Embedded mode is built on a clear separation of trust: the user authorises only what they intend to swap, nexroute supplies opaque backrun calldata, and at no point can either party take funds the other has not authorised.

Permit2 trust scope

The user signs a Permit2 typed-data message that specifies:
  • input token
  • maximum amount
  • spender (the nexroute wrapper, or the partner’s router for the composition shape)
  • deadline
  • nonce
Nothing the wrapper or the partner router does, including running nexroute’s backrun calldata, can pull more than the permit grants. A new permit and signature are required for every transaction; Permit2 marks the nonce as used on first transfer, so the same signature cannot be replayed.
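
A pre-signing check that a partner front end could run on the typed data before passing it to the wallet, as an added example that is not nexroute's code. It assumes the message is Permit2's SignatureTransfer PermitTransferFrom structure; checkPermit, the intent object and its field names are hypothetical, and the wrapper and token addresses are constructed placeholders.

```javascript
// Added example, not nexroute code. Assumes Permit2 SignatureTransfer typed data.
const PERMIT2 = "0x000000000022D473030F116dDEE9F6B43aC78BA3"; // canonical Permit2 address
const eq = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// Returns the reasons a permit does not match the intended swap (empty = OK).
// `intent` and its field names are hypothetical, chosen for this example.
function checkPermit(typedData, intent, nowSec) {
  const problems = [];
  const { domain = {}, primaryType, message = {} } = typedData;
  const permitted = message.permitted || {};
  if (domain.name !== "Permit2" || !eq(domain.verifyingContract, PERMIT2))
    problems.push("domain is not the Permit2 contract");
  if (Number(domain.chainId) !== intent.chainId)
    problems.push("chainId differs from the intended network");
  if (primaryType !== "PermitTransferFrom")
    problems.push("unexpected primaryType");
  if (!eq(permitted.token, intent.token))
    problems.push("token differs from the swap input token");
  if (permitted.amount == null || BigInt(permitted.amount) > BigInt(intent.maxAmount))
    problems.push("amount missing or exceeds the swap input amount");
  if (!intent.allowedSpenders.some((s) => eq(s, message.spender)))
    problems.push("spender is not the expected wrapper or router");
  const deadline = Number(message.deadline ?? 0);
  if (deadline <= nowSec) problems.push("deadline already passed");
  else if (deadline - nowSec > intent.maxValiditySec)
    problems.push("deadline is further out than the allowed window");
  // Locally tracked nonces only; Permit2 itself enforces single use on-chain.
  if (intent.issuedNonces.has(String(message.nonce)))
    problems.push("nonce was already issued for an earlier permit");
  return problems;
}

// Constructed sample values (placeholder addresses, not real deployments).
const WRAPPER = "0x" + "11".repeat(20);
const TOKEN = "0x" + "22".repeat(20);
const intent = { chainId: 1, token: TOKEN, maxAmount: "1000000",
  allowedSpenders: [WRAPPER], maxValiditySec: 600, issuedNonces: new Set(["7"]) };
function samplePermit(overrides = {}) {
  return {
    domain: { name: "Permit2", chainId: 1, verifyingContract: PERMIT2 },
    primaryType: "PermitTransferFrom",
    message: { permitted: { token: TOKEN, amount: "1000000" }, spender: WRAPPER,
      nonce: "8", deadline: 1700000300, ...overrides },
  };
}

console.log(checkPermit(samplePermit(), intent, 1700000000)); // matching permit
console.log(checkPermit(samplePermit({ spender: "0x" + "33".repeat(20) }), intent, 1700000000));
```
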

Backrun calldata trust

The wrapper-contract shape executes nexroute’s backrun calldata only after the user’s swap has completed and any user output has left the wrapper (delivered to the user as the swap’s receiver). At the moment the backrun runs, the wrapper holds at most:
  • nexroute’s own internal arbitrage capital (if any)
  • residual dust from the swap
Worst case: a malicious or buggy backrun call can affect only nexroute’s own balances. The user’s funds are out of reach. For the composition shape, the partner controls the call boundary entirely. The same property holds as long as the backrun call runs after the swap and on isolated balances.

Aggregator calldata trust

The aggregator swap calldata is built by the partner, not by nexroute. The user reviews the swap intent in their wallet (token, amount, deadline) before signing the Permit2 message. The partner is responsible for:
  • using a trusted aggregator
  • setting receiver = user so output tokens go to the end user
  • including a sane minAmountOut
Embedded mode does not interpose on these decisions. They are partner-side correctness concerns.

Failure semantics

| Condition | Outcome |
| --- | --- |
| Permit2 signature invalid or expired | transaction reverts before any funds move |
| Aggregator swap reverts | transaction reverts; Permit2 pull is rolled back atomically; user loses only gas |
| Backrun reverts | caught silently; user swap still completes; user pays gas for the failed attempt |

The user transaction never partially commits. Either the user’s swap goes through (with or without a successful backrun), or the entire transaction reverts and the user loses only gas.

Privacy

Embedded mode does not, on its own, provide privacy. A transaction submitted to the public mempool can be observed by searchers, builders, and validators, who may extract the embedded MEV by copying the backrun calldata into a higher-priority transaction or by reordering the block. To prevent this, submit the constructed transaction through a private relay (Flashbots, MEV-Share, builder relays) instead of the public mempool.

Network

  • Per-partner IP allowlist enforced at the network layer for the backrun API
  • HTTPS for all endpoints
  • TLS termination at the endpoint; in-flight encryption end-to-end from partner to nexroute