RFP ID
RFP-013 — Reflexive Stablecoin Protocol
Your Project Name
Nomos
Team or Organization Name
Evice Labs
Primary Contact
Discord @supereil
Team Members
Member 1
- Name: Syafiq Nabil Assirhindi
- Social links: https://www.linkedin.com/in/syafiq-nabil-assirhindi/ | https://github.com/syafiqeil
- Role: On-chain stablecoin program (SPEL): SAFE accounting, reflexive controller, rate accumulation engine, fixed-point math library; Rust SDK with C-ABI FFI; integration test suite.
- LEZ Track Record: Delivered LP-0016: Anonymous Forum (submission complete, pending final prize evaluation) — a full-stack privacy-preserving protocol spanning SPEL on-chain programs, RISC Zero ZK circuits, a forum-agnostic Rust SDK with C-ABI FFI, and native Logos Basecamp module integration.
- Status: Independent Developer Team.
Member 2
- Name: Bristin Borah
- Social links: https://www.linkedin.com/in/bristin-borah-739b63179/ | https://github.com/bristinWild
- Role: Token program integration (mint/burn authority, ATA), LEZ event integration, price feed interface, CLI, and devnet/testnet deployment pipeline.
- LEZ Track Record: Delivered LP-0012 — Structured Event System for LEZ Programs (Winner, Merged). Delivered LP-0013 — Token Program Improvements: Authorities (submission complete, pending final prize evaluation).
- Status: Independent Developer Team.
Member 3
- Name: Mladen Milankovic
- Social links: https://www.linkedin.com/in/mladenmilankovic/ | https://github.com/mmlado
- Role: Basecamp mini-app development: core module (universal interface, C++ backend) and QML UI module (position management, rate dashboard, health factor views); admin/freeze authority integration.
- LEZ Track Record: RFP-001 — Admin Authority Library (Accepted, Development Phase). RFP-002 — Freeze Authority Library (Accepted, Development Phase).
- Status: Independent Developer Team.
Project Summary
We propose to build the reflexive, non-pegged, over-collateralised stablecoin described in RFP-013: a CDP system (SAFEs) on the Logos Execution Zone whose floating redemption price is driven by an autonomous feedback controller rather than by governance. The protocol follows the RAI / Reflexer design — normalized debt with a continuously accumulating rate, a redemption price that drifts under a proportional-integral controller, and stability fees that accrue via rate accumulation — adapted to LEZ's tail-call execution model, public/private state separation, and SPEL tooling.
We are applying as Evice Labs, a Logos-native development studio. Our case for selection is concrete rather than aspirational: several of RFP-013's stated platform dependencies overlap directly with work we have already shipped or are actively building in the Logos ecosystem (token-authority primitives, structured events, admin/freeze authority libraries, and the on-chain clock primitive). The
dependency map below makes this explicit.
We scope this proposal to the CDP host and reflexive controller only. Liquidation, surplus/debt auctions, multi-collateral, private position state, and governance-token design are explicitly out of scope per the RFP (liquidation is RFP-014). Where the host must expose a seam for RFP-014, we define that interface but do not implement the auction engine.
Technical Approach
Program structure (SPEL)
A single LEZ program built with the SPEL framework, which generates the IDL and client code from the program definition. State is organised as:
- Config PDA — controller gains, safety ratios, stability-fee rate, rate-update interval bounds, price-feed handle, admin/freeze authorities. All mutating fields are gated behind the admin authority (RFP-001).
- Global accounting PDA — redemption price, redemption rate, the global debt rate accumulator, total normalized debt, total stablecoin minted, surplus buffer.
- SAFE PDA (per position) — locked collateral, normalized debt, owner. Nominal debt is derived:
nominal_debt = normalized_debt × rate_accumulator.
SAFE accounting (RAI-style normalized debt)
Stability fees accrue without touching every position by maintaining a single global rate accumulator. On any interaction we first lazily accrue: advance the accumulator by the stability fee over elapsed time, then read each SAFE's nominal debt as normalized_debt × accumulator. This keeps per-position operations O(1) and makes "total minted == Σ position debts" an invariant we can assert after every modifying op.
Reflexive controller
- Redemption price drift. On each bounded, permissionless
update_rate call, redemption_price *= (1 + redemption_rate)^elapsed, computed in high-precision fixed point.
