management
Implement robust error handling for network instability
Design UIs that make risk transparent to end users

For Auditors:

Verify mathematical correctness of interest and health calculations
Test state invariants under extreme market conditions
Validate oracle security and manipulation resistance
Check access control at every privilege boundary

Future Evolution

The architecture is designed to evolve:

Support for new collateral types (LSTs, yield-bearing assets, RWAs)
Cross-chain integration via bridges and messaging protocols
Advanced rate models incorporating external market signals
Governance-driven parameter optimization based on empirical data

Kamino Lend demonstrates that Solana's account model, when properly architected, can support complex financial logic at scale. The protocol serves as both a critical infrastructure piece for Solana DeFi and a reference implementation for builders creating the next generation of on-chain financial systems.

This architectural analysis focuses on design patterns and system structure. For implementation details and deployment instructions, consult the official Kamino documentation and audited source code.

Raydium AMM Smart Contract — Anchor Implementation Guide

December 26, 2025 · 14 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

TL;DR

Raydium AMM is a hybrid decentralized exchange combining AMM liquidity pools with Serum's central limit order book (CLOB) for deeper liquidity and tighter spreads
This Anchor-based adapter smart contract enables seamless interaction with Raydium's non-Anchor programs using Cross-Program Invocations (CPI)
Core implementation focuses on swap functionality through CPI to Raydium's main AMM program, handling complex account validation and state transitions
Account architecture utilizes PDAs for routing, token vault management, and fee collection with deterministic address derivation
Key Anchor patterns demonstrated include: CPI with non-Anchor programs, complex account validation, PDA-based routing, and token account management

Introduction

Raydium AMM represents a sophisticated evolution of decentralized exchange design on Solana, merging traditional automated market maker (AMM) liquidity pools with Serum's central limit order book. This hybrid model enables both passive liquidity provision and active market making strategies, creating deeper liquidity and tighter spreads than pure AMM designs.

This article focuses on an Anchor-based adapter smart contract that interfaces with Raydium's native (non-Anchor) programs. The adapter implements essential DeFi primitives—primarily swap operations—through cross-program invocations (CPI), managing complex account relationships and state validation. While Raydium's core programs are written in raw Rust, this adapter demonstrates how to build maintainable, secure interfaces using Anchor's framework.

Architecture Overview

Raydium's architecture follows a modular design where the Anchor adapter serves as an entry point, delegating core logic to Raydium's optimized non-Anchor programs. This separation allows:

Adapter Layer: User-friendly Anchor interface with simplified account management
Core AMM Logic: High-performance swap execution in Raydium's native program
Order Book Integration: Real-time price discovery through Serum DEX

Account Structure Diagram

Account Structure

The adapter manages complex account relationships, validating each account's constraints before delegating to Raydium's core program.

Primary Accounts Table

|---------|------|---------|------------|

Adapter State PDA Structure

#[account]
#[derive(Default)]
pub struct AdapterState {
    /// Bump seed for PDA derivation
    pub bump: u8,
    /// Total swap volume processed through adapter
    pub total_volume: u64,
    /// Fee basis points collected by adapter (0-10000)
    pub fee_bps: u16,
    /// Total fees collected
    pub fees_collected: u64,
    /// Owner with upgrade privileges
    pub owner: Pubkey,
    /// Whether adapter is paused
    pub is_paused: bool,
}

impl AdapterState {
    pub const LEN: usize = 8 + // discriminator
        1 + // bump
        8 + // total_volume
        2 + // fee_bps
        8 + // fees_collected
        32 + // owner
        1; // is_paused
}

## Instruction Handlers Deep Dive

### Core Swap Instruction

The swap instruction implements the primary trading functionality, validating all accounts and delegating to Raydium via CPI.

```rust
#[derive(Accounts)]
pub struct Swap<'info> {
    #[account(mut)]
    pub user: Signer<'info>,
    
    #[account(
        mut,
        seeds = [b"adapter", program_id.as_ref()],
        bump = adapter_state.bump,
        constraint = !adapter_state.is_paused @ AdapterError::AdapterPaused
    )]
    pub adapter_state: Account<'info, AdapterState>,
    
    /// CHECK: Validated by constraint against known Raydium program ID
    #[account(address = RAYDIUM_AMM_ID)]
    pub raydium_program: AccountInfo<'info>,
    
    #[account(mut)]
    /// CHECK: Raydium validates this account
    pub pool: AccountInfo<'info>,
    
    #[account(
        seeds = [pool.key().as_ref(), b"authority"],
        bump
    )]
    /// CHECK: PDA authority for pool vaults
    pub pool_authority: AccountInfo<'info>,
    
    #[account(mut)]
    /// CHECK: Validated by Raydium program
    pub token_vault_a: AccountInfo<'info>,
    
    #[account(mut)]
    /// CHECK: Validated by Raydium program
    pub token_vault_b: AccountInfo<'info>,
    
    #[account(
        mut,
        constraint = user_token_a.owner == user.key() @ AdapterError::InvalidTokenOwner
    )]
    pub user_token_a: Account<'info, TokenAccount>,
    
    #[account(mut)]
    pub user_token_b: Account<'info, TokenAccount>,
    
    pub token_program: Program<'info, Token>,
    pub system_program: Program<'info, System>,
    
    /// CHECK: Serum market account for price reference
    #[account(mut)]
    pub serum_market: AccountInfo<'info>,
}

#[derive(AnchorSerialize, AnchorDeserialize)]
pub struct SwapArgs {
    /// Amount of token A to swap (max to spend)
    pub amount_in: u64,
    /// Minimum amount of token B to receive (slippage protection)
    pub min_amount_out: u64,
    /// Referral fee destination (optional)
    pub referral_account: Option<Pubkey>,
}

The swap execution involves several key mathematical operations for fee calculation and slippage protection:

**Effective Input Amount Calculation** (after adapter fees):
```latex
$$dx_{eff} = dx \cdot (1 - f_{adapter})$$

Where $dx$ is the input amount and $f_{adapter}$ is the adapter fee in basis points.

**Raydium's Swap Formula** (simplified constant product with order book integration):
```latex
$$dy = \begin{cases} 
\frac{y \cdot dx_{eff}}{x + dx_{eff}} & \text{if AMM only} \\
\text{CLOB\_FILL} + \text{AMM\_FILL} & \text{hybrid execution}
\end{cases}$$

**Slippage Validation**:
```latex
$$dy_{actual} \ge dy_{min}$$

Where $dy_{min}$ is the user-specified minimum output.

### Implementation Details

```rust
pub fn swap(ctx: Context<Swap>, args: SwapArgs) -> Result<()> {
    let adapter_state = &mut ctx.accounts.adapter_state;
    
    // Calculate adapter fee (if any)
    let fee_amount = if adapter_state.fee_bps > 0 {
        args.amount_in
            .checked_mul(adapter_state.fee_bps as u64)
            .ok_or(AdapterError::MathOverflow)?
            .checked_div(10000)
            .ok_or(AdapterError::MathOverflow)?
    } else {
        0
    };
    
    let effective_amount_in = args.amount_in
        .checked_sub(fee_amount)
        .ok_or(AdapterError::InvalidFeeCalculation)?;
    
    // Update adapter statistics
    adapter_state.total_volume = adapter_state.total_volume
        .checked_add(args.amount_in)
        .ok_or(AdapterError::MathOverflow)?;
    
    adapter_state.fees_collected = adapter_state.fees_collected
        .checked_add(fee_amount)
        .ok_or(AdapterError::MathOverflow)?;
    
    // Prepare CPI to Raydium
    let raydium_program = ctx.accounts.raydium_program.to_account_info();
    let cpi_accounts = raydium::cpi::accounts::Swap {
        pool: ctx.accounts.pool.clone(),
        pool_authority: ctx.accounts.pool_authority.clone(),
        token_vault_a: ctx.accounts.token_vault_a.clone(),
        token_vault_b: ctx.accounts.token_vault_b.clone(),
        user_token_a: ctx.accounts.user_token_a.to_account_info(),
        user_token_b: ctx.accounts.user_token_b.to_account_info(),
        serum_market: ctx.accounts.serum_market.clone(),
        token_program: ctx.accounts.token_program.to_account_info(),
    };
    
    let cpi_args = raydium::instruction::Swap {
        amount_in: effective_amount_in,
        min_amount_out: args.min_amount_out,
    };
    
    // Execute CPI to Raydium
    let cpi_ctx = CpiContext::new(raydium_program, cpi_accounts);
    raydium::cpi::swap(cpi_ctx, cpi_args)?;
    
    emit!(SwapEvent {
        user: ctx.accounts.user.key(),
        amount_in: args.amount_in,
        fee_amount,
        timestamp: Clock::get()?.unix_timestamp,
    });
    
    Ok(())
}

### Instruction Flow Diagram

```mermaid
sequenceDiagram
    participant U as User
    participant A as Anchor Adapter
    participant R as Raydium AMM
    participant T as Token Program
    participant S as Serum

    U->>A: swap(amount_in, min_amount_out)
    Note over A: Validate all accounts
    Note over A: Calculate adapter fees
    Note over A: Update adapter state
    
    A->>R: CPI: swap(effective_amount_in, min_amount_out)
    R->>S: Query order book for best price
    S-->>R: Return available liquidity
    
    alt Order book has liquidity
        R->>T: Transfer from Serum vaults
    else Use AMM liquidity
        R->>T: Transfer from AMM vaults
    end
    
    Note over R: Execute hybrid swap logic
    R->>T: Transfer tokens to user
    T-->>R: Confirm transfer success
    R-->>A: Return swap result
    A->>A: Emit SwapEvent
    A-->>U: Transaction complete

Code Walkthrough

Raydium CPI Module Definition

To interface with Raydium's non-Anchor program, we define a CPI module with the exact instruction and account structures:

pub mod raydium {
    use anchor_lang::prelude::*;
    use anchor_lang::solana_program::instruction::Instruction;
    
    pub const RAYDIUM_AMM_ID: Pubkey = pubkey!("675kPX9MHTjS2zt1qfr1NYHuzeLXfQM9H24wFSUt1Mp8");
    
    #[derive(Accounts)]
    pub struct Swap<'info> {
        // Account definitions matching Raydium's expectations
        #[account(mut)]
        pub pool: AccountInfo<'info>,
        pub pool_authority: AccountInfo<'info>,
        #[account(mut)]
        pub token_vault_a: AccountInfo<'info>,
        #[account(mut)]
        pub token_vault_b: AccountInfo<'info>,
        #[account(mut)]
        pub user_token_a: AccountInfo<'info>,
        #[account(mut)]
        pub user_token_b: AccountInfo<'info>,
        #[account(mut)]
        pub serum_market: AccountInfo<'info>,
        pub token_program: AccountInfo<'info>,
    }
    
