DeSix Protocol

English

简体中文

English

简体中文

Appearance

5-Bucket Asset Reserve Isolation & Solvency Formulas

5-Bucket Reserve Isolation

To prevent the most common and fatal credit crises of traditional digital betting platforms—such as house defaults, liquidity pool runs, and platform rug pulls—DeSix designs a 5-Bucket isolated reserve accounting system in its smart contracts. This system divides all USDC assets inside the contract into five physically isolated buckets based on their business attributes and strictly enforces a solvency invariant via on-chain assertions during every state change.

1. Definition and Responsibilities of the 5 Buckets

All USDC balances accumulated in the contract are strictly segmented at the accounting layer into the following five sections, and no section may be used for other purposes without authorization:

┌────────────────────────────────────────────────────────┐
│                      Total USDC Balance                 │
│                                                        │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐   │
│  │    LP    │ │  Payout  │ │  Refund  │ │   Fee    │   │
│  │  Equity  │ │ Reserve  │ │ Reserve  │ │ Reserve  │   │
│  │(lpEquity)│ │(payout   │ │(refund   │ │(feeRes.) │   │
│  │          │ │ Reserve) │ │ Reserve) │ │          │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────┘   │
│                                                        │
│  ┌──────────┐                                          │
│  │  Mining  │                                          │
│  │ Reserve  │                                          │
│  │(realYield│                                          │
│  │ Accrued) │                                          │
│  └──────────┘                                          │
└────────────────────────────────────────────────────────┘
  1. LP Equity Bucket ($.lpEquity):
    • Represents the true net asset value of Liquidity Providers.
    • It contains the principal deposited by LPs plus accumulated market-making profits from lost bets, minus losses paid out to winning bets.
    • This is the exclusive property of market makers, and no protocol fees or player prizes can directly dilute this bucket.
  2. Payout Reserve Bucket ($.payoutReserve):
    • When an issue's betting closes and a winning proposal is consensus-approved, the system automatically transfers the "estimated maximum theoretical payout" for winning players from the LP equity bucket and locks it in the payout reserve.
    • When winning players claim rewards (claim), the funds are settled only from this bucket.
  3. Refund Reserve Bucket ($.refundReserve):
    • If an issue transitions to the Voided state due to oracle failures or disputes, the system transfers the total stake of all participants in that issue to the refund reserve bucket in a single transaction.
    • When players claim refunds (claimRefund), payouts are processed from this bucket.
  4. Fee Reserve Bucket ($.feeReserve):
    • Accumulates the 0.3% protocol fee on each bet.
    • This reserve is used solely for distributing fees (distributeProtocolFees) to the treasury, operations team, buybacks, and mining pool rewards, separated from player payouts.
  5. Mining Dividend Bucket ($.realYieldFeeAccrued):
    • Dedicated to accumulating the 25% cash flow dividend allocated to Miner from the protocol fee distribution, enabling users to claim USDC mining dividends with a single click.

2. Core Solvency Invariant

In the DeSixCore contract, every external call affecting USDC balances (such as placing bets, depositing liquidity, withdrawing liquidity, claiming rewards, and claiming refunds) must invoke _assertSolvency() before execution ends. The contract strictly enforces the following solvency invariant inequality:

$$\text{usdc.balanceOf}(\text{address(this)}) \ge \text{lpEquity} + \text{payoutReserve} + \text{refundReserve} + \text{feeReserve} + \text{realYieldFeeAccrued}$$

If any code exploit or external manipulation causes the accounting sum on the right side to exceed the actual USDC balance held by the contract, the transaction automatically reverts on-chain. This mathematically eliminates any possibility of "insolvency" or "excessive extraction."

3. P0-3 Asset Mismatch Vulnerability & Hardened Isolation

In the latest safety audit and Sprint 27 fixes, we patched a capital vulnerability in _voidIssueBatchInternal (voiding issues):

  • Previous Vulnerability: To prevent Gas DoS attacks, voiding issues used an O(1) complexity design (directly altering the issue state without traversing orders). However, in older versions, the contract failed to deduct the issue's total stake issue.totalStake from lpEquity and inject it into refundReserve at the moment of voiding. Consequently, subsequent refunds directly deducted from lpEquity, subjecting LP funds to direct runs and violating the isolation invariant.
  • Hardened Fix:
    • Following the refactoring, at the exact moment of voiding, the contract automatically deducts issue.totalStake from lpEquity and deposits it in full into refundReserve in a single transaction.
    • claimRefund was modified to be strictly and solely settled from refundReserve, no longer allowed to touch lpEquity.
  • Impact: Refund assets are physically isolated the moment voiding occurs, ensuring that getTVL() (which returns only lpEquity) reflects true LP net assets at all times, free of pending player refund principal.

Running on Base Sepolia Testnet. Decentralized, transparent, and verifiable.

© 2026 DeSix Protocol. All rights reserved.