STAXIS
Start

How it works · Property 2

The 2.5% / 3% daily circuit breaker.

A daily technical risk control. Three-layer enforcement. Property-tested invariants.

Normal< 2.5%Tripped · 2.5%closing positionsOpen · 3%no new trades
Important — read this verbatim

The 2.5% / 3% daily circuit breaker is a technical risk control, NOT a guarantee of maximum loss. Market gaps, slippage, exchange outages, liquidity events, or technical failures may cause losses exceeding 3%. STAXIS does not insure against losses. The user is at all times the sole holder of their capital and assumes the corresponding risk.

Three layers of enforcement

One state, propagated through three layers.

LAYER 1In-process Rust validationLAYER 2Redis shared stateLAYER 3Postgres audit logSTATE PROPAGATES
  1. Layer 1

    In-process Rust validation

    Every trade-decision is validated by the Rust risk module before being signed. Validation completes in under 10 milliseconds. If validation fails — the proposed trade would breach the breaker bound — the trade is rejected at the process level.

  2. Layer 2

    Redis shared state

    The breaker state is replicated to Redis, accessible by all STAXIS processes. In a load-balanced production deployment, every process shares a consistent breaker view: a breaker triggered in process A is visible to process B within milliseconds.

  3. Layer 3

    Postgres audit log

    Every breaker-state change is written to a hash-chained Postgres audit log. The log is permanent — 7-year retention standard, longer on Enterprise request — and cryptographically tamper-evident: any modification breaks the chain.

The breaker state must be consistent across all three layers. Property tests enforce this invariant.

Property-tested invariants

Not marketing claims — testable properties.

The breaker is governed by formal invariants tested via property-based tests (proptest). Test cases are generated randomly; counter-examples are fixed.

Invariant 1

No trade can execute if the breaker is tripped.

for all proposed trades T:
  if breaker.state == TRIPPED: T is rejected
Invariant 2

Breaker state is consistent across replicas.

for all process replicas A, B:
  within 50ms: A.breaker_state == B.breaker_state
Invariant 3

Audit log entry precedes trade signal.

for all trade signals T:
  audit_log.contains(T) at timestamp(T)

These invariants are enforced by automated tests in our CI pipeline — not by assertion in a brochure.

What the breaker does not protect against

We are explicit about this, because the breaker is often misunderstood.

  • Market gaps

    If BTC moves 8% in 30 seconds — an overnight gap, a liquidation cascade — you may take a loss up to that gap before the breaker can act.

  • Slippage

    The breaker sits between trades. If a trade experiences slippage, the realized loss may exceed the planned bound.

  • Exchange outages

    If your venue is unreachable, the breaker cannot close positions. We detect the outage and notify you, but the position remains until reconnection.

  • Liquidity events

    If liquidity dries up in an asset, unwinding may be slower than the breaker decision, causing realized losses to exceed planned bounds.

  • Technical failures

    A bug in STAXIS, Privy, or the exchange may prevent the breaker from acting. We disclose all such incidents in the monthly Calibration Report.

The breaker bounds discipline-driven drawdowns. It does not eliminate the risk of crypto trading.

The 2.5% / 3% daily circuit breaker is a technical risk control, NOT a guarantee of maximum loss. Market gaps, slippage, exchange outages, liquidity events, or technical failures may cause losses exceeding 3%. STAXIS does not insure against losses. The user is at all times the sole holder of their capital and assumes the corresponding risk.

Next property

Next: the governance pipeline.

The breaker controls a single day. Governance controls a swarm’s whole life — paper to live to retired, with every transition on the record.

The governance pipeline →Read the risk disclosure