    #[derive(AnchorSerialize, AnchorDeserialize)]
    pub struct SwapArgs {
        pub amount_in: u64,
        pub min_amount_out: u64,
    }
    
    pub fn swap<'info>(
        ctx: CpiContext<'_, '_, '_, 'info, Swap<'info>>,
        args: SwapArgs,
    ) -> Result<()> {
        let ix = Instruction {
            program_id: RAYDIUM_AMM_ID,
            accounts: vec![
                AccountMeta::new(ctx.accounts.pool.key(), false),
                AccountMeta::new_readonly(ctx.accounts.pool_authority.key(), false),
                AccountMeta::new(ctx.accounts.token_vault_a.key(), false),
                AccountMeta::new(ctx.accounts.token_vault_b.key(), false),
                AccountMeta::new(ctx.accounts.user_token_a.key(), false),
                AccountMeta::new(ctx.accounts.user_token_b.key(), false),
                AccountMeta::new(ctx.accounts.serum_market.key(), false),
                AccountMeta::new_readonly(ctx.accounts.token_program.key(), false),
            ],
            data: encode_swap_instruction(args),
        };
        
        anchor_lang::solana_program::program::invoke(
            &ix,
            &[
                ctx.accounts.pool.clone(),
                ctx.accounts.pool_authority.clone(),
                ctx.accounts.token_vault_a.clone(),
                ctx.accounts.token_vault_b.clone(),
                ctx.accounts.user_token_a.clone(),
                ctx.accounts.user_token_b.clone(),
                ctx.accounts.serum_market.clone(),
                ctx.accounts.token_program.clone(),
            ],
        )?;
        
        Ok(())
    }
    
    fn encode_swap_instruction(args: SwapArgs) -> Vec<u8> {
        // Raydium uses a specific instruction discriminator for swap
        let mut data = vec![0x07]; // Swap instruction discriminator
        data.extend_from_slice(&args.amount_in.to_le_bytes());
        data.extend_from_slice(&args.min_amount_out.to_le_bytes());
        data
    }
}

### Event Emission Structure

Proper event emission is crucial for indexers and frontends:

```rust
#[event]
pub struct SwapEvent {
    #[index]
    pub user: Pubkey,
    pub amount_in: u64,
    pub fee_amount: u64,
    pub timestamp: i64,
}

#[event]
pub struct PoolCreatedEvent {
    pub pool: Pubkey,
    pub token_a: Pubkey,
    pub token_b: Pubkey,
    pub creator: Pubkey,
    pub timestamp: i64,
}

## Solana & Anchor Best Practices

### 1. Account Model Optimization

**Hot Account Mitigation**: Raydium's design minimizes account contention by separating:
- **Read-only accounts**: Pool configuration, token metadata
- **Mutable accounts**: Token vaults (high contention)
- **PDA authorities**: Derived addresses for access control

```rust
// Good: Separating read-only from mutable accounts
#[derive(Accounts)]
pub struct OptimizedSwap<'info> {
    // Read-only accounts (no write locks)
    pub pool_config: Account<'info, PoolConfig>,
    
    // Mutable accounts (write locks, potential contention)
    #[account(mut)]
    pub token_vault_a: Account<'info, TokenAccount>,
    #[account(mut)]
    pub token_vault_b: Account<'info, TokenAccount>,
}

### 2. Compute Unit Management

Raydium operations can be compute-intensive. Implement proper budgeting:

```rust
// Set appropriate compute budget for complex swaps
#[instruction]
pub fn complex_swap(ctx: Context<ComplexSwap>, args: SwapArgs) -> Result<()> {
    // Request additional compute units for order book integration
    let compute_budget = ComputeBudgetInstruction::set_compute_unit_limit(200_000);
    let compute_price = ComputeBudgetInstruction::set_compute_unit_price(10_000);
    
    // These would be added to transaction elsewhere
    Ok(())
}

### 3. Token-2022 Compatibility

Handle token extensions correctly:

```rust
pub fn transfer_tokens_2022_compatible(
    source: &AccountInfo,
    destination: &AccountInfo,
    authority: &AccountInfo,
    amount: u64,
    token_program: &AccountInfo,
) -> Result<()> {
    // Check if it's Token-2022
    if token_program.key() == token_2022::ID {
        // Handle transfer fees and hooks
        let transfer_args = token_2022::instruction::transfer_checked(
            token_program.key,
            source.key,
            destination.key,
            authority.key,
            &[],
            amount,
            9, // decimals
        )?;
        // ... invoke
    } else {
        // Standard SPL Token transfer
        let transfer_args = spl_token::instruction::transfer(
            token_program.key,
            source.key,
            destination.key,
            authority.key,
            &[],
            amount,
        )?;
        // ... invoke
    }
    Ok(())
}

## Security Considerations

### 1. Access Control Patterns

Implement multi-level access control:

```rust
pub fn admin_only(ctx: &Context<AdminAction>) -> Result<()> {
    // PDA-based admin verification
    let (expected_admin_pda, bump) = Pubkey::find_program_address(
        &[b"admin", ctx.accounts.adapter_state.key().as_ref()],
        ctx.program_id
    );
    
    require!(
        ctx.accounts.admin.key() == expected_admin_pda,
        AdapterError::Unauthorized
    );
    
    Ok(())
}

pub fn timelock_emergency_pause(ctx: &Context<EmergencyPause>) -> Result<()> {
    // Require multisig or timelock for critical actions
    let clock = Clock::get()?;
    let last_pause = ctx.accounts.adapter_state.last_pause_timestamp;
    
    require!(
        clock.unix_timestamp - last_pause > 86400, // 24-hour cooldown
        AdapterError::PauseCooldownActive
    );
    
    Ok(())
}

### 2. Input Validation

Comprehensive input validation prevents exploitation:

```rust
pub fn validate_swap_args(args: &SwapArgs) -> Result<()> {
    // Prevent zero-value swaps
    require!(args.amount_in > 0, AdapterError::ZeroAmount);
    
    // Prevent dust attacks
    require!(args.amount_in >= 1000, AdapterError::AmountTooSmall);
    
    // Validate slippage tolerance (max 50%)
    let max_slippage = args.min_amount_out
        .checked_mul(2)
        .ok_or(AdapterError::MathOverflow)?;
    
    require!(
        args.min_amount_out > 0 && max_slippage > args.amount_in,
        AdapterError::InvalidSlippage
    );
    
    Ok(())
}

### 3. Reentrancy Protection

While Solana's parallel execution model reduces reentrancy risk, implement protection for CPI calls:

```rust
pub struct Swap<'info> {
    #[account(
        mut,
        constraint = !swap_in_progress @ AdapterError::ReentrancyDetected
    )]
    pub adapter_state: Account<'info, AdapterState>,
    // ...
}

// Set flag before CPI, clear after
adapter_state.swap_in_progress = true;
// ... CPI to Raydium
adapter_state.swap_in_progress = false;

### 4. Audit Checklist for AMM Adapters

1. **✓** Validate all program IDs against known addresses
2. **✓** Check token account ownership matches expected users
3. **✓** Implement slippage protection with reasonable bounds
4. **✓** Use PDAs for authority where possible
5. **✓** Handle arithmetic overflow with checked math
6. **✓** Emit events for all state changes
7. **✓** Implement emergency pause functionality
8. **✓** Test with Token-2022 extensions
9. **✓** Validate pool authority PDAs match pool accounts
10. **✓** Implement proper fee accounting and distribution

## How to Use This Contract

### Building and Deployment

```bash
# Clone and build
git clone <repository>
cd raydium-adapter
anchor build

# Deploy to mainnet
anchor deploy --provider.cluster mainnet \
  --program-name raydium_adapter \
  --program-id <YOUR_PROGRAM_ID>

### TypeScript Client Example

```typescript
import * as anchor from "@coral-xyz/anchor";
import { Program } from "@coral-xyz/anchor";
import { RaydiumAdapter } from "./target/types/raydium_adapter";

const provider = anchor.AnchorProvider.env();
anchor.setProvider(provider);

const program = anchor.workspace.RaydiumAdapter as Program<RaydiumAdapter>;

async function swapTokens(
  poolAddress: anchor.web3.PublicKey,
  amountIn: anchor.BN,
  minAmountOut: anchor.BN
) {
  // Derive adapter state PDA
  const [adapterState] = anchor.web3.PublicKey.findProgramAddressSync(
    [Buffer.from("adapter"), program.programId.toBuffer()],
    program.programId
  );

  // Fetch pool data to get vault addresses
  const poolData = await program.account.pool.fetch(poolAddress);
  
  const tx = await program.methods
    .swap({
      amountIn,
      minAmountOut,
      referralAccount: null,
    })
    .accounts({
      user: provider.wallet.publicKey,
      adapterState,
      pool: poolAddress,
      tokenVaultA: poolData.tokenVaultA,
      tokenVaultB: poolData.tokenVaultB,
      userTokenA: userTokenAAccount,
      userTokenB: userTokenBAccount,
      serumMarket: poolData.serumMarket,
    })
    .rpc();

  console.log("Swap transaction:", tx);
}

### Required Pre-flight Checks

```typescript
async function validateSwap(
  program: Program<RaydiumAdapter>,
  accounts: any
): Promise<boolean> {
  // 1. Verify pool is active
  const pool = await program.account.pool.fetch(accounts.pool);
  if (pool.isPaused) throw new Error("Pool paused");
  
  // 2. Check adapter status
  const adapterState = await program.account.adapterState
    .fetch(accounts.adapterState);
  if (adapterState.isPaused) throw new Error("Adapter paused");
  
  // 3. Verify token accounts
  const tokenAccountA = await getTokenAccount(accounts.userTokenA);
  if (tokenAccountA.amount < amountIn) {
    throw new Error("Insufficient balance");
  }
  
  // 4. Simulate swap for slippage
  const simulatedOut = await simulateRaydiumSwap(
    poolAddress,
    amountIn,
    serumMarket
  );
  
  if (simulatedOut.lt(minAmountOut)) {
    throw new Error(`Insufficient output: ${simulatedOut} < ${minAmountOut}`);
  }
  
  return true;
}

## Extending the Contract

### Adding New Instructions

To add liquidity provision functionality:

```rust
#[derive(Accounts)]
pub struct AddLiquidity<'info> {
    // Reuse existing accounts
    #[account(mut)]
    pub user: Signer<'info>,
    pub pool: AccountInfo<'info>,
    
    // Add liquidity-specific accounts
    #[account(mut)]
    pub lp_token_mint: Account<'info, Mint>,
    #[account(mut)]
    pub user_lp_token_account: Account<'info, TokenAccount>,
    
    // ... other accounts
}

pub fn add_liquidity(
    ctx: Context<AddLiquidity>,
    amount_a: u64,
    amount_b: u64,
) -> Result<()> {
    // Validate ratio matches pool reserves
    let pool_data = deserialize_pool_data(&ctx.accounts.pool.data.borrow())?;
    
    let ratio_a = amount_a
        .checked_mul(pool_data.reserve_b)
        .ok_or(AdapterError::MathOverflow)?;
    
    let ratio_b = amount_b
        .checked_mul(pool_data.reserve_a)
        .ok_or(AdapterError::MathOverflow)?;
    
    // Allow 1% deviation for pool deposits
    let deviation = ratio_a.abs_diff(ratio_b)
        .checked_mul(100)
        .ok_or(AdapterError::MathOverflow)?
        .checked_div(ratio_a.min(ratio_b))
        .ok_or(AdapterError::MathOverflow)?;
    
    require!(deviation <= 1, AdapterError::InvalidRatio);
    
    // CPI to Raydium's add_liquidity instruction
    // ...
    
    Ok(())
}

### Customization Points

1. **Fee Structure Modification**:
```rust
pub struct DynamicFeeConfig {
    pub base_fee_bps: u16,
    pub volume_tiers: Vec<(u64, u16)>, // (volume_threshold, fee_bps)
    pub time_based_discounts: Vec<(i64, u16)>, // (timestamp, discount_bps)
}

impl DynamicFeeConfig {
    pub fn calculate_fee(&self, volume: u64, timestamp: i64) -> u16 {
        // Implement tiered fee logic
        // ...
    }
}

