Live on Stellar + Canton testnet

Where open liquidity meets institutional finance.

stellarCanton is the interoperability bridge between Stellar and Canton — settling tokenized treasuries, stablecoins, and securities across both networks atomically, with privacy and compliance intact.

CUSTODY
Non-custodial
SETTLEMENT
Atomic · ~5s
AUDITS
4 independent
COMPLIANCE
SOC 2 · ISO 27001
Built on Stellar Soroban Canton Network Daml USDC
$0.00B
Total value bridged
0.0s
Avg. settlement
0+
Asset classes
0.00%
Protocol uptime
How it works

One bridge. Two networks. Atomic settlement.

Assets move between Stellar and Canton in a single, cryptographically proven step — never wrapped, never held in limbo.

STELLAR
stellarCanton
CANTON
01

Initiate

Choose a tokenized asset and destination network. stellarCanton verifies eligibility, limits, and compliance rules in real time.

02

Settle atomically

The asset is locked on the source ledger and a 1:1 claim is issued on the destination — in one atomic, cryptographically proven step.

03

Reconcile & redeem

Positions reconcile on both networks. Redeem back to the source at any time, permissionlessly.

settlement.log
$ stellarcanton transfer --asset USTB --amount 250000 --to canton

   eligibility & compliance verified
   asset locked on Stellar        ledger #58,204,117
   1:1 claim issued on Canton     party::1220…9f
   atomic commit · 2-phase        proof 0x9f3c…a71b

  settled atomically in 4.8s
Protocol internals

Two phases. One pre-image. Provable settlement.

A hash-linked lock on Stellar and a provisional claim on Canton are bound by a single secret. Revealing it settles both sides at once — or, after the timeout, cleanly reverts both.

PENDING LOCKED CLAIMED FINALIZED no reveal < Δt  ⟲  REVERTED
commit.seq
# x ← rand();  h = H(x)
 phase 1 · prepare
   lock(A, v, h, Δt)      escrow on Stellar
   policy(A, v, s, r) == 
   σ = ThreshSig(lock, h) q ≥ 13/18
   claim(A, v, h)         provisional
 phase 2 · commit
   reveal(x)              H(x) == h
   Canton : claim → ACTIVE
   Stellar: release(A,v) → FINAL
 timeout < Δt → refund(s), void claim
Spec sheet
CommitmentSHA-256
Threshold sigBLS12-381
Quorum13 / 18  (>⅔)
Lock timeout Δt45 s
Finality depth1 close
Proven properties
Atomicity — both sides or neither
No double-spend (nullifiers)
No stuck funds — bounded liveness
Verified in TLA+ model checker 4 independent audits Read the whitepaper →
Tokenized assets

Move any tokenized asset across the divide.

US-TBILL

Tokenized Treasuries

On-chain T-bills and money-market funds bridged for institutional yield without leaving the ledger.

STABLE

Regulated Stablecoins

USDC and regulated e-money — liquid on Stellar, settled with finality on Canton.

FUND

Tokenized Funds

Fund units and MMFs with NAV attestation kept consistent across both ledgers.

CREDIT

Private Credit

Bilateral loans and credit instruments moved with counterparty privacy preserved.

SECURITY

Securities & Equities

Tokenized bonds and equities carrying compliant transfer controls end to end.

COMMODITY

Commodities & Carbon

Tokenized commodities and carbon credits made mobile across both networks.

Why both

The strengths of two networks, unified.

Stellar

The open network

Global, permissionless liquidity
~5s low-cost settlement
Deep stablecoin & FX markets
Public, composable rails
Canton

The institutional network

Privacy by design
Permissioned sub-networks
Atomic multi-party settlement
Native compliance & controls

stellarCanton lets assets flow between the two — without giving up the strengths of either.

Security & compliance

Institutional-grade by construction.

Atomic settlement

Assets move in a single atomic operation. No wrapped-asset risk, no partial fills, no double-spend.

Privacy-preserving

Canton's sub-transaction privacy is honored end to end. Counterparties see only what they should.

Non-custodial & audited

You retain control throughout. Contracts are independently audited and formally verified.

Compliance-aware

Allowlists, travel-rule metadata, and jurisdictional controls travel with every transfer.

settlement-proof.json
{
  "settlement": "atomic",
  "status": "finalized",
  "networks": ["stellar", "canton"],
  "asset": "USTB",
  "privacy": "sub-transaction",
  "compliance": {
    "allowlist": "passed",
    "travel_rule": "attached",
    "jurisdiction": "permitted"
  },
  "custodial": false,
  "proof": "0x9f3c4e…a71b"
}
For developers

Bridge in a few lines.

