System Architecture

Overview & Component Diagram

Origin is a hybrid on-chain/off-chain system. Latency-sensitive components (matching, risk evaluation, oracle ingestion) run off-chain. Custody, settlement, and the economic state of record run on-chain on Arc as smart contracts. The two layers are bound together by a settlement protocol that batches off-chain state transitions and commits them atomically.

Users always retain on-chain ownership of their collateral. The off-chain components have authority to update positions and balances only within constraints enforced by the on-chain margin contract: they cannot move collateral out of the system, increase a user's debt beyond posted collateral, or override the asset registry.

                  ┌─────────────────────────────────────────┐
                  │              CLIENT (REST/WS)           │
                  └────────────────────┬────────────────────┘
                                       │
                  ┌────────────────────▼────────────────────┐
                  │               API Gateway               │
                  └────────────────────┬────────────────────┘
                                       │
       ┌──────────────┬────────────────┼────────────────┬──────────────┐
       │              │                │                │              │
┌──────▼──────┐ ┌─────▼──────┐ ┌───────▼──────┐ ┌───────▼──────┐ ┌─────▼──────┐
│  Matching   │ │   Risk     │ │   Oracle     │ │ Liquidation  │ │ Settlement │
│   Engine    │ │   Engine   │ │  Ingestion   │ │   Engine     │ │ Submitter  │
└──────┬──────┘ └─────┬──────┘ └───────┬──────┘ └───────┬──────┘ └─────┬──────┘
       │              │                │                │              │
       └──────────────┴────────────────┴────────────────┴──────────────┘
                                       │ batched commits
                                       ▼
                ┌──────────────────────────────────────────┐
                │              ARC (on-chain)              │
                │                                          │
                │  Margin   Settlement   Insurance   ADL   │
                │  Vault    Contract     Fund        Coord │
                │                                          │
                │              Asset Registry              │
                └──────────────────────────────────────────┘

On-Chain Components

The on-chain footprint is a small, audited contract set:

Contract	Responsibility
Margin Vault	Custody of all user collateral. Enforces solvency invariants on every state transition.
Settlement	Receives signed batches of fills from the matching engine and atomically applies them to user positions and balances.
Insurance Fund	Holds reserve capital. Pays keeper fees and absorbs liquidation shortfalls.
Asset Registry	Records accepted collateral, haircuts, oracle bindings, and listed markets. Updated only by governance.
ADL Coordinator	Records ADL events and applies them to selected counterparty positions.

All contracts are upgradeable only through the published governance flow with a timelock.

Off-Chain Components

The off-chain components are operated by Origin and are designed for low-latency execution:

Matching Engine. Maintains the order book per market, applies price-time priority, produces fills.
Risk Engine. Evaluates each account's margin ratio on every mark-price update and every fill. Detects liquidation conditions.
Oracle Ingestion. Pulls Pyth feeds for index prices. Polls configured external venues for the CEX price set used in mark price (Section 8.2).
Liquidation Engine. Routes flagged accounts to the internal closeout flow first, then to public keepers if necessary.
API Gateway. REST + WebSocket endpoints for clients. Authenticates, rate-limits, forwards.
Settlement Submitter. Batches fills, funding payments, liquidations, and ADL events; submits them to the on-chain Settlement contract.

Order Flow

A typical limit order flows through the system as follows:

Submission. Client signs and submits via REST or WebSocket to the API Gateway.
Pre-trade checks. Gateway verifies authentication, rate limits, and order validity (symbol, side, size, price, flags).
Risk check. Risk Engine confirms the account has sufficient initial margin to support the order if it fills.
Book entry. Matching Engine accepts the order onto the book and assigns it a sequence number.
Match. When a counterparty order arrives that crosses the resting order, the engine produces one or more fills.
Mark-to-market. Risk Engine updates both accounts' positions and balances in working state.
Batch. Settlement Submitter accumulates fills into the next on-chain batch.
Commit. Batch is submitted to Arc; on finality (sub-second), on-chain state matches off-chain state.
Confirmation. Client receives a fill notification via WebSocket and a settlement event when the batch finalizes on-chain.

Steps 1 through 7 happen in the off-chain hot path within single-digit milliseconds in the typical case. Steps 8 and 9 add Arc finality (sub-second). The full state machine governing order transitions is specified in Section 5.3.

Trust & Authority Model

The off-chain operator can:

Match orders and produce fills.
Compute funding rates and liquidation eligibility.
Submit settlement batches.

The off-chain operator cannot:

Move user collateral to addresses outside the Margin Vault.
Take a user's balance below zero (the Margin Vault rejects any settlement that would).
Modify the asset registry or any market parameter.
Pause withdrawals of free collateral via the on-chain emergency exit path (Section 9.4).

This split means the worst-case impact of off-chain operator failure or compromise is bounded: trading halts, but funds remain in the user's control on-chain.

Failure Modes

Origin is designed to fail safely. The following table summarizes the system's response to each major failure class. System-wide states and their transitions are specified in Section 10.

Failure	System Response
Matching Engine outage	New orders rejected. Existing positions unaffected. Withdrawals of free collateral remain available.
Oracle feed stale	Affected market enters per-market `HALTED`; existing positions not liquidated until feed recovers (Section 8.3).
Settlement Submitter outage	Trading continues briefly using the last committed state; if outage exceeds threshold, new fills paused until commitment resumes.
Insurance fund depleted	ADL triggers (Section 7.6).
Arc network outage	Origin halts new deposits and withdrawals; existing positions continue marking; new fills paused.
Operator unresponsive past threshold	System auto-transitions to `EMERGENCY_EXIT`; users withdraw via on-chain path (Section 10.1).

Settlement Batching

Off-chain state changes are committed to Arc through batched settlement (Section 9.3 specifies the batch structure). Each batch is signed by the Settlement Submitter and validated by the on-chain Settlement contract against the invariants of the Margin Vault. A batch that would violate solvency for any account is rejected atomically; no partial application.