← Cancel & Manage5 / 6Security & Trust →

The Bot

The bot automates the mechanical steps — mint, deliver, close. It's open source, permissionless, and constrained by the smart contract. If it disappears, nothing is lost.

Infrastructure

What Needs to Be Running

Etcha requires three components. No external proof servers, no centralized APIs, no proprietary backends.

Component	What It Does	Required?
Ergo Node	Reads chain state, submits TXs	Yes
Frontend (Next.js)	UI + API routes	Yes
Bot (packages/bot)	Auto mints, delivers, closes	Yes for automation

Optional services that enhance but are not required for core functionality:

Service	Purpose	When Needed
Supabase	Sparkline price charts	Only for charts
ergopay	TX reduction for mobile	Only for mobile QR signing

Everything reads from the chain. Oracle prices, registry rates, reserve state — all on-chain. No off-chain price feeds.

Automation

Open Source, Permissionless, Any Mnemonic

The bot watches for new option definitions and handles mint + deliver. It also auto-closes expired reserves. The source code is fully open — anyone can run it. It doesn't matter whose mnemonic it uses because the contract paths the bot uses are all permissionless.

Starting the bot:

source ~/.secrets && cd ~/ergo-options-ui/packages/bot && \
  BOT_MNEMONIC="your-mnemonic-here" \
  ERGO_NODE=http://localhost:9053 \
  npx tsx src/index.ts

Safety

Why the Bot Can't Steal Anything

Every action the bot takes is constrained by the ErgoScript contract. The bot constructs and submits transactions, but the Ergo node only accepts them if the contract evaluates to true.

Mint

Token count matches the formula exactly (can't mint extra)

Collateral preserved in the reserve (can't redirect it)

Fee output goes to address in R9[1] (can't redirect the fee)

All registers preserved (can't tamper with parameters)

Deliver

Tokens go to writer's address from R9[0] (can't send elsewhere)

Singleton stays in the reserve (can't extract it)

Collateral stays in the reserve (can't touch it)

Close Expired

Block height past maturity + 720 (can't close early)

ALL collateral goes to writer's address from R9[0] (can't redirect)

Exactly 2 outputs (can't add extra recipients)

A malicious bot can construct any TX it wants — but the Ergo node rejects it if the contract evaluates to false.

Resilience

What if the Bot Goes Down?

Nothing is lost. The bot is a convenience layer, not a dependency.

Definition waiting to be minted? Anyone can submit the mint TX. The contract doesn't care who submits it.
Reserve waiting for delivery? Anyone can submit the deliver TX. Tokens always go to the writer's address in R9[0].
Option expired? Anyone can close it. Collateral always returns to the writer.
Want to exercise? The buyer does this directly from the frontend — the bot isn't involved at all.

If the bot disappears entirely, a new operator can spin up a fresh instance with any mnemonic and it will pick up right where the old one left off. The chain state IS the state — the bot has no memory that matters.

Multiple bots can run simultaneously. If two bots try to mint the same definition, one succeeds and the other gets a harmless "double-spending" error. First-come, first-served. The more bots running, the faster options get processed.

Key Takeaway

The bot is a convenience layer, not a dependency. The contract is the authority. Anyone can run a bot, and if all bots disappear, nothing is lost.

← Cancel & Manage Next: Security & Trust →