One SDK, one messaging standard. Move assets across Stellar and Canton without stitching together two integrations.

TypeScript & Python SDKs
REST API + signed webhooks
Public testnet & faucet
Open cross-network messaging standard
Read the docs
bridge.ts
import { StellarCanton } from '@stellarcanton/sdk';

const bridge = new StellarCanton({ network: 'mainnet' });

// Move a tokenized treasury: Stellar → Canton
const tx = await bridge.transfer({
  asset:  'USTB',
  amount: 250000,
  from:   'stellar:GC…ABCD',
  to:     'canton:party::1220…',
});

await tx.awaitFinality(); // atomic · ~5s

Put institutional assets in motion.

Integrate the Stellar–Canton bridge, or start moving tokenized assets on testnet today.

Documentation

Build on the Stellar–Canton bridge.

Everything you need to move tokenized assets across Stellar and Canton — concepts, quickstart, and the settlement model, in one place.

Quickstart

Install the SDK, authenticate, and settle your first cross-network transfer in under five minutes.

STEP 1 Install
terminal
# TypeScript / JavaScript
$ npm install @stellarcanton/sdk

# Python
$ pip install stellarcanton
STEP 2 Authenticate & connect
client.ts
import { StellarCanton } from '@stellarcanton/sdk';

const sc = new StellarCanton({
  network: 'testnet',
  apiKey: process.env.SC_API_KEY,
});
STEP 3 Settle your first transfer
transfer.ts
// Lock USTB on Stellar, issue a 1:1 claim on Canton
const tx = await sc.transfer({
  asset:  'USTB',
  amount: 250000,
  from:   'stellar:GC…ABCD',
  to:     'canton:party::1220…',
});

const receipt = await tx.awaitFinality();
console.log(receipt.status); // → 'finalized'

Core concepts

Six ideas underpin every transfer on the protocol.

ATOMICITY

Atomic settlement

A transfer either completes on both ledgers or on neither. There is no intermediate custody state.

MECHANISM

Lock & claim

The source asset is locked in a Soroban contract; a matching claim is minted under a Daml contract on Canton.

PRIVACY

Privacy scoping

Canton sub-transaction privacy is preserved: each party observes only the projections it is entitled to.

CONTROLS

Compliance hooks

Allowlists, transfer limits, and travel-rule metadata are evaluated before a lock is ever created.

FINALITY

Deterministic finality

Once the two-phase commit resolves, the transfer is irreversible and a settlement proof is emitted.

REVERSIBILITY

Permissionless redemption

Burn the claim on the destination to unlock the original asset on the source at any time.

Architecture

A transfer flows through a locking contract on Stellar, a relayer set that attests the lock, and a claim contract on Canton.

STELLAR
relayer set
CANTON
01 · Lock

Soroban Vault escrows the asset and emits a lock event with a commitment hash.

02 · Attest

A threshold of relayers verifies the lock and co-signs a transferable attestation.

03 · Claim

The Daml Claim contract mints a 1:1 position for the destination party.

04 · Finalize

Two-phase commit resolves; a signed settlement proof is written and webhooks fire.

Keep reading

API reference · v1

REST API reference.

A single REST surface for quoting, initiating, tracking, and proving cross-network settlements. JSON over HTTPS, signed webhooks for state changes.

BASE URL
https://api.stellarcanton.com
AUTH

Bearer API key in Authorization; request bodies HMAC-signed with your secret.

FORMAT

All requests and responses are application/json. Amounts are integer minor units.

Authentication

Every request carries a bearer key. Mutating requests additionally require an X-SC-Signature header — an HMAC-SHA256 of the raw body under your API secret.

curl
curl https://api.stellarcanton.com/v1/transfers \
  -H "Authorization: Bearer sk_live_…" \
  -H "X-SC-Signature: 9f3c4e…a71b" \
  -H "Content-Type: application/json" \
  -d '{ "asset": "USTB", "amount": 250000 }'

Endpoints

POST /v1/transfers

Initiate an atomic cross-network transfer. Locks the asset on the source network and issues a claim on the destination.

