Protocol Design

Diffusal is a decentralized options exchange where the protocol bears zero counterparty risk. This is achieved through a fundamental invariant: every option is created as a pair (long + short), and the sum of all longs equals the sum of all shorts system-wide.

Four-Instrument Model

Every trade creates four distinct positions, created in pairs:

Position Type	Balance Sign	Settlement Direction
Option Long	optionBalance > 0	RECEIVES intrinsic value
Option Short	optionBalance < 0	PAYS intrinsic value
Premium Receiver	premiumBalance > 0	RECEIVES premium at settlement
Premium Payer	premiumBalance < 0	PAYS premium at settlement

Paired Creation:

Option pair: Long (+) for buyer, Short (-) for seller
Premium pair: Payer (-) for buyer, Receiver (+) for seller

This structure enables capital efficiency: a long call can offset some risk from a short put, and premium receivables offset premium obligations. It also ensures conservation: the sum of all positions is always zero.

Margin Requirements by Instrument Type

The four-instrument model separates option positions from premium positions. Each has distinct margin implications:

Option Short = Obligation to Pay Intrinsic

Position Type	Obligation	Max Loss	Margin Required
Short Call	Pay max(0, spot - strike) at expiry	Unlimited (if spot → ∞)	Yes - equity must cover stressed scenarios
Short Put	Pay max(0, strike - spot) at expiry	Strike price (if spot → 0)	Yes - equity must cover stressed scenarios

Short positions create obligations. Users holding short options MUST maintain sufficient equity to cover their potential payout obligations, or they will be liquidated.

Option Long = Right to Receive Intrinsic

Position Type	Settlement	Max Gain	Margin Required
Long Call	Receive max(0, spot - strike) at expiry	Unlimited (if spot → ∞)	No - only receives
Long Put	Receive max(0, strike - spot) at expiry	Strike price (if spot → 0)	No - only receives

Long positions have no obligations. They only receive intrinsic value if ITM at expiry. An OTM long simply receives nothing.

Premium Positions (Separate Instruments)

Position Type	Settlement	Effect	Margin Required
Premium Payer (premiumBalance < 0)	Pay premium at expiry	Fixed obligation	No - reflected in equity, not margin
Premium Receiver (premiumBalance > 0)	Receive premium at expiry	Fixed receivable	No - only receives

Premium positions are separate from option positions. A typical buyer holds BOTH an option long AND a premium payer position, but these are distinct instruments. Premium is already reflected in equity (reducing equity when negative), so it's not separately added to margin.

How Margin and Liquidation Incentives Guarantee Settlement

The margin system ensures short holders maintain sufficient equity. When they don't, liquidators are incentivized to close their positions before they become deeply underwater. Consider a short put with strike = $3000:

At ETH $3000: $5,000 equity, healthy status, normal trading
At ETH $2700: $3,500 equity, healthy status, normal trading
At ETH $2400: $2,200 equity, warning zone
At ETH $2200: $1,800 equity, unhealthy status → liquidated
At ETH $1500: Would be insolvent, but never reached because already liquidated

Key insight: Liquidation triggers at 80% of initial margin, well before insolvency. Liquidators are incentivized with penalty profits (1-2%+) and bounties (5% of debt) to close undercollateralized positions promptly. This economic incentive ensures positions are closed before they become deeply underwater.

The Safety Layers

Layer	Protection
Initial Margin (IM)	User's post-trade equity must exceed margin requirements
Maintenance Margin (MM)	Liquidation triggers when equity falls below 80% of IM
Liquidation Penalty	1-2%+ penalty rewards liquidators for taking on risk and acting promptly
Insurance Fund	Covers any residual shortfall in extreme scenarios

What This Means in Practice

Opening a short: User's post-trade equity must exceed initial margin (can be funded by profitable longs)
Holding a short: If the option moves against the user, equity decreases
Approaching danger: When equity < Maintenance Margin, liquidation triggers
Liquidation: Liquidators close positions at penalized price, earning penalty profits + bounty
At settlement: Only healthy short holders remain → all have funds to pay

Liquidators are economically incentivized to close undercollateralized positions before settlement. The protocol creates the rules; liquidators enforce them through economic incentives.