- Redemption rate. A proportional-integral controller on the deviation
(market_price − redemption_price): proportional term opposes the instantaneous deviation; integral term accumulates persistent deviation over a bounded window. Output is clamped to [r_min, r_max] and the integrator uses hard anti-windup clamping so a stuck or stale feed cannot wind the rate to an explosive value.
- Permissionless, bounded updates. Anyone may trigger a rate update, but it only applies once a minimum interval has elapsed; the delta uses measured elapsed time. This is the "rate updates occur at bounded intervals with permissionless triggers" requirement (F2).
Fixed-point & compute budget
Redemption price, rate, and the debt accumulator use a high-precision fixed-point representation (RAY-style, e.g. 1e27 over u128/i128) with overflow-safe arithmetic. Per-second compounding (rpow-equivalent) is the most compute-heavy operation; we benchmark it against the LEZ per-transaction budget early (M1) and, if needed, bound iteration count or compound over the update interval rather than per
second. Compute figures for each operation go in the README per the Performance requirements.
Token mint/burn integration
The protocol custodies reference-token collateral and is the mint authority for the stablecoin, minting on generate_debt and burning on repay, via the LEZ Token Program. This is where LP-0013's transfer/mint-authority primitives are load-bearing.
Tail-call composition (LP-0015)
A "lock collateral and mint" operation is two logical steps: (1) transfer collateral into the position via the token program, then (2) continue into a capability- protected internal continuation that updates SAFE state and mints. LEZ's tail-call model hands off control entirely (no return), so the continuation is an internal-only entrypoint protected by an unforgeable capability — it cannot be called directly to bypass the collateral transfer. This is exactly LP-0015's continuation model.
Price feed interface (F6, R3)
A configurable price-feed handle exposing market price with staleness detection. If the feed is stale or unavailable, rate updates pause; existing positions stay operational but new debt generation may be restricted. The interface is implementation-agnostic; our intended provider is the Aperture TWAP oracle (RFP-019), whose TWAP + staleness-window design is precisely the hardening the appendix recommends. Multi-oracle redundancy with fallback is a soft requirement.
On-chain elapsed time
Rate drift and fee accrual need elapsed time between interactions. We consume a monotonic on-chain time source exposed by LEZ (block/slot timestamp). Where a trustless wall-clock is not directly available inside the zkVM, we apply validity-window time-binding: each rate/accrual update asserts a time window that the proof commits to, bounding the elapsed-time delta rather than trusting an ambient
clock. The exact mechanism depends on what LEZ exposes; we resolve this in M0 and document the trust assumption.
Atomic privacy pattern (SDK level)
The SDK orchestrates the deshield→interact→re-shield flow as a single, indivisible operation for every protocol interaction (lock collateral, mint, repay, withdraw). The atomic deshield transfers both the operation token and gas to a freshly generated ephemeral account; the protocol operation executes; outputs are re-shielded to the user's validated private account. If any step fails, the entire transaction reverts. The SDK enforces that the re-shield target is a private (shielded) account and hard-blocks any transaction where the shielded balance cannot cover both operation amount and gas.
Logos Basecamp mini-app
The mini-app follows the current Logos module architecture (tutorial-v3):
- A core module (
type: core, interface: universal) built with mkLogosModule, wrapping the Nomos Rust SDK via C-ABI FFI. All SAFE lifecycle and rate query methods are exposed as public methods on the impl class, auto-generated by logos-cpp-generator.
- A UI module (
type: ui_qml with C++ backend) built with mkLogosQmlModule. Views include: Position management (open/modify/close SAFEs, view collateralization ratio, projected outcomes), Rate dashboard (current redemption rate, redemption price, stability fee, projected debt growth), and Health factor preview (before/after state for operations). Privacy disclosure rendered before each operation from a private account.
- Both modules distributed as
.lgx packages, installable via lgpm.
Liquidation seam (out of scope, interface only)
F4 requires that positions cannot be modified below the liquidation threshold, but the liquidation engine is RFP-014. We expose a clean, well-defined interface (position health query, seize hook) that an RFP-014 instance can integrate against, and enforce the min-CR / liquidation-threshold check on every modifying op — without implementing auctions here.