ParameterTypeDescription
asset requiredstringAsset symbol, e.g. USTB, USDC.
amount requiredintegerAmount in minor units (no decimals).
from requiredstringSource address, stellar:G….
to requiredstringDestination party, canton:party::….
memo optionalstringFree-form reference retained in the proof.
idempotency_key optionalstringSafely retry without double-execution.
200 · response
{
  "id": "tx_9f3c4ea71b",
  "status": "pending",
  "asset": "USTB",
  "amount": 250000,
  "created_at": "2026-07-05T14:22:07Z"
}
GET /v1/transfers/{id}

Retrieve a transfer and its current settlement state. Poll this, or subscribe to webhooks, until finalized.

StateMeaning
pendingAccepted; compliance checks running.
lockedSource asset escrowed; awaiting attestation.
claimedDestination claim issued; two-phase commit open.
finalizedIrreversible; settlement proof available.
revertedLock released; no destination position created.
POST /v1/quotes

Price a transfer before executing — returns protocol fee, estimated finality time, and a short-lived quote id.

ParameterTypeDescription
asset requiredstringAsset symbol to quote.
amount requiredintegerAmount in minor units.
direction requiredenumstellar_to_canton · canton_to_stellar
GET /v1/proofs/{id}

Fetch the signed settlement proof for a finalized transfer — a verifiable, portable attestation of atomic settlement across both ledgers.

Webhooks

Subscribe to settlement events. Every delivery is signed with X-SC-Signature so you can verify authenticity.

transfer.locked transfer.claimed transfer.finalized transfer.reverted proof.available

Errors & rate limits

CodeErrorMeaning
400invalid_requestMalformed body or missing required field.
401unauthorizedMissing or invalid API key.
409compliance_rejectedTransfer blocked by allowlist or limit rule.
422insufficient_liquidityRoute cannot be settled at requested size.
429rate_limitedOver 600 req/min. Back off and retry.
503network_degradedA source/destination ledger is unavailable.

Rate limit: 600 requests / minute per key. Limits are returned in X-RateLimit-* headers.

SDK

One client for both networks.

The stellarCanton SDK wraps quoting, transfers, redemption, proofs, and event streaming behind a single typed interface — TypeScript and Python, full parity.

TypeScript
$ npm i @stellarcanton/sdk
Python
$ pip install stellarcanton

Client options

OptionTypeDefaultDescription
networkenummainnetmainnet · testnet
apiKeystringBearer key for the REST surface.
timeoutMsnumber30000Per-request timeout.
maxRetriesnumber3Automatic retry with backoff on 5xx.

Methods

sc.quote(params)

Price a transfer. Returns fee, ETA, and a quote id valid for 30 seconds.

const q = await sc.quote({ asset: 'USTB', amount: 250000, direction: 'stellar_to_canton' });
sc.transfer(params)

Initiate an atomic transfer. Returns a handle you can await to finality.

const tx = await sc.transfer({ asset: 'USTB', amount: 250000, from: 'stellar:GC…', to: 'canton:party::…' });
await tx.awaitFinality();
sc.redeem(id) · sc.getProof(id)

Burn a destination claim to unlock the source asset, or fetch the signed settlement proof for a finalized transfer.

sc.on(event, handler)

Stream settlement events over a managed WebSocket. Auto-reconnects with resumable cursors.

sc.on('transfer.finalized', (e) => {
  console.log(e.id, e.proof);
});

Error handling

errors.ts
import { ComplianceError, LiquidityError } from '@stellarcanton/sdk';

try { await sc.transfer(params); }
catch (e) {
  if (e instanceof ComplianceError) notifyDesk(e.rule);
}
Testnet

Build against live testnet.

Free test assets, public endpoints, and deployed contracts on both Stellar and Canton test networks. No key required to read; a testnet key unlocks transfers.