Settlement Readiness: Ensuring Cash Before Expiry

There's an important distinction between equity (used for ongoing margin) and cash (needed for settlement):

Equity = Deposit + Option Value + Premium Balance (includes paper profits)
Cash = Deposited USDC only

A user can have high equity from profitable long positions but minimal actual cash. When their positions expire, they need actual cash to pay obligations—paper profits won't settle the bill.

Example Problem:

Item	Value
Deposited USDC	$2,000
Long calls (paper value, non-expiring)	+$50,000
Short puts expiring tomorrow (ITM)	-$10,000 worst-case obligation
Premium balance (payer, expiring tomorrow)	-$3,000 obligation
Portfolio Equity	$39,000 (looks healthy!)

The margin system sees a healthy portfolio (equity >> MM). But at settlement, the user needs $13,000 cash ($10,000 intrinsic + $3,000 premium) but only has $2,000.

Solution: Settlement Readiness Liquidation

One day before expiry, the protocol checks if users with expiring obligations have enough deposited cash to cover their worst-case settlement amounts. If not, liquidators are incentivized to acquire the user's liquidatable assets to raise cash using a waterfall approach:

Trigger: Positions expiring within 1 day with net obligations AND deposited cash < worst-case obligation
Waterfall Action:
- Step 1: Liquidate non-expiring LONG option positions at penalized mark price
- Step 2: If shortfall remains, liquidate premium receivables at a discount (default 5%, max 20%)
Result: User's paper profits convert to actual cash for settlement
Incentive: Liquidators earn penalty discount + 5% bounty on cash shortfall

Key constraints:

Long positions liquidated first — highest-value positions first to efficiently raise cash
Premium receivables liquidated second — deterministic value at discount rate
Only LONG option positions can be liquidated (shorts are obligations, not value)
Only non-expiring positions can be liquidated (expiring positions must settle)

This ensures that by settlement time, users with obligations have actual USDC to pay.

See also: Liquidation - Settlement Readiness for detailed mechanics.

Core Invariants: Option and Premium Conservation

Option Balance Conservation

Options are always created in pairs. Every trade creates +amount long options (right to receive intrinsic value if ITM) for the buyer and +amount short options (obligation to pay intrinsic value if ITM) for the seller.

System-wide invariant:

\forall \text{ seriesId}: \sum(\text{optionBalance}) = 0

Since option balances are signed integers (positive = long, negative = short), this invariant is maintained automatically.

Premium Balance Conservation

Premium obligations and receivables are always created in pairs. When a trade executes at price P for size S:

Buyer: premiumBalance -= P × S (obligation to pay at settlement)
Seller: premiumBalance += P × S (receivable at settlement)

System-wide invariant:

\forall \text{ seriesId}: \sum(\text{premiumBalance}) = 0

What one party owes, another party is owed. The system is always zero-sum.

Self-Cancellation Property

If a user holds both +N long and -N short of the same series:

At expiry, intrinsic payouts cancel (they owe themselves)
Premium balances also cancel (obligation = receivable)
Net settlement = 0
Net exposure = 0

This enables free creation: Anyone can create unlimited pairs because holding both sides creates zero net exposure.

Position Lifecycle

1. Creating New Options

Any user can create option pairs. In practice, this is primarily done by the Main Market Maker. When the MMM creates 100 pairs, they hold +100 long and -100 short, resulting in net exposure of 0 and zero collateral required (since positions cancel).

2. Trading (Deferred Settlement Model)

When a trade executes, no premium is exchanged (only fees). Instead:

Option balances are updated
Premium obligations/receivables are recorded
All cash flows happen at settlement

Key insight: Each trade ADDS to the user's premium balance. When closing at a better price, profit is locked in as a positive premium balance receivable.

See also: MMM Position Lifecycle Example for a complete walkthrough of trading, closing positions, and settlement.

3. Settlement at Expiry (Net Settlement Model)

At expiry, settlement combines intrinsic value AND premium balance in a single event:

\text{netSettlement} = (\text{intrinsic} \times \text{optionBalance}) + \text{premiumBalance}

If netSettlement > 0: party receives funds
If netSettlement < 0: party pays funds

Key insight: The net settlement combines option and premium settlements (two separate instruments):

Option Long (ITM): receives intrinsic payout (Option Long has no obligations)
Option Long (OTM): receives nothing (Option Long still has no obligations)
Option Short (ITM): pays intrinsic obligation
Option Short (OTM): pays nothing
Premium Payer: pays fixed premium (separate from option position)
Premium Receiver: receives fixed premium (separate from option position)
Net result: User pays or receives based on combined option + premium settlements

Conservation of value:

\sum(\text{all netSettlements}) = 0

What one party pays, another receives. The protocol moves no funds of its own.

