Architecture

Architecture

Tessera is built as a modular, composable stack on Arbitrum Stylus (Rust on an Arbitrum Orbit L2). Each component is independent, open-source, and testable in isolation.

The four-piece stack

1. The vault (Stylus, Rust)

The vault is the core smart contract. It is written in Rust and compiled to WebAssembly (via Arbitrum Stylus), allowing larger contract sizes than standard EVM contracts -- critical because Tessera's safety-hardened vault with all guards compiled in exceeds a standard Arbitrum L2's 24KB code-size limit.

• Deposit (lenders): USDC in, share tokens out. Mints a proportional stake in the lending pool.
• Borrow (borrowers): Lock collateral, mint debt. Subject to max LTV (tAAPL 50%, tTSLA 40%, tSPY 60%) and minimum debt (100 USDC).
• Repay: Burn debt, withdraw USDC. Can be called by any address if debt is repaid from a pre-approved allowance (used by the Watcher with user opt-in).
• Liquidate: A permissionless backstop liquidates unsafe positions (health factor < liquidation threshold). Base bonus 5%, ramping with depth.
• Reserve accrual: 15% of borrow interest is siphoned into an on-chain reserve in real time. Lenders earn 85%.

The vault enforces core invariants at the smart-contract level: no position below minimum debt, no borrows exceeding LTV, no liquidations that drive HF negative, interest accrual on every block.

2. PriceGuard (Rust / Stylus)

PriceGuard is an oracle-policy contract that governs how prices are sourced and applied to collateral. It sits between the price feed and the vault.

• Price feed (testnet mock, mainnet gate): On testnet, prices come from a centralized mock. On mainnet, prices will be sourced from a licensed price oracle (e.g., Chainlink).
• Market hours: PriceGuard tracks when US markets are open/closed. Outside 9:30 AM to 4:00 PM ET, setMarketClosed(true) engages gap haircuts -- conservative risk-weighted discounts applied to each collateral's value.
• Gap detection and haircuts: When markets are closed or a feed is stale, conservative haircuts automatically apply -- for instance, tAAPL and tTSLA may be haircut 10-15% overnight, reducing borrowing power until markets reopen and the Watcher confirms no overnight gaps occurred.
• Testnet mock note: On Robinhood Chain testnet, prices are static or manually set. This is a testnet gate; a real licensed feed is a mainnet gate.

PriceGuard is the structural answer to overnight gaps. By reducing collateral value outside market hours, it prevents positions from being under-collateralized during the 16-hour gap when stocks don't trade but tokenized proxies might.

3. Lens (Rust / Stylus, read-only)

Lens is a public read-only Stylus (Rust) contract that reads data from the vault (no write permissions). It is used by the Watcher, the web UI, and any external agent to fetch:

• Current collateral prices (from PriceGuard)
• A user's debt, collateral, and health factor
• Pool state (total deposits, total borrows, interest rate)
• Liquidation candidate lists and liquidation prices

Lens is stateless and immutable. It only reads; it never modifies state. This makes it safe to use in parallel without locking or race conditions.

4. The Watcher (TypeScript, off-chain)

The Watcher is an autonomous off-chain agent (a TypeScript service) that runs independently and continuously. It is the active risk layer -- the structural answer to liquidation before it happens.

• Monitor (every ~10 seconds): Fetches the health factor of every active borrower via Lens. Checks if HF is approaching the liquidation threshold.
• Alert (plain-English): If HF drops below a critical threshold, the Watcher sends a plain-language alert to the user (via email, Telegram, or on-chain).
• Auto-repay (with user approval and on-chain caps): If a user has pre-approved a USDC allowance, and their HF is critically low, the Watcher can call the vault's repay() function. This is done deterministically (not with an LLM making the decision) and bounded by on-chain per-user caps: 25,000 USDC/user/day, 10,000 USDC/user/tx.
• Heartbeat (on-chain record): Every minute, the Watcher writes an on-chain heartbeat transaction. If the Watcher goes silent (> 15 min on testnet), a permissionless backstop mechanism activates.
• Kill switch: Users can revoke the Watcher's allowance at any time, instantly stopping auto-repays. Plus, the protocol has an on-chain admin failsafe to pause the agent globally if needed.

The decision to repay (is HF below the critical threshold?) is made deterministically by on-chain logic. The explanation (the plain-English alert copy) is written by a language model. The AI never holds funds, never decides whether to move money -- it only narrates what is happening.

Data flow (happy path)

1. A borrower deposits collateral (tAAPL) and borrows 5,000 USDC at an LTV of 50%.
2. The vault records the position: collateral amount, debt, interest rate.
3. Every block, interest accrues. 15% flows to the reserve; 85% is earned by lenders.
4. The Watcher reads the vault via Lens: calculates HF = (collateral value times risk weight) divided by debt.
5. If HF is healthy (> liquidation threshold), no action. If HF is critical, the Watcher sends an alert.
6. If the user approved auto-repay and HF is critical, the Watcher calls repay() on the vault, using the user's allowance to reduce debt and restore HF.
7. If a position becomes unsafe (HF < liquidation threshold) and the Watcher cannot restore it, the backstop opens: anyone can liquidate the position and earn the 5% bonus.
8. Liquidation proceeds are returned to the lender pool; the borrower can re-collateralize and borrow again.

Open-source and auditability

All four components are open-source (GitHub). The vault, PriceGuard, and Lens contracts are committed; the Watcher source is also public. This enables community review, external audits, and transparency. On testnet, the code is live and real, so you can see exactly how liquidations, interest accrual, and AI auto-repay work in practice.