Network parameters

STELLAR TESTNET
HORIZON
https://horizon-testnet.stellar.org
PASSPHRASE
Test SDF Network ; September 2015
SOROBAN RPC
https://soroban-testnet.stellar.org
CANTON TESTNET
LEDGER API
https://ledger.testnet.canton.network
DOMAIN ID
sc-testnet::domain::1220a9f0
SYNC PROTOCOL
Canton 3.x

Deployed contracts

ContractNetworkAddress
Vault (lock)SorobanC...V4ULT7X2K
Attestor registrySorobanC...ATT3ST0R9
ClaimCanton / DamlSC.Bridge:Claim@1220…
Compliance hookCanton / DamlSC.Bridge:Policy@1220…

Faucet

Fund a testnet address with mock assets. Rate-limited to 5 requests per address per hour; balances reset weekly.

faucet
$ curl -X POST https://faucet.testnet.stellarcanton.com \
    -d '{ "address": "stellar:GC…", "asset": "USTB" }'

 funded 1,000,000 USTB · tx GD2f…88c1
Open the faucet →

Test assets & explorer

USTB · treasuries USDC · stablecoin tMMF · fund units tCARBON · credits
Open testnet explorer →
Whitepaper · v1.2 · July 2026

Atomic interoperability between Stellar and Canton.

A protocol for settling tokenized real-world assets across an open network and a permissioned network without wrapping, custody, or loss of privacy.

E. MárquezD. OseiP. Nair· stellarCanton Labs
Abstract

Tokenized real-world assets are fragmenting across ledgers optimized for incompatible properties: Stellar for open, low-cost, globally composable liquidity, and Canton for privacy-preserving, permissioned, multi-party institutional settlement. Existing bridges reconcile them with lock-and-mint wrapping and custodial or optimistic intermediaries, reintroducing precisely the counterparty and bridge-hack risk tokenization was meant to eliminate.

We present a two-phase, hash-linked atomic settlement protocol coordinating a Soroban escrow on Stellar with a Daml claim on Canton via a stake-weighted threshold attestor set. Settlement is strongly atomic — it commits on both ledgers or neither — non-custodial, and privacy-preserving: attestations carry only commitments, never plaintext. We formalize the safety and liveness guarantees under an honest-⅔ assumption, give a bounded-liveness timeout analysis, and characterize the protocol against a Byzantine adversary controlling a minority of attestor stake and arbitrary transaction ordering.

01

Notation & preliminaries

We write H(·) for a collision-resistant hash (SHA-256), Sigk(m) for a signature over m under key k, and ⟨·⟩ for canonical CBOR encoding. Time is measured in source-ledger ledger-closes; Δt denotes the lock timeout in that unit.

SymbolMeaning
A, vAsset identifier and transfer amount (integer minor units)
s → rSource party on Stellar, recipient party on Canton
x, hSecret pre-image x and its commitment h = H(x)
𝒜, n, tAttestor set, its size n, and Byzantine bound t
qSigning quorum, q = ⌊2n/3⌋ + 1
σAggregate threshold signature (BLS) over an attestation
Δt, δLock timeout and maximum cross-ledger relay delay
02

System model & participants

The protocol spans two ledgers with disjoint validator sets and distinct finality models. We assume each underlying ledger is individually safe and live, and that honest parties can read both. The bridge introduces no new consensus; it coordinates two independently-final ledgers through a hash-linked commitment and a threshold attestation.

ParticipantLedgerRole & trust
VaultStellar / SorobanEscrows the source asset against commitment h; releases on reveal or refunds after Δt. Trustless.
ClaimCanton / DamlMints a provisional 1:1 position bound to h; activates on reveal. Trustless.
Attestor set 𝒜off-ledgern stake-bonded signers; ≤ t = ⌊(n−1)/3⌋ Byzantine. Verifies the lock and co-signs an attestation.
Relayeroff-ledgerTransports messages between ledgers. Untrusted — cannot forge or censor beyond Δt.
Sender / RecipientbothCounterparties to the transfer. Custody their own keys throughout.
03

The fragmentation problem

Real-world asset tokenization has scaled on multiple ledgers with incompatible trust models. Bridging them today relies on wrapped assets and custodial or optimistically-verified intermediaries that reintroduce exactly the counterparty risk tokenization set out to remove — and that account for the large majority of value lost in cross-chain exploits to date. A correct bridge must preserve native issuance, avoid synthetic representations, and honor the privacy and compliance semantics of each side rather than flattening them to the lowest common denominator.

