Last week, Backpack quietly enabled 24/7 trading of tokenized U.S. equities — including pre-IPO shares of SpaceX. The announcement landed with the usual fanfare: “round-the-clock markets,” “access to the next unicorn,” “real-world assets on chain.” But having spent months deconstructing similar hybrid models during the 2022 RWA wave, I noticed something the press release deliberately omitted: no code audit, no proof of reserves, no licensing disclosure. The math whispers what the network shouts: this is a center-of-attention play with a highly asymmetric risk profile.
Context: The Machinery Behind the Curtain
Backpack is a centralized exchange that already offers spot and futures trading. This new service tokenizes shares of public companies (Micron, SanDisk) and a private giant (SpaceX) into tradable digital representations. The technical promise is straightforward: bypass traditional settlement windows (T+1, weekend blackouts) by keeping a continuous order book on Backpack’s servers. The custody model, however, remains opaque. Users never hold private keys to the underlying assets; Backpack’s internal ledger reflects ownership. This is not a DeFi primitive—it is a fintech wrapper around a traditional broker-dealer relationship.
The real innovation lies not in the tokenization itself but in the 24/7 execution engine. Backpack’s matching engine must maintain deep liquidity at all hours, relying on market makers who accept counterparty risk against the exchange’s balance sheet. For public stocks, this is feasible; for SpaceX, with no continuous price discovery, the liquidity is synthetic—priced by a single market maker’s algorithm. Based on my experience auditing early Uniswap V2 pools, I recognize the trap: when only one party provides the price, the spread can expand to 10-20% during low-volume hours, turning “24/7 access” into “24/7 extraction.”
Core Analysis: Code-Level Trade-offs and Structural Blind Spots
Let’s examine the core technical architecture from a security-first lens. Backpack’s system relies on three components: an off-chain order book (centralized), a tokenization layer (likely using a permissioned blockchain or ERC-20 wrapper on Solana), and a traditional custody backend for the actual stock settlement. The off-chain order book is fast but opaque—users cannot independently verify that their trades are being matched against real liquidity rather than internal rebalancing. During the DeFi Summer code audit initiative I led in 2020, we found that any protocol hiding its liquidity source behind a closed matching engine was vulnerable to “phantom order” attacks, where the platform fills orders from a reserve pool that is secretly leveraged. Backpack has not published any proof that its 24/7 liquidity is backed by verifiable reserves.

Second, the tokenization of private equity (SpaceX) introduces a unique failure mode: valuation opacity. SpaceX’s shares are valued during sporadic secondary transactions or internal tender offers. Backpack must either freeze trading during valuation gaps (defeating 24/7) or allow continuous trading based on a stale reference price. The latter creates an opportunity for arbitrageurs to exploit delta between Backpack’s price and the true market price (if a new secondary trade occurs). This is not a theoretical risk—it happened with FTX’s tokenized Tesla derivatives in 2021. When the underlying stock moved after hours, the derivative diverged from the spot, and the exchange paused withdrawals. Backpack’s terms of service likely include similar pause rights, turning 24/7 into a variable-duration promise.
Third, the regulatory code is the hardest contract. Every tokenized security must comply with securities laws. Howey Test analysis shows that these tokens are almost certainly investment contracts: money invested in a common enterprise with expectation of profits from the efforts of others. Backpack has not disclosed whether it holds a broker-dealer license, an Alternative Trading System (ATS) registration, or relies on Regulation S (offshore only). During the Terra collapse, I saw how “regulatory clarity” was treated as an afterthought until the SEC dropped a subpoena. For Backpack, the risk is symmetrical: if the SEC classifies these tokens as unregistered securities, the entire service may be shut down, and user assets could be frozen in legal limbo.

Contrarian Angle: The Silence of the Auditors
The most dangerous blind spot is not the regulatory gray zone—it is the absence of technical transparency. Backpack has not published a formal audit of its tokenization smart contracts, nor has it open-sourced its matching engine logic. In the ZK space, we say: “Trust is not given; it is computed and verified.” Backpack asks users to trust that its off-chain infrastructure is secure, that its custody partner is solvent, and that its market makers are not manipulating spreads. Yet the code that governs these promises is hidden. Compare this to Ondo Finance, which publishes its smart contracts and uses audited proxy contracts for its tokenized Treasuries. Backpack’s opacity suggests a product that prioritizes speed-to-market over structural safety.
Another blind spot: the competitive moat is thin. Robinhood already offers extended-hours trading (until 8 p.m. ET) and plans for 24/7; Coinbase has a separate tokenized stock service via Base. The only differentiator is pre-IPO access—but that market is extremely illiquid and regulated heavily by the SEC under Rule 144. If the SEC deems SpaceX token sales as unregistered public offerings, Backpack could face enforcement action that would also ripple into its core exchange business, risking user deposits across all products.
Takeaway: The Unspoken Vulnerability
Backpack’s 24/7 stock trading is a clever product extension that solves a real user need—but it builds on a foundation of centralized custody, regulatory uncertainty, and unverified liquidity. The math whispers that this is a high-risk experiment disguised as a feature launch. As a community, we should demand three things before trusting such platforms: proof of regulatory authorization, audited smart contracts, and real-time proof of reserves for the underlying assets. Until then, the “24/7 access” narrative may be masking a ticking regulatory clock. The question is not whether the SEC will act, but when—and whether Backpack’s users will have enough time to exit before the music stops.
