Why sealed-bid batching kills front-running
ONYX bets are committed as a hash, revealed after the window closes, and matched in one deterministic batch at a single uniform price. There is nothing to observe before the match, and nothing to gain from ordering — this page shows the mechanism and the real devnet transactions that prove it.
1 · The problem: a visible order is an invitation
illustration — not live dataOn a public book, a pending order sits in plain sight before it executes. A searcher who sees a large order can buy in front of it and sell right after — the classic sandwich. The victim pays the spread the attacker created.
- searcherBUYfront-run
- 0xc3 · pendingYES900 — visible to everyone
- searcherSELLback-run
2 · How ONYX removes both — on L1, no new trust
shipped · devnet- open_market_sealed
Market opens in a commit phase with fixed commit and reveal windows.
- submit_sealed_order
Only a 32-byte keccak-256 commitment plus locked collateral lands on-chain. Side, size, and limit price are not derivable from any on-chain state. Nothing to see.
- reveal_order
After the commit window closes, each bettor reveals; the program recomputes the hash and rejects any mismatch.
- run_batch_match
Permissionless. All revealed orders clear in one pass at a single uniform price. Nothing to get in line around.
Order-independent by construction
Take the same three revealed orders — A₁ buys 100 @ 70, A₂ buys 200 @ 60, B₁ sells 90 @ 50 — and feed them to the matcher in any order. The program's own unit test (matching::tests::order_independence) asserts the result is bit-exact identical:
Same price, same fills, every permutation. When submission order cannot change your outcome, being first — the entire business model of front-running and copy-trading — is worth nothing.
3 · Proven on devnet, not claimed
public RPC · verify without trusting this UIOne full sealed-order lifecycle on market 2VGU78vk…kHdHG4. Every signature is real; open it on the explorer or run solana confirm -v <sig> --url devnet — none of it needs this UI to be trusted.
- Sealed commitsubmit_sealed_order52VkeMw5eiV3xnnAPWkm…L9SKvsP2vn ↗
Fetch the resulting SealedOrder account: the side and size bytes read back as zero. Only the 32-byte commitment hash and locked collateral are on-chain.
- Batch matchrun_batch_matchJMUsrZCwhQh9TswLTqV5…CyrwXrHHGJ ↗
Market.phase flips to Matched and clearing_price is set — one uniform price for every filled order.
- Settlement (oracle CPI)settle_market5tLRuV7XPCsRsGddA962…BdTsxXi6rF ↗
Program logs show the live CPI into TxLINE's validate_stat and its boolean return value — that alone sets the outcome.
- Claimclaim2XZr6xuPH4L15SXZcHbL…wxT4xtTxDm ↗
Payout computed on-chain: 1,000,000 stake in, 1,990,000 out — matches the parimutuel formula exactly.
4 · What about TEEs? Roadmap, not shipped
de-risk spike · held backA MagicBlock ephemeral-rollup / TEE execution path (sealed orders matched inside an attested enclave, ~10ms latency) was proven end-to-end as a de-risk spike — including a live DCAP-verified attestation — and then deliberately not built into this product. Everything above runs on plain Solana L1 devnet, because moving matching into a TEE would reintroduce a hardware and operator trust dependency this design exists to avoid. The spike is logged in BUILD_STATE.md; it is roadmap material, not part of what you just verified.