
Crossbook
Crossbook is a noncustodial hybrid decentralized exchange built around signed intents. A maker signs an EIP-712 order off-chain with no gas, the engine validates and crosses it in a pure, single-writer matching core, and a Solidity settlement contract independently rechecks the signature, expiry, fill accounting, and each maker's limit price before pulling and sending tokens in one atomic transaction. The contract never trusts the engine, so a buggy or malicious matcher can never move funds against a maker's signed limits. Funds stay in the maker's wallet behind a one-time ERC-20 allowance until execution, following the same signed-intent and allowance-pull model as CoW Protocol. The repo carries property tests, Foundry fuzz and invariant suites, a PoC-backed threat model, and a live dashboard that follows an order from signature to settlement.
GitHub Repository: https://github.com/frdrckj/crossbook
Features
- Signed, Gasless Intents: Makers sign EIP-712 orders off-chain and grant a one-time ERC-20 allowance; the contract pulls tokens only at execution, so the venue stays fully noncustodial.
- Pure Matching Core: A single-writer, deterministic price-then-time-priority matcher in Rust with no async, no I/O, and no clock. It rounds in the maker's favor, uses overflow-safe 512-bit price math, and runs the hot match path with zero heap allocation (asserted by a test), at about 165 nanoseconds per fill on an M4.
- EIP-712 Parity Gate: The Rust and Solidity order digests are proven byte-identical by a cross-language test that gates all settlement work.
- Settlement Contract: Re-verifies signatures, expiry, cumulative fills keyed by order hash, and each maker's limit price on-chain with a 512-bit cross-multiply, and requires every settlement to net to zero so it never holds inventory. It is hardened with a reentrancy guard, checks-effects-interactions, SafeERC20, owner pause, and solver rotation.
- Adversarial Test Suite: Foundry unit, fuzz, and invariant tests cover every revert path, fee-on-transfer tokens, a reentrancy proof of concept, and a zero-inventory invariant over thousands of random settlements, plus a PoC-backed threat model that maps each threat to the test that proves it.
- Engine Service: A Tokio service with a single-writer task, an Alloy chain client, a Postgres layer with compile-time-checked sqlx queries, an indexer that reads Trade events into Postgres and broadcasts them over WebSocket, and an axum REST and WebSocket API with a typed rejection reason per order, Prometheus metrics, and tracing.
- End-to-End and CI: A full end-to-end test deploys the contracts and tokens on Anvil, posts two crossing signed orders over HTTP, and asserts the batch settles on-chain, lands in Postgres, is broadcast, and swaps balances. CI runs three jobs: the Rust suite, the Foundry suite, and an integration job with Postgres and Anvil.
- Live Dashboard: A single page showing the order lifecycle (Sign, Match, Settle, Index, Feed), a live order book, and a trade tape. Sign and submit orders in the browser and watch them cross and settle in real time. The whole thing comes up with one command: just demo.
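The rechecks listed under Settlement Contract (expiry, cumulative fills per order, limit price by widened cross-multiply, net-to-zero), modelled in Rust as an added example; this is not Crossbook's code. Assumptions: the struct and field names are hypothetical, `id` stands in for the EIP-712 order hash, amounts are u128 with 256-bit products rather than the contract's 512-bit math, an order is treated as expired once `now > expiry`, and signature recovery is left out.

```rust
use std::collections::HashMap;

// Hypothetical order shape (assumption); `id` stands in for the EIP-712 order hash.
#[derive(Clone)]
pub struct Order { pub id: u64, pub sell_token: u8, pub buy_token: u8,
                   pub sell_amount: u128, pub buy_amount: u128, pub expiry: u64 }
pub struct Fill { pub order: Order, pub sold: u128, pub bought: u128 }

#[derive(Debug, PartialEq)]
pub enum Reject { Expired, Overfill, LimitPrice, NonZeroNet }

/// Full 256-bit product of two u128 values as (high, low); it cannot overflow.
fn mul_wide(a: u128, b: u128) -> (u128, u128) {
    const M: u128 = u64::MAX as u128;
    let (a1, a0, b1, b0) = (a >> 64, a & M, b >> 64, b & M);
    let (ll, lh, hl, hh) = (a0 * b0, a0 * b1, a1 * b0, a1 * b1);
    let mid = (ll >> 64) + (lh & M) + (hl & M);
    (hh + (lh >> 64) + (hl >> 64) + (mid >> 64), (mid << 64) | (ll & M))
}

/// Validates a batch; `filled` is updated only if every check passes.
pub fn check_settlement(fills: &[Fill], filled: &mut HashMap<u64, u128>, now: u64)
    -> Result<(), Reject> {
    let mut staged = filled.clone();
    let mut net: HashMap<u8, (u128, u128)> = HashMap::new(); // token -> (pulled, sent)
    for f in fills {
        let o = &f.order;
        if now > o.expiry { return Err(Reject::Expired); }
        // Cumulative fill accounting: total sold may never exceed the signed amount.
        let done = staged.entry(o.id).or_insert(0);
        *done = done.checked_add(f.sold).filter(|d| *d <= o.sell_amount)
            .ok_or(Reject::Overfill)?;
        // Limit price: bought/sold >= buy_amount/sell_amount, compared without division.
        if mul_wide(f.bought, o.sell_amount) < mul_wide(f.sold, o.buy_amount) {
            return Err(Reject::LimitPrice);
        }
        let pulled = net.entry(o.sell_token).or_default();
        pulled.0 = pulled.0.checked_add(f.sold).ok_or(Reject::NonZeroNet)?;
        let sent = net.entry(o.buy_token).or_default();
        sent.1 = sent.1.checked_add(f.bought).ok_or(Reject::NonZeroNet)?;
    }
    // Zero inventory: for each token, what is pulled in must equal what is sent out.
    if net.values().any(|(i, o)| i != o) { return Err(Reject::NonZeroNet); }
    *filled = staged;
    Ok(())
}

fn main() { // Constructed sample: two crossing orders that net to zero.
    let a = Order { id: 1, sell_token: 0, buy_token: 1, sell_amount: 100, buy_amount: 200, expiry: 9 };
    let b = Order { id: 2, sell_token: 1, buy_token: 0, sell_amount: 200, buy_amount: 100, expiry: 9 };
    let fills = [Fill { order: a, sold: 100, bought: 200 }, Fill { order: b, sold: 200, bought: 100 }];
    println!("{:?}", check_settlement(&fills, &mut HashMap::new(), 5));
}
```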
Stack
• Matching Core & Client
- Rust - The matching core, engine, and CLI.
- Alloy - Ethereum types, signing, providers, and EIP-712 hashing (not the deprecated ethers-rs).
- proptest / criterion - Property tests and benchmarks for the matching core.
• Contracts
- Solidity - 0.8.x settlement contract and order library.
- Foundry - Build, fuzz, and invariant testing, plus the Anvil dev chain.
- OpenZeppelin - ECDSA, EIP712, ReentrancyGuard, SafeERC20, Ownable, and Pausable.
• Engine
- Tokio - Async runtime and the single-writer task.
- axum - REST and WebSocket API.
- sqlx - Compile-time-checked queries over PostgreSQL.
- metrics / tracing - Prometheus metrics and structured tracing.
• Demo Dashboard
- viem - In-browser EIP-712 signing.
- A single static HTML page served by the engine, with no build step.