Protocol Design

Diffusal is a decentralized options exchange where the protocol bears zero counterparty risk. This is achieved through a fundamental invariant: every option is minted as a pair (long + short), and the sum of all longs equals the sum of all shorts system-wide.

Collateral Requirement for Short Positions

Short positions create obligations. Users holding short positions MUST maintain sufficient USDC collateral to cover their potential payout obligations, or they will be liquidated.

Short Position = Obligation to Pay

Position Type	Obligation	Max Loss	Collateral Required
Short Call	Pay max(0, spot - strike) at expiry	Unlimited (if spot → ∞)	Yes - must cover stressed scenarios
Short Put	Pay max(0, strike - spot) at expiry	Strike price (if spot → 0)	Yes - must cover stressed scenarios
Long Position	None (right to receive payout)	Premium paid (already spent)	No ongoing requirement

How Collateral Guarantees Settlement

The margin system ensures short holders always have USDC to pay longs. Consider a short put with strike = $3000:

At ETH $3000:$ 5,000 equity, healthy status, normal trading
At ETH $2700:$ 3,500 equity, healthy status, normal trading
At ETH $2400:$ 2,200 equity, warning zone
At ETH $2200:$ 1,800 equity, unhealthy status → liquidated
At ETH $1500: Would be insolvent, but never reached because already liquidated

Key insight: Liquidation happens at ~80% of initial margin, well before insolvency. By settlement time, all remaining short holders have sufficient collateral.

The Safety Layers

Layer	Protection
Initial Margin (IM)	User cannot open short without sufficient USDC collateral
Maintenance Margin (MM)	Liquidation triggers when equity falls below 80% of IM
Liquidation Penalty	1-2%+ buffer compensates for execution slippage
Insurance Fund	Covers any residual shortfall in extreme scenarios

What This Means in Practice

Opening a short: User must deposit USDC collateral ≥ Initial Margin
Holding a short: If the option moves against the user, equity decreases
Approaching danger: When equity < Maintenance Margin, liquidation triggers
Liquidation: Keeper closes position at penalized price, collateral covers the loss
At settlement: Only healthy short holders remain → all have USDC to pay

The protocol never allows an undercollateralized short position to reach settlement.

Core Invariant: Paired Option Minting

Options are always minted in pairs. Calling mint(seriesId, amount) creates +amount long options (right to receive payout if ITM) and +amount short options (obligation to pay if ITM).

System-wide invariant:

\forall \text{ seriesId}: \sum(\text{long positions}) + \sum(\text{short positions}) = 0

Since positions are signed integers (positive = long, negative = short), this invariant is maintained automatically.

Self-Cancellation Property

If a user holds both +N long and -N short of the same series:

At expiry, they owe themselves the payout
Net obligation = 0
Net exposure = 0

This enables free minting: Anyone can mint unlimited pairs because holding both sides creates zero net exposure.

Position Lifecycle

1. Minting (Creating New Options)

Any user can mint option pairs. In practice, this is primarily done by the Main Market Maker. When the MMM mints 100 pairs, they hold +100 long and -100 short, resulting in net exposure of 0 and zero collateral required (since positions cancel).

2. Trading (Transferring Risk)

When the MMM sells one side of their minted pair:

Example: MMM sells longs via RFQ

MMM mints 100 pairs → holds +100 long, -100 short → net: 0
MMM sells 100 longs to Buyer for premium → MMM now holds 0 long, -100 short (net: -100, short exposure); Buyer holds +100 long (net: +100, long exposure)
Premium flows: Buyer pays MMM

Example: Transferring short obligation

MMM holds -100 short (obligation)
MMM "sells" the short to Taker (pays Taker to take obligation) → MMM now holds 0 short (no obligation); Taker holds -100 short (has obligation)
Premium flows: MMM pays Taker (compensation for taking risk)

3. Settlement at Expiry

At expiry, for each series, if the option expires ITM (in-the-money), the payout per contract equals the intrinsic value. For each user: if position > 0 (long), user receives payout; if position < 0 (short), user pays |payout|.