4. Closing Positions (Trading Out)

A user can close their option balance by trading out on the orderbook. Key insight: Closing a position does NOT trigger settlement. It:

Sets optionBalance → 0
Accumulates the closing trade into premiumBalance

The closed position's premium balance is settled at expiry along with everyone else.

5. Closing Positions (Pair Netting)

Users can close positions by acquiring the opposite side of the same option series. This is the mechanism for removing positions from your portfolio entirely.

How it works:

To Close	Action	Result
Short position	Buy a long of the same series	Net long + short together
Long position	Sell (acquire a short) of the same series	Net long + short together

Key constraint: Positions must be netted in equal amounts. You cannot net 2 longs with 1 short—each long cancels exactly one short.

Example: You hold -50 short ETH-3500-CALL. To close:

Buy 50 longs of ETH-3500-CALL on the orderbook or via RFQ
Your optionBalance changes: -50 (short) + 50 (long) = 0
Premium balances from both trades remain and settle at expiry

What happens to premium balances:

When you buy the long, you incur a premium obligation (premiumBalance decreases)
The original short sale gave you a premium receivable (premiumBalance increased)
Your net premiumBalance (original receivable + new obligation) settles at expiry
If you closed profitably (bought cheaper than you sold), you receive the difference at settlement

This mechanism, combined with the Self-Cancellation Property, ensures positions can always be exited as long as counterparty liquidity exists.

Pricing: Theoretical vs Market

There are two distinct pricing concepts in the protocol:

Mark Price (for Margin Calculations)

The mark price uses Black-Scholes as a theoretical reference for:

Calculating unrealized PnL
Determining margin requirements
Triggering liquidations
Computing stress scenarios

C = S \cdot N(d_1) - K \cdot e^{-rT} \cdot N(d_2)

where:

$d_1 = \frac{\ln(S/K) + (r + \sigma^2/2)T}{\sigma\sqrt{T}}$
$d_2 = d_1 - \sigma\sqrt{T}$

Trade Price (Actual Premium)

The trade price is what users actually pay—determined by market forces, not Black-Scholes:

Source	Price Determined By
Limit Orders	Price set by order maker
RFQ	Price quoted by Main Market Maker

Why Trade Prices Differ from Black-Scholes:

Factor	Impact
Bid-Ask Spread	MMs quote wider to profit
Supply/Demand	High demand → higher prices
MM Risk Premium	MMs add margin for taking risk
Inventory Management	MMs adjust quotes based on exposure

Example: If Black-Scholes theoretical price is $50.00, the MMM might quote an ask of $51.50 (selling price, includes spread) and a bid of $48.50 (buying price). The spread represents the MMM's profit margin.

Portfolio Margin System

Cross-Margin Architecture

Users do not collateralize individual positions. Instead, all positions share a single collateral pool with deposited USDC and multiple option positions across different series. Using the four-instrument model, this enables capital efficiency through position netting.

Portfolio Equity Calculation

\text{Portfolio Equity} = \text{Deposited Collateral} + \text{Option Value} + \text{Premium Balance}

Option Value:

\text{Option Value} = \sum(\text{current\_mark} \times \text{optionBalance})

Positive if long (optionBalance > 0)
Negative if short (optionBalance < 0)

Premium Balance (obligation/receivable):

premiumBalance > 0 → user is OWED at settlement (increases equity)
premiumBalance < 0 → user OWES at settlement (decreases equity)

Key insight: At trade time (when mark ≈ trade price), equity doesn't change because option value and premium balance offset. As mark moves, equity changes.

Stress Testing

We test the corners of the risk space (4 scenarios combining ±30% spot moves with ±50%/−30% IV changes) to find worst-case portfolio loss. Only option positions are stressed; premium balances are deterministic.

Scenario	Spot	IV	Primary Risk For
1	-30%	+50%	Short puts
2	-30%	-30%	Long calls
3	+30%	+50%	Short calls
4	+30%	-30%	Long puts

See also: Margin System: Stress Scenarios for detailed scenario analysis.

Margin Thresholds

\text{Initial Margin (IM)} = \text{Stress Loss} + \text{Adverse PnL Buffer} + \text{Notional Buffer}

where:

Stress Loss = Maximum option loss across all 4 stress scenarios
Adverse PnL Buffer = Stress Loss × 0.05
Notional Buffer = Total Notional × 15%

Key insight: Premium balance is NOT included in margin—it's already reflected in equity. Premium obligations are deterministic (fixed at trade time), and negative premium already reduces equity. Only option positions are stressed.

\text{Maintenance Margin (MM)} = \text{IM} \times 0.80

State	Condition
Healthy	Equity ≥ MM
Liquidatable	Equity < MM

See also: Margin System for detailed margin calculations and worked examples.

Open Interest Tracking

Open Interest (OI) is tracked at the pair level (not per-series) to manage aggregate protocol exposure.

Key Concepts

Separate Buckets: Calls and puts tracked independently per pair
Long Positions Only: Only positive option balances count toward OI
Conservation Law: Long OI = Short OI (every long has a counterparty short)
Configurable Caps: Owner can set max OI per pair (0 = unlimited)

OI Caps

Caps prevent unbounded exposure from P2P trading:

Cap	Effect
`maxCallOI = 0`	Unlimited call OI
`maxCallOI = 1000e18`	Max 1000 call contracts
Trade exceeds cap	Reverts with `OpenInterestCapExceeded`

Integration

User executes trade via OrderBook/RFQ
PositionManager updates user position
PositionManager calls seriesRegistry.updateOpenInterest(pairId, isCall, delta)
SeriesRegistry validates cap and updates aggregate OI
Emits OpenInterestUpdated(pairId, isCall, oldOI, newOI)

See also: DiffusalOptionsSeriesRegistry for implementation details.

Liquidation Mechanics

Trigger

A user becomes liquidatable when:

\text{Portfolio Equity} < \text{Maintenance Margin}

This can happen to any user regardless of position type:

Long holders: Option values drop significantly
Short holders: Option values rise significantly
Mixed portfolios: Net losses exceed collateral buffer

Debt Calculation

\text{Debt} = \text{Initial Margin} - \text{Portfolio Equity}

If Debt > 0 and Equity < MM, the user is underwater and liquidation is triggered.

Process

Trigger: Keeper detects Equity < MM
Calculate: Determine debt and positions to close
Transfer Positions at penalized mark price:
- Long positions: Liquidator pays user at mark × (1 - penalty%) and acquires the position
- Short positions: User pays liquidator at mark × (1 + penalty%) to transfer the obligation
Pay Bounty: Liquidator receives 5% of debt (insurance fund covers any shortfall)

Mark Price Liquidation (No Orderbook/RFQ)

Liquidations use the mark price (Black-Scholes theoretical price) directly—they do not go through the orderbook or RFQ system. This ensures liquidations can always execute regardless of market liquidity.

Position transfer model:

Position Type	Cash Flow	Effect
Long (optionBalance > 0)	Liquidator → User: mark × (1 - penalty%)	Liquidator acquires position at discount
Short (optionBalance < 0)	User → Liquidator: mark × (1 + penalty%)	Liquidator takes obligation for premium

Cash flows:

For longs: Liquidator pays = size × mark × (1 - penalty) (user receives cash)
For shorts: User pays = |size| × mark × (1 + penalty) (liquidator receives cash for taking obligation)

Volatility-Adjusted Liquidation Penalty

The liquidation penalty scales with implied volatility to properly incentivize liquidators during market stress. Higher IV means faster position movement and more liquidator risk, so higher penalties ensure liquidators remain incentivized during stress.

See Liquidation: Volatility-Adjusted Penalty for the penalty formula and rate table.

Partial vs Full Liquidation

The protocol supports partial liquidation to give users a chance to recover.

Key insight: Margin requirements use stressed scenarios (±30% spot, +50% IV), but liquidation executes at current mark prices. This means:

Transferring positions at current mark barely reduces equity (just the penalty)
But it dramatically reduces the margin requirement (which was stress-based)
So partial liquidation often restores health without destroying the user

Position Selection: Positions are sorted by expiry (longest-dated first) to prioritize positions furthest from expiry (most liquid, easiest for liquidators to hedge).

Notional-Based Liquidation:

\text{Target Notional} = \text{Total Notional} \times \frac{\text{Debt}}{\text{Initial Margin}}

The protocol supports partial position liquidation — a single position can be partially liquidated to hit the exact target notional (e.g., 4.9 of 10 contracts). This is more capital-efficient than rounding up to whole positions.

Process:

Trigger: Equity < MM
Sort: Order positions by expiry (longest-dated first)
First Attempt: Liquidate positions until target notional is reached, starting from longest-dated. Supports partial liquidation within a single position.
Re-check: Is user now healthy? (Equity ≥ MM) — If yes, stop and user retains remaining positions; if no, proceed to full liquidation (close all remaining positions)

After liquidation, the user retains any remaining equity and positions (if partial).

Liquidator Incentives

\text{Bounty} = \text{Debt} \times 5\%

The bounty is always paid to incentivize liquidators:

First drawn from user's collateral (after position transfers)
Any shortfall is covered by the insurance fund

Liquidators receive:

1-2%+ profit on positions (via penalized mark price, scales with IV)
5% bounty on debt (guaranteed by insurance fund)

Total profit = penalty profit + bounty

After liquidation, the liquidator owns the acquired positions and can:

Sell via limit orders on the orderbook
Sell via RFQ to the Main Market Maker
Hold the positions

Important: Liquidators must have deposited collateral and remain healthy (Equity ≥ MM) after acquiring positions.

This incentivizes keepers to monitor and liquidate promptly.

Insurance Fund

The insurance fund provides two types of coverage:

Bounty Guarantee: The 5% bounty is always paid to liquidators (insurance covers any shortfall)
Bad Debt Coverage: When user equity is still negative after all transfers

\text{Bad Debt} = \max(0, -\text{User Equity after transfers})

The insurance fund is funded by protocol trading fees and covers shortfalls to prevent protocol insolvency.

See also: Liquidation for worked examples and penalty calculations.

Main Market Maker (MMM)

The Main Market Maker is a privileged, non-liquidatable entity that serves as the backbone of protocol liquidity.

Why MMM is Non-Liquidatable

The liquidation check must:

First check if the user is the MMM address
If yes, always return false (not liquidatable)
If no, proceed with normal margin checks (equity vs maintenance margin)

This means even if an approved liquidator attempts to liquidate the MMM, it will always be rejected.

MMM Responsibilities

Responsibility	Description
RFQ Response	Always respond to RFQ requests with quotes
On-Demand Creation	Create pairs when filling RFQ orders
Risk Management	Offload shorts via limit orders when needed

RFQ Flow

User/Liquidator sends RFQ request to MMM
MMM checks inventory, calculates quote, creates pairs if needed
MMM sends quote response back to user
User accepts quote
On-chain execution: MMM creates pairs, option balances and premium balances updated (no premium exchange; only fees)

MMM Position Lifecycle Example

The following diagram illustrates how positions flow between participants as trades execute:

┌───────────────────────────────────────────────────────────────────────┐
│                           Participants                                │
├─────────────┬─────────────┬─────────────┬─────────────┬───────────────┤
│     MMM     │    Alice    │     Bob     │    Carol    │     Dave      │
│   (Market   │             │             │             │               │
│    Maker)   │             │             │             │               │
└──────┬──────┴──────┬──────┴──────┬──────┴──────┬──────┴───────────────┘
       │             │             │             │
       │ Trade 1     │             │             │
       │ 100 longs   │             │             │
       │ @ $50       │             │             │
       ├────────────►│             │             │
       │             │             │             │
       │ Trade 2     │             │             │
       │ 50 longs    │             │             │
       │ @ $50       │             │             │
       ├─────────────┼────────────►│             │
       │             │             │             │
       │             │ Trade 3     │             │
       │             │ 100 longs   │             │
       │             │ @ $70       │             │
       │             ├─────────────┼────────────►│
       │             │             │             │
       │ Trade 4     │             │             │
       │ 80 shorts   │             │             │
       │ @ $25       │             │             │
       ├─────────────┼─────────────┼─────────────┼───────────► Dave
       │             │             │             │

Day 1: Fresh MMM with no positions and $50,000 USDC deposited.

Trade 1: Alice buys 100 ETH-3500-CALL via RFQ at $50/contract.

MMM creates 100 pairs (+100 long, -100 short), transfers 100 longs to Alice
Alice: optionBalance = +100, premiumBalance = -$5,000 (owes at settlement)
MMM: optionBalance = -100, premiumBalance = +$5,000 (owed at settlement)

Trade 2: Bob buys 50 ETH-3500-CALL via RFQ at $50/contract.

MMM creates 50 pairs, transfers 50 longs to Bob
Bob: optionBalance = +50, premiumBalance = -$2,500
MMM: optionBalance = -150, premiumBalance = +$7,500

Trade 3: Price rises. Alice closes by selling 100 longs to Carol at $70/contract.

Alice: optionBalance = 0 (closed), premiumBalance = -$5,000 + $7,000 = +$2,000 (locked profit)
Carol: optionBalance = +100, premiumBalance = -$7,000

Trade 4: MMM offloads risk via limit order at $25/contract. Dave buys 80 shorts from MMM.

Dave: optionBalance = -80, premiumBalance = +$2,000 (receive at settlement)
MMM: optionBalance = -70, premiumBalance = +$7,500 - $2,000 = +$5,500

At Expiry: ETH = $3,600 (options ITM, intrinsic = $100).

Party	optionBalance	premiumBalance	netSettlement
Alice (closed)	0	+$2,000	+$2,000 (profit)
Bob (50 long)	+50	-$2,500	($100×50) - $2,500 = +$2,500
Carol (100 long)	+100	-$7,000	($100×100) - $7,000 = +$3,000
Dave (80 short)	-80	+$2,000	($100×-80) + $2,000 = -$6,000
MMM (70 short)	-70	+$5,500	($100×-70) + $5,500 = -$1,500
Total	0	0	0

Key insights:

Alice locked in $2,000 profit by closing at a higher price (premium accumulation)
Net settlements sum to zero (conservation)
Closed positions settle via premium balance only (no intrinsic exposure)

Why MMM Must Never Go Underwater

Critical: If MMM becomes insolvent, protocol breaks.

Failure Cascade:

MMM can't fulfill settlement obligations
Long holders can't get paid (MMM holds shorts)
RFQ stops working (MMM has no capital)
Bad debt accumulates across all users
Protocol insolvency

Prevention:

MMM operator continuously monitors portfolio
Rebalancing before risk thresholds hit
External capital injection if needed (insurance fund)

Trust Assumptions

Aspect	Trustless (Protocol-Enforced)	Trusted (Operational)
Position conservation	✓
User margin requirements	✓
User liquidation triggers	✓
Settlement calculations	✓
MMM solvency management		✓
MMM RFQ availability		✓
Oracle price feeds		✓

See also: RFQ Flow for detailed quote mechanics and Options Settlement for expiry settlement.

Risk Parameters

Parameter	Default	Description
`INITIAL_MARGIN_RATE`	15%	% of option notional for Notional Buffer
`MAINTENANCE_MARGIN_RATE`	80%	MM as % of IM
`ADVERSE_PNL_BUFFER`	0.05	Buffer rate on stress loss
`PARTIAL_LIQUIDATION_RATIO`	debt/IM	Proportional fraction of positions to close in first liquidation attempt
`LIQUIDATION_PENALTY_BASE`	1%	Base price penalty on liquidation
`LIQUIDATION_PENALTY_IV_BASELINE`	50%	IV threshold for penalty scaling
`LIQUIDATOR_BOUNTY`	5%	% of debt paid to liquidator
`SETTLEMENT_READINESS_WINDOW`	1 day	Time before expiry for settlement readiness checks
`STRESS_SPOT_DOWN`	-30%	Spot down shock
`STRESS_SPOT_UP`	+30%	Spot up shock
`STRESS_IV_UP`	+50%	IV up shock
`STRESS_IV_DOWN`	-30%	IV down shock
`MAX_PRICE_AGE`	60s	Oracle staleness threshold

Protocol Fee System

Trading fees fund the insurance fund and incentivize liquidity provision through maker rebates. Fees are collected on all trades executed through the order book and RFQ system.

See Fee Structure for fee types, calculations, and examples.

Security Invariants

Protocol-Level

Option Balance Conservation: For every seriesId, sum of all optionBalance = 0
Premium Balance Conservation: For every seriesId, sum of all premiumBalance = 0
No Protocol Obligation: Protocol never owes users from its own funds
Collateral Sufficiency: All healthy users have Equity ≥ MM
Settlement Balance: At expiry, sum of all netSettlements = 0

User-Level

Position Updates: Only via trade execution, liquidation, or settlement
Collateral Access: Withdrawable only if post-withdrawal Equity ≥ IM
Premium Accumulation: Premium balance updated atomically with option balance on each trade

Summary

The Diffusal protocol achieves zero counterparty risk through:

Paired creation — Options always created as long + short pairs; premium as payer + receiver pairs
Deferred settlement — Only fees exchanged at trade time; premium settles at expiry
Four-instrument model — Option long, option short, premium payer, premium receiver
Premium accumulation — Users set their own prices; profit locks in via premium balance
Portfolio margin — Users collateralize net exposure, not individual positions
Incentive-driven liquidation — Liquidators are rewarded with penalty profits + bounties to close undercollateralized positions
Settlement readiness — Pre-settlement check ensures users have actual cash before expiry (waterfall: non-expiring LONG option positions first, then premium receivables)
Insurance fund — Backstop for any remaining bad debt
MMM as backbone — Non-liquidatable entity ensures RFQ always available
Theoretical vs Market pricing — Black-Scholes for margin/liquidation, market forces for trading

Participant Summary

Regular Users: Trade via limit orders or RFQ; subject to margin requirements; liquidatable if equity < maintenance margin; pay/receive market prices (not Black-Scholes).

Third-Party Market Makers: Provide limit order liquidity; subject to same margin/liquidation rules; compete with MMM on pricing.

Main Market Maker (MMM): Receives all RFQ requests; creates pairs on-demand to fulfill orders; NOT liquidatable by protocol; managed operationally (external risk management); can offload shorts to other users.

Keepers: Monitor user health; execute liquidations; receive bounty for successful liquidations.

The Trust Model

Trustless (Protocol-Enforced):

Option balance conservation (longs = shorts)
Premium balance conservation (payers = receivers)
User margin requirements
User liquidation triggers
Settlement calculations (net settlements sum to zero)
Collateral flows via vault

Trusted (Operational):

MMM solvency management
MMM RFQ availability
Oracle price feeds (Pyth/Chainlink)

The protocol is purely administrative: track positions, enforce margins, coordinate liquidations. All value transfer happens between users (including MMM). The protocol itself holds no option positions and bears no payout obligations.

Contract Implementation

The protocol is implemented across several smart contracts:

Contract	Role
DiffusalOptionsQuoter	Black-Scholes pricing with Greeks
DiffusalOracle	Price feeds, volatility, and risk-free rate
DiffusalOptionsOrderBook	Limit order trading
DiffusalOptionsRFQ	Request-for-quote trading with MMM
DiffusalOptionsPositionManager	Position tracking and MMM management
DiffusalOptionsSeriesRegistry	Series lifecycle and settlement prices
DiffusalCollateralVault	Collateral deposits and margin enforcement
DiffusalLiquidationEngine	Liquidation mechanics
DiffusalSettlementEngine	Expiry settlement
DiffusalInsuranceFund	Fee collection and shortfall coverage
DiffusalPriceHistory	TWAP price snapshots

Protocol Documentation

Margin System — Detailed margin calculations and stress testing
Liquidation — Liquidation mechanics and penalty calculations
Options Creation — Series creation via lazy registration
Options Settlement — TWAP settlement at expiry
Order Book — Limit order trading mechanics
RFQ Flow — Request-for-quote trading with MMM

Math Documentation

Black-Scholes Model — Pricing formulas and Greeks
Margin Calculations — Mathematical stress testing formulas

Contract Documentation

DiffusalOptionsQuoter — Main pricing entry point
DiffusalOracle — Unified oracle for price and volatility
DiffusalOptionsPositionManager — Position tracking and MMM management
DiffusalCollateralVault — Collateral deposits and margin enforcement

Protocol Design

On this page