2. **Cross-Chain Integration**:
```rust
pub struct CrossChainSwap<'info> {
    // Add Wormhole or LayerZero accounts
    pub wormhole_bridge: AccountInfo<'info>,
    pub foreign_chain_token: AccountInfo<'info>,
    // ...
}

### Testing Strategies

```rust
#[cfg(test)]
mod tests {
    use super::*;
    use anchor_lang::solana_program_test::*;
    use anchor_lang::InstructionData;
    
    #[tokio::test]
    async fn test_swap_with_slippage() {
        // Setup test environment
        let mut program_test = ProgramTest::new(
            "raydium_adapter",
            program_id(),
            processor!(processor),
        );
        
        // Add Raydium mock program
        program_test.add_program(
            "raydium_mock",
            raydium_mock::id(),
            processor!(raydium_mock::processor),
        );
        
        // Test slippage protection
        let (mut banks_client, payer, recent_blockhash) = 
            program_test.start().await;
        
        // Execute swap with high slippage
        let tx = Transaction::new_signed_with_payer(
            &[Instruction {
                program_id: program_id(),
                accounts: vec![/* ... */],
                data: SwapArgs {
                    amount_in: 1_000_000,
                    min_amount_out: 999_999, // Unrealistic expectation
                }.data(),
            }],
            Some(&payer.pubkey()),
            &[&payer],
            recent_blockhash,
        );
        
        // Should fail due to slippage
        let result = banks_client.process_transaction(tx).await;
        assert!(result.is_err());
    }
}

## Conclusion

This Raydium AMM adapter demonstrates sophisticated Anchor patterns for interacting with non-Anchor programs on Solana. Key takeaways for developers:

1. **CPI Architecture**: Properly structured CPI calls enable seamless integration with optimized native programs
2. **Account Validation**: Comprehensive account constraints prevent common exploits
3. **PDA Management**: Deterministic address derivation simplifies account relationships
4. **Hybrid Execution**: Supporting both AMM and order book liquidity requires careful state management
5. **Extensibility**: The adapter pattern allows adding new features without modifying core protocols

The contract exemplifies production-ready DeFi development on Solana, balancing security, performance, and maintainability through Anchor's framework while leveraging the raw performance of native Solana programs for core operations.

---

*Note: This implementation is a simplified educational example. Production Raydium integration requires thorough testing, security audits, and consideration of protocol-specific nuances. Always refer to official Raydium documentation for the most up-to-date integration patterns.*

AMM vs CPAMM on Solana — constant product vs CLMM, DLMM, PMM, and order books

December 20, 2025 · 15 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

Solana runtime constraints: accounts, locks, and contention

TL;DR

AMM is the category: any on-chain venue that computes prices algorithmically from state (reserves, parameters, or inventory).
CPAMM / CPMM is one specific AMM family: constant product with invariant x · y = k (Uniswap v2-style).
The useful comparison is CPAMM vs other liquidity designs:
- StableSwap (stable/correlated assets),
- CLMM (concentrated liquidity / ticks),
- DLMM (bin-based liquidity + often dynamic fees),
- PMM / oracle-anchored (proactive quoting around a “fair price”),
- CLOB (order books),
- TWAMM (time-sliced execution),
- bonding-curve launch mechanisms (virtual reserves → migration).
On Solana, the tradeoffs are heavily shaped by:
- account write locks / hot accounts (parallelism vs contention),
- Token-2022 extensions (transfer fees/hooks can break naive “amount_in == amount_received” math),
- router-first distribution (aggregator integration matters),
- MEV & atomic execution tooling (bundles / private routes / quote freshness).

AMM vs CPAMM (and why the wording matters)

AMM (the umbrella)

An AMM is any on-chain market maker that:

holds on-chain state (reserves, inventory, parameters),
updates price algorithmically,
executes swaps against that state.

An on-chain order book can be fully on-chain too, but it’s not an AMM: it matches explicit bids/asks, not a curve/invariant rule.

CPAMM / CPMM (the subtype)

A CPAMM is a constant-function AMM where:

x \cdot y = k

x and y are pool reserves.

So:

all CPAMMs are AMMs
not all AMMs are CPAMMs

CPAMM mechanics in one screen (math + semantics)

Let reserves be (x, y) and you swap dx of X for Y.

Fee model (input fee)

If fee is f (e.g. 0.003 for 30 bps):

dx' = dx \cdot (1 - f)

Output

dy = \frac{y \cdot dx'}{x + dx'}

Reserve update

x := x + dx
y := y - dy

Observed vault delta (Token-2022-safe input amount):

dx_{eff} = vault_{after} - vault_{before}

Price intuition (useful when comparing designs)

Spot price (ignoring fees): p ≈ y/x (direction depends on quote convention)
For small trades, slippage is roughly proportional to trade size / liquidity depth.
Fees retained in the pool tend to increase k over time (LPs get paid via reserve growth).

Comparison tables

Taxonomy and “what is being compared?”

Term / design	Category?	Core idea	Typical on-chain state	Who provides liquidity?	Quote source
AMM	Yes	Algorithmic pricing vs state	varies	varies	curve/parameters/inventory
CFAMM (constant-function AMM)	Yes	Trades move along an invariant	reserves + params	LPs or protocol	invariant
CPAMM / CPMM	Yes	`x*y=k`	2 vaults + pool state (+ LP mint)	passive LPs	reserves ratio
StableSwap	Yes	hybrid curve (sum-like near peg)	vaults + params (A, etc.)	passive LPs	curve + params
CLMM	Yes	liquidity concentrated in ranges/ticks	vaults + tick arrays + position accounts	active LPs	ticks + reserves
DLMM (bins)	Yes	discrete bins + liquidity distribution	vaults + bin arrays + position state	active/semi-active LPs	bins + params
PMM / oracle-anchored	Yes	price anchored to oracle fair value	inventory + params + oracle feeds	market maker / protocol	oracle + model
CLOB (order book)	No (not AMM)	match bids/asks	market + order state	makers	limit orders
TWAMM	No (mechanism)	execute large order over time	long-term order state	trader orders	schedule
Bonding curve launch	Yes (often)	virtual reserves / issuance curve	curve params + reserves	launch pool	curve

Trader view: execution quality & UX

Design	Typical spread / slippage (for same TVL)	“Always liquid”?	Best for	Pain points (trader)	Router friendliness
CPAMM	worst for tight markets	Yes	long-tail discovery, simple swaps	high price impact without huge TVL	high (simple routes)
StableSwap	excellent near peg	Yes (until extreme imbalance)	stable/stable, correlated assets	parameter risk; off-peg behavior	high
CLMM	best near spot	No (can be out-of-range)	majors, low slippage	depth depends on LP ranges	high (but more accounts)
DLMM	very good when bins are well-set	mostly	structured liquidity & dynamic fees	bin distribution matters	high (but more accounts)
PMM	potentially excellent	depends on MM inventory	majors & flow-driven quoting	oracle/model risk; opaque behavior	high if integrated (RFQ-like)
CLOB	best when book is thick	n/a	pro trading, limit orders	needs makers & incentives	medium/high (depends on infra)
TWAMM	optimized for large orders	n/a	size execution	not instant	routed as a strategy leg
Bonding curve	deterministic but can be harsh	curve-dependent	launches	can be gamed / MEV-heavy	usually “launch-only”

LP view: risk, complexity, and who wins when

Design	LP position type	Capital efficiency	IL profile	Operational complexity	Who tends to outperform?
CPAMM	fungible LP token	low	classic IL (full range)	low	passive LPs in long-tail / high fees
StableSwap	often fungible LP	high near peg	smaller IL near peg	medium	LPs in correlated pairs
CLMM	tokenized/NFT-like position	very high	can be worse if misranged	high	sophisticated LPs / managed vaults
DLMM	bin/strategy position state	high (configurable)	strategy-dependent	medium/high	strategy LPs; can be “MM-like”
PMM	usually MM-managed inventory	high	model-controlled	high	market makers (not passive LPs)
CLOB	maker orders	n/a	inventory risk, not IL	high	professional makers
Bonding curve	not traditional LP	n/a	n/a	medium	launch designers + snipers (unless mitigated)

Solana runtime view: contention, accounts, compute

This is the table people skip, but it often determines what scales.

Design	What gets written per swap?	Hot-account tendency	Parallelism shape	Tx/account footprint	Notes
CPAMM	same pool state + both vaults	high	many swaps serialize on same pool	low/medium	simplest, but hotspot-prone
StableSwap	same as CP-ish + params	high	similar to CP contention	medium	more compute than CP
CLMM	vaults + tick arrays + position-related state	medium	can shard via tick arrays	higher	more accounts; better scaling shape
DLMM	vaults + active bin(s) + params	medium	can shard by bins	higher	depends on bin layout
PMM	inventory + oracle state + params	low/medium	depends on design	medium	quote updates may dominate
CLOB	market state + order matching state	varies	depends on matching engine design	high	crankless helps UX
TWAMM	long-term order state + execution legs	n/a	time-sliced	medium/high	often pairs with CLOB/AMM legs

Parameter surface area (“knobs you must ship and maintain”)

Design	Parameters you can’t ignore	Tuning difficulty	Common footguns
CPAMM	fee bps, min liquidity lock, rounding rules	low	overflow in `x*y`, wrong deposit proportionality
StableSwap	amplification A, fee(s), admin fees, ramping	medium/high	bad A → fragility near peg/off-peg
CLMM	tick spacing, fee tier(s), init price, range UX	high	tick array provisioning, out-of-range UX
DLMM	bin step, dynamic fee curve, rebalancing rules	medium/high	bin skew → bad execution; edge-bin depletion
PMM	oracle choice, spread model, inventory/risk limits	very high	stale oracle, model blowups, adversarial flow
CLOB	tick size, lot size, maker/taker fees, risk limits	high	dust orders, spam, maker incentives
Bonding curve	virtual reserves, slope, caps, migration rules	high	sniping, MEV extraction, mispriced curve

Token-2022 / “non-standard token semantics” compatibility

Token-2022 extensions change what “amount in” means.