04

Design goals

Atomicity. A transfer commits on both ledgers or neither — no partial or intermediate custody state is ever observable.
Non-custody. No party — including the attestor set — ever holds unilateral control of user assets.
Privacy. Canton sub-transaction confidentiality is never weakened; the public side learns no confidential state.
Compliance. Policy evaluation is a precondition of the lock, not a post-hoc filter.
Bounded liveness. Every transfer terminates — finalized or cleanly reverted — within a known time bound.
05

Settlement protocol

Settlement is a two-phase commit across a hash-linked lock and claim. The sender samples a secret x and publishes only h = H(x). Phase 1 (prepare) escrows and provisions against h; phase 2 (commit) reveals x, which atomically unlocks both sides.

protocol.txt
participants: Sender s, Vault (Stellar), 𝒜 (attestors), Claim (Canton), Recipient r
 ── phase 1 · prepare ──────────────────────────────
  s      : x ← rand();  h ← H(x)
  s  → V : lock(A, v, h, Δt)            escrow on Stellar
  V      : assert policy(A, v, s, r) = ✓
  𝒜  ⊨  : verify lock @ ledger height ≥ f
  𝒜  → C : σ ← ThreshSig(⟨lock, h⟩), |σ| ≥ q
  C      : claim(A, v, h) → PROVISIONAL  mint on Canton
 ── phase 2 · commit ───────────────────────────────
  s  → C : reveal(x)                     H(x) = h ⇒ activate
  C      : claim → ACTIVE;  emit proof π
  r  → V : redeem(x)                     or any relayer
  V      : H(x) = h ⇒ release(A, v)      final on Stellar
 ── timeout (no reveal within Δt) ──────────────────
  V      : refund(A, v) → s;  C voids PROVISIONAL claim

Because both the Stellar release and the Canton activation are gated on the same pre-image x, revealing it on either ledger makes it public and redeemable on the other. The transfer is therefore all-or-nothing: either x is revealed before Δt and both sides settle, or it is not and both sides revert.

06

Hash-linked lock & claim

The construction generalizes a hash time-locked contract (HTLC) across heterogeneous ledgers. The novelty is that the Canton side is provisional until reveal: the threshold attestation authorizes minting a claim that carries no economic rights until x is presented. This decouples the (permissioned, private) Canton mint authorization from the (public) secret release, so the attestor set never learns x and cannot itself complete a transfer.

SOROBAN · Vault

Holds (A, v, h, Δt, s). Exposes redeem(x) gated on H(x)=h and refund() gated on height > Δt.

DAML · Claim

Created by a valid σ. Provisional until Activate(x); auto-archives if the linked lock refunds.

07

Protocol messages

All cross-ledger messages are canonical-CBOR encoded and domain-separated. The attestation is the only message that crosses the trust boundary; it binds the lock, the commitment, and the destination without revealing transfer contents.

attestation.json
{
  "v": 1,
  "domain": "sc:attestation:mainnet",
  "lock_ref": "stellar:ledger:58204117:op:3",
  "commitment": "0x9f3c4e…a71b",   // h = H(x)
  "asset": "USTB",
  "amount": 250000,          // minor units
  "dest": "canton:party::1220…9f",
  "expiry": 58204617,        // source height, = lock + Δt
  "quorum": { "n": 18, "q": 13 },
  "sig": "bls12-381:agg:8a2f…c410"  // σ, threshold-aggregated
}

Note the absence of counterparty identity or contract structure — only the amount and destination party required to size and route the provisional claim. The commitment is a hiding value; observers cannot derive x or link transfers.

08

Timeout & liveness

The lock timeout must exceed the worst-case time to observe the reveal on the source ledger and act on it. Let δ be the maximum relay + inclusion delay per ledger and f the source-finality depth. A safe lower bound is:

Δt  ≥  2δ  +  fsrc  +  fdst  +  Δsafety

With Stellar finality of ~5 s and Canton finality of ~5 s, mainnet fixes Δt = 45 s of source ledger-closes — comfortably above the ~15 s critical path, leaving margin for congestion. Liveness follows: if the sender reveals before Δt, an honest recipient or any relayer can always redeem on the source; if not, the refund path is unconditionally available after Δt. No configuration leaves funds stuck.

09

Security & formal properties

Assume ≤ t = ⌊(n−1)/3⌋ Byzantine attestors and individually-safe ledgers. The reveal/timeout state machine is specified in TLA+ and model-checked; the following hold.

P1 · Atomicity (safety)

No reachable state has the Stellar asset released while the Canton claim is voided, or vice versa. Both settle or both revert.

P2 · No double-spend

A commitment h is consumable exactly once on each ledger; replay of σ or x is rejected by nullifier checks.

P3 · No stuck funds (liveness)

Every lock terminates in RELEASED or REFUNDED within Δt + f, independent of adversary behavior.

