Ghost Finance

Private P2P lending with sealed bid rate discovery on Chainlink CRE
2nd | DeFi & Tokenization

GHOST stands for Generalized Heuristic for Obfuscated Settlement and Transfer. It's a peer to peer lending protocol where no one, not even the server, knows what interest rate you're willing to lend at. Lenders submit sealed bids, borrowers post collateral and request loans, and a confidential matching engine pairs them together without ever exposing individual rates to the outside world. The entire protocol is designed around one principle: financial privacy shouldn't require trusting anyone.

The Problem

In traditional DeFi lending, everything is public. Your rates, your positions, your collateral levels. This creates real problems that compound on each other.

  1. First, rate transparency enables front running. When bots can see pending rate submissions in the mempool, they sandwich transactions and extract value from honest participants. Lenders and borrowers both lose to MEV extraction on every interaction.
  2. Second, pooled rate models create a free rider problem. In protocols like Aave or Compound, all lenders earn the same blended rate regardless of their individual risk tolerance. A lender willing to accept 3% earns the same as one who would have accepted 5%. This kills truthful price discovery because there's no incentive to reveal your actual reservation rate. The result is rates that don't reflect real supply and demand.
  3. Third, financial positions are completely exposed. Anyone can see your collateral levels, your liquidation thresholds, your outstanding loans. This opens the door to targeted liquidation attacks, competitive intelligence gathering, and social engineering based on on chain wealth.

These aren't theoretical concerns. They're happening every day across DeFi and they fundamentally undermine the efficiency and fairness of decentralized credit markets.

How GHOST Solves It

GHOST fixes this by splitting the system into three layers that don't trust each other. No single layer has enough information or capability to compromise the system on its own.

  1. The first layer is on chain custody through Chainlink's Compliant Private Transfer Vault on Sepolia. It holds the funds and nobody else can touch them. All deposits and withdrawals happen through shielded addresses, so even fund movements don't leak information about who is lending or borrowing how much.
  2. The second layer is a server built with Hono and Bun that stores encrypted lending intents. It handles the API, tracks loan lifecycles, and queues transfers, but it literally cannot read your interest rate because it's encrypted with a key it doesn't have. Even if the server is fully compromised, an attacker learns nothing about the rate landscape.
  3. The third layer is the settlement engine running inside Chainlink's Confidential Runtime Environment. This is where the magic happens. Three stateless workflows run on a loop: one matches loans every 30 seconds, one executes fund transfers every 15 seconds, and one monitors collateral health every 60 seconds. The CRE workflows use ConfidentialHTTPClient, which ensures that the API key is fetched from the secured DON vault and attached to requests without being exposed in plaintext outside the CRE enclave. The engine decrypts rates only momentarily, runs the matching logic, and then wipes everything. No persistent state, no logs of plaintext rates, nothing left behind.

Sealed Bid Rate Discovery

When you want to lend, you encrypt your desired rate using the CRE's public key and submit it to the server. The server stores the ciphertext but has no way to read it. When a borrower comes in, the CRE wakes up, pulls all pending intents, decrypts the rates inside its TEE, sorts lenders from cheapest to most expensive, and fills the borrow starting from the bottom.

The key insight is discriminatory pricing. Each lender earns their own bid rate, not some averaged pool rate. If you bid 3.5% and get matched, you earn 3.5%. The lender next to you who bid 4% earns 4%. This means your best strategy is to bid honestly. There's no advantage to underbidding because you'd just leave money on the table. There's no advantage to overbidding because you risk not getting matched at all. And you can't see anyone else's bid to game the system. Truthful bidding emerges as the dominant strategy, which is exactly what you want for efficient rate discovery.

This approach is grounded in auction theory. Discriminatory (pay as bid) auctions with sealed bids and private valuations incentivize truthful revelation in ways that uniform price auctions simply don't. The academic foundation draws from Stiglitz and Weiss on credit rationing, Bester on screening mechanisms, and more recent work by Monostori on discriminatory versus uniform price auction dynamics.
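
The sort-and-fill step described above, written out as an added TypeScript example (not GHOST's own code). It assumes rates are already decrypted inside the enclave, that a loan is only proposed when it can be fully funded, and that the borrower's max rate is checked against the amount-weighted effective rate; all type and function names are hypothetical.

```typescript
// Added example: pay-as-bid fill over lend intents that are already decrypted.
// All names are hypothetical. Rates are basis points, amounts are whole gUSD units.
interface LendTick { lender: string; rateBps: number; amount: number }
interface Fill { lender: string; rateBps: number; amount: number }
interface MatchResult { fills: Fill[]; effectiveRateBps: number }

function matchBorrow(
  ticks: LendTick[],
  borrowAmount: number,
  maxRateBps: number
): MatchResult | null {
  if (borrowAmount <= 0) return null;
  // Cheapest first. Array.prototype.sort is stable, so equal rates keep
  // submission order. The copy leaves the caller's array untouched.
  const book = [...ticks].sort((a, b) => a.rateBps - b.rateBps);
  const fills: Fill[] = [];
  let remaining = borrowAmount;
  for (const tick of book) {
    if (remaining === 0) break;
    const take = Math.min(tick.amount, remaining);
    if (take <= 0) continue;
    // Discriminatory pricing: the fill carries the lender's own bid rate.
    fills.push({ lender: tick.lender, rateBps: tick.rateBps, amount: take });
    remaining -= take;
  }
  if (remaining > 0) return null; // assumption: no partially funded loans
  // Assumption: the borrower's max rate is compared with the amount-weighted
  // average of the fills, i.e. the effective rate of the proposal.
  const weighted = fills.reduce((sum, f) => sum + f.rateBps * f.amount, 0);
  const effectiveRateBps = weighted / borrowAmount;
  if (effectiveRateBps > maxRateBps) return null;
  // Only matched ticks are returned; unmatched bids never leave this function.
  return { fills, effectiveRateBps };
}

// Constructed sample book, deliberately out of order.
const sampleBook: LendTick[] = [
  { lender: "carol", rateBps: 500, amount: 2000 },
  { lender: "alice", rateBps: 350, amount: 1000 },
  { lender: "bob", rateBps: 400, amount: 1000 },
];
```

With the sample book, a 2000 gUSD borrow is filled by alice at 3.5% and bob at 4%, and carol's 5% bid is neither used nor revealed in the result.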

Credit Tiers and Collateral

Borrowers post collateral in gETH and borrow gUSD. Every new borrower starts at Bronze tier, which requires 2x collateral. Repay a loan successfully and you move up to Silver (1.8x), then Gold (1.5x), then Platinum (1.2x). Default on a loan and you drop a tier. This creates a real incentive to maintain good standing because the capital efficiency gains from higher tiers are significant. A Platinum borrower needs to lock up 40% less collateral than a Bronze borrower for the same loan.

Reject a valid match proposal and you lose 5% of your collateral as a penalty. This prevents borrowers from using proposals as free rate discovery by submitting borrow intents, seeing the effective rate they'd get, rejecting it, and resubmitting with a lower max rate. The penalty makes that strategy expensive enough to discourage it, while still giving borrowers a genuine option to walk away from a match they don't like.

Loan Monitoring and Liquidation

Once a loan is active, the CRE monitors it continuously. Every 60 seconds, the check loans workflow reads the ETH/USD price from Chainlink Data Streams and computes a health factor for every active loan. If collateral value drops below 1.5x the principal, or if the loan has passed its maturity date, the CRE flags it for liquidation.

Liquidation is handled automatically. There's no external liquidator role and no liquidation auctions. The CRE itself triggers the process. The protocol takes a 5% fee from the seized collateral and distributes the remaining 95% pro rata to the lenders who funded that loan, proportional to their matched tick amounts. The borrower's credit tier drops by one level.
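
The health check and payout split described above, as an added TypeScript example rather than the project's workflow code. The names, the units, and the choice to hand rounding dust to the last lender are assumptions.

```typescript
// Added example: liquidation check and payout split. All names are hypothetical.
interface ActiveLoan {
  principalUsd: number;  // gUSD borrowed
  collateralEth: number; // gETH posted
  maturity: number;      // unix seconds
}
interface FundedTick { lender: string; amount: number }
interface Payout { lender: string; amount: number }

const MIN_COLLATERAL_RATIO = 1.5; // liquidation threshold from the text
const PROTOCOL_FEE_BPS = 500;     // 5% of seized collateral

// Flag a loan when collateral value is below 1.5x principal or it is past maturity.
function shouldLiquidate(loan: ActiveLoan, ethUsd: number, now: number): boolean {
  const collateralUsd = loan.collateralEth * ethUsd;
  const underCollateralized = collateralUsd < MIN_COLLATERAL_RATIO * loan.principalUsd;
  const pastMaturity = now > loan.maturity;
  return underCollateralized || pastMaturity;
}

// Split seized collateral (integer, smallest unit): 5% fee, rest pro rata
// by each lender's matched tick amount.
function splitSeizedCollateral(
  seized: number,
  ticks: FundedTick[]
): { fee: number; payouts: Payout[] } {
  const fee = Math.floor((seized * PROTOCOL_FEE_BPS) / 10000);
  const distributable = seized - fee;
  const funded = ticks.reduce((sum, t) => sum + t.amount, 0);
  if (funded <= 0) throw new Error("loan has no funded ticks");
  const payouts: Payout[] = [];
  let paid = 0;
  ticks.forEach((t, i) => {
    // Assumption: the last lender receives the remainder, so that
    // fee + payouts always equals the seized amount despite integer rounding.
    const isLast = i === ticks.length - 1;
    const amount = isLast
      ? distributable - paid
      : Math.floor((distributable * t.amount) / funded);
    paid += amount;
    payouts.push({ lender: t.lender, amount });
  });
  return { fee, payouts };
}
```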

The End Result

The result is a lending market where rates reflect genuine supply and demand because participants bid truthfully. Positions stay private because encryption is end to end and the server is blind. No single component has enough information to compromise the system because custody, storage, and computation are separated across independent trust domains. And the whole thing runs autonomously through CRE workflows that wake up, do their job, and forget everything.

A Chainlink Hackathon  //  Feb 6 – Mar 8