Token feature	What breaks in naive AMMs	Safe pattern	Designs most sensitive
Transfer fee	`amount_in` ≠ vault delta	compute `dx = vault_after - vault_before`	all curve AMMs
Transfer hook	extra logic executed on transfer	strict account lists; avoid re-entrancy assumptions	all; especially CPI-heavy
Confidential transfers	you can’t observe amounts easily	often incompatible without special support	most AMMs
Interest-bearing	balances drift over time	use observed balances; avoid cached reserves	all pool AMMs
Memo/metadata ext	usually fine	no-op	none

Rule of thumb: if you don’t base math on observed vault deltas, you’re designing for 2019 SPL Token semantics.

MEV & adversarial flow profile

Design	Sandwich susceptibility	“Pick-off” risk	Mitigations that actually work	Notes
CPAMM	high	high	private routing, tighter fees, better routing, smaller hops	passive curve is easy to arb
StableSwap	medium	medium	similar; parameter robustness	off-peg events get brutal
CLMM	medium	high (LPs)	managed LP vaults; dynamic fees	LPs can get wrecked by volatility
DLMM	medium	medium/high	dynamic fees, bin strategy	depends on fee model
PMM	low/medium	medium	oracle + inventory + RFQ-style routing	“MM-like” behavior
CLOB	medium	medium	maker protections, anti-spam, risk controls	depends on market design
Bonding curve	very high	very high	anti-bot design + fair launch mechanics	launch is an MEV magnet

“Which one should I choose?” (builder POV)

If your goal is…	Pick	Because	But be honest about…
ship fastest + minimal state	CPAMM	simplest accounts & math	contention + worse execution unless TVL is high
best majors execution with public LPs	CLMM	capital efficiency near spot	position UX + account explosion
stable pairs / correlated assets	StableSwap	low slippage near peg	parameter tuning & off-peg behavior
strategy-friendly liquidity	DLMM	bins + dynamic fees can match volatility	bin UX + more moving parts
tight quotes controlled by MM logic	PMM	can beat passive curves	oracle/model risk is the product
limit orders + pro features	CLOB	explicit bids/asks	maker bootstrapping + ops complexity
reduce impact of whale flow	TWAMM (+ a venue)	time-slicing	needs execution infra
token launch discovery path	Bonding curve → migrate	deterministic launch → deep liquidity later	launch MEV + migration design

A “migration path” table (how protocols evolve in practice)

Phase	Typical mechanism	Why it fits	What you usually add next
launch / discovery	bonding curve / small CP pool	simple, deterministic	anti-bot + migration
early liquidity	CPAMM	easy integrations	multiple fee tiers / incentives
scaling majors	CLMM or DLMM	better execution	managed LP vaults
pro trading	CLOB	limit orders	cross-margin/perps
flow optimization	PMM / RFQ-like	best execution for routed flow	private routing + inventory mgmt
large order UX	TWAMM	reduces impact	bundle/atomic strategies

Anchor CPAMM: the “don’t ship this” checklist (most common bugs)

1) Proportional deposits are ratios, not products

If you want users to deposit proportionally, you preserve:

amount_a / amount_b ≈ reserve_a / reserve_b

A clamp-style approach:

\Delta b = \Delta a \cdot \frac{reserve_b}{reserve_a}

and then you clamp the other side if user supplies less.

2) LP minting: `sqrt(Δa·Δb)` is bootstrap-only

For subsequent deposits, use proportional minting:

liquidity = \min\left( \frac{\Delta a \cdot supply}{reserve_a}, \frac{\Delta b \cdot supply}{reserve_b} \right)

Otherwise LP shares drift and you can mint unfairly.

3) Invariant checks must be `A·B` and must use `u128`

If you verify k, do:

new_x * new_y >= old_k (often allowing rounding to favor LPs)
compute with u128 intermediates.

4) Token-2022: do not trust `amount_in`

For fee-on-transfer tokens:

the only safe dx is vault_after - vault_before.

Minimal “correct CPAMM math” snippet (overflow-safe, vault-delta friendly)

/// Compute CPAMM output (dy) from reserves (x, y) and effective input (dx_eff),
/// using u128 intermediates to avoid u64 overflow.
///
/// IMPORTANT (Token-2022):
/// - If the token can take a transfer fee, compute dx_eff from observed vault delta:
///   dx_eff = vault_x_after - vault_x_before
pub fn cpamm_out_amount(x: u64, y: u64, dx_eff: u64) -> u64 {
    let x = x as u128;
    let y = y as u128;
    let dx = dx_eff as u128;

    // dy = (y * dx) / (x + dx)
    let den = x + dx;
    if den == 0 {
        return 0;
    }

    let dy = (y * dx) / den;
    dy.min(u64::MAX as u128) as u64
}

Extra comparison tables (for the “systems” view)

Public API ergonomics: what you expose to integrators

Design	“Simple swap” interface	Quote interface	Common integration shape	Gotcha
CPAMM	`swap(amount_in, min_out)`	deterministic from reserves	direct CPI	need observed deltas for Token-2022
CLMM	same, but more accounts	tick-dependent	SDK computes accounts	account list errors are common
DLMM	similar	bin-dependent + dynamic fee	SDK required	bin selection correctness matters
PMM	often RFQ-like	oracle + MM params	router integration is key	“quote freshness” is the product
CLOB	order placement	book data	off-chain client + on-chain settle	maker ops are non-trivial

Testing strategy: what to property-test per design

Design	Invariants to test	Edge cases	Suggested approach
CPAMM	`k` non-decrease (fee), no negative reserves	rounding, overflow, zero-liquidity	property tests with random swaps
StableSwap	monotonicity near peg, conservation	extreme imbalance, A ramps	fuzz + numerical bounds
CLMM	tick crossing correctness, fee growth	boundary ticks, out-of-range	differential tests vs reference
DLMM	bin transitions, dynamic fee function	bin depletion, fee spikes	fuzz + scenario sims
PMM	oracle staleness handling, risk limits	oracle outages, adversarial flow	simulation + kill-switch tests
CLOB	matching engine correctness	self-trade, partial fills	deterministic replay tests

References (URLs)

Uniswap v2 constant product (conceptual): https://docs.uniswap.org/contracts/v2/concepts/protocol-overview/how-uniswap-works
SPL Token Swap constant product curve (Solana reference implementation notes): https://github.com/solana-labs/solana-program-library/blob/master/docs/src/token-swap.md
Curve StableSwap overview (hybrid curve intuition): https://docs.curve.finance/stableswap-exchange/overview/
Orca Whirlpools (CLMM/CLAMM on Solana): https://dev.orca.so/ https://github.com/orca-so/whirlpools
Raydium constant product pool creation (CP/CPMM program docs): https://docs.raydium.io/raydium/pool-creation/creating-a-constant-product-pool https://docs.raydium.io/raydium/protocol/developers/addresses
Meteora (DLMM + enhanced constant product families): https://docs.meteora.ag/developer-guide/home https://docs.meteora.ag/user-guide/guides/how-to-use-dlmm https://docs.meteora.ag/overview/products/damm-v2/what-is-damm-v2 https://docs.meteora.ag/overview/products/dbc/what-is-dbc https://github.com/MeteoraAg/dynamic-bonding-curve
Lifinity (PMM / oracle-anchored market making on Solana): https://docs.lifinity.io/
Phoenix (crankless on-chain order book infra): https://github.com/Ellipsis-Labs/phoenix-v1
OpenBook v2 (CLOB program): https://github.com/openbook-dex/openbook-v2
Solana TWAMM: https://github.com/solana-labs/twamm
Token-2022 extensions (transfer fees / transfer hooks): https://solana.com/docs/tokens/extensions https://solana.com/docs/tokens/extensions/transfer-fees https://solana.com/developers/guides/token-extensions/transfer-hook
Jupiter routing (what venues get routed): https://support.jup.ag/hc/en-us/articles/22627174618780-Which-AMMs-does-Jupiter-route-through

Tokio vs tokio-stream in WebSocket adapters - stream-first vs select!

September 5, 2025 · 6 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

TL;DR

Tokio is the runtime and low-level primitives (tasks, I/O, timers, channels, tokio::select!).
tokio-stream is an optional companion that:
- wraps Tokio primitives into Streams (e.g., ReceiverStream, BroadcastStream, IntervalStream);
- provides combinators (map, filter, merge, timeout, throttle, chunks_timeout, StreamMap) for declarative event pipelines.
If your adapter pulls from channels with recv().await and coordinates with select!, you usually don’t need tokio-stream.
If your adapter exposes or composes Streams (fan-in, time windows, per-item timeouts, etc.), you do.

What each crate gives you

Tokio (runtime + primitives)

#[tokio::main], tokio::spawn, tokio::select!
Channels: tokio::sync::{mpsc, broadcast, watch, oneshot}
Time: tokio::time::{sleep, interval, timeout}
Signals: tokio::signal
Typical style: “manual pump” with recv().await inside a select! loop.

`tokio-stream` (adapters + combinators)

Wrappers (Tokio → Stream):
- wrappers::ReceiverStream<T> ← mpsc::Receiver<T>
- wrappers::UnboundedReceiverStream<T>
- wrappers::BroadcastStream<T> ← broadcast::Receiver<T>
- wrappers::WatchStream<T> ← watch::Receiver<T>
- wrappers::IntervalStream ← tokio::time::Interval
Combinators via StreamExt: next, map, filter, merge (with SelectAll), StreamMap (keyed fan-in), and time-aware ops (timeout, throttle, chunks_timeout) when the crate’s time feature is enabled.

Two idioms for adapters (with complete snippets)

1) Channel + `select!` (“manual pump”) — no `tokio-stream` needed

use tokio::{select, signal, sync::mpsc};

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let (tx, mut rx) = mpsc::channel::<String>(1024);

    // Example producer
    tokio::spawn(async move {
        let _ = tx.send("hello".to_string()).await;
    });

    let mut sigint = signal::ctrl_c();

    loop {
        select! {
            maybe = rx.recv() => {
                match maybe {
                    Some(msg) => { tracing::info!("msg: {msg}"); }
                    None => break, // channel closed
                }
            }
            _ = &mut sigint => {
                tracing::info!("shutting down");
                break;
            }
            else => break,
        }
    }

    Ok(())
}

Pros

Minimal dependencies, explicit control and shutdown.
Clear backpressure semantics via channel capacity.

Cons

Fan-in across many/dynamic sources is verbose.
Transformations (map/filter/batch) are hand-rolled.

