Skip to content

[PROPOSAL] RFP-013 — Reflexive Stablecoin Protocol #96

Description

@syafiqeil

RFP ID

RFP-013 — Reflexive Stablecoin Protocol


Your Project Name

Nomos


Team or Organization Name

Evice Labs


Primary Contact

Discord @supereil


Team Members

Member 1

  • Name: Syafiq Nabil Assirhindi
  • Social links: https://www.linkedin.com/in/syafiq-nabil-assirhindi/ | https://github.com/syafiqeil
  • Role: On-chain stablecoin program (SPEL): SAFE accounting, reflexive controller, rate accumulation engine, fixed-point math library; Rust SDK with C-ABI FFI; integration test suite.
  • LEZ Track Record: Delivered LP-0016: Anonymous Forum (submission complete, pending final prize evaluation) — a full-stack privacy-preserving protocol spanning SPEL on-chain programs, RISC Zero ZK circuits, a forum-agnostic Rust SDK with C-ABI FFI, and native Logos Basecamp module integration.
  • Status: Independent Developer Team.

Member 2

  • Name: Bristin Borah
  • Social links: https://www.linkedin.com/in/bristin-borah-739b63179/ | https://github.com/bristinWild
  • Role: Token program integration (mint/burn authority, ATA), LEZ event integration, price feed interface, CLI, and devnet/testnet deployment pipeline.
  • LEZ Track Record: Delivered LP-0012 — Structured Event System for LEZ Programs (Winner, Merged). Delivered LP-0013 — Token Program Improvements: Authorities (submission complete, pending final prize evaluation).
  • Status: Independent Developer Team.

Member 3

  • Name: Mladen Milankovic
  • Social links: https://www.linkedin.com/in/mladenmilankovic/ | https://github.com/mmlado
  • Role: Basecamp mini-app development: core module (universal interface, C++ backend) and QML UI module (position management, rate dashboard, health factor views); admin/freeze authority integration.
  • LEZ Track Record: RFP-001 — Admin Authority Library (Accepted, Development Phase). RFP-002 — Freeze Authority Library (Accepted, Development Phase).
  • Status: Independent Developer Team.

Project Summary

We propose to build the reflexive, non-pegged, over-collateralised stablecoin described in RFP-013: a CDP system (SAFEs) on the Logos Execution Zone whose floating redemption price is driven by an autonomous feedback controller rather than by governance. The protocol follows the RAI / Reflexer design — normalized debt with a continuously accumulating rate, a redemption price that drifts under a proportional-integral controller, and stability fees that accrue via rate accumulation — adapted to LEZ's tail-call execution model, public/private state separation, and SPEL tooling.

We are applying as Evice Labs, a Logos-native development studio. Our case for selection is concrete rather than aspirational: several of RFP-013's stated platform dependencies overlap directly with work we have already shipped or are actively building in the Logos ecosystem (token-authority primitives, structured events, admin/freeze authority libraries, and the on-chain clock primitive). The
dependency map below makes this explicit.

We scope this proposal to the CDP host and reflexive controller only. Liquidation, surplus/debt auctions, multi-collateral, private position state, and governance-token design are explicitly out of scope per the RFP (liquidation is RFP-014). Where the host must expose a seam for RFP-014, we define that interface but do not implement the auction engine.


Technical Approach

Program structure (SPEL)

A single LEZ program built with the SPEL framework, which generates the IDL and client code from the program definition. State is organised as:

  • Config PDA — controller gains, safety ratios, stability-fee rate, rate-update interval bounds, price-feed handle, admin/freeze authorities. All mutating fields are gated behind the admin authority (RFP-001).
  • Global accounting PDA — redemption price, redemption rate, the global debt rate accumulator, total normalized debt, total stablecoin minted, surplus buffer.
  • SAFE PDA (per position) — locked collateral, normalized debt, owner. Nominal debt is derived: nominal_debt = normalized_debt × rate_accumulator.

SAFE accounting (RAI-style normalized debt)

Stability fees accrue without touching every position by maintaining a single global rate accumulator. On any interaction we first lazily accrue: advance the accumulator by the stability fee over elapsed time, then read each SAFE's nominal debt as normalized_debt × accumulator. This keeps per-position operations O(1) and makes "total minted == Σ position debts" an invariant we can assert after every modifying op.

