Abstract
Tokenized real-world assets are fragmenting across ledgers optimized for incompatible properties: Stellar for open, low-cost, globally composable liquidity, and Canton for privacy-preserving, permissioned, multi-party institutional settlement. Existing bridges reconcile them with lock-and-mint wrapping and custodial or optimistic intermediaries, reintroducing precisely the counterparty and bridge-hack risk tokenization was meant to eliminate.
We present a two-phase, hash-linked atomic settlement protocol coordinating a Soroban escrow on Stellar with a Daml claim on Canton via a stake-weighted threshold attestor set. Settlement is strongly atomic — it commits on both ledgers or neither — non-custodial, and privacy-preserving: attestations carry only commitments, never plaintext. We formalize the safety and liveness guarantees under an honest-⅔ assumption, give a bounded-liveness timeout analysis, and characterize the protocol against a Byzantine adversary controlling a minority of attestor stake and arbitrary transaction ordering.
01
Notation & preliminaries
We write H(·) for a collision-resistant hash (SHA-256), Sigk(m) for a signature over m under key k, and ⟨·⟩ for canonical CBOR encoding. Time is measured in source-ledger ledger-closes; Δt denotes the lock timeout in that unit.
| Symbol | Meaning |
A, v | Asset identifier and transfer amount (integer minor units) |
s → r | Source party on Stellar, recipient party on Canton |
x, h | Secret pre-image x and its commitment h = H(x) |
𝒜, n, t | Attestor set, its size n, and Byzantine bound t |
q | Signing quorum, q = ⌊2n/3⌋ + 1 |
σ | Aggregate threshold signature (BLS) over an attestation |
Δt, δ | Lock timeout and maximum cross-ledger relay delay |
02
System model & participants
The protocol spans two ledgers with disjoint validator sets and distinct finality models. We assume each underlying ledger is individually safe and live, and that honest parties can read both. The bridge introduces no new consensus; it coordinates two independently-final ledgers through a hash-linked commitment and a threshold attestation.
| Participant | Ledger | Role & trust |
Vault | Stellar / Soroban | Escrows the source asset against commitment h; releases on reveal or refunds after Δt. Trustless. |
Claim | Canton / Daml | Mints a provisional 1:1 position bound to h; activates on reveal. Trustless. |
Attestor set 𝒜 | off-ledger | n stake-bonded signers; ≤ t = ⌊(n−1)/3⌋ Byzantine. Verifies the lock and co-signs an attestation. |
Relayer | off-ledger | Transports messages between ledgers. Untrusted — cannot forge or censor beyond Δt. |
Sender / Recipient | both | Counterparties to the transfer. Custody their own keys throughout. |
03
The fragmentation problem
Real-world asset tokenization has scaled on multiple ledgers with incompatible trust models. Bridging them today relies on wrapped assets and custodial or optimistically-verified intermediaries that reintroduce exactly the counterparty risk tokenization set out to remove — and that account for the large majority of value lost in cross-chain exploits to date. A correct bridge must preserve native issuance, avoid synthetic representations, and honor the privacy and compliance semantics of each side rather than flattening them to the lowest common denominator.
04
Design goals
→Atomicity. A transfer commits on both ledgers or neither — no partial or intermediate custody state is ever observable.
→Non-custody. No party — including the attestor set — ever holds unilateral control of user assets.
→Privacy. Canton sub-transaction confidentiality is never weakened; the public side learns no confidential state.
→Compliance. Policy evaluation is a precondition of the lock, not a post-hoc filter.
→Bounded liveness. Every transfer terminates — finalized or cleanly reverted — within a known time bound.
05
Settlement protocol
Settlement is a two-phase commit across a hash-linked lock and claim. The sender samples a secret x and publishes only h = H(x). Phase 1 (prepare) escrows and provisions against h; phase 2 (commit) reveals x, which atomically unlocks both sides.
protocol.txt
participants: Sender s, Vault (Stellar), 𝒜 (attestors), Claim (Canton), Recipient r
── phase 1 · prepare ──────────────────────────────
s : x ← rand(); h ← H(x)
s → V : lock(A, v, h, Δt) escrow on Stellar
V : assert policy(A, v, s, r) = ✓
𝒜 ⊨ : verify lock @ ledger height ≥ f
𝒜 → C : σ ← ThreshSig(⟨lock, h⟩), |σ| ≥ q
C : claim(A, v, h) → PROVISIONAL mint on Canton
── phase 2 · commit ───────────────────────────────
s → C : reveal(x) H(x) = h ⇒ activate
C : claim → ACTIVE; emit proof π
r → V : redeem(x) or any relayer
V : H(x) = h ⇒ release(A, v) final on Stellar
── timeout (no reveal within Δt) ──────────────────
V : refund(A, v) → s; C voids PROVISIONAL claim
Because both the Stellar release and the Canton activation are gated on the same pre-image x, revealing it on either ledger makes it public and redeemable on the other. The transfer is therefore all-or-nothing: either x is revealed before Δt and both sides settle, or it is not and both sides revert.