2) Stream-first (wrap & compose) — `tokio-stream` recommended

use std::time::Duration;
use tokio::sync::mpsc;
use tokio_stream::{
    wrappers::{ReceiverStream, IntervalStream},
    StreamExt, // for .next() and combinators
};

enum AdapterEvent { User(String), Order(String), Heartbeat }

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let (tx_user, rx_user)   = mpsc::channel::<String>(1024);
    let (tx_order, rx_order) = mpsc::channel::<String>(1024);

    // Example producers
    tokio::spawn(async move { let _ = tx_user.send("u1".into()).await; });
    tokio::spawn(async move { let _ = tx_order.send("o1".into()).await; });

    let ticker  = tokio::time::interval(Duration::from_secs(1));

    let users   = ReceiverStream::new(rx_user).map(AdapterEvent::User);
    let orders  = ReceiverStream::new(rx_order).map(AdapterEvent::Order);
    let beats   = IntervalStream::new(ticker).map(|_| AdapterEvent::Heartbeat);

    // Compose: merge multiple sources and shape the flow
    let mut events =
        users.merge(orders)
             .merge(beats)
             .throttle(Duration::from_millis(20));

    while let Some(ev) = events.next().await {
        match ev {
            AdapterEvent::User(v)      => tracing::info!("user: {v}"),
            AdapterEvent::Order(v)     => tracing::info!("order: {v}"),
            AdapterEvent::Heartbeat    => tracing::debug!("tick"),
        }
    }

    Ok(())
}

Pros

Concise fan-in and transforms (filter/map/batch/timeout).
Natural fit when returning impl Stream<Item = Event> to consumers.

Cons

Adds one dependency; slightly different ownership/lifetimes vs bare Receiver.

Side-by-side: when to use which

Aspect	Channel + `tokio::select!` (no `tokio-stream`)	Stream-first (uses `tokio-stream`)	What the dependency implies
Why it’s used	Pull from channels via `recv().await`, coordinate with `select!`.	Wrap Tokio primitives as `Stream`s and/or use combinators.	Presence of `tokio-stream` signals a stream-centric composition.
Primary abstraction	Futures + channels + `select!`.	`Stream<Item = T>` + wrappers + `StreamExt`.	Stream API → extra crate.
Typical code	`while let Some(x) = rx.recv().await {}`, `select! { ... }`	`ReceiverStream::new(rx).map(...).merge(...).next().await`	Wrappers/combinators imply `tokio-stream`.
Fan-in / merging	Manual `select!` arms; verbose for many/dynamic sources.	`merge`, `SelectAll`, or `StreamMap` for succinct fan-in.	`tokio-stream` buys tools for multiplexing.
Timers / heartbeats	`interval()` polled in loops.	`IntervalStream` + `timeout`/`throttle`/`chunks_timeout`.	Time-aware ops rely on `tokio-stream` + features.
Public API shape	Pull: `async fn next_event() -> Option<T>`.	Stream: `fn into_stream(self) -> impl Stream<Item = T>`.	Exposing a stream often requires the crate.
Composability	Hand-rolled transforms.	One-liners with `StreamExt` (map/filter/batch).	Enables declarative pipelines.
Backpressure	Channel capacity governs it; explicit.	Same channels underneath; wrappers don’t change capacity.	Neutral; it’s about ergonomics.
Fairness/ordering	`select!` randomizes fairness per iteration.	Per-stream order preserved; cross-stream order depends on combinator.	Document semantics either way.
Testability	Manual harnesses around loops.	`.take(n)`, `.collect::<Vec<_>>()`, etc.	Stream APIs are often easier to test.
Cost / deps	Lean; no extra crate.	Adds `tokio-stream`; thin adapter overhead.	Main cost is dependency surface.

Design recipes (complete, paste-ready)

A) Channel-first everywhere (leanest; drop `tokio-stream`)

Keep a pull API like next_event().
Use tokio::time::timeout for per-item deadlines.

use std::time::Duration;
use tokio::{sync::mpsc, time::timeout};

pub async fn pump_with_timeout(mut rx: mpsc::Receiver<String>) -> anyhow::Result<()> {
    loop {
        match timeout(Duration::from_secs(5), rx.recv()).await {
            Ok(Some(msg)) => tracing::info!("msg: {msg}"),
            Ok(None)      => break,  // channel closed
            Err(_)        => tracing::warn!("no event within 5s"),
        }
    }
    Ok(())
}

B) Offer both (feature-gated Stream API)

Cargo.toml

[features]
default = []
stream-api = ["tokio-stream"]

[dependencies]
tokio = { version = "1", features = ["rt-multi-thread","macros","sync","time","signal"] }
tokio-stream = { version = "0.1", optional = true }

Client

#[cfg(feature = "stream-api")]
use tokio_stream::wrappers::ReceiverStream;

pub struct Client {
    rx_inbound: tokio::sync::mpsc::Receiver<MyEvent>,
}

impl Client {
    pub async fn next_event(&mut self) -> Option<MyEvent> {
        self.rx_inbound.recv().await
    }

    #[cfg(feature = "stream-api")]
    pub fn into_stream(self) -> ReceiverStream<MyEvent> {
        ReceiverStream::new(self.rx_inbound)
    }
}

C) Stream-first everywhere (plus pull convenience)

Internally fan-out via broadcast so multiple consumers can subscribe.

use tokio::sync::{mpsc, broadcast};
use tokio_stream::wrappers::BroadcastStream;

pub struct Client {
    rx_inbound: mpsc::Receiver<Event>,     // pull path
    bus:        broadcast::Sender<Event>,  // stream path
    _reader:    tokio::task::JoinHandle<()>,
}

impl Client {
    pub async fn next_event(&mut self) -> Option<Event> {
        self.rx_inbound.recv().await
    }

    pub fn event_stream(&self) -> BroadcastStream<Event> {
        BroadcastStream::new(self.bus.subscribe())
    }
}

D) Expose a `Stream` without `tokio-stream`

Implement Stream directly over mpsc::Receiver via poll_recv.

use futures_core::Stream;
use pin_project_lite::pin_project;
use std::{pin::Pin, task::{Context, Poll}};
use tokio::sync::mpsc;

pin_project! {
    pub struct EventStream<T> {
        #[pin]
        rx: mpsc::Receiver<T>,
    }
}

impl<T> EventStream<T> {
    pub fn new(rx: mpsc::Receiver<T>) -> Self { Self { rx } }
}

impl<T> Stream for EventStream<T> {
    type Item = T;
    fn poll_next(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
        self.project().rx.poll_recv(cx)
    }
}

Performance, backpressure, ordering

Overhead: ReceiverStream is a thin adapter; hot-path costs are typically parsing/allocations, not the wrapper.
Backpressure: unchanged—governed by channel boundedness and consumer speed.
Ordering: per-stream order is preserved; merged streams don’t guarantee global order—timestamp if strict ordering matters.
Fairness: tokio::select! randomizes branch polling; stream fan-in fairness depends on the specific combinator (merge, SelectAll, StreamMap).

A quick decision checklist

Need to return impl Stream<Item = Event> or use stream combinators? → Use tokio-stream.
Only need a single event loop with recv().await and select!? → Tokio alone is fine.
Want both ergonomics and lean defaults? → Feature-gate a stream view (stream-api).

References (URLs)

Tokio crate (runtime & primitives): https://docs.rs/tokio/latest/tokio/
tokio::select! macro: https://docs.rs/tokio/latest/tokio/macro.select.html
tokio::sync::mpsc::Receiver: https://docs.rs/tokio/latest/tokio/sync/mpsc/struct.Receiver.html
Tokio tutorial — Channels: https://tokio.rs/tokio/tutorial/channels
Tokio tutorial — Streams (overview of the pattern): https://tokio.rs/tokio/tutorial/streams
tokio-stream (overview): https://docs.rs/tokio-stream
ReceiverStream: https://docs.rs/tokio-stream/latest/tokio_stream/wrappers/struct.ReceiverStream.html
StreamMap: https://docs.rs/tokio-stream/latest/tokio_stream/struct.StreamMap.html
Futures Stream trait: https://docs.rs/futures-core/latest/futures_core/stream/trait.Stream.html
tokio-tungstenite WebSocketStream (Stream + Sink): https://docs.rs/tokio-tungstenite/latest/tokio_tungstenite/struct.WebSocketStream.html

Hyperliquid Gasless Trading – Deep Comparison, Fees, and 20 Optimized Strategies

September 4, 2025 · 6 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

TL;DR Hyperliquid runs its own Layer-1 with two execution domains:

HyperCore — native on-chain central limit order book (CLOB), margin, funding, liquidations.

HyperEVM — standard EVM runtime (gas metered, paid in HYPE).

Trading on HyperCore is gasless: orders, cancels, TP/SL, TWAP, Scale ladders, etc. are signed actions included in consensus, not EVM transactions.

You don’t need HYPE to place/cancel orders.

You pay maker/taker fees and funding, not gas.

Spam is mitigated with address budgets, rate limits, open-order caps.

If you need more throughput: buy request weight at $0.0005 per action.

The design enables CEX-style strategies (dense ladders, queue dancing, rebates, hourly hedging) without the friction of gas.

Official GitHub repos:

Python SDK → https://github.com/hyperliquid-dex/hyperliquid-python-sdk

Rust SDK → https://github.com/hyperliquid-dex/hyperliquid-rust-sdk

Node → https://github.com/hyperliquid-dex/node

Order Book Server (example) → https://github.com/hyperliquid-dex/order_book_server

1. How “gasless” works

Order lifecycle

Wallet signs payload  →  Exchange endpoint → Node → Validators (HyperBFT)
                        ↘ deterministic inclusion into HyperCore state

Signatures, not transactions. Your wallet signs payloads (EIP-712 style). These are posted to the Exchange endpoint, gossiped to validators, ordered in consensus, and applied to HyperCore. → No gas, just signature.
Onboarding. Enable trading = sign once. Withdrawals = flat $1 fee, not a gas auction. Docs → Onboarding
Spam protection.
- Address budgets: 10k starter buffer, then 1 action per 1 USDC lifetime fills.
- Open-order cap: base 1,000 → scales to 5,000.
- Congestion fairness: max 2× maker-share per block.
- ReserveRequestWeight: buy capacity at $0.0005/action. Docs → Rate limits
Safety rails.
- scheduleCancel (dead-man’s switch)
- expiresAfter (time-box an action)
- noop (nonce invalidation)
Order types. Market, Limit, ALO (post-only), IOC, GTC, TWAP, Scale, TP/SL (market or limit), OCO. Docs → Order types
Self-trade prevention. Expire-maker: cancels resting maker side instead of self-fill. Docs → STP

2. Fees: Hyperliquid vs DEXes & CEXes

Perps (base tiers)

Venue	Maker	Taker	Notes
Hyperliquid	0.015%	0.045%	Gasless actions; staking discounts up to 40%; rebates up to –0.003%
dYdX v4	0.01%	0.05%	Gasless submits/cancels; fills only
GMX v2 (perps)	0.04–0.06%	0.04–0.06%	Round-trip 0.08–0.12% + funding/borrow + L2 gas
Binance Futures	~0.018%	~0.045%	VIP/BNB discounts; USDC-M can hit 0% maker
Bybit Perps	0.020%	0.055%	Tiered; VIP reductions
OKX Futures	0.020%	0.050%	VIP can reach –0.005% / 0.015%
Kraken Futures	0.020%	0.050%	Down to 0% / 0.01% at scale

Spot

Venue	Maker	Taker	Gas
Hyperliquid	0.040%	0.070%	Gasless actions; $1 withdraw
Uniswap v3	0.01–1%	0.01–1%	User pays gas; or solver embeds in price
Bybit Spot	0.15%	0.10–0.20%	CEX; no gas
OKX Spot	0.08%	0.10%	VIP/OKB discounts

3. Funding models

Hyperliquid: 8h rate paid hourly (1/8 each hour). Hyperps use EMA mark (oracle-light).
dYdX v4: hourly funding; standard premium/interest.
GMX v2: continuous borrow vs pool imbalance.