Reflexive controller

  • Redemption price drift. On each bounded, permissionless update_rate call, redemption_price *= (1 + redemption_rate)^elapsed, computed in high-precision fixed point.
  • Redemption rate. A proportional-integral controller on the deviation (market_price − redemption_price): proportional term opposes the instantaneous deviation; integral term accumulates persistent deviation over a bounded window. Output is clamped to [r_min, r_max] and the integrator uses hard anti-windup clamping so a stuck or stale feed cannot wind the rate to an explosive value.
  • Permissionless, bounded updates. Anyone may trigger a rate update, but it only applies once a minimum interval has elapsed; the delta uses measured elapsed time. This is the "rate updates occur at bounded intervals with permissionless triggers" requirement (F2).

Fixed-point & compute budget

Redemption price, rate, and the debt accumulator use a high-precision fixed-point representation (RAY-style, e.g. 1e27 over u128/i128) with overflow-safe arithmetic. Per-second compounding (rpow-equivalent) is the most compute-heavy operation; we benchmark it against the LEZ per-transaction budget early (M1) and, if needed, bound iteration count or compound over the update interval rather than per
second. Compute figures for each operation go in the README per the Performance requirements.

Token mint/burn integration

The protocol custodies reference-token collateral and is the mint authority for the stablecoin, minting on generate_debt and burning on repay, via the LEZ Token Program. This is where LP-0013's transfer/mint-authority primitives are load-bearing.

Tail-call composition (LP-0015)

A "lock collateral and mint" operation is two logical steps: (1) transfer collateral into the position via the token program, then (2) continue into a capability- protected internal continuation that updates SAFE state and mints. LEZ's tail-call model hands off control entirely (no return), so the continuation is an internal-only entrypoint protected by an unforgeable capability — it cannot be called directly to bypass the collateral transfer. This is exactly LP-0015's continuation model.

Price feed interface (F6, R3)

A configurable price-feed handle exposing market price with staleness detection. If the feed is stale or unavailable, rate updates pause; existing positions stay operational but new debt generation may be restricted. The interface is implementation-agnostic; our intended provider is the Aperture TWAP oracle (RFP-019), whose TWAP + staleness-window design is precisely the hardening the appendix recommends. Multi-oracle redundancy with fallback is a soft requirement.

On-chain elapsed time

Rate drift and fee accrual need elapsed time between interactions. We consume a monotonic on-chain time source exposed by LEZ (block/slot timestamp). Where a trustless wall-clock is not directly available inside the zkVM, we apply validity-window time-binding: each rate/accrual update asserts a time window that the proof commits to, bounding the elapsed-time delta rather than trusting an ambient
clock. The exact mechanism depends on what LEZ exposes; we resolve this in M0 and document the trust assumption.

Atomic privacy pattern (SDK level)

The SDK orchestrates the deshield→interact→re-shield flow as a single, indivisible operation for every protocol interaction (lock collateral, mint, repay, withdraw). The atomic deshield transfers both the operation token and gas to a freshly generated ephemeral account; the protocol operation executes; outputs are re-shielded to the user's validated private account. If any step fails, the entire transaction reverts. The SDK enforces that the re-shield target is a private (shielded) account and hard-blocks any transaction where the shielded balance cannot cover both operation amount and gas.

Logos Basecamp mini-app

The mini-app follows the current Logos module architecture (tutorial-v3):

  • A core module (type: core, interface: universal) built with mkLogosModule, wrapping the Nomos Rust SDK via C-ABI FFI. All SAFE lifecycle and rate query methods are exposed as public methods on the impl class, auto-generated by logos-cpp-generator.
  • A UI module (type: ui_qml with C++ backend) built with mkLogosQmlModule. Views include: Position management (open/modify/close SAFEs, view collateralization ratio, projected outcomes), Rate dashboard (current redemption rate, redemption price, stability fee, projected debt growth), and Health factor preview (before/after state for operations). Privacy disclosure rendered before each operation from a private account.
  • Both modules distributed as .lgx packages, installable via lgpm.

Liquidation seam (out of scope, interface only)

F4 requires that positions cannot be modified below the liquidation threshold, but the liquidation engine is RFP-014. We expose a clean, well-defined interface (position health query, seize hook) that an RFP-014 instance can integrate against, and enforce the min-CR / liquidation-threshold check on every modifying op — without implementing auctions here.