P4 · Unforgeability

A provisional claim exists only with a valid quorum signature; producing one without q honest+Byzantine shares reduces to forging BLS.

10

Threat model

Adversary capabilityMitigation
Compromise < ⅓ of attestor stakeQuorum q > ⅔ ⇒ cannot forge σ; safety preserved.
Compromise ≥ ⅓ (forge attestation)Can mint provisional claims but never learns x; no asset release without sender reveal. Slashing + social recovery.
Relayer censors the revealReveal is public on either ledger; any party relays. Refund after Δt.
Reorg on source below finalityAttestation requires depth ≥ f; provisional claims never activate on unfinalized locks.
Front-run the pre-image revealReveal only benefits the designated recipient; redeem is idempotent and address-bound.
Grief via dust / spam locksMinimum-size + per-key rate limits; refunds are self-service, cost the griefer only fees.
11

Privacy model

On Canton, only stakeholders to a contract observe its contents. The bridge participates as a party with the minimum visibility required to validate a claim — it learns the commitment, asset, and amount, not counterparty identity or downstream contract structure. Attestations carry commitments, never plaintext, and the commitment is a hiding function of a high-entropy secret, so the public Stellar side never leaks confidential Canton state and independent transfers are unlinkable. Amount privacy for large tickets is available via a confidential-value extension in which the attestation binds a Pedersen commitment to v plus a range proof, at the cost of a larger attestation.

12

Economics & governance

A flat protocol fee per settlement funds attestor rewards and an insurance reserve. Attestors post a bond; equivocation (signing two conflicting attestations for one h) is slashable with cryptographic proof. Parameters are governed on-chain by a stake-weighted process with a mandatory timelock on any change affecting live settlements, so in-flight transfers always resolve under the rules they began with.

13

Comparison

PropertyLock & mintOptimisticstellarCanton
Wrapped assetYesYesNo — native claim
Custody riskHighMediumNone
SettlementProbabilisticDelayed (challenge)Atomic
Worst-case latencyminuteshours–days< Δt (45 s)
Privacy preservedNoNoYes
14

Protocol parameters

ParameterSymbolMainnet
Attestor set sizen18
Byzantine boundt5
Signing quorumq13  (⌊2n/3⌋+1)
Lock timeoutΔt45 s
Source finality depthf1 close
Hash / signatureH, σSHA-256, BLS12-381
Governance timelock72 h
References
[1]Stellar Development Foundation. Soroban smart-contract platform specification. 2024.
[2]Digital Asset. The Canton Network & Daml ledger model. 2023.
[3]Nolan, T. Atomic cross-chain trading via hash time-locked contracts. 2013.
[4]Boneh, Lynn, Shacham. Short signatures from the Weil pairing (BLS). 2004.
[5]Lamport, Shostak, Pease. The Byzantine generals problem. 1982.

The reveal/timeout TLA+ specification and audit reports are published in full.

Audits & security

Verified, and open about it.

Independent audits, formal verification of the settlement state machine, and a standing bug bounty. Every report is published in full.

4
Independent audits
100%
Critical findings resolved
$500K
Max bug bounty
Formal
State-machine verification

Audit reports

Bug bounty

We reward responsible disclosure of vulnerabilities in protocol contracts, attestor infrastructure, and the API. Report to [email protected] (PGP available).

CRITICAL
$100K–$500K

Loss of funds, double-spend, forged claim.

HIGH
$25K–$100K

Censorship, liveness failure, privacy leak.

MEDIUM / LOW
$1K–$25K

API abuse, incorrect metadata, minor exposure.

System status

All systems operational

Updated just now · 99.99% uptime over 90 days
Bridge API · last 90 days99.99%
90 days agotoday

Components

Bridge API
142 msOperational
Stellar connector
4.9 s finalityOperational
Canton connector
5.4 s finalityOperational
Attestor set
18 / 18 onlineOperational
Explorer
indexing +38 sDegraded
Faucet (testnet)
210 msOperational

Recent incidents

Jul 3, 2026RESOLVED
Explorer indexing latency

Indexer lag on the Canton side delayed explorer updates ~40s. Settlement itself was unaffected. Backfill completed in 26 minutes.

Jun 21, 2026RESOLVED
Elevated API latency

A rollout increased p99 latency for ~11 minutes. No failed settlements; auto-rollback restored baseline.

About

Connecting open and institutional finance.

stellarCanton exists to make tokenized assets move as freely as information — across the networks that finance actually runs on.

Why we exist

Trillions of dollars of assets are being tokenized — but on ledgers that can't talk to each other. Open networks like Stellar deliver global liquidity and composability. Permissioned networks like Canton deliver the privacy and control institutions require. Each is essential; neither is sufficient alone.

We build the connective tissue: a bridge that moves assets between them atomically, without wrapping, custody, or compromise. Our thesis is simple — interoperability, not consolidation, is how tokenized finance scales.

What we value

Correctness first

Money infrastructure earns trust by being provably right — formally, not rhetorically.

Open by default

Public specs, published audits, and an open messaging standard anyone can build on.

Respect the rails

We honor the trust and privacy model of every network we touch — never weaken it.

Team

Elena Márquez
Co-founder & CEO · ex-payments infra
Devin Osei
Co-founder & CTO · distributed systems
Priya Nair
Head of Protocol · formal methods
Marcus Feld
Head of Compliance · ex-market infra

Backed by

Meridian Capital Ledger Ventures Northgate Halcyon Fund
Remote-first · New York · London · Singapore
Blog

Notes from the bridge.

Engineering deep-dives, protocol updates, and thinking on tokenized-asset interoperability.

FEATUREDJul 1, 2026 · Engineering

Two-phase atomic settlement across heterogeneous ledgers

How we bind a Soroban lock to a Daml claim with a single pre-image reveal — and prove that funds can never be stuck or double-spent.

Jun 18, 2026 · Protocol

Preserving Canton sub-transaction privacy through a bridge

What the bridge party can and cannot see — and why attestations carry commitments, never plaintext.

Jun 2, 2026 · Product

Bridging tokenized treasuries: a walkthrough

Moving USTB from Stellar to a Canton sub-network, from quote to settlement proof.

May 20, 2026 · Security

Formally verifying the reveal/timeout state machine

Model-checking every path through the two-phase commit for safety and liveness.

May 6, 2026 · Company

Why interoperability beats consolidation

The case for connecting open and permissioned networks instead of picking one.

Apr 24, 2026 · Engineering

Designing an idempotent transfer API

Safe retries for money movement, and why every transfer takes an idempotency key.

Apr 9, 2026 · Protocol

Threshold attestation and the honest-majority assumption

How the attestor set co-signs locks, and what happens when signers misbehave.

Careers

Build the rails for tokenized finance.

We're a small, senior team shipping correctness-critical infrastructure. If provable, high-stakes systems are your thing, we'd love to talk.

Remote-first

Work from anywhere; quarterly team gatherings.

Meaningful equity

Early ownership with a long exercise window.

Top-tier health

Full medical, dental, and vision, globally.

Real ownership

Small team, high autonomy, direct impact.

Open roles

Don't see your role? Reach us at [email protected].

Contact

Let's talk.

Whether you're integrating the bridge, exploring a partnership, or reporting an issue — reach the right team directly.

Reach the right team

Sales & partnerships
[email protected]
Developer support
[email protected]
Security disclosures
[email protected]
New York · London · Singapore
Remote-first, worldwide

Send a message

By submitting, you agree to our Terms. We reply within one business day.

Brand

Brand guidelines.

The mark, colors, and type that make stellarCanton recognizable. Use them to represent us accurately.

Logo

stellarCanton
stellarCanton
stellarCanton

The wordmark is the logo. Set it in Space Grotesk SemiBold with "Canton" in Canton Yellow (on dark) or a darker yellow on light backgrounds. Keep clear space around it equal to the cap height of the "s". Don't recolor, rotate, stretch, or add effects.

Color

Canton Yellow
#ECE84A
Signal White
#F4F6FB
Space Black
#070A12
Slate
#9AA3B8

Typography

Aa
Space Grotesk
Display & headings
Aa
IBM Plex Sans
Body & UI
Aa
IBM Plex Mono
Code, labels & data

"Stellar" and "Canton" are trademarks of their respective owners. Use the stellarCanton name and mark only to refer to the protocol; do not imply endorsement by, or affiliation with, the Stellar Development Foundation or Digital Asset.

Legal

Terms of Service

Last updated: July 5, 2026

These Terms govern your access to and use of the stellarCanton protocol interfaces, SDKs, and APIs (the "Services"). By using the Services you agree to these Terms. Please read them alongside our Privacy Policy.