4. What gasless enables (tactically)

Dense ladders + queue dancing: cheap to modify/cancel 1000s of levels.
Granular hedging: rebalance perps/spot hedges hourly without friction.
CEX-style STP + ALO: protect queue priority.
Deterministic inclusion: HyperBFT ensures one global order sequence.
Predictable scaling: buy request weight explicitly instead of gas auction.

5. Ten core strategies

Passive Maker Ladder (ALO + STP) Build dense post-only ladders, earn spread + rebates, cancel/repost gas-free.
Rebate Farming (maker-share) Hit ≥0.5%, 1.5%, 3% maker volume shares to unlock –0.001%/–0.002%/–0.003%.
Funding-Arb / Cash-and-Carry Long spot vs short perp; rebalance hourly gas-free.
TWAP Execution Use native 30s slice TWAP with slippage caps; gasless param tweaks.
Scale Order Grids Deploy wide grids with up to 5k resting orders; adjust spacing by ATR.
Latency-Aware MM Run node, use noop for stale nonces.
OCO Risk-Boxing (TP/SL) Parent-linked stops/targets; frequent adjustment gasless.
Hyperps Momentum/Fade Trade EMA-based hyperps; funding skew stabilizes. Turnkey repo
Dead-Man’s Switch Hygiene Always use scheduleCancel; pair with expiresAfter.
Throughput Budgeting Add logic to purchase reserveRequestWeight at spikes.

6. Ten advanced strategies

Maker-Skewed Basis Harvest Hedge legs passively, collect rebates + funding.
Adaptive Spread Ladder Contract/expand quotes with realized vol; keep order count fixed.
Queue-Position Arbitrage Gasless modify to overtake by 1 tick; requires local queue estimation.
Stale-Quote Punisher Flip passive→taker when off-chain anchors are stale.
Rebate-Neutral Market Impact Hedger Pre-compute edge ≈ (S/2 − A − f_m); trade only when ≥0.
Funding Skew Swing-Trader Switch between mean-revert & trend based on funding drift.
Dead-Man Sessioner Each session starts with scheduleCancel(t) to avoid zombie orders.
Liquidity Layer Splitter Spread ladders across accounts; use STP to avoid self-trades.
Cross-Venue Micro-Arb HL vs CEX/DEX; taker on mispriced side, maker on the other.
Event-Mode Capacity Burst Pre-buy request weight pre-CPI/FOMC; change ladder parameters.

7. Cost sanity check ($100k notional)

Hyperliquid: 0.015% maker ($15) + 0.045% taker ($45) = $60 (+ funding).
dYdX v4: 0.01% + 0.05% = $60.
GMX v2: 0.04–0.06% open + 0.04–0.06% close = $80–120 (+ borrow + gas).
Binance Futures: 0.018% + 0.045% ≈ $63 (base VIP).

8. Implementation gotchas

Budgets & caps: track in code; cancels have higher allowance; throttling needed.
Min sizes: perps $10 notional; spot 10 quote units.
ExpiresAfter: avoid triggering (5× budget cost).
Node ops: run Linux, open ports 4001/4002, colocate in Tokyo.
Nonces: prefer modify; use noop if stuck.

9. Comparison snapshot

Hyperliquid & dYdX v4 — gasless trading actions, on-chain CLOB, deterministic finality.
UniswapX / CoW — user-gasless via solver; solver pays gas, embeds in your price.
Uniswap v3/v4, GMX — user pays gas + pool fee; MEV & slippage dominate costs.
CEXes — no gas, lowest fees at VIP, fiat rails; but centralized custody.

10. GitHub Index

Org: https://github.com/hyperliquid-dex
Python SDK: https://github.com/hyperliquid-dex/hyperliquid-python-sdk
Rust SDK: https://github.com/hyperliquid-dex/hyperliquid-rust-sdk
Node: https://github.com/hyperliquid-dex/node
Order-book server: https://github.com/hyperliquid-dex/order_book_server
TypeScript SDKs: https://github.com/nktkas/hyperliquid, https://github.com/nomeida/hyperliquid
Go SDK: https://github.com/sonirico/go-hyperliquid
.NET client: https://github.com/JKorf/HyperLiquid.Net
Turnkey TS fork: https://github.com/elkadro/hyperliquid-turnkey
MCP servers: https://github.com/kukapay/hyperliquid-info-mcp, https://github.com/mektigboy/server-hyperliquid
Stats starter: https://github.com/thunderhead-labs/hyperliquid-stats

Bottom Line

Hyperliquid takes gas out of the trading loop, letting traders focus on fees, funding, latency, and inventory control. The result: a CEX-like experience with on-chain transparency.

Best use cases:

High-frequency maker strategies (queue-dancing, rebates).
Funding arbitrage with fine-grained rebalancing.
Event-driven hedging.
Developers who want to build bots in Python/Rust/TS/Go without juggling gas balances.

Slaying Bullish Bias - A Market Wizards Playbook

May 19, 2025 · 8 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

“The markets are never wrong; opinions often are.”
—Jesse Livermore (quoted by Bruce Kovner in Market Wizards)

2025 is a cognitive trap for equity bulls. The Ukraine front barely moves, President Trump’s blanket 10 % tariff rattles importers, and German GDP just printed –0.6 % QoQ—yet the S&P 500 hovers north of 5 500.
If that disconnect feels comfortable, your built-in bullish bias (the reflex that “prices should rise”) is probably steering the wheel.

Below you’ll find the fully annotated 30-question audit that the original Market Wizards might run if they sat at your terminal today. Each line now includes:

Wizard Insight – the lesson Schwager’s interviewees hammered home.
2025 Angle – why the trap is live right now.
Real-World Example – an actual 2025 tape or trade vignette.

Paste the checklist into your trading journal, sprint through one block per week, and watch your P/L detach from hope-fuelled drift.

1 Self-Diagnosis & Mind-Set

#	Question	Wizard Insight	2025 Angle	Real-World Example
1	Do you scan for longs first?	Mark Cook forced students to open a bearish filter before coffee.	All major U.S. broker dashboards open on “Top Gainers.”	11 Mar 2025: NVDA +6 % headlined your grid; bottom losers list showed LUMN –13 % (a better 2-R short you never saw).
2	5 % drop—curiosity or dip euphoria?	Paul Tudor Jones cut leverage 50 % within minutes on 19 Oct 1987.	15 Mar 2025: SPX –5.1 %, VIX 34 → index kept sliding another –2 % before basing.	You felt “great entry” and bought QQQ, stopped out –1 R next day.
3	Does shorting feel “un-American”?	Tom Baldwin joked “The pits only cheer the upside.”	Media framed every 2024 sell-off as “unpatriotic betting.”	You posted a bearish tweet on Apple and got piled-on for “fighting innovation.”
4	Dips = noise, rallies = trends?	Ed Seykota logged only % risk and ATR multiples—no adjectives.	CNBC still calls –2 % a “slump” but +2 % a “rally.”	23 Apr 2025 journal: “just a blip lower” (SPX –1.8 %), “solid up-trend” (+1.6 %).
5	Is self-worth tied to rising curves?	Seykota kept family money in T-Bills.	Real college costs +6 % YoY; equity drift no longer guarantees coverage.	You increased size after your kid’s tuition invoice hit inbox.

2 Historical Perspective & Narrative Traps

#	Question	Wizard Insight	2025 Angle	Real-World Example
6	How did you fare in each mini-crash?	Jones was green in ’87; Raschke flat in ’98.	2022 bear (–27 %) still on broker statement.	Your 2022 curve: –18 % vs CTA index +13 %.
7	Tested your edge with drift = 0?	Seykota’s systems worked on pork bellies—no drift.	Forward SPX drift est. < 4 %.	Your momentum back-test Sharpe fell from 1.2 ➜ 0.48.
8	Rely on “Don’t bet against America”?	Kovner warns empires rotate.	Proposed 2 % buy-back tax in House bill HR-1735.	Removing buy-backs in DCF knocked 7 turns off Apple PE.
9	Ignoring survivorship in Wizard lore?	Schwager himself says thousands blew up.	TikTok “profit porn” hides losers.	Your Telegram group shares only green screenshots.
10	Studied markets that never bounced?	Japanese believers held Nikkei bags for 34 yrs.	Greek ASE –85 % from ’07 peak even now.	Your Europe ETF overweight assumes 7 % CAGR.

3 Quantitative Evidence

#	Question	Wizard Insight	2025 Angle	Real-World Example
11	Shorts share of tickets & P/L?	Cook: “Trade both sides or half your vision is gone.”	Q1-25 had strongest 3-day down-impulse since Covid lows.	9 shorts out of 112 trades; net P/L –2 R.
12	Invert your long signal—result?	Seykota’s “whipsaw song” works both ways.	High-short-interest anomaly revived with expensive rates.	Inverted signal on same universe scored Sharpe 0.32.
13	Price vs log-return testing?	Wizards think in % risk.	Nasdaq 100 raw-point rise masks compounding.	Strategy CAGR fell from 18 % ➜ 11 % in log mode.
14	Stop symmetry?	Raschke: 2 ATR both sides.	Meme squeezes tempt 1 ATR shorts, 3 ATR longs.	Last month: 6 short stop-outs at –1 ATR, 2 long at –3 ATR.
15	Monte-Carlo μ = 0 survival?	Jones funds vol desks to weather drift drought.	Commodity volatility doubles path risk now.	10 000 paths: median curve flatlines by month 22.

4 Risk & Capital Allocation

#	Question	Wizard Insight	2025 Angle	Real-World Example
16	Exposure cap symmetric?	Seykota could flip net ±200 %.	Short borrow fees sub-1 % for 80 % of S&P names.	You allow +150 % long, –25 % short.
17	Averaging down losers?	Kovner: “Losers average losers.”	AI chip names drop 18 % intraday regularly.	Added twice to AMD at –3 % and –6 %; closed –2 R.
18	Cover shorts first in vol spikes?	Tudor held shorts through crash until vol bled.	Post-VIX-34 drift negative for 12 sessions.	Closed TSLA short on spike, kept long tech—lost 1.4 R.
19	Put hedge value?	Jones buys vol only when skew cheap.	1-month ATM put cost 1.8 % in Mar 2025.	Last year: spent 3.4 R in premium, saved 1.1 R in crashes.
20	Squeezes breach worst-case loss?	Baldwin sized by dollar vol.	Feb 2025 GME +40 % gap.	Short lost 2.3 R overnight.