RFP-013 Hard Requirements Coverage

Functionality

# Requirement Milestone Notes
F1 Lock collateral, mint stablecoin, maintain min CR, add/remove collateral, repay debt M1 SAFE PDA per position; normalized debt × global accumulator; CR enforced on every modifying op
F2 Feedback controller: redemption rate from market/redemption price deviation; continuous drift; bounded permissionless triggers M2 PI controller with anti-windup clamping; lazy evaluation from on-chain timestamp
F3 Stability fee: continuous accrual via rate accumulation; governance-adjustable rate M1 Global rate accumulator pattern (RAI-style); fee rate gated by admin authority (RFP-001)
F4 Safety enforcement: positions cannot go below liquidation threshold; read-only queries always permitted M1 Pre-mutation CR check; liquidation interface exposed for RFP-014 integration
F5 Stablecoin as standard fungible token: mint/burn via LEZ Token Program M1 Protocol is mint authority; LP-0013 transfer/mint-authority primitives
F6 Configurable price feed with staleness detection M2 Implementation-agnostic interface; staleness → rate updates pause, new debt restricted

Usability

# Requirement Milestone Notes
U1 SPEL framework program with IDL M1 IDL auto-generated from program definition
U2 Logos mini-app GUI (Basecamp) M4 Core module (universal interface) + UI module (ui_qml with C++ backend), .lgx packages
U3 CLI covering core functionality M4 SAFE lifecycle + rate queries for both operators and users
U4 View CR, min safe ratio, projected outcomes before execution M3, M4 SDK pre-simulation; mini-app renders before/after state
U5 View redemption rate, redemption price, projected debt growth M3, M4 SDK rate queries; mini-app rate dashboard
U6 SDK: public + private account operations (deshield→interact→re-shield) M3 Atomic privacy pattern enforced at SDK level
U7 Actionable error messages M3, M4 SDK surfaces typed errors; mini-app renders human-readable messages

Reliability

# Requirement Milestone Notes
R1 Sufficient precision; total minted = sum of position debts; CR enforced M1 RAY-precision (1e27) fixed-point; invariant asserted after every modifying op
R2 Controller safeguards: integral windup prevention, rate explosion prevention M2 Hard anti-windup clamping on integrator; output clamped to [r_min, r_max]
R3 Stale/unavailable feed → pause rate updates; restrict new debt M2 Staleness check on price feed timestamp; graceful degradation
R4 Parameter updates gated through admin authority M1 RFP-001 admin authority (Mladen is building this)
R5 Emergency circuit breaker via freeze authority M1 RFP-002 freeze authority (Mladen is building this)

Performance

# Requirement Milestone Notes
P1 Position ops and rate updates within LEZ compute limits M1, M2 CU benchmarked per operation; rpow iteration bounded
P2 Thousands of concurrent positions without exceeding compute M1 O(1) per-position ops via normalized debt pattern; no global iteration
P3 Rate updates within few blocks; position ops within one block M2 Confirmed — each is a single atomic instruction

Supportability

# Requirement Milestone Notes
S1 Deployed and tested on LEZ devnet/testnet M5
S2 E2E tests with RISC0_DEV_MODE=0; CI green M4 Real ZK proofs in CI
S3 Every hard requirement has at least one corresponding test M4 Full coverage mapped to requirements
S4 README with deployment steps, program addresses, step-by-step usage M5 Covers SAFE lifecycle via CLI and mini-app

Privacy

# Requirement Milestone Notes
PV1 SDK and mini-app support both public and deshield→interact→re-shield paths; re-shield not skippable M3, M4 Hard-enforced at SDK level
PV2 SDK validates re-shield target is a private account M3 Rejects with explicit error if not
PV3 Ephemeral account never reused across operations M3 Fresh account per operation; reuse architecturally impossible

Soft Requirements

# Requirement Milestone Notes
Soft1 Multi-oracle redundancy with fallback M2 Implemented if multiple feeds available
Soft2 Health factor preview (before/after state) M4 Rendered in mini-app before user confirms
Soft3 Historical data display (redemption price, market price, rate over time) M4 Consumes LP-0012 structured events via RPC

Out of Scope — Acknowledged

Item Reason
Liquidation mechanism RFP-014 (interface exposed, engine not implemented)
Surplus/debt management auctions RFP-014
Multi-collateral positions Explicitly excluded by RFP-013
Private state positions Privacy via UX layer only per RFP-013
Governance token design Explicitly excluded by RFP-013
Formal verification of invariants Soft requirement; can be addressed as follow-up