RFP-013 Hard Requirements Coverage
Functionality
| # |
Requirement |
Milestone |
Notes |
| F1 |
Lock collateral, mint stablecoin, maintain min CR, add/remove collateral, repay debt |
M1 |
SAFE PDA per position; normalized debt × global accumulator; CR enforced on every modifying op |
| F2 |
Feedback controller: redemption rate from market/redemption price deviation; continuous drift; bounded permissionless triggers |
M2 |
PI controller with anti-windup clamping; lazy evaluation from on-chain timestamp |
| F3 |
Stability fee: continuous accrual via rate accumulation; governance-adjustable rate |
M1 |
Global rate accumulator pattern (RAI-style); fee rate gated by admin authority (RFP-001) |
| F4 |
Safety enforcement: positions cannot go below liquidation threshold; read-only queries always permitted |
M1 |
Pre-mutation CR check; liquidation interface exposed for RFP-014 integration |
| F5 |
Stablecoin as standard fungible token: mint/burn via LEZ Token Program |
M1 |
Protocol is mint authority; LP-0013 transfer/mint-authority primitives |
| F6 |
Configurable price feed with staleness detection |
M2 |
Implementation-agnostic interface; staleness → rate updates pause, new debt restricted |
Usability
| # |
Requirement |
Milestone |
Notes |
| U1 |
SPEL framework program with IDL |
M1 |
IDL auto-generated from program definition |
| U2 |
Logos mini-app GUI (Basecamp) |
M4 |
Core module (universal interface) + UI module (ui_qml with C++ backend), .lgx packages |
| U3 |
CLI covering core functionality |
M4 |
SAFE lifecycle + rate queries for both operators and users |
| U4 |
View CR, min safe ratio, projected outcomes before execution |
M3, M4 |
SDK pre-simulation; mini-app renders before/after state |
| U5 |
View redemption rate, redemption price, projected debt growth |
M3, M4 |
SDK rate queries; mini-app rate dashboard |
| U6 |
SDK: public + private account operations (deshield→interact→re-shield) |
M3 |
Atomic privacy pattern enforced at SDK level |
| U7 |
Actionable error messages |
M3, M4 |
SDK surfaces typed errors; mini-app renders human-readable messages |
Reliability
| # |
Requirement |
Milestone |
Notes |
| R1 |
Sufficient precision; total minted = sum of position debts; CR enforced |
M1 |
RAY-precision (1e27) fixed-point; invariant asserted after every modifying op |
| R2 |
Controller safeguards: integral windup prevention, rate explosion prevention |
M2 |
Hard anti-windup clamping on integrator; output clamped to [r_min, r_max] |
| R3 |
Stale/unavailable feed → pause rate updates; restrict new debt |
M2 |
Staleness check on price feed timestamp; graceful degradation |
| R4 |
Parameter updates gated through admin authority |
M1 |
RFP-001 admin authority (Mladen is building this) |
| R5 |
Emergency circuit breaker via freeze authority |
M1 |
RFP-002 freeze authority (Mladen is building this) |
Performance
| # |
Requirement |
Milestone |
Notes |
| P1 |
Position ops and rate updates within LEZ compute limits |
M1, M2 |
CU benchmarked per operation; rpow iteration bounded |
| P2 |
Thousands of concurrent positions without exceeding compute |
M1 |
O(1) per-position ops via normalized debt pattern; no global iteration |
| P3 |
Rate updates within few blocks; position ops within one block |
M2 |
Confirmed — each is a single atomic instruction |
Supportability
| # |
Requirement |
Milestone |
Notes |
| S1 |
Deployed and tested on LEZ devnet/testnet |
M5 |
|
| S2 |
E2E tests with RISC0_DEV_MODE=0; CI green |
M4 |
Real ZK proofs in CI |
| S3 |
Every hard requirement has at least one corresponding test |
M4 |
Full coverage mapped to requirements |
| S4 |
README with deployment steps, program addresses, step-by-step usage |
M5 |
Covers SAFE lifecycle via CLI and mini-app |
Privacy
| # |
Requirement |
Milestone |
Notes |
| PV1 |
SDK and mini-app support both public and deshield→interact→re-shield paths; re-shield not skippable |
M3, M4 |
Hard-enforced at SDK level |
| PV2 |
SDK validates re-shield target is a private account |
M3 |
Rejects with explicit error if not |
| PV3 |
Ephemeral account never reused across operations |
M3 |
Fresh account per operation; reuse architecturally impossible |
Soft Requirements
| # |
Requirement |
Milestone |
Notes |
| Soft1 |
Multi-oracle redundancy with fallback |
M2 |
Implemented if multiple feeds available |
| Soft2 |
Health factor preview (before/after state) |
M4 |
Rendered in mini-app before user confirms |
| Soft3 |
Historical data display (redemption price, market price, rate over time) |
M4 |
Consumes LP-0012 structured events via RPC |
Out of Scope — Acknowledged
| Item |
Reason |
| Liquidation mechanism |
RFP-014 (interface exposed, engine not implemented) |
| Surplus/debt management auctions |
RFP-014 |
| Multi-collateral positions |
Explicitly excluded by RFP-013 |
| Private state positions |
Privacy via UX layer only per RFP-013 |
| Governance token design |
Explicitly excluded by RFP-013 |
| Formal verification of invariants |
Soft requirement; can be addressed as follow-up |
Milestones, Payout and Timeline
| Milestone |
Payout |
Duration |
Owner |
Deliverables |
| M0 — Research & Architecture |
$10,000 |
2 weeks |
All |
RAI codebase study and controller parameter specification; fixed-point math library design (WAD/RAY/rpow); system architecture document; on-chain time-binding mechanism resolution; SAFE state machine spec; mini-app UX wireframes (Figma); price feed interface spec |
| M1 — Core Program: SAFEs & Accounting |
$22,000 |
4 weeks |
Syafiq (program), Bristin (token integration), Mladen (authority integration) |
SAFE accounting engine (create, modify, close, CR enforcement); global rate accumulator with stability fee accrual; stablecoin mint/burn via Token Program (LP-0013); admin authority (RFP-001) and freeze authority (RFP-002) integration; fixed-point math library (WAD/RAY/rpow); SPEL IDL; CU usage report per SAFE operation; devnet deployment |
| M2 — Reflexive Controller & Oracle |
$22,000 |
4 weeks |
Syafiq (controller), Bristin (price feed, events) |
PI feedback controller with anti-windup clamping and rate bounding; redemption price drift engine; price feed interface with staleness detection and graceful degradation; permissionless bounded rate updates; event emission for all state transitions (LP-0012); CU usage report for controller operations |
| M3 — SDK & Privacy Layer |
$18,000 |
3 weeks |
Syafiq (SDK), Bristin (CLI foundation) |
Fully functional developer SDK: SAFE lifecycle, rate queries, pre-simulation API, health factor computation; deshield→interact→re-shield atomic privacy pattern; SDK API documentation; developer integration doc packet |
| M4 — Client Interfaces & E2E Testing |
$20,000 |
4 weeks |
Mladen (mini-app), Bristin (CLI, deployment), Syafiq (E2E tests) |
Basecamp mini-app: core module (universal interface) + UI module (ui_qml with C++ backend), .lgx packages; position management, rate dashboard, health factor preview views; CLI with CLI doc packet; Figma mockups; E2E test suite with RISC0_DEV_MODE=0; CI green on default branch |
| M5 — Documentation & Deployment |
$8,000 |
1 week |
All |
Final README with deployment steps and program addresses; setup guides for users and operators; code formatting/linting; LEZ testnet deployment; liquidation interface documentation for RFP-014 integration |
| Total |
$100,000 |
18 weeks |
|
|
Total Requested Budget (USD)
$100,000
Relevant Experience
Syafiq Nabil Assirhindi — hands-on experience building privacy-preserving cryptographic systems natively on the Logos Execution Zone. Recent completion of LP-0016 demonstrates end-to-end capability across the full Logos stack.
-
LP-0016 — Anonymous Forum with Threshold Moderation (Logos):
Delivered a complete privacy-preserving forum protocol:
• SPEL framework guest program with 4 instructions and per-instance PDA accounts
• RISC Zero ZK circuit for anonymous membership proofs (Merkle tree inclusion + non-revocation + tag integrity)
• Two-tier Shamir Secret Sharing for N-of-M threshold moderation with Schnorr-signed certificates
• Forum-agnostic Rust SDK compiled as both WASM and C-ABI shared library (cbindgen)
• Native Logos Basecamp integration: core module + QML UI module, with metadata.json, Nix flakes, and standalone app via nix run
-
ZK-AppChain: https://github.com/evice-labs/e-zkappchain
A sovereign ZK rollup integrating an intent-centric execution engine with a CLOB matching engine (Velocity-DEX) and MEV protection infrastructure (Rust-MEV-Builder). Architecture: ZK prover (Winterfell AIR), sequencer node, settlement engine (Alloy-rs), and user client — demonstrating full-stack blockchain and DeFi engineering from L1 settlement to ZK proof generation.
Bristin Borah — hands-on experience building core LEZ infrastructure primitives. Winner of LP-0012 and deliverer of LP-0013, covering the exact event system and token authority model that this RFP depends on.
-
LP-0012 — Structured Event System for LEZ Programs (Winner, Merged):
- Repo: https://github.com/bristinWild/logos-execution-zone
- Delivered the complete event system now used by all LEZ programs:
• Guest SDK (emit_event(), EventRecord, Borsh-encoded payloads) in the lez-events crate
• Event persistence on both success and failure paths (via FAILURE_SENTINEL pattern)
• getTransactionReceipt RPC method for event retrieval
• CLI decoder for human-readable event rendering
• 167 tests passing across all crates; merged into upstream LEZ
• This is a direct platform dependency of RFP-013 — position events and rate updates are consumed by the analytics layer
-
LP-0013 — Token Program Improvements: Authorities (Submitted):
- Repo: https://github.com/bristinWild/logos-execution-zone
- Demo: https://www.youtube.com/watch?v=fJWbhobNIFM
- Delivered mint authority model for the LEZ Token Program:
• AuthoritySlot — reusable authority primitive in standalone lez-authority crate (RFP-001)
• NewFungibleDefinitionWithAuthority, updated Mint (authority-gated), and SetAuthority (rotation + permanent revocation) instructions
• Wallet SDK facade methods (send_set_authority, send_new_definition_with_authority)
• 49 tests (42 token program + 7 authority unit tests); all CI green
• Deep knowledge of LEZ token program internals — LP-0013 is a hard dependency of RFP-013 for stablecoin mint/burn operations
Mladen Milankovic — 19 years of professional software development experience, with recent focus on Logos ecosystem infrastructure and cryptographic protocol engineering.
-
RFP-001 — Admin Authority Library (LEZ, Accepted):
Standardised admin authority library for LEZ programs, delivered as a proc macro contribution to the SPEL framework. Implements authority assignment (admin_initialize), transfer (admin_transfer), and revocation (admin_renounce) as first-class SPEL annotations (#[admin_authority], #[require_admin]), with correct signer validation and PDA derivation. Directly applicable to the stablecoin protocol's governance-gated parameter updates (R4).
-
RFP-002 — Freeze Authority Library (LEZ, Accepted):
Emergency circuit breaker library for LEZ programs, extending the admin authority model with two gating modes: manual opt-in per instruction (#[require_not_frozen]) and auto mode with explicit exemptions (#[freeze_exempt]). Supports both program-wide freeze and per-account freeze via multi-seed PDAs. Directly applicable to the stablecoin protocol's emergency circuit breaker (R5).
-
LP-0009 — Keycard NIP-46 Nostr Signer Proxy (Logos Ecosystem):
- Repo: https://github.com/mmlado/nip46-keycard
- NIP-46 remote signer daemon in Nim bridging Nostr signing requests to Status Keycard hardware wallet:
• NIP-44 v2 encryption implemented from scratch with full spec vector test coverage
• WebSocket relay management with exponential backoff reconnect
• Configurable event approval policy engine
• Demonstrates cryptographic protocol engineering, hardware integration, and secure key management
-
LP-0010 — Shell dApp Integration Proof of Concept (Logos Ecosystem):
- Repo: https://github.com/mmlado/shell_dapp_prototype
- Live demo: https://shelldappprototype.vercel.app/
- QR-based airgapped signer web dApp for Shell hardware wallet:
• Full ERC-4527 / Uniform Resources protocol implementation (TypeScript)
• Multi-derivation-path address display with animated multipart QR encoding
• Browser-safe Bitcoin signature verification
• 56 unit tests covering CBOR, address derivation, signing, and verification
• Demonstrates frontend development, UI/UX design, and browser-safe cryptographic engineering
(Note: LP-0009 and LP-0010 are contributions to the broader Logos ecosystem, covering Keycard and Shell hardware wallet integrations respectively. RFP-001 and RFP-002 represent Mladen's current active development on LEZ-native infrastructure.)
Post-Delivery Plan
Post-delivery, Evice Labs will maintain the repository asynchronously. This includes monitoring the open-source codebase, reviewing community Pull Requests, patching potential bugs, and ensuring ongoing compatibility with future updates to the Logos Basecamp and LEZ environment.
Engineering Standards & Continuity: Nomos enforces strict engineering standards: comprehensive test coverage for all program invariants (including the critical "total minted == Σ position debts" invariant), thorough Rustdoc documentation for the SDK, and automated CI/CD pipelines for E2E integration tests with RISC0_DEV_MODE=0 against the standalone LEZ sequencer. The three-person team structure ensures knowledge is shared across all components from day one — no single point of failure in the on-chain program, client interfaces, or deployment pipeline.
RFP-014 Integration Path: The liquidation seam (position health query, seize hook) is documented and tested as part of M5. Once RFP-014 is delivered, we will coordinate with the implementing team to verify end-to-end integration.
Permissions and Consent
Program Requirements
RFP ID
RFP-013 — Reflexive Stablecoin Protocol
Your Project Name
Nomos
Team or Organization Name
Evice Labs
Primary Contact
Discord @supereil
Team Members
Member 1
Member 2
Member 3
Project Summary
We propose to build the reflexive, non-pegged, over-collateralised stablecoin described in RFP-013: a CDP system (SAFEs) on the Logos Execution Zone whose floating redemption price is driven by an autonomous feedback controller rather than by governance. The protocol follows the RAI / Reflexer design — normalized debt with a continuously accumulating rate, a redemption price that drifts under a proportional-integral controller, and stability fees that accrue via rate accumulation — adapted to LEZ's tail-call execution model, public/private state separation, and SPEL tooling.
We are applying as Evice Labs, a Logos-native development studio. Our case for selection is concrete rather than aspirational: several of RFP-013's stated platform dependencies overlap directly with work we have already shipped or are actively building in the Logos ecosystem (token-authority primitives, structured events, admin/freeze authority libraries, and the on-chain clock primitive). The
dependency map below makes this explicit.
We scope this proposal to the CDP host and reflexive controller only. Liquidation, surplus/debt auctions, multi-collateral, private position state, and governance-token design are explicitly out of scope per the RFP (liquidation is RFP-014). Where the host must expose a seam for RFP-014, we define that interface but do not implement the auction engine.
Technical Approach
Program structure (SPEL)
A single LEZ program built with the SPEL framework, which generates the IDL and client code from the program definition. State is organised as:
nominal_debt = normalized_debt × rate_accumulator.SAFE accounting (RAI-style normalized debt)
Stability fees accrue without touching every position by maintaining a single global rate accumulator. On any interaction we first lazily accrue: advance the accumulator by the stability fee over elapsed time, then read each SAFE's nominal debt as
normalized_debt × accumulator. This keeps per-position operations O(1) and makes "total minted == Σ position debts" an invariant we can assert after every modifying op.Reflexive controller
update_ratecall,redemption_price *= (1 + redemption_rate)^elapsed, computed in high-precision fixed point.(market_price − redemption_price): proportional term opposes the instantaneous deviation; integral term accumulates persistent deviation over a bounded window. Output is clamped to[r_min, r_max]and the integrator uses hard anti-windup clamping so a stuck or stale feed cannot wind the rate to an explosive value.Fixed-point & compute budget
Redemption price, rate, and the debt accumulator use a high-precision fixed-point representation (RAY-style, e.g. 1e27 over
u128/i128) with overflow-safe arithmetic. Per-second compounding (rpow-equivalent) is the most compute-heavy operation; we benchmark it against the LEZ per-transaction budget early (M1) and, if needed, bound iteration count or compound over the update interval rather than persecond. Compute figures for each operation go in the README per the Performance requirements.
Token mint/burn integration
The protocol custodies reference-token collateral and is the mint authority for the stablecoin, minting on
generate_debtand burning onrepay, via the LEZ Token Program. This is where LP-0013's transfer/mint-authority primitives are load-bearing.Tail-call composition (LP-0015)
A "lock collateral and mint" operation is two logical steps: (1) transfer collateral into the position via the token program, then (2) continue into a capability- protected internal continuation that updates SAFE state and mints. LEZ's tail-call model hands off control entirely (no return), so the continuation is an internal-only entrypoint protected by an unforgeable capability — it cannot be called directly to bypass the collateral transfer. This is exactly LP-0015's continuation model.
Price feed interface (F6, R3)
A configurable price-feed handle exposing market price with staleness detection. If the feed is stale or unavailable, rate updates pause; existing positions stay operational but new debt generation may be restricted. The interface is implementation-agnostic; our intended provider is the Aperture TWAP oracle (RFP-019), whose TWAP + staleness-window design is precisely the hardening the appendix recommends. Multi-oracle redundancy with fallback is a soft requirement.
On-chain elapsed time
Rate drift and fee accrual need elapsed time between interactions. We consume a monotonic on-chain time source exposed by LEZ (block/slot timestamp). Where a trustless wall-clock is not directly available inside the zkVM, we apply validity-window time-binding: each rate/accrual update asserts a time window that the proof commits to, bounding the elapsed-time delta rather than trusting an ambient
clock. The exact mechanism depends on what LEZ exposes; we resolve this in M0 and document the trust assumption.
Atomic privacy pattern (SDK level)
The SDK orchestrates the deshield→interact→re-shield flow as a single, indivisible operation for every protocol interaction (lock collateral, mint, repay, withdraw). The atomic deshield transfers both the operation token and gas to a freshly generated ephemeral account; the protocol operation executes; outputs are re-shielded to the user's validated private account. If any step fails, the entire transaction reverts. The SDK enforces that the re-shield target is a private (shielded) account and hard-blocks any transaction where the shielded balance cannot cover both operation amount and gas.
Logos Basecamp mini-app
The mini-app follows the current Logos module architecture (tutorial-v3):
type: core,interface: universal) built withmkLogosModule, wrapping the Nomos Rust SDK via C-ABI FFI. All SAFE lifecycle and rate query methods are exposed as public methods on the impl class, auto-generated bylogos-cpp-generator.type: ui_qmlwith C++ backend) built withmkLogosQmlModule. Views include: Position management (open/modify/close SAFEs, view collateralization ratio, projected outcomes), Rate dashboard (current redemption rate, redemption price, stability fee, projected debt growth), and Health factor preview (before/after state for operations). Privacy disclosure rendered before each operation from a private account..lgxpackages, installable vialgpm.Liquidation seam (out of scope, interface only)
F4 requires that positions cannot be modified below the liquidation threshold, but the liquidation engine is RFP-014. We expose a clean, well-defined interface (position health query, seize hook) that an RFP-014 instance can integrate against, and enforce the min-CR / liquidation-threshold check on every modifying op — without implementing auctions here.
RFP-013 Hard Requirements Coverage
Functionality
Usability
Reliability
Performance
Supportability
Privacy
Soft Requirements
Out of Scope — Acknowledged
Milestones, Payout and Timeline
Total Requested Budget (USD)
$100,000
Relevant Experience
Syafiq Nabil Assirhindi — hands-on experience building privacy-preserving cryptographic systems natively on the Logos Execution Zone. Recent completion of LP-0016 demonstrates end-to-end capability across the full Logos stack.
LP-0016 — Anonymous Forum with Threshold Moderation (Logos):
Delivered a complete privacy-preserving forum protocol:
• SPEL framework guest program with 4 instructions and per-instance PDA accounts
• RISC Zero ZK circuit for anonymous membership proofs (Merkle tree inclusion + non-revocation + tag integrity)
• Two-tier Shamir Secret Sharing for N-of-M threshold moderation with Schnorr-signed certificates
• Forum-agnostic Rust SDK compiled as both WASM and C-ABI shared library (cbindgen)
• Native Logos Basecamp integration: core module + QML UI module, with metadata.json, Nix flakes, and standalone app via
nix runZK-AppChain: https://github.com/evice-labs/e-zkappchain
A sovereign ZK rollup integrating an intent-centric execution engine with a CLOB matching engine (Velocity-DEX) and MEV protection infrastructure (Rust-MEV-Builder). Architecture: ZK prover (Winterfell AIR), sequencer node, settlement engine (Alloy-rs), and user client — demonstrating full-stack blockchain and DeFi engineering from L1 settlement to ZK proof generation.
Bristin Borah — hands-on experience building core LEZ infrastructure primitives. Winner of LP-0012 and deliverer of LP-0013, covering the exact event system and token authority model that this RFP depends on.
LP-0012 — Structured Event System for LEZ Programs (Winner, Merged):
• Guest SDK (
emit_event(),EventRecord, Borsh-encoded payloads) in thelez-eventscrate• Event persistence on both success and failure paths (via
FAILURE_SENTINELpattern)•
getTransactionReceiptRPC method for event retrieval• CLI decoder for human-readable event rendering
• 167 tests passing across all crates; merged into upstream LEZ
• This is a direct platform dependency of RFP-013 — position events and rate updates are consumed by the analytics layer
LP-0013 — Token Program Improvements: Authorities (Submitted):
•
AuthoritySlot— reusable authority primitive in standalonelez-authoritycrate (RFP-001)•
NewFungibleDefinitionWithAuthority, updatedMint(authority-gated), andSetAuthority(rotation + permanent revocation) instructions• Wallet SDK facade methods (
send_set_authority,send_new_definition_with_authority)• 49 tests (42 token program + 7 authority unit tests); all CI green
• Deep knowledge of LEZ token program internals — LP-0013 is a hard dependency of RFP-013 for stablecoin mint/burn operations
Mladen Milankovic — 19 years of professional software development experience, with recent focus on Logos ecosystem infrastructure and cryptographic protocol engineering.
RFP-001 — Admin Authority Library (LEZ, Accepted):
Standardised admin authority library for LEZ programs, delivered as a proc macro contribution to the SPEL framework. Implements authority assignment (
admin_initialize), transfer (admin_transfer), and revocation (admin_renounce) as first-class SPEL annotations (#[admin_authority],#[require_admin]), with correct signer validation and PDA derivation. Directly applicable to the stablecoin protocol's governance-gated parameter updates (R4).RFP-002 — Freeze Authority Library (LEZ, Accepted):
Emergency circuit breaker library for LEZ programs, extending the admin authority model with two gating modes: manual opt-in per instruction (
#[require_not_frozen]) and auto mode with explicit exemptions (#[freeze_exempt]). Supports both program-wide freeze and per-account freeze via multi-seed PDAs. Directly applicable to the stablecoin protocol's emergency circuit breaker (R5).LP-0009 — Keycard NIP-46 Nostr Signer Proxy (Logos Ecosystem):
• NIP-44 v2 encryption implemented from scratch with full spec vector test coverage
• WebSocket relay management with exponential backoff reconnect
• Configurable event approval policy engine
• Demonstrates cryptographic protocol engineering, hardware integration, and secure key management
LP-0010 — Shell dApp Integration Proof of Concept (Logos Ecosystem):
• Full ERC-4527 / Uniform Resources protocol implementation (TypeScript)
• Multi-derivation-path address display with animated multipart QR encoding
• Browser-safe Bitcoin signature verification
• 56 unit tests covering CBOR, address derivation, signing, and verification
• Demonstrates frontend development, UI/UX design, and browser-safe cryptographic engineering
(Note: LP-0009 and LP-0010 are contributions to the broader Logos ecosystem, covering Keycard and Shell hardware wallet integrations respectively. RFP-001 and RFP-002 represent Mladen's current active development on LEZ-native infrastructure.)
Post-Delivery Plan
Post-delivery, Evice Labs will maintain the repository asynchronously. This includes monitoring the open-source codebase, reviewing community Pull Requests, patching potential bugs, and ensuring ongoing compatibility with future updates to the Logos Basecamp and LEZ environment.
Engineering Standards & Continuity: Nomos enforces strict engineering standards: comprehensive test coverage for all program invariants (including the critical "total minted == Σ position debts" invariant), thorough Rustdoc documentation for the SDK, and automated CI/CD pipelines for E2E integration tests with RISC0_DEV_MODE=0 against the standalone LEZ sequencer. The three-person team structure ensures knowledge is shared across all components from day one — no single point of failure in the on-chain program, client interfaces, or deployment pipeline.
RFP-014 Integration Path: The liquidation seam (position health query, seize hook) is documented and tested as part of M5. Once RFP-014 is delivered, we will coordinate with the implementing team to verify end-to-end integration.
Permissions and Consent
Program Requirements