5 Process & Decision Architecture

#	Question	Wizard Insight	2025 Angle	Real-World Example
21	UI bias toward gainers?	Seykota coded neutral dash.	Broker UIs show green first.	Missed FSLY –12 % fail because list buried.
22	Short checklist depth?	Raschke rehearses shorts like longs.	Easier borrows post-reg changes.	Long checklist 12 items; short only 5.
23	Narrative only for shorts?	Wizards trust price.	News calls every dip an “overreaction.”	Skipped META short for lack of “fundamental story”; missed –8 %.
24	Post-mortem balance?	Cook logs every miss.	Feb 2025: three perfect failed-break short signals unreviewed.	Reviewed 7 missed longs, 0 shorts.
25	Auto-flip after failed breakout?	“Failed move = fast move” —Soros.	AI names fake breakouts weekly.	Long NVDA fake-out –1 R, no flip; price dropped another 4 %.

6 Psychology & Continuous Improvement

#	Question	Wizard Insight	2025 Angle	Real-World Example
26	Bias tags clustering on longs?	Jones hired risk coach.	AI tools auto-tag sentiment now.	65 % optimism tags on long entries, 15 % on shorts.
27	Real-time beta alerts?	Tudor’s board lit red at β > 0.7.	Slack webhooks trivial.	Hit 0.78 beta on 9 Apr, noticed next day.
28	Gap-down rehearsal?	Basso ran crash sims monthly.	Turkey ETF gap –12 % overnight, Feb 2025.	Panicked exit + slippage –1 R; never rehearsed scenario.
29	Forced-flat longs feeling?	Seykota welcomes dry powder.	Broker outage flushed longs 14 Jan.	Felt panic → identity fusion with bull thesis.
30	Preparing for lower drift?	Wizards add new edges.	Demographics & reshoring compress margins.	Equity CAGR model still at 8 %.

7 Wrap-Up

Bullish bias survives because it pays most of the time—until it erases years of gains in a single macro grenade.
The Market Wizards neutralised the bias through symmetry: equal screens, stops, reviews, and above all, equal respect for up and down tape.

Run this playbook once per quarter:

Audit each question honestly.
Patch the weakest habit or policy.
Re-test your edge in a zero-drift simulation.

Do that, and the next tariff volley, energy spike, or AI bubble unwind becomes just another tradeable regime—not a career-ending ambush.

Happy (bias-free) trading!

Contributing a Safer MarketIfTouchedOrder to Nautilus Trader — Hardening Conditional Orders in Rust

May 3, 2025 · 3 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

TL;DR – PR #2577 introduces a fallible constructor, complete domain-level checks, and four focussed tests for MarketIfTouchedOrder, thereby closing long-standing Issue #2529 on order-validation consistency.

1 Background

MarketIfTouchedOrder (MIT) is effectively the reverse of a stop-market order: it lies dormant until price touches a trigger, then fires as an immediate market order.
Because a latent trigger feeds straight into an instant fill path, robust validation is non-negotiable—any silent mismatch becomes a live trade.

2 Why the Change Was Necessary

Problem	Impact
Partial positivity checks on `quantity`, `trigger_price`, `display_qty`	Invalid values propagated deep into matching engines before exploding
`TimeInForce::Gtd` accepted `expire_time = None`	Programmer thought they had “good-til-date”; engine treated it as GTC
No check that `display_qty ≤ quantity`	Iceberg slice could exceed total size, leaking full inventory
Legacy `new` API only panicked	Call-site couldn’t surface errors cleanly

Issue #2529 demanded uniform, fail-fast checks across all order types; MIT was first in line.

3 What PR #2577 Delivers

Area	Before (`v0`)	After (`v1`)
Constructor	`new` → panic on error	`new_checked` → `anyhow::Result<Self>`; `new` now wraps it
Positivity checks	Partial	Guaranteed for `quantity`, `trigger_price`, (optional) `display_qty`
GTD orders	`expire_time` optional	Required when `TIF == GTD`
Iceberg rule	None	`display_qty ≤ quantity`
Error channel	Opaque panics	Precise `anyhow::Error` variants
Tests	0	4 rstest cases (happy-path + 3 failure modes)

Diff stats: +159 / −13 – one file crates/model/src/orders/market_if_touched.rs.

4 File Walkthrough Highlights

new_checked – all domain guards live here; returns Result.
Guard helpers – re-uses check_positive_quantity, check_positive_price, check_predicate_false.
Legacy compatibility – new() simply calls Self::new_checked(...).expect(FAILED).
apply() tweak – slippage is recomputed immediately after a fill event.
Tests – ok, quantity_zero, gtd_without_expire, display_qty_gt_quantity.

6 Order-Lifecycle Diagram

7 Using the New API

let mit = MarketIfTouchedOrder::new_checked(
    trader_id,
    strategy_id,
    instrument_id,
    client_order_id,
    OrderSide::Sell,
    qty,
    trigger_price,
    TriggerType::LastPrice,
    TimeInForce::Gtc,
    None,          // expire_time
    false, false,  // reduce_only, quote_quantity
    None, None,    // display_qty, emulation_trigger
    None, None,    // trigger_instrument_id, contingency_type
    None, None,    // order_list_id, linked_order_ids
    None,          // parent_order_id
    None, None,    // exec_algorithm_id, params
    None,          // exec_spawn_id
    None,          // tags
    init_id,
    ts_init,
)?;

Prefer new_checked in production code; if you stick with new, you’ll still get clearer panic messages.

8 Impact & Next Steps

Fail-fast safety – all invariants enforced before the order leaves your code.
Granular error reporting – propagate Result outward instead of catching panics.
Zero breaking changes – legacy code continues to compile.

Action items: migrate to new_checked, bubble the Result, and sleep better during live trading.

9 References

Type	Link
Pull Request #2577	https://github.com/nautechsystems/nautilus_trader/pull/2577
Issue #2529	https://github.com/nautechsystems/nautilus_trader/issues/2529

Happy (and safer) trading!

Contributing a Safer LimitIfTouchedOrder to Nautilus Trader — A Small Open-Source Win for Rust Trading

May 3, 2025 · 3 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

Introduction

LimitIfTouchedOrder (LIT) is a conditional order that sits between a simple limit order and a stop-limit order: it rests inactive until a trigger price is touched, then converts into a plain limit at the specified limit price. Because it straddles two distinct price levels and multiple conditional flags, robust validation is critical—any silent mismatch can manifest as unwanted executions in live trading.

Pull Request #2533 standardises and hardens the validation logic for LIT orders, bringing it up to the same quality bar as MarketOrder and LimitOrder. The PR was merged into develop on May 1 2025 by @cjdsellers (+207 / −9 across one file). (GitHub, [GitHub][2])

Why the Change Was Needed

Inconsistent invariants – quantity, price, and trigger_price were not always checked for positivity.
Edge-case foot-guns – TimeInForce::Gtd could be set with a zero expire_time, silently turning a “good-til-date” order into “good-til-cancel”.
Side/trigger mismatch – A BUY order with a trigger above the limit price (or SELL with trigger below limit) yielded undefined behaviour.
Developer frustration – Consumers of the SDK had to replicate guard clauses externally; a single canonical constructor removes that burden.

Key Enhancements

Area	Before	After
Constructor API	`new` (panic-on-error)	`new_checked` (returns `Result`) + `new` now wraps it
Positivity checks	Only partial	Guaranteed for `quantity`, `price`, `trigger_price`, and optional `display_qty`
Display quantity	Not validated	Must be ≤ `quantity`
GTD orders	No expire validation	Must supply `expire_time` when `TimeInForce::Gtd`
Side/trigger rule	Undefined	`BUY ⇒ trigger ≤ price`, `SELL ⇒ trigger ≥ price`
Unit-tests	0 dedicated tests	5 focused tests (happy-path + 4 failure modes)

Implementation Highlights

new_checked – a fallible constructor returning anyhow::Result<Self>. All invariants live here.
Guard helpers – leverages check_positive_quantity, check_positive_price, and check_predicate_false from nautilus_core::correctness.
Legacy behaviour preserved – the original new now calls new_checked().expect("FAILED"), so downstream crates that relied on panics keep working.
Concise Display impl – human-readable string that shows side, quantity, instrument, prices, trigger type, TIF, and status for quick debugging.
Test suite – written with rstest; covers ok, quantity_zero, gtd_without_expire, buy_trigger_gt_price, and sell_trigger_lt_price.

Code diff stats: 207 additions, 9 deletions, affecting crates/model/src/orders/limit_if_touched.rs. ([GitHub][2])

Impact on Integrators

If you only called LimitIfTouchedOrder::new nothing breaks—you’ll merely enjoy better error messages if you misuse the API. For stricter compile-time safety, switch to the new new_checked constructor and handle Result<T> explicitly.

let order = LimitIfTouchedOrder::new_checked(
    trader_id,
    strategy_id,
    instrument_id,
    client_order_id,
    OrderSide::Buy,
    qty,
    limit_price,
    trigger_price,
    TriggerType::LastPrice,
    TimeInForce::Gtc,
    None,          // expire_time
    false, false,  // post_only, reduce_only
    false, None,   // quote_qty, display_qty
    None, None,    // emulation_trigger, trigger_instrument_id
    None, None,    // contingency_type, order_list_id
    None,          // linked_order_ids
    None,          // parent_order_id
    None, None,    // exec_algorithm_id, params
    None,          // exec_spawn_id
    None,          // tags
    init_id,
    ts_init,
)?;

Conclusion

PR [#2533] dramatically reduces the surface area for invalid LIT orders by centralising all domain rules in a single, auditable place. Whether you’re building discretionary tooling or a fully automated strategy on top of Nautilus Trader, you now get fail-fast behaviour with precise error semantics—no more mystery fills in production.

Next steps: adopt new_checked, make your own wrappers return Result, and enjoy safer trading.

How to Integrate OpenAI TTS with FFmpeg in a FastAPI Service

March 6, 2025 · 5 min read

Vadim Nicolai

Senior Software Engineer at Vitrifi

Introduction

OpenAI offers powerful text-to-speech capabilities, enabling developers to generate spoken audio from raw text. Meanwhile, FFmpeg is the de facto standard tool for audio/video processing—used heavily for tasks like merging audio files, converting formats, and applying filters. Combining these two in a FastAPI application can produce a scalable, production-ready text-to-speech (TTS) workflow that merges and manipulates audio via FFmpeg under the hood.

This article demonstrates how to:

Accept text input through a FastAPI endpoint
Chunk text and use OpenAI to generate MP3 segments
Merge generated segments with FFmpeg (through the pydub interface)
Return or store a final MP3 file, ideal for streamlined TTS pipelines

By the end, you’ll understand how to build a simple but effective text-to-speech microservice that leverages the power of OpenAI and FFmpeg.

1. Why Combine OpenAI and FFmpeg

Chunked Processing: Long text might exceed certain API limits or timeouts. Splitting into smaller parts ensures each piece is handled reliably.
Post-processing: Merging segments, adding intros or outros, or applying custom filters (such as volume adjustments) becomes trivial with FFmpeg.
Scalability: A background task system (like FastAPI’s BackgroundTasks) can handle requests without blocking the main thread.
Automation: Minimizes manual involvement—one endpoint can receive text and produce a final merged MP3.