01

Acceptance & eligibility

You must be legally capable of entering a binding contract and permitted to use the Services in your jurisdiction. If you use the Services on behalf of an entity, you represent that you are authorized to bind it.

02

The Services

stellarCanton provides non-custodial software for settling tokenized assets across the Stellar and Canton networks. We do not take custody of assets, act as a broker or exchange, or provide financial, legal, or tax advice. Settlement is executed by smart contracts and a decentralized attestor set.

03

Risks

Use of blockchain networks and tokenized assets involves significant risk, including smart-contract vulnerabilities, network failure, price volatility, and irreversible loss. You are solely responsible for securing your keys and for evaluating whether a transfer is appropriate. Transactions, once finalized, cannot be reversed by us.

04

Compliance

You agree to comply with all applicable laws, including sanctions, anti-money-laundering, and securities regulations. You will not use the Services to facilitate unlawful activity or to transfer assets you are not authorized to transfer. Certain transfers may be subject to allowlists and jurisdictional controls.

05

Intellectual property

The Services, including the SDKs and documentation, are provided under their respective licenses. The stellarCanton name and marks may be used only in accordance with our Brand guidelines. All other rights are reserved.

06

Disclaimers & limitation of liability

The Services are provided "as is" without warranties of any kind. To the maximum extent permitted by law, stellarCanton is not liable for any indirect, incidental, or consequential damages, or for any loss of assets arising from your use of the Services.

07

Governing law & changes

These Terms are governed by the laws of the jurisdiction of our incorporation, without regard to conflict-of-law principles. We may update these Terms; material changes will be posted here with a revised date. Continued use constitutes acceptance.

Questions about these Terms? Contact [email protected] or visit our contact page.

← All posts
ENGINEERINGJul 1, 2026 · 8 min read

Two-phase atomic settlement across heterogeneous ledgers

Devin Osei
Co-founder & CTO

Bridging assets between an open ledger and a permissioned one is not a messaging problem — it is a settlement problem. Getting it right means one thing above all: a transfer must either complete on both sides or leave both sides exactly as they were. Here is how we achieve that with a single secret.

Why wrapping is the wrong primitive

Most bridges mint a synthetic representation on the destination and hold the original in a custodial vault. That reintroduces the counterparty risk tokenization was designed to remove: the wrapped asset is only ever as sound as the bridge holding the collateral. For regulated, tokenized real-world assets, that trade-off is unacceptable.

We wanted native issuance on both sides and no window in which a party holds unilateral control. The construction that gives us this is a hash-linked, two-phase commit.

The two phases

In the prepare phase, the sender samples a secret x and publishes only its hash h = H(x). The asset is escrowed in a Soroban Vault on Stellar against h, a threshold of attestors co-signs the lock, and a provisional claim is minted under a Daml contract on Canton. Crucially, that claim carries no economic rights yet.

In the commit phase, the sender reveals x. Because both the Stellar release and the Canton activation are gated on the same pre-image, revealing it on either ledger makes it usable on the other. The transfer becomes all-or-nothing.

Why the attestors never see the secret

This is the subtle part. The attestor set authorizes minting the provisional claim, but it never learns x. It cannot itself complete a transfer, and it cannot forge one without a two-thirds quorum. The permissioned mint authorization is cleanly decoupled from the public secret release — which is exactly what lets us preserve Canton's privacy while anchoring finality on Stellar.

Timeouts make liveness unconditional

If the reveal does not occur before the lock timeout Δt, the escrow refunds the sender and the provisional claim is voided. No configuration leaves funds stuck: every transfer terminates as either finalized or cleanly reverted, independent of adversary behavior. We model-checked the full reveal/timeout state machine in TLA+ to be sure.

Want the formal treatment — notation, proofs, and parameters? Read the whitepaper, or start building on testnet.

Start bridging More posts →
stellarCanton
Institutional access

Move tokenized assets across Stellar and Canton.

Sign in to initiate atomic transfers, monitor settlement, and retrieve verifiable proofs — non-custodial, from one console.

Atomic, non-custodial settlement
Privacy-preserving, compliance-aware
Signed settlement proofs on every transfer
Mainnet operational Attestors 18/18 SOC 2 · ISO 27001

Start bridging

Access is invite-only for verified institutions.

OR
Work email
PasswordForgot?

Don't have access? Request an institutional account →

Protected by enterprise SSO and hardware-key 2FA. By continuing you agree to our Terms. stellarCanton is non-custodial — we never hold your keys.