Conservation of value:

\sum(\text{all user payouts}) = 0

What longs receive = what shorts pay. The protocol moves no funds of its own.

Pricing: Theoretical vs Market

There are two distinct pricing concepts in the protocol:

Mark Price (for Margin Calculations)

The mark price uses Black-Scholes as a theoretical reference for:

Calculating unrealized PnL
Determining margin requirements
Triggering liquidations
Computing stress scenarios

C = S \cdot N(d_1) - K \cdot e^{-rT} \cdot N(d_2)

where:

$d_1 = \frac{\ln(S/K) + (r + \sigma^2/2)T}{\sigma\sqrt{T}}$
$d_2 = d_1 - \sigma\sqrt{T}$

Trade Price (Actual Premium)

The trade price is what users actually pay—determined by market forces, not Black-Scholes:

Source	Price Determined By
Limit Orders	Price set by order maker
RFQ	Price quoted by Main Market Maker

Why Trade Prices Differ from Black-Scholes:

Factor	Impact
Bid-Ask Spread	MMs quote wider to profit
Supply/Demand	High demand → higher prices
MM Risk Premium	MMs add margin for taking risk
Inventory Management	MMs adjust quotes based on exposure

Example: If Black-Scholes theoretical price is $50.00, the MMM might quote an ask of$ 51.50 (selling price, includes spread) and a bid of $48.50 (buying price). The spread represents the MMM's profit margin.

Portfolio Margin System

Cross-Margin Architecture

Users do not collateralize individual positions. Instead, all positions share a single collateral pool with deposited USDC and multiple option positions across different series.

Portfolio Equity Calculation

\text{Portfolio Equity} = \text{Deposited Collateral} + \text{Unrealized PnL}

For long positions (size > 0):

\text{PnL} = (\text{current\_premium} - \text{entry\_premium}) \times \text{size}

For short positions (size < 0):

\text{PnL} = (\text{entry\_premium} - \text{current\_premium}) \times |\text{size}|

Stress Testing

We test the corners of the risk space (4 scenarios combining ±30% spot moves with ±50%/−30% IV changes) to find worst-case portfolio loss. See Margin System: Stress Scenarios for the complete scenario table and rationale.

Margin Thresholds

\text{Initial Margin (IM)} = \text{Stress Loss} + \text{Adverse PnL Buffer} + \text{Notional Buffer}

\text{Maintenance Margin (MM)} = \text{IM} \times 0.80

State	Condition
Healthy	Equity ≥ MM
Liquidatable	Equity < MM

See also: Margin System for detailed margin calculations and worked examples.

Liquidation Mechanics

Trigger

A user becomes liquidatable when:

\text{Portfolio Equity} < \text{Maintenance Margin}

This can happen to any user regardless of position type:

Long holders: Option values drop significantly
Short holders: Option values rise significantly
Mixed portfolios: Net losses exceed collateral buffer

Debt Calculation

\text{Debt} = \text{Initial Margin} - \text{Portfolio Equity}

If Debt > 0 and Equity < MM, the user is underwater and liquidation is triggered.

Process

Trigger: Keeper detects Equity < MM
Calculate: Determine debt and positions to close
Close Positions at penalized mark price: Long (size > 0) liquidator buys at mark × (1 - 1%); Short (size < 0) liquidator buys back at mark × (1 + 1%)
Settle: Proceeds applied to user's collateral, liquidator receives 5% bounty, and if shortfall, insurance fund covers

Mark Price Liquidation (No Orderbook/RFQ)

Liquidations use the mark price (Black-Scholes theoretical price) directly—they do not go through the orderbook or RFQ system. This ensures liquidations can always execute regardless of market liquidity.