Milestones, Payout and Timeline

Milestone Payout Duration Owner Deliverables
M0 — Research & Architecture $10,000 2 weeks All RAI codebase study and controller parameter specification; fixed-point math library design (WAD/RAY/rpow); system architecture document; on-chain time-binding mechanism resolution; SAFE state machine spec; mini-app UX wireframes (Figma); price feed interface spec
M1 — Core Program: SAFEs & Accounting $22,000 4 weeks Syafiq (program), Bristin (token integration), Mladen (authority integration) SAFE accounting engine (create, modify, close, CR enforcement); global rate accumulator with stability fee accrual; stablecoin mint/burn via Token Program (LP-0013); admin authority (RFP-001) and freeze authority (RFP-002) integration; fixed-point math library (WAD/RAY/rpow); SPEL IDL; CU usage report per SAFE operation; devnet deployment
M2 — Reflexive Controller & Oracle $22,000 4 weeks Syafiq (controller), Bristin (price feed, events) PI feedback controller with anti-windup clamping and rate bounding; redemption price drift engine; price feed interface with staleness detection and graceful degradation; permissionless bounded rate updates; event emission for all state transitions (LP-0012); CU usage report for controller operations
M3 — SDK & Privacy Layer $18,000 3 weeks Syafiq (SDK), Bristin (CLI foundation) Fully functional developer SDK: SAFE lifecycle, rate queries, pre-simulation API, health factor computation; deshield→interact→re-shield atomic privacy pattern; SDK API documentation; developer integration doc packet
M4 — Client Interfaces & E2E Testing $20,000 4 weeks Mladen (mini-app), Bristin (CLI, deployment), Syafiq (E2E tests) Basecamp mini-app: core module (universal interface) + UI module (ui_qml with C++ backend), .lgx packages; position management, rate dashboard, health factor preview views; CLI with CLI doc packet; Figma mockups; E2E test suite with RISC0_DEV_MODE=0; CI green on default branch
M5 — Documentation & Deployment $8,000 1 week All Final README with deployment steps and program addresses; setup guides for users and operators; code formatting/linting; LEZ testnet deployment; liquidation interface documentation for RFP-014 integration
Total $100,000 18 weeks

Total Requested Budget (USD)

$100,000


Relevant Experience

Syafiq Nabil Assirhindi — hands-on experience building privacy-preserving cryptographic systems natively on the Logos Execution Zone. Recent completion of LP-0016 demonstrates end-to-end capability across the full Logos stack.

  • LP-0016 — Anonymous Forum with Threshold Moderation (Logos):

    Delivered a complete privacy-preserving forum protocol:
    • SPEL framework guest program with 4 instructions and per-instance PDA accounts
    • RISC Zero ZK circuit for anonymous membership proofs (Merkle tree inclusion + non-revocation + tag integrity)
    • Two-tier Shamir Secret Sharing for N-of-M threshold moderation with Schnorr-signed certificates
    • Forum-agnostic Rust SDK compiled as both WASM and C-ABI shared library (cbindgen)
    • Native Logos Basecamp integration: core module + QML UI module, with metadata.json, Nix flakes, and standalone app via nix run

  • ZK-AppChain: https://github.com/evice-labs/e-zkappchain
    A sovereign ZK rollup integrating an intent-centric execution engine with a CLOB matching engine (Velocity-DEX) and MEV protection infrastructure (Rust-MEV-Builder). Architecture: ZK prover (Winterfell AIR), sequencer node, settlement engine (Alloy-rs), and user client — demonstrating full-stack blockchain and DeFi engineering from L1 settlement to ZK proof generation.

Bristin Borah — hands-on experience building core LEZ infrastructure primitives. Winner of LP-0012 and deliverer of LP-0013, covering the exact event system and token authority model that this RFP depends on.

  • LP-0012 — Structured Event System for LEZ Programs (Winner, Merged):

    • Repo: https://github.com/bristinWild/logos-execution-zone
    • Delivered the complete event system now used by all LEZ programs:
      • Guest SDK (emit_event(), EventRecord, Borsh-encoded payloads) in the lez-events crate
      • Event persistence on both success and failure paths (via FAILURE_SENTINEL pattern)
      getTransactionReceipt RPC method for event retrieval
      • CLI decoder for human-readable event rendering
      • 167 tests passing across all crates; merged into upstream LEZ
      • This is a direct platform dependency of RFP-013 — position events and rate updates are consumed by the analytics layer
  • LP-0013 — Token Program Improvements: Authorities (Submitted):

    • Repo: https://github.com/bristinWild/logos-execution-zone
    • Demo: https://www.youtube.com/watch?v=fJWbhobNIFM
    • Delivered mint authority model for the LEZ Token Program:
      AuthoritySlot — reusable authority primitive in standalone lez-authority crate (RFP-001)
      NewFungibleDefinitionWithAuthority, updated Mint (authority-gated), and SetAuthority (rotation + permanent revocation) instructions
      • Wallet SDK facade methods (send_set_authority, send_new_definition_with_authority)
      • 49 tests (42 token program + 7 authority unit tests); all CI green
      • Deep knowledge of LEZ token program internals — LP-0013 is a hard dependency of RFP-013 for stablecoin mint/burn operations

Mladen Milankovic — 19 years of professional software development experience, with recent focus on Logos ecosystem infrastructure and cryptographic protocol engineering.

