System Architecture

NEXUS-120Engine

A deterministic evaluation engine that reads live chain state, runs sovereignty pillar logic, and produces cryptographically hashed execution records. Every output is reproducible. Every record is independently verifiable.

ARBITRUM SEPOLIA · AUD_001 · SHA-256 · OPEN SOURCE
Execution Model

The evaluation cycle

Each engine run follows five deterministic steps. The same chain state always produces the same verdict. There is no configurable behavior, no manual override, and no hidden state.

01READ CHAIN STATE

ArbitrumAdapter calls the deployed contracts via Arbitrum Sepolia RPC.

OracleModule.getPrice() — returns ETH/USD price. Reverts if the feed is outside the maxDelay freshness window. On revert, the engine falls back to AggregatorV3Interface.latestRoundData() directly on the Chainlink feed and sets oracle_stale: true.

VaultManager.collateralOf() and debtOf() are called via multicall for every known vault owner. Vault owner addresses are derived from Deposit event logs. NXUSDToken.totalSupply() returns total outstanding protocol debt. Protocol thresholds (minCollateralRatioBps, liquidationRatioBps) are read from VaultManager. The result is a complete chain state snapshot anchored to a specific block number.

02COMPUTE DERIVED METRICS

From the raw chain reads, the engine computes protocol-wide and per-vault metrics. Protocol CR: (total_collateral_eth × eth_price_usd) / total_debt_nxusd. Per-vault CR computed identically for each position. Oracle state is set to stale if OracleModule reverted, with price sourced from Chainlink fallback. All derived values are deterministic — no rounding ambiguity, no randomness.

03EVALUATE PILLAR LOGIC

Pillar runners execute sequentially against the computed metrics. SOV_001 checks: CR > 100% AND VaultManager.paused() === false under distress. SOV_003 checks: CR > 130% AND oracle_stale === false. SOV_003 failures are classified into economic, structural, or testnet_env categories. SOV_005 runs a 5-year forward stress lattice across 5,000+ scenarios on five axes. Each pillar runner is stateless — it reads inputs, evaluates conditions, and returns a verdict. No shared state between runners.

04AGGREGATE VERDICT

The overall verdict is derived deterministically from pillar results. The aggregation logic is non-configurable and has no exceptions: SOV_001 FAIL → overall_verdict: "FAIL" regardless of other pillars. SOV_001 PASS + SOV_003 FAIL → overall_verdict: "WARN". All passing → overall_verdict: "PASS". SOV_005 result is recorded in the AUD_001 package but does not affect overall_verdict. A WARN verdict is degraded, not insolvent — SOV_001 passing means the primary solvency invariant is intact.

05WRITE AUD_001 PACKAGE

The engine assembles the canonical AuditPackage JSON containing all chain state inputs and all pillar outputs. SHA-256 is computed over the complete canonical JSON. Both the package and the hash are committed atomically to NEXUS120-Official/nexus-receipts/packages/ via GitHub Actions. Once committed, the package cannot be modified without producing a detectable hash mismatch. The package is then accessible via /receipts and the /api/receipts endpoint.

Signal Production

Three output surfaces

Engine outputs are exposed through three distinct surfaces. Each has a different source of truth, freshness model, and trust profile. All are independently accessible without authentication.

LAYER 1 · LIVE · /api/status
Observable State
SourceFresh RPC call to Arbitrum Sepolia on each cache miss
ContentsBlock number, ETH/USD, oracle state, protocol CR, pillar verdicts, overall verdict, timestamp
Freshnesss-maxage=30, stale-while-revalidate=60
Trust modelMutable — derived from live chain on each request. Not an evidence surface. See Protocol Intelligence Layer →
LAYER 2 · DERIVED · /api/vaults
Per-Vault Metrics
SourceDeposit event log scan + multicall for collateral/debt per vault owner
ContentsPer-vault CR, liquidation status classification, summary counts
Freshnesss-maxage=30, stale-while-revalidate=60
Trust modelServer-computed. isLiquidatable() not called — avoids oracle revert. Status derived from CR thresholds only.
LAYER 3 · IMMUTABLE · /api/receipts
Canonical Evidence
SourceGitHub API → NEXUS120-Official/nexus-receipts/packages/
ContentsAUD_001 packages: all inputs + pillar outputs + fail classification + SHA-256 hash
Freshnesss-maxage=60 · packages generated hourly
Trust modelImmutable after commit. Hash-verifiable. Independent of this API. See Audit Evidence Layer →
Receipt Generation

AUD_001 package pipeline

A receipt is not a log entry. It is a deterministic execution snapshot: inputs the engine received, outputs it produced, and a hash that binds both together. The same inputs always produce the same hash.

Package Contents
block_numberArbitrum Sepolia block at time of engine run
eth_price_usdETH/USD from OracleModule or Chainlink fallback
oracle_staletrue when OracleModule reverted — fallback active
total_collateral_ethWETH held by VaultManager at this block
total_debt_nxusdNXUSDToken.totalSupply() at this block
collateral_ratio_pctDerived CR% from chain inputs
sov_001_verdictPASS or FAIL — Economic Constitution gate
sov_003_verdictPASS or FAIL with fail classification breakdown
sov_003_fail_counteconomic / structural / testnet_env counts
sov_005_verdictPASS or FAIL — 5-year stress lattice result
overall_verdictPASS / WARN / FAIL — deterministic aggregation
verdict_rationaleEngine-generated explanation of the verdict
package_hashSHA-256 of canonical package JSON
Generation Pipeline
1 · ASSEMBLEEngine collects all chain state inputs and pillar runner outputs into a single canonical JSON object. Field order is deterministic.
2 · HASHSHA-256 is computed over the complete canonical JSON: sha256(JSON.stringify(package)). Result is prefixed "sha256:" and stored as package_hash.
3 · COMMITPackage file (AUD_001_PACKAGE_{timestamp}.json) and hash are written atomically to nexus-receipts/packages/ via GitHub Actions. Commit is append-only.
4 · PUBLISHPackage is immediately accessible on GitHub. The /api/receipts endpoint proxies the GitHub API and serves the latest 10 packages with a 60s cache.
5 · VERIFYAny party can download the raw package, recompute SHA-256 over the raw field, and compare against package_hash. A match confirms the package has not been modified.

The canonical source of truth is the GitHub repository — not this API. Any discrepancy between this interface and the repository is detectable via hash comparison. Audit Evidence Layer →

Sovereignty Pillars

Five rules. No exceptions.

Each pillar is a stateless runner: it receives chain state, evaluates conditions, and returns a verdict. No runner can modify the chain state it reads. No runner can influence another runner's inputs.

SOV_001
ECONOMIC CONSTITUTION

The primary solvency invariant. Evaluates whether the protocol is in a solvent operating state. A SOV_001 failure is a protocol emergency — integrations that depend on protocol solvency must halt immediately.

CHECKS: CR > 100%CHECKS: vault not paused under distressFAIL → overall_verdict: FAILOUTPUT: pass/fail + rationale in AUD_001
● ACTIVE
SOV_002
ADVERSARIAL SUITE

Six hardened attack scenarios evaluated on a separate cycle. Each scenario produces a signed rejection record if the attack vector is active or unmitigated. Designed to detect governance capture, oracle manipulation, and replay vectors before they reach execution.

VECTOR: tamper detectionVECTOR: replay protectionVECTOR: double-finalization guardVECTOR: oracle manipulationVECTOR: governance captureVECTOR: parameter injectionOUTPUT: per-vector signed rejection receipt
● ACTIVE
SOV_003
CAPITAL ADEQUACY LAW

Capital buffer enforcement. Requires CR above the liquidation threshold and a live oracle. Failures are classified into three categories so that environmental conditions on testnet do not mask real economic risk. Only economic failures indicate actual protocol stress.

CHECKS: CR > 130%CHECKS: oracle_stale === falseFAIL → overall_verdict: WARN (if SOV_001 passing)CATEGORY: economic — real risk signalCATEGORY: structural — parameter constraintCATEGORY: testnet_env — expected on Arbitrum SepoliaOUTPUT: fail_count breakdown in AUD_001
● ACTIVE
SOV_004
TREASURY CONSTITUTION

4-tranche waterfall integrity check: OPERATING, LIQUID, CORE, BACKSTOP. Evaluates treasury health and outflow eligibility. An outflow freeze is triggered automatically on treasury failure — no redemption is permitted during an active freeze.

EVALUATES: 4-tranche waterfall integrityFAIL → outflow freeze triggeredFAIL → redemption suspendedOUTPUT: treasury audit receipt
● ACTIVE
SOV_005
RISK LATTICE

5-year forward stress simulation run against live protocol state on each evaluation cycle. Evaluates protocol survival across 5,000+ scenario combinations on five stress axes simultaneously. A PASS means the protocol survives all simulated scenarios above the defined safety threshold.

AXIS: liquidity shockAXIS: peg deviationAXIS: NAV haircutAXIS: leverage spikeAXIS: correlation breakdownHORIZON: 5 years · 5,000+ scenariosOUTPUT: sov_005_verdict in AUD_001 (non-blocking)
● ACTIVE
AUD_001
AUDIT PACKAGE GENERATOR

Presentation layer above all pillar runners. Reads the latest SOV_001, SOV_003, and SOV_005 outputs, assembles the canonical AuditPackage JSON, computes the SHA-256 hash, and commits to the public repository. AUD_001 never modifies runner output — it assembles and hashes what the runners produced.

READS: SOV_001 / SOV_003 / SOV_005 outputCLASSIFIES: fail reasons into economic / structural / testnet_envHASHES: SHA-256 over canonical JSONCOMMITS: to nexus-receipts/packages/NEVER modifies runner outputOUTPUT: AUD_001_PACKAGE_{timestamp}.json
● ACTIVE
Determinism

Same inputs. Same outputs. Always.

REPLAY
Every verdict can be reproduced from public chain data and the open-source engine. The same block state, oracle price, and protocol parameters will always produce the same verdict and the same SHA-256 hash.
NO STATE
Pillar runners are stateless. Each evaluation reads fresh chain data and produces an independent output. No in-memory state carries over between cycles. No side effects. No drift.
OPEN
Chain state is readable from any Arbitrum Sepolia RPC. Engine source is public on GitHub. Pillar logic is documented here. No external dependency or trust in a centralized party is required to verify any verdict.
On-Chain Layer

Four contracts. One read surface.

The engine reads these contracts on every evaluation cycle. All are deployed on Arbitrum Sepolia and callable directly via eth_call — no wallet or auth required. Verified source and ABI on Contracts →

READ · WRITE
VAULTMANAGER

Manages vault lifecycle: collateral deposits, NXUSD minting, debt tracking, liquidation execution. Engine reads collateralOf(), debtOf(), minCollateralRatioBps(), liquidationRatioBps(), paused() on each cycle. Min CR: 150%. Liquidation threshold: 130%.

ERC-20 · READ
NXUSDTOKEN

Overcollateralized on-chain credit asset. Mint and burn restricted to VaultManager via MINTER_ROLE and BURNER_ROLE. Engine reads totalSupply() on each cycle to determine total outstanding protocol debt.

KEEPER_ROLE · WRITE
LIQUIDATIONENGINE

Executes liquidations when vault CR falls below 130%. 5% collateral bonus to the keeper. KEEPER_ROLE enforced — unauthorized liquidation calls are rejected. Engine reads paused() and closeFactorBps() to assess engine state.

CHAINLINK · READ
ORACLEMODULE

Protocol-managed Chainlink wrapper with freshness enforcement via maxDelay(). Reverts if the feed is outside the allowed window. On testnet, the Arbitrum Sepolia Chainlink feed does not update at the required frequency — OracleModule consistently reverts, setting oracle_stale: true and activating the Chainlink fallback.

The code is public. The receipts are real.

Live chain state visible via Protocol Intelligence Layer. Every evaluation persisted as a verifiable AUD_001 package.

Protocol Intelligence Layer →Audit Evidence Layer →Source Code →