Overview
Fair ordering is one of the hardest problems in decentralized exchange design. In most systems, a single sequencer or block proposer controls transaction ordering, creating opportunities for front-running, sandwich attacks, and censorship. BULK eliminates these vectors through a multi-layered approach where no single participant controls any aspect of ordering.Layer 1: Quorum-Controlled Batch Admission
The transaction set in each consensus batch is not determined by any single validator. Instead, it is the intersection of pending sets across a supermajority of validators, computed via minisketch reconciliation. To include a transaction in a batch, the transaction must be present in the pending sets of more than 2/3 of validators. To exclude a transaction, an attacker would need to prevent it from reaching more than 1/3 of validators - which requires controlling a significant portion of the network. This means:- No single validator controls what transactions enter the batch
- Censorship requires corrupting a supermajority, not a single sequencer
- Inclusion is determined by quorum agreement, not by a proposer’s choice
Layer 2: Deterministic Shuffle
After a batch is committed by consensus, the transactions within it are shuffled using the Fisher-Yates algorithm with a WyRand PRNG seeded by the batch timestamp. The batch timestamp is a consensus output derived from the committed batch data (see Deterministic Clock). To exploit the shuffle, an adversary would need to:- Know the exact final transaction set before commitment - impossible, since it depends on quorum intersection
- Find a seed value that produces favorable ordering for their specific transaction
- Get the quorum to agree on that seed
Layer 3: Structural Priority Queues
After the shuffle, transactions are separated into priority queues by type:- Cancels execute first
- Post-only (ALO) maker orders execute second
- Regular orders (market, limit, IOC) execute third
- Traders can always cancel before being filled. If a cancel and a matching order are in the same batch, the cancel executes first regardless of shuffle position.
- Makers always seed the book before takers cross it. Post-only orders establish liquidity before aggressive orders can take it.
- No front-running within a batch. Since the transaction set is fixed by consensus and the shuffle is deterministic, there is no mechanism to insert a transaction after observing the batch contents.
Layer 4: Price-Time Priority on the Book
The order book itself uses standard price-time priority for matching. At a given price level, orders that arrived in earlier batches are filled before orders from later batches. Within the same batch, the shuffled-then-prioritized order determines execution sequence.Combined Guarantee
The four layers compose to provide strong fairness:| Attack Vector | Mitigation |
|---|---|
| Front-running (insert tx after seeing target) | Impossible - batch set is fixed by quorum before ordering |
| Censorship (exclude a transaction) | Requires corrupting more than 1/3 of validators |
| Ordering manipulation (reorder within batch) | Shuffle seed is consensus-derived, not controllable by any single party |
| Maker disadvantage (takers cross before book is set) | Post-only orders execute before regular orders by protocol rule |
| Cancel race (can’t cancel before being filled) | Cancels execute before all other order types |