  • RFP-001 — Admin Authority Library (LEZ, Accepted):
    Standardised admin authority library for LEZ programs, delivered as a proc macro contribution to the SPEL framework. Implements authority assignment (admin_initialize), transfer (admin_transfer), and revocation (admin_renounce) as first-class SPEL annotations (#[admin_authority], #[require_admin]), with correct signer validation and PDA derivation. Directly applicable to the stablecoin protocol's governance-gated parameter updates (R4).

  • RFP-002 — Freeze Authority Library (LEZ, Accepted):
    Emergency circuit breaker library for LEZ programs, extending the admin authority model with two gating modes: manual opt-in per instruction (#[require_not_frozen]) and auto mode with explicit exemptions (#[freeze_exempt]). Supports both program-wide freeze and per-account freeze via multi-seed PDAs. Directly applicable to the stablecoin protocol's emergency circuit breaker (R5).

  • LP-0009 — Keycard NIP-46 Nostr Signer Proxy (Logos Ecosystem):

    • Repo: https://github.com/mmlado/nip46-keycard
    • NIP-46 remote signer daemon in Nim bridging Nostr signing requests to Status Keycard hardware wallet:
      • NIP-44 v2 encryption implemented from scratch with full spec vector test coverage
      • WebSocket relay management with exponential backoff reconnect
      • Configurable event approval policy engine
      • Demonstrates cryptographic protocol engineering, hardware integration, and secure key management
  • LP-0010 — Shell dApp Integration Proof of Concept (Logos Ecosystem):

    • Repo: https://github.com/mmlado/shell_dapp_prototype
    • Live demo: https://shelldappprototype.vercel.app/
    • QR-based airgapped signer web dApp for Shell hardware wallet:
      • Full ERC-4527 / Uniform Resources protocol implementation (TypeScript)
      • Multi-derivation-path address display with animated multipart QR encoding
      • Browser-safe Bitcoin signature verification
      • 56 unit tests covering CBOR, address derivation, signing, and verification
      • Demonstrates frontend development, UI/UX design, and browser-safe cryptographic engineering

(Note: LP-0009 and LP-0010 are contributions to the broader Logos ecosystem, covering Keycard and Shell hardware wallet integrations respectively. RFP-001 and RFP-002 represent Mladen's current active development on LEZ-native infrastructure.)


Post-Delivery Plan

Post-delivery, Evice Labs will maintain the repository asynchronously. This includes monitoring the open-source codebase, reviewing community Pull Requests, patching potential bugs, and ensuring ongoing compatibility with future updates to the Logos Basecamp and LEZ environment.

Engineering Standards & Continuity: Nomos enforces strict engineering standards: comprehensive test coverage for all program invariants (including the critical "total minted == Σ position debts" invariant), thorough Rustdoc documentation for the SDK, and automated CI/CD pipelines for E2E integration tests with RISC0_DEV_MODE=0 against the standalone LEZ sequencer. The three-person team structure ensures knowledge is shared across all components from day one — no single point of failure in the on-chain program, client interfaces, or deployment pipeline.

RFP-014 Integration Path: The liquidation seam (position health query, seize hook) is documented and tested as part of M5. Once RFP-014 is delivered, we will coordinate with the implementing team to verify end-to-end integration.


Permissions and Consent

  • I confirm Logos may contact me using the primary contact information provided above for follow-ups and next steps.
  • I consent to Logos using information from this proposal publicly such as blogs case studies social posts or analytical reporting. Redactions can be requested at any time.

Program Requirements

  • We understand this project must be open-sourced under the MIT and Apache 2.0 Licenses unless explicitly approved otherwise.
  • We are prepared to deliver milestone-based outcomes.

Metadata

Metadata

Assignees

Labels

RFP-013Proposals for RFP-013proposalProposal submitted for an RFP

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions