Bilateral Settlement and the Gryps Security Model
Most DeFi derivatives protocols pool user funds. Whether the mechanism is an AMM liquidity pool, a shared vault, or a lending pool, the underlying architecture is the same: many users' assets sit in a single contract, and the security of every depositor depends on the security of the whole.
Gryps does not work this way.
Every trade on Gryps is a direct, isolated bilateral agreement between you and the specific solver (hedger) who filled your order. There is no shared pool. There is no shared counterparty. Your collateral is locked in a per-trade escrow structure enforced by Symmio's trustless clearing layer -- Not aggregated with other users' funds.
This page explains why that distinction matters and how the architecture protects you.
The Problem with Pooled Architecture
When funds are pooled, a single point of failure can cascade. An exploit in one part of the system -- a price oracle manipulation, a smart contract vulnerability, a liquidation failure -- exposes every participant in the pool.
This is not a theoretical concern. Major DeFi exploits regularly demonstrate how pooled systems propagate damage beyond the initial point of failure. When an exploit hits a pooled protocol, the impact cascades through composability dependencies -- affecting funds that had no direct exposure to the exploited contracts but shared infrastructure or liquidity layers with them.
This is the contagion architecture problem: pooled systems create hidden interdependencies where one failure propagates to many.
How Bilateral Settlement Works
On Gryps, every trade follows the same isolation pattern:
- 01
You submit an RFQ (Request for Quote). The Orbs solver network finds the best available price from competing solvers.
- 02
A specific solver accepts your trade. This creates a bilateral agreement -- a direct contract between you and that solver, and no one else.
- 03
Both parties' collateral is locked in Symmio's smart contracts. Your USDC and the solver's collateral are held in a per-trade escrow structure, isolated from every other trade on the platform.
- 04
Settlement occurs bilaterally. When the position closes -- whether by your action, the solver's action, or liquidation -- the settlement is between you and that solver only.
The critical property: each bilateral agreement is independent. If a solver encounters problems on a different trade with a different user, your position is unaffected. There is no shared pool that could be drained, no shared vault whose solvency depends on the behavior of other participants.
The Symmio Clearing Layer
Gryps does not build its own settlement infrastructure from scratch. The bilateral agreements are enforced by Symmio, a purpose-built trustless clearing and settlement protocol.
Symmio handles:
- On-chain contract enforcement. Every bilateral agreement is a smart contract interaction with deterministic settlement rules. Neither party -- trader nor solver -- can unilaterally alter the terms after the trade is opened.
- Collateral management. Margin requirements are enforced at the protocol level. Both sides of a trade must maintain adequate collateral, and the contracts enforce this continuously.
- Liquidation logic. If either party's margin falls below the required threshold, liquidation is handled by the protocol according to predefined rules -- not by a centralized operator making discretionary decisions.
- Auditability. Symmio's contracts have undergone independent security audits. See the Security & Audits page for details.
The result is that Gryps inherits a battle-tested clearing layer without introducing the counterparty aggregation risks that come with pooled models.
The Fraud-Proof Window
When you withdraw funds from Gryps, there is a 12-hour fraud-proof window before the withdrawal is finalized.
This is a security mechanism, not a processing delay. During this window:
- All settlements associated with your positions are verified for validity.
- If an invalid or manipulated settlement is detected, it can be challenged and corrected before funds are released.
- This protects both traders (from settlement errors that could reduce their payout) and the protocol (from attempts to extract more than the correct settlement amount).
After the 12-hour window passes without a valid challenge, your withdrawal completes. The window exists to ensure that the trustless guarantees of the bilateral settlement model hold even under adversarial conditions.
What This Means for You
Your funds are isolated from other traders' risk. A bad trade by another user, a solver's failure on a different position, or an exploit targeting a different part of the DeFi ecosystem does not put your collateral at risk.
There is no shared pool to drain. The most common DeFi exploit pattern -- draining a liquidity pool or vault through a single vulnerability -- does not apply to Gryps because the architecture does not contain a shared pool.
Each position stands on its own. The failure of one bilateral agreement does not cascade to others. Risk is contained at the individual trade level.
Self-custody is maintained. At no point do you send funds to a centralized entity. Your collateral is held in smart contracts with deterministic, auditable rules -- not in an omnibus account managed by an operator.
Comparison with Other Perpetuals Architectures
Different perpetuals platforms make different architectural tradeoffs. Here is how the major models compare on counterparty isolation:
| Model | Examples | Counterparty Structure | Isolation Properties |
|---|---|---|---|
| Pooled AMM | GMX, GNS | Liquidity providers share a pool that takes the other side of all trades | Pool risk is shared -- an exploit or extreme market event affects all LPs simultaneously |
| Order Book DEX | Hyperliquid, dYdX | Traders interact through a shared matching engine | Better isolation than pooled models, but dependence on shared sequencer infrastructure and cross-margining introduces some systemic coupling |
| Bilateral RFQ | Gryps (via Symmio) | Each trade is a separate bilateral agreement with a specific solver | No shared pool, no shared counterparty risk beyond the specific solver on each trade |
None of these models is without tradeoffs. Pooled AMMs offer simpler liquidity provisioning. Order book DEXs offer tighter spreads on high-volume pairs. Bilateral RFQ settlement offers structural isolation at the cost of depending on solver network depth for pricing.
The question is which tradeoffs matter most for your use case. If counterparty isolation and resistance to contagion risk are priorities, the bilateral model is architecturally designed to provide them.
Further Reading
- Security & Audits -- Symmio audit reports, bug bounty program, and security disclosures
- High-Level Architecture -- How Gryps, Symmio, and the Orbs solver network fit together