Penalized pricing:

Position Type	Liquidation Price	Effect
Long (size > 0)	mark × (1 - penalty%)	Liquidator buys at discount, user receives less
Short (size < 0)	mark × (1 + penalty%)	Liquidator buys back obligation at premium, user pays more

Proceeds calculation:

For longs: Proceeds = size × mark × (1 - penalty)
For shorts: Proceeds = |size| × mark × (1 + penalty)

Volatility-Adjusted Liquidation Penalty

The liquidation penalty scales with implied volatility to properly incentivize liquidators during market stress. Higher IV means faster position movement and more liquidator risk, so higher penalties ensure liquidators remain incentivized during stress.

See Liquidation: Volatility-Adjusted Penalty for the penalty formula and rate table.

Partial vs Full Liquidation

The protocol supports partial liquidation to give users a chance to recover.

Key insight: Margin requirements use stressed scenarios (±30% spot, +50% IV), but liquidation executes at current mark prices. This means:

Selling positions at current mark barely reduces equity (just the penalty)
But it dramatically reduces the margin requirement (which was stress-based)
So partial liquidation often restores health without destroying the user

Liquidation Process:

Trigger: Equity < MM
First Attempt: Close 50% of positions (partial liquidation) — liquidator acquires 50% at penalized mark price, user's margin requirement drops significantly
Re-check: Is user now healthy? (Equity ≥ MM) — If yes, stop and user retains remaining 50%; if no, proceed to full liquidation (close remaining 50%)

After liquidation, the user retains any remaining equity and positions (if partial).

Liquidator Incentives

\text{Bounty} = \min(\text{Debt} \times 5\%, \text{Proceeds})

Liquidators receive:

1-2%+ profit on positions (via penalized mark price, scales with IV)
5% bounty on debt covered (from user's collateral)

Total profit = penalty (1-2%+) + 5% bounty

After liquidation, the liquidator owns the acquired positions and can:

Sell via limit orders on the orderbook
Sell via RFQ to the Main Market Maker
Hold the positions

This incentivizes keepers to monitor and liquidate promptly.

Insurance Fund

The insurance fund provides bad debt coverage, covering shortfall if liquidation proceeds are less than debt. It is funded by protocol fees and liquidation penalties.

When liquidation proceeds are insufficient to cover the debt (bad debt scenario):

\text{Shortfall} = \text{Debt} - \text{Proceeds}

The insurance fund covers this shortfall to prevent protocol insolvency.

See also: Liquidation for worked examples and penalty calculations.

Main Market Maker (MMM)

The Main Market Maker is a privileged, non-liquidatable entity that serves as the backbone of protocol liquidity.

Why MMM is Non-Liquidatable

The liquidation check must:

First check if the user is the MMM address
If yes, always return false (not liquidatable)
If no, proceed with normal margin checks (equity vs maintenance margin)

This means anyone can call the liquidation function on the MMM, but it will always be rejected.

MMM Responsibilities

Responsibility	Description
RFQ Response	Always respond to RFQ requests with quotes
On-Demand Minting	Mint pairs when filling RFQ orders
Risk Management	Offload shorts via limit orders when needed

RFQ Flow

User/Liquidator sends RFQ request to MMM
MMM checks inventory, calculates quote, mints if needed
MMM sends quote response back to user
User accepts quote
On-chain settlement: MMM mints pairs and sells longs, positions transferred, premium settled in USDC, both parties' portfolios updated

MMM Position Lifecycle Example

Day 1: Fresh MMM with no positions.

Trade 1: User buys 100 ETH-3500-CALL via RFQ. MMM mints 100 pairs (+100 long, -100 short), sells 100 longs, receives $5,000 premium. Portfolio: -100 short, +$ 5,000 cash.

Trade 2: Another user buys 50 ETH-3500-CALL via RFQ. MMM mints 50 pairs, sells 50 longs, receives $2,500 premium. Portfolio: -150 short, +$ 7,500 cash.

Trade 3: MMM offloads risk via limit order. MMM sells 80 shorts, pays $2,000 to takers. Portfolio: -70 short, +$ 5,500 cash.

At Expiry: ETH = $3,600 (options ITM by$ 100). MMM owes 70 × $100 =$ 7,000. MMM has $5,500 cash. MMM injects$ 1,500 additional capital (external, injected before expiry).

Settlement: MMM pays $7,000 to long holders. Protocol balanced: longs receive what shorts pay.

Why MMM Must Never Go Underwater

Critical: If MMM becomes insolvent, protocol breaks.

Failure Cascade:

MMM can't fulfill settlement obligations
Long holders can't get paid (MMM holds shorts)
RFQ stops working (MMM has no capital)
Bad debt accumulates across all users
Protocol insolvency

Prevention:

MMM operator continuously monitors portfolio
Rebalancing before risk thresholds hit
External capital injection if needed (insurance fund)

Trust Assumptions

Aspect	Trustless (Protocol-Enforced)	Trusted (Operational)
Position conservation	✓
User margin requirements	✓
User liquidation triggers	✓
Settlement calculations	✓
MMM solvency management		✓
MMM RFQ availability		✓
Oracle price feeds		✓

See also: RFQ Flow for detailed quote mechanics and Options Settlement for expiry settlement.

Risk Parameters

Parameter	Default	Description
`INITIAL_MARGIN_RATE`	15%	% of notional for IM buffer
`MAINTENANCE_MARGIN_RATE`	80%	MM as % of IM
`PARTIAL_LIQUIDATION_RATIO`	50%	% of positions to close in first liquidation attempt
`LIQUIDATION_PENALTY_BASE`	1%	Base price penalty on liquidation
`LIQUIDATION_PENALTY_IV_BASELINE`	50%	IV threshold for penalty scaling
`LIQUIDATOR_BOUNTY`	5%	% of debt paid to liquidator
`STRESS_SPOT_DOWN`	-30%	Spot down shock
`STRESS_SPOT_UP`	+30%	Spot up shock
`STRESS_IV_UP`	+50%	IV up shock
`STRESS_IV_DOWN`	-30%	IV down shock
`MAX_PRICE_AGE`	60s	Oracle staleness threshold

Protocol Fee System

The protocol collects fees on all trades to fund operations and the insurance fund. Fees are denominated in basis points (BPS) where 1 BPS = 0.01%.

Fee Types

Fee Type	Description	Can Be Negative?
Maker Fee	Charged to order creators (limit order makers)	Yes (rebates)
Taker Fee	Charged to order fillers (market takers)	No
RFQ Fee	Charged on RFQ trades with the MMM	No

Maker Rebates

The maker fee can be negative, creating a rebate system that incentivizes liquidity provision:

Positive makerFeeBps: Maker pays fee to protocol
Negative makerFeeBps: Protocol pays rebate to maker

Example with makerFeeBps = -5 (0.05% rebate), takerFeeBps = 10 (0.10%):
  Trade premium: $1,000
  Maker receives: $1,000 + $0.50 rebate = $1,000.50
  Taker pays: $1,000 + $1.00 fee = $1,001.00
  Protocol receives: $1.00 - $0.50 = $0.50 net

Fee Invariant

Maker rebates are possible, but takerFeeBps + makerFeeBps > 0 is enforced to ensure net positive protocol revenue. See Order Book: Fee Invariant for details.

Fee Calculation

For each trade:

\text{premium} = \frac{\text{price} \times \text{fillAmount}}{10^{18}}

\text{makerFee} = \frac{\text{premium} \times \text{makerFeeBps}}{10000}

\text{takerFee} = \frac{\text{premium} \times \text{takerFeeBps}}{10000}

Fee Flow

Taker Fee (always positive): Taker pays feeRecipient.

Maker Fee (can be negative): If positive, maker pays feeRecipient. If negative, feeRecipient pays maker (rebate).

