Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Running an offer auction

audience: operators

Offer is the sealed-bid auction organism. It admits searcher bids over the slot’s UnsealedPool content, runs a threshold- encrypted auction inside its own state machine, and commits one AuctionOutcome per slot.

Role in the lattice

Offer subscribes to unseal::UnsealedPool to know when a slot’s order flow is ready for bidding, accepts sealed bids on its Bid<Bundle> stream during the auction window, and commits the winning bundle to AuctionOutcome before the atelier organism picks up the pool for building.

Committee sizing

Majority-honest trust model. A majority of committee members can commit a wrong winner; bid confidentiality is threshold- protected by a separate DKG (the offer DKG) from unseal’s.

Recommended sizes:

  • 3 members for development / testnet lattices.
  • 5 members for production.

Changing size after deployment changes the offer fingerprint; retire-and-replace, not in-place.

Hardware

  • Modest cloud. 2 vCPU / 4 GiB RAM per committee member is enough.
  • TDX optional in v1; a TDX-gated variant lands when the lattice’s threat model requires it.
  • Stable peer identity per member.

systemd unit example

# /etc/builder/offer-member.env
LATTICE_INSTANCE=acme.ethereum.mainnet
LATTICE_CHAIN_ID=1
LATTICE_CONFIG_HEX=7f3a9b1c...

OFFER_COMMITTEE_SECRET_FILE=/etc/builder/secrets/acme.ethereum.mainnet.offer.secret
OFFER_SHARE_SECRET_FILE=/etc/builder/secrets/acme.ethereum.mainnet.offer.member-02.share
OFFER_SECRET_FILE=/etc/builder/secrets/acme.ethereum.mainnet.offer.member-02.peer

# Auction window size — soft ceiling before the organism closes
# the auction regardless of outstanding bids.
OFFER_AUCTION_WINDOW_MS=800

OFFER_AUCTION_WINDOW_MS is a per-lattice parameter pinned in the offer::Config. Changing it changes the fingerprint.

Searcher admission

Searchers write to Bid<Bundle> via a ticket. Three options:

  • Open permissionless: any peer on the universe can bid. Not recommended for production — expose the lattice to trivial bid spam.
  • JWT-gated: issue JWTs out of band to onboarded searchers; the ticket validator pins the issuer key. Standard mosaik ticket shape.
  • TDX-gated: require attested searchers only. Rarely appropriate for offer (searchers are usually trusted under a commercial agreement rather than technically attested).

The choice folds into the offer::Config.acl field and into the fingerprint.

What this organism does not do

  • It does not decrypt the unsealed pool. unseal does.
  • It does not order the winning bundle’s txs inside the block. atelier does.
  • It does not pay out refunds to the losing searchers. tally does, according to the lattice’s refund policy.

Observing

  • offer_bids_received_total{slot=...} — bid rate per slot.
  • offer_auction_commit_latency_seconds — time from auction window open to commit.
  • offer_winner_bid_wei — distribution of winning bids.