Betex
Entry · 2026-04-25

Encrypted swaps.
Sandwich-resistant by construction.

A working implementation of BTX threshold encryption[1] wrapped as a DEX. Every order is encrypted in your browser and revealed only by a 2-of-3 committee after the epoch closes. Sandwich attacks become mathematically impossible — not merely hard.

The settlement is atomic. Execution order inside the batch is shuffled by on-chain randomness. The AMM is gated by onlyPool; no external contract can interleave between reveal and settle.

Launch app Read the paper·Source code

On-chain field log.

Three independent processes form the decryptor committee. Each closes its own polling loop against Monad RPC; the combiner (Node 0) waits for two shares before sealing the batch.

Committee0/3 live
  • Node 0· combineridle
  • Node 1idle
  • Node 2idle

Threshold: 2 of 3.

Pool reserves
MON
USDC
Price

The mechanism, sketched.

A threshold-encrypted committee sits between your wallet and the AMM. The plaintext of an order is never broadcast; only its commitment hash and an opaque ciphertext leave the browser. Three steps replace the public mempool:

  1. I.

    Encrypt locally

    Direction, amount, slippage, recipient — all encrypted to a threshold public key under BLS12-381. The plaintext never leaves your device.

  2. II.

    Batch for one epoch

    Orders submitted inside the same five-second window are grouped together. Each ciphertext is bound to a public commitment hash that the contract will check on reveal.

  3. III.

    Reveal & settle

    When the epoch closes, the committee broadcasts decryption shares. The contract verifies a single aggregate pairing, shuffles execution order, and runs every swap atomically.

The settlement transaction is atomic. Aggregate pairing check, hash binding, Fisher-Yates shuffle, and individual AMM calls happen inside a single block — there is no surface for a bot to interleave on.

The foundation.

Betex is the first working DEX built on BTX: Simple and Efficient Batch Threshold Encryption[1]. Each committee server broadcasts a single G₁ element per epoch, regardless of how many orders the batch contains — communication per server is O(1) in the batch size. That property makes the scheme scale to validator-set-sized committees without exploding bandwidth.

σ_j = Σl ∈ U τlj · ctl,1   ∈ G₁

Sections §4 through §7 of the paper are realised in Solidity and JavaScript: punctured CRS, Shamir-over-powers key generation, aggregate pairing check via EIP-2537 PAIRING_CHECK, Schnorr NIZK under the Algebraic Group Model, KEM-DEM ciphertext wrapping. §8 — the encrypted mempool — is wrapped as a working DEX with a Uniswap V2-style AMM[2].

Curve
BLS12-381
Precompile
EIP-2537
NIZK
AGM-Schnorr
KDF
KEM-DEM
Threshold
2-of-3
Bmax
16
Epoch
5 s
Tests
138

On Monad testnet, today.

Mint mock USDC and MON from the in-app faucet, place a swap, and watch the encrypted batch settle in five seconds. All three committee nodes run as independent processes; the contracts are verified on Monad explorer.

Launch app Get testnet tokensBrowse epochs →
  1. [1]Agarwal, Das, Gilkalaye, Rindal, Shoup. BTX: Simple and Efficient Batch Threshold Encryption. Category Labs, 17 Apr 2026.
  2. [2]Adams, Zinsmeister, Salem, Keefer, Robinson. Uniswap v2 Core. 2020.
  3. [3]Fuchsbauer, Kiltz, Loss. The Algebraic Group Model and its Applications. CRYPTO 2018.
  4. [4]EIP-2537. Precompile for BLS12-381 curve operations. Live in Monad (MONAD_FOUR), 2025-10-14.