2. FastAPI Endpoint and Background Tasks

Below is the FastAPI code that implements a TTS service using the OpenAI API and pydub (which uses FFmpeg internally). It splits the input text into manageable chunks, generates MP3 files per chunk, then merges them:

import os
import time
import logging
from pathlib import Path

from dotenv import load_dotenv
from fastapi import APIRouter, HTTPException, Request, BackgroundTasks
from fastapi.responses import JSONResponse
from pydantic import BaseModel
from openai import OpenAI
from pydub import AudioSegment

load_dotenv(".env.local")

OPENAI_API_KEY = os.environ.get("OPENAI_API_KEY")
client = OpenAI(api_key=OPENAI_API_KEY)

router = APIRouter()

logging.basicConfig(
    level=logging.DEBUG,  # Set root logger to debug level
    format='%(levelname)s | %(name)s | %(message)s'
)
logger = logging.getLogger(__name__)
logger.setLevel(logging.DEBUG)

class AudioRequest(BaseModel):
    input: str

def chunk_text(text: str, chunk_size: int = 4096):
    """
    Generator that yields `text` in chunks of `chunk_size`.
    """
    for i in range(0, len(text), chunk_size):
        yield text[i:i + chunk_size]

@router.post("/speech")
async def generate_speech(request: Request, body: AudioRequest, background_tasks: BackgroundTasks):
    """
    Fires off the TTS request in the background (fire-and-forget).
    Logs are added to track progress. No zip file is created.
    """
    model = "tts-1"
    voice = "onyx"

    if not body.input:
        raise HTTPException(
            status_code=400,
            detail="Missing required field: input"
        )

    # Current time for folder naming or logging
    timestamp = int(time.time() * 1000)

    # Create a folder for storing output
    output_folder = Path(".") / f"speech_{timestamp}"
    output_folder.mkdir(exist_ok=True)

    # Split the input into chunks
    chunks = list(chunk_text(body.input, 4096))

    # Schedule the actual speech generation in the background
    background_tasks.add_task(
        generate_audio_files,
        chunks=chunks,
        output_folder=output_folder,
        model=model,
        voice=voice,
        timestamp=timestamp
    )

    # Log and return immediately
    logger.info(f"Speech generation task started at {timestamp} with {len(chunks)} chunks.")
    return JSONResponse({"detail": f"Speech generation started. Timestamp: {timestamp}"})

def generate_audio_files(chunks, output_folder, model, voice, timestamp):
    """
    Generates audio files for each chunk. Runs in the background.
    After all chunks are created, merges them into a single MP3 file.
    """
    try:
        # Generate individual chunk MP3s
        for index, chunk in enumerate(chunks):
            speech_filename = f"speech-chunk-{index + 1}.mp3"
            speech_file_path = output_folder / speech_filename

            logger.info(f"Generating audio for chunk {index + 1}/{len(chunks)}...")

            response = client.audio.speech.create(
                model=model,
                voice=voice,
                input=chunk,
                response_format="mp3",
            )

            response.stream_to_file(speech_file_path)
            logger.info(f"Chunk {index + 1} audio saved to {speech_file_path}")

        # Merge all generated MP3 files into a single file
        logger.info("Merging all audio chunks into one file...")
        merged_audio = AudioSegment.empty()

        def file_index(file_path: Path):
            # Expects file names like 'speech-chunk-1.mp3'
            return int(file_path.stem.split('-')[-1])

        sorted_audio_files = sorted(output_folder.glob("speech-chunk-*.mp3"), key=file_index)
        for audio_file in sorted_audio_files:
            chunk_audio = AudioSegment.from_file(audio_file, format="mp3")
            merged_audio += chunk_audio

        merged_output_file = output_folder / f"speech-merged-{timestamp}.mp3"
        merged_audio.export(merged_output_file, format="mp3")
        logger.info(f"Merged audio saved to {merged_output_file}")

        logger.info(f"All speech chunks generated and merged for timestamp {timestamp}.")
    except Exception as e:
        logger.error(f"OpenAI error (timestamp {timestamp}): {e}")

Key Takeaways

AudioRequest model enforces the presence of an input field.
chunk_text ensures no chunk exceeds 4096 characters (you can adjust this size).
BackgroundTasks offloads the TTS generation so the API can respond promptly.
pydub merges MP3 files (which in turn calls FFmpeg).

3. Using FFmpeg Under the Hood

Installing pydub requires FFmpeg on your system. Ensure FFmpeg is in your PATH—otherwise you’ll get errors when merging or saving MP3 files. For Linux (Ubuntu/Debian):

sudo apt-get update
sudo apt-get install ffmpeg

For macOS (using Homebrew):

brew install ffmpeg

If you’re on Windows, install FFmpeg from FFmpeg’s official site or use a package manager like chocolatey or scoop.

4. Mermaid JS Diagram

Below is a Mermaid sequence diagram illustrating the workflow:

Explanation:

User sends a POST request with text data.
FastAPI quickly acknowledges the request, then spawns a background task.
Chunks of text are processed via OpenAI TTS, saving individual MP3 files.
pydub merges them (calling FFmpeg behind the scenes).
Final merged file is ready in your output directory.

5. Conclusion

Integrating OpenAI text-to-speech with FFmpeg via pydub in a FastAPI application provides a robust, scalable way to automate TTS pipelines:

Reliability: Chunk-based processing handles large inputs without overloading the API.
Versatility: FFmpeg’s audio manipulation potential is nearly limitless.
Speed: Background tasks ensure the main API remains responsive.

With the sample code above, you can adapt chunk sizes, add authentication, or expand the pipeline to include more sophisticated post-processing (like watermarking, crossfading, or mixing in music). Enjoy building richer audio capabilities into your apps—OpenAI and FFmpeg make a powerful duo.

TL;DR​

Introduction​

Architecture Diagrams​

Account Relationships​

Instruction Flow for Limit Order Execution​

Account Structure​

PDA Derivation Example​

TL;DR​

Introduction​

Architectural Philosophy​

Architecture Diagrams​

Account Relationships and PDA Hierarchy​

Deposit Instruction Flow​

Account Structure Table​

Core Lending Primitives​

1. Reserve Initialization Architecture​

2. Deposit Mechanism: Share-Based Accounting​

3. Borrowing Architecture: Multi-Collateral Risk Management​

4. Liquidation System: Incentive-Driven Solvency​

Interest Rate Architecture​

Utilization-Based Rate Model​

State Management Architecture​

Obligation Account Design​

Solana-Specific Design Patterns​

Account Model Optimization​

Compute Unit Management​

Cross-Program Invocation Architecture​

Security Architecture​

Multi-Layer Access Control​

Oracle Security Framework​

Economic Security Mechanisms​

Integration Architecture​

Client-Side Design Patterns​

Health Factor Monitoring​

Extensibility and Composability​

Extension Points​

System Validation Strategies​

Conclusion​

Key Architectural Principles​

Architectural Lessons for Builders​

Future Evolution​

TL;DR​

Introduction​

Architecture Overview​

Account Structure Diagram​

Account Structure​

Primary Accounts Table​

Adapter State PDA Structure​

Code Walkthrough​

Raydium CPI Module Definition​

TL;DR​

AMM vs CPAMM (and why the wording matters)​

AMM (the umbrella)​

CPAMM / CPMM (the subtype)​

CPAMM mechanics in one screen (math + semantics)​

Fee model (input fee)​

Output​

Reserve update​

Price intuition (useful when comparing designs)​

Comparison tables​

Taxonomy and “what is being compared?”​

Trader view: execution quality & UX​

LP view: risk, complexity, and who wins when​

Solana runtime view: contention, accounts, compute​

Parameter surface area (“knobs you must ship and maintain”)​

Token-2022 / “non-standard token semantics” compatibility​

MEV & adversarial flow profile​

“Which one should I choose?” (builder POV)​

A “migration path” table (how protocols evolve in practice)​

Anchor CPAMM: the “don’t ship this” checklist (most common bugs)​

1) Proportional deposits are ratios, not products​

2) LP minting: sqrt(Δa·Δb) is bootstrap-only​

3) Invariant checks must be A·B and must use u128​

4) Token-2022: do not trust amount_in​

Minimal “correct CPAMM math” snippet (overflow-safe, vault-delta friendly)​

Extra comparison tables (for the “systems” view)​

Public API ergonomics: what you expose to integrators​

Testing strategy: what to property-test per design​

References (URLs)​

TL;DR​

TL;DR

Introduction

Architecture Diagrams

Account Relationships

Instruction Flow for Limit Order Execution

Account Structure

PDA Derivation Example

TL;DR

Introduction

Architectural Philosophy

Architecture Diagrams

Account Relationships and PDA Hierarchy

Deposit Instruction Flow

Account Structure Table

Core Lending Primitives

1. Reserve Initialization Architecture

2. Deposit Mechanism: Share-Based Accounting

3. Borrowing Architecture: Multi-Collateral Risk Management

4. Liquidation System: Incentive-Driven Solvency

Interest Rate Architecture

Utilization-Based Rate Model

State Management Architecture

Obligation Account Design

Solana-Specific Design Patterns

Account Model Optimization

Compute Unit Management

Cross-Program Invocation Architecture

Security Architecture

Multi-Layer Access Control

Oracle Security Framework

Economic Security Mechanisms

Integration Architecture

Client-Side Design Patterns

Health Factor Monitoring

Extensibility and Composability

Extension Points

System Validation Strategies

Conclusion

Key Architectural Principles

Architectural Lessons for Builders

Future Evolution

TL;DR

Introduction

Architecture Overview

Account Structure Diagram

Account Structure

Primary Accounts Table

Adapter State PDA Structure

Code Walkthrough

Raydium CPI Module Definition

TL;DR

AMM vs CPAMM (and why the wording matters)

AMM (the umbrella)

CPAMM / CPMM (the subtype)

CPAMM mechanics in one screen (math + semantics)

Fee model (input fee)

Output

Reserve update

Price intuition (useful when comparing designs)

Comparison tables

Taxonomy and “what is being compared?”

Trader view: execution quality & UX

LP view: risk, complexity, and who wins when

Solana runtime view: contention, accounts, compute

Parameter surface area (“knobs you must ship and maintain”)

Token-2022 / “non-standard token semantics” compatibility

MEV & adversarial flow profile

“Which one should I choose?” (builder POV)

A “migration path” table (how protocols evolve in practice)

Anchor CPAMM: the “don’t ship this” checklist (most common bugs)

1) Proportional deposits are ratios, not products

2) LP minting: `sqrt(Δa·Δb)` is bootstrap-only

3) Invariant checks must be `A·B` and must use `u128`

4) Token-2022: do not trust `amount_in`

Minimal “correct CPAMM math” snippet (overflow-safe, vault-delta friendly)

Extra comparison tables (for the “systems” view)

Public API ergonomics: what you expose to integrators

Testing strategy: what to property-test per design

References (URLs)

TL;DR