The Three Building Blocks
Secure enclave
Order matching, margin, liquidations, and wallet logic all execute inside Intel SGX enclaves. Code is encrypted at runtime and invisible to the host OS, cloud provider, and Ondo Perps operators.
Attestor network
An independent quorum of third-party attestors verifies that the enclave is running the published codebase on genuine SGX hardware. Key material is split across the network, no single party can move funds.
On-chain custody
Each account has a permanent onchain deposit address. Deposits are swept into an exchange hot wallet, which initiates withdrawals on user request. All deposits and withdrawals are publicly observable onchain.
How It Works
Secure Enclave Execution
At the core of the architecture is Intel SGX (Software Guard Extensions), which runs the exchange’s critical components, order matching, margin calculations, wallet management, and liquidations, inside an encrypted, hardware-isolated environment. Code running inside the enclave cannot be accessed or modified by:- The operating system on the host machine.
- The infrastructure provider hosting the machine.
- The exchange operators themselves.
Decentralized Attestor Network
Integrity is enforced by a decentralized network of independent third-party attestors. Their job is to continuously verify that the enclave is running the correct, unmodified codebase on genuine SGX-enabled hardware.- Distributed key shares: Secret key material (including any key authorized to move user funds) is split across the attestor network. No single party can reconstruct the master secret or move funds unilaterally.
- Quorum-gated upgrades: Any modification to the codebase requires an independent majority of attestors to audit and approve before it takes effect.
Onchain Custody
User deposits do not live inside the enclave. The flow is:- Per-account deposit address: Each account provisions a permanent onchain deposit address. Any transfer of a supported asset to that address is credited to the account.
- Sweep into the hot wallet: Deposited funds are swept from deposit addresses into the exchange hot wallet.
- Withdrawals: When you request a withdrawal, the hot wallet initiates the onchain transfer back to your wallet.
Performance
Because critical operations execute inside the enclave rather than on-chain, the system does not carry the latency overhead typically associated with on-chain settlement. Order routing, margin updates, and liquidations are processed in real time, with execution speed comparable to a centralized exchange, including during periods of high volatility.What This Gives You
Compared with a traditional centralized exchange:- No operator front-running: Operators cannot read your orders before they match.
- No silent code changes: Codebase upgrades require independent attestor approval.
- Publicly observable custody: Every deposit and withdrawal moves through an onchain transfer, no hidden internal sub-ledgers.
- CEX-level latency: Matching, margin, and liquidations are real-time, not bound by block times.
- Richer order types: Limit, TP/SL, TWAP, reduce-only, and post-only are all native (Order types).
- Lower fees with the same trust: Offchain execution removes per-trade gas costs while preserving on-chain custody.
Learn More
Fund your account
Supported collateral, networks, and contract addresses for deposits.
Mark price protection
How external oracle prices keep liquidations fair and resistant to manipulation.
Liquidations and insurance
The multi-layered liquidation process and the insurance fund.
Pricing derivations
Where mark prices come from and how indices and futures are synthesized.