06
Hash-linked lock & claim
The construction generalizes a hash time-locked contract (HTLC) across heterogeneous ledgers. The novelty is that the Canton side is provisional until reveal: the threshold attestation authorizes minting a claim that carries no economic rights until x is presented. This decouples the (permissioned, private) Canton mint authorization from the (public) secret release, so the attestor set never learns x and cannot itself complete a transfer.
SOROBAN · Vault
Holds (A, v, h, Δt, s). Exposes redeem(x) gated on H(x)=h and refund() gated on height > Δt.
DAML · Claim
Created by a valid σ. Provisional until Activate(x); auto-archives if the linked lock refunds.
07
Protocol messages
All cross-ledger messages are canonical-CBOR encoded and domain-separated. The attestation is the only message that crosses the trust boundary; it binds the lock, the commitment, and the destination without revealing transfer contents.
attestation.json
{
"v": 1,
"domain": "sc:attestation:mainnet",
"lock_ref": "stellar:ledger:58204117:op:3",
"commitment": "0x9f3c4e…a71b", // h = H(x)
"asset": "USTB",
"amount": 250000, // minor units
"dest": "canton:party::1220…9f",
"expiry": 58204617, // source height, = lock + Δt
"quorum": { "n": 18, "q": 13 },
"sig": "bls12-381:agg:8a2f…c410" // σ, threshold-aggregated
}
Note the absence of counterparty identity or contract structure — only the amount and destination party required to size and route the provisional claim. The commitment is a hiding value; observers cannot derive x or link transfers.
08
Timeout & liveness
The lock timeout must exceed the worst-case time to observe the reveal on the source ledger and act on it. Let δ be the maximum relay + inclusion delay per ledger and f the source-finality depth. A safe lower bound is:
Δt ≥ 2δ + fsrc + fdst + Δsafety
With Stellar finality of ~5 s and Canton finality of ~5 s, mainnet fixes Δt = 45 s of source ledger-closes — comfortably above the ~15 s critical path, leaving margin for congestion. Liveness follows: if the sender reveals before Δt, an honest recipient or any relayer can always redeem on the source; if not, the refund path is unconditionally available after Δt. No configuration leaves funds stuck.
09
Security & formal properties
Assume ≤ t = ⌊(n−1)/3⌋ Byzantine attestors and individually-safe ledgers. The reveal/timeout state machine is specified in TLA+ and model-checked; the following hold.
P1 · Atomicity (safety)
No reachable state has the Stellar asset released while the Canton claim is voided, or vice versa. Both settle or both revert.
P2 · No double-spend
A commitment h is consumable exactly once on each ledger; replay of σ or x is rejected by nullifier checks.
P3 · No stuck funds (liveness)
Every lock terminates in RELEASED or REFUNDED within Δt + f, independent of adversary behavior.
P4 · Unforgeability
A provisional claim exists only with a valid quorum signature; producing one without q honest+Byzantine shares reduces to forging BLS.
10
Threat model
| Adversary capability | Mitigation |
| Compromise < ⅓ of attestor stake | Quorum q > ⅔ ⇒ cannot forge σ; safety preserved. |
| Compromise ≥ ⅓ (forge attestation) | Can mint provisional claims but never learns x; no asset release without sender reveal. Slashing + social recovery. |
| Relayer censors the reveal | Reveal is public on either ledger; any party relays. Refund after Δt. |
| Reorg on source below finality | Attestation requires depth ≥ f; provisional claims never activate on unfinalized locks. |
| Front-run the pre-image reveal | Reveal only benefits the designated recipient; redeem is idempotent and address-bound. |
| Grief via dust / spam locks | Minimum-size + per-key rate limits; refunds are self-service, cost the griefer only fees. |
11
Privacy model
On Canton, only stakeholders to a contract observe its contents. The bridge participates as a party with the minimum visibility required to validate a claim — it learns the commitment, asset, and amount, not counterparty identity or downstream contract structure. Attestations carry commitments, never plaintext, and the commitment is a hiding function of a high-entropy secret, so the public Stellar side never leaks confidential Canton state and independent transfers are unlinkable. Amount privacy for large tickets is available via a confidential-value extension in which the attestation binds a Pedersen commitment to v plus a range proof, at the cost of a larger attestation.
12
Economics & governance
A flat protocol fee per settlement funds attestor rewards and an insurance reserve. Attestors post a bond; equivocation (signing two conflicting attestations for one h) is slashable with cryptographic proof. Parameters are governed on-chain by a stake-weighted process with a mandatory timelock on any change affecting live settlements, so in-flight transfers always resolve under the rules they began with.
13
Comparison
| Property | Lock & mint | Optimistic | stellarCanton |
| Wrapped asