The Arkade Operator coordinates Arkade’s virtual execution environment through a modular architecture that comprises several core functions: transaction validation, batch creation, liquidity provisioning, and system coordination.

This modular design enables horizontal scaling and distributed deployment, and it increases overall system security.

Future implementations will enable individual operator functions to be replicated across multiple infrastructure providers, geographic regions, or operated by different entities, reducing single points of failure and improving system resilience.

For now, we separate the Signing entity from the Operator role.

Arkade Operator

Transaction Validation and Batch Creation. The operator validates incoming transactions against the current VTXO set, forwards valid requests to the Arkade Signer for cosigning, and aggregates multiple user operations into a single batch output that is eventually anchored onchain via a commitment transaction.

The operator’s role is designed with strict boundaries. It cannot unilaterally spend user VTXOs or override unilateral exit paths, as these are secured by presigned transaction trees that users control independently.

Liquidity Provision. The Arkade Operator provides liquidity for user operations that require onchain settlement, such as VTXO renewals, offboarding, or LN payments. To do so, it temporarily deploys bitcoin from its treasury until it can reclaim funds from expired VTXOs. This creates a capital obligation that requires the operator to manage reserves efficiently and ensure continuous availability. Future versions may delegate this role to third-party liquidity providers.

Arkade Signer

The Arkade Signer represents a critical architectural separation that isolates transaction signing authority from operator control. Rather than allowing the Arkade Operator to directly sign user transactions, this responsibility is delegated to a separate module that operates under verifiable constraints.

The Signer generates a single signing key that all Arkade addresses require for VTXO cosigning. This key is protected within a secure hardware environment (TEE) that prevents access even by the operator. Users communicate directly with the Signer through encrypted channels, ensuring that signature requests remain confidential and uncensorable. This architectural decision transforms the trust model from relying on operator honesty to relying on cryptographic and hardware guarantees that can be independently verified.

Detailed security mechanisms, including Trusted Execution Environment implementation, remote attestation procedures, and collateral enforcement, are covered in the Security & Trust Model documentation.