Net Result: Protocol always receives positive net fees (guaranteed by the takerFee + makerFee > 0 invariant).

Fee Recipient

The feeRecipient address receives all collected fees. This is the address of the insurance fund contract.

Default Fee Parameters

Parameter	Default	Description
`makerFeeBps`	0	Maker fee in BPS (can be negative)
`takerFeeBps`	10	Taker fee in BPS (0.10%)
`rfqFeeBps`	10	RFQ fee in BPS (0.10%)

See also: Order Book and RFQ Flow for trading fee examples.

Security Invariants

Protocol-Level

Position Conservation: For every seriesId, sum of all positions = 0
No Protocol Obligation: Protocol never owes users from its own funds
Collateral Sufficiency: All healthy users have Equity ≥ MM
Settlement Balance: At expiry, payouts to longs = payments from shorts

User-Level

Position Updates: Only via trade execution or liquidation
Collateral Access: Withdrawable only if post-withdrawal Equity ≥ IM
Entry Premium: Weighted average, updated atomically with position

Summary

The Diffusal protocol achieves zero counterparty risk through:

Paired minting — Options always created as long + short pairs
Short positions require USDC collateral — Users holding shorts must maintain sufficient collateral or be liquidated
Portfolio margin — Users collateralize net exposure, not individual positions
Proactive liquidation — Positions closed before insolvency, guaranteeing USDC is available at settlement
Penalty pricing — Liquidated users pay a premium, incentivizing prompt liquidation
Insurance fund — Backstop for any remaining bad debt
MMM as backbone — Non-liquidatable entity ensures RFQ always available
Theoretical vs Market pricing — Black-Scholes for margin/liquidation, market forces for trading

Participant Summary

Regular Users: Trade via limit orders or RFQ; subject to margin requirements; liquidatable if equity < maintenance margin; pay/receive market prices (not Black-Scholes).

Third-Party Market Makers: Provide limit order liquidity; subject to same margin/liquidation rules; compete with MMM on pricing.

Main Market Maker (MMM): Receives all RFQ requests; mints pairs on-demand to fulfill orders; NOT liquidatable by protocol; managed operationally (external risk management); can offload shorts to other users.

Keepers: Monitor user health; execute liquidations; receive bounty for successful liquidations.

The Trust Model

Trustless (Protocol-Enforced):

Position conservation (longs = shorts)
User margin requirements
User liquidation triggers
Settlement calculations
Premium/collateral flows

Trusted (Operational):

MMM solvency management
MMM RFQ availability
Oracle price feeds (Pyth/Chainlink)

The protocol is purely administrative: track positions, enforce margins, coordinate liquidations. All value transfer happens between users (including MMM). The protocol itself holds no option positions and bears no payout obligations.

Contract Implementation

The protocol is implemented across several smart contracts:

Contract	Role
DiffusalOptionsQuoter	Black-Scholes pricing with Greeks
DiffusalOracle	Price feeds, volatility, and risk-free rate
DiffusalOptionsOrderBook	Limit order trading
DiffusalOptionsRFQ	Request-for-quote trading with MMM
DiffusalOptionsPositionManager	Position tracking and MMM management
DiffusalOptionsSeriesRegistry	Series lifecycle and settlement prices
DiffusalCollateralVault	Collateral deposits and margin enforcement
DiffusalLiquidationEngine	Liquidation mechanics
DiffusalSettlementEngine	Expiry settlement
DiffusalInsuranceFund	Fee collection and shortfall coverage
DiffusalPriceHistory	TWAP price snapshots

Margin System — Detailed margin calculations and stress testing
Liquidation — Liquidation mechanics and penalty calculations
Options Creation — Series creation via lazy registration
Options Settlement — TWAP settlement at expiry
Order Book — Limit order trading mechanics
RFQ Flow — Request-for-quote trading with MMM
Black-Scholes Model — Pricing formulas and Greeks
Margin Calculations — Mathematical stress testing formulas

Protocol Design

On this page