Permit2 trust scope
The user signs a Permit2 typed-data message that specifies:- input token
- maximum amount
- spender (the nexroute wrapper, or the partner’s router for the composition shape)
- deadline
- nonce
Backrun calldata trust
The wrapper-contract shape executes nexroute’s backrun calldata only after the user’s swap has completed and any user output has left the wrapper (delivered to the user as the swap’s receiver). At the moment the backrun runs, the wrapper holds at most:- nexroute’s own internal arbitrage capital (if any)
- residual dust from the swap
Aggregator calldata trust
The aggregator swap calldata is built by the partner, not by nexroute. The user reviews the swap intent in their wallet (token, amount, deadline) before signing the Permit2 message. The partner is responsible for:- using a trusted aggregator
- setting
receiver = userso output tokens go to the end user - including a sane
minAmountOut
Failure semantics
The user transaction never partially commits. Either the user’s swap goes through (with or without a successful backrun), or the entire transaction reverts and the user loses only gas.
Privacy
Embedded mode does not, on its own, provide privacy. A transaction submitted to the public mempool can be observed by searchers, builders, and validators, who may extract the embedded MEV by copying the backrun calldata into a higher-priority transaction or by reordering the block. To prevent this, submit the constructed transaction through a private relay (Flashbots, MEV-Share, builder relays) instead of the public mempool.Network
- Per-partner IP allowlist enforced at the network layer for the backrun API
- HTTPS for all endpoints
- TLS termination at the endpoint; in-flight encryption end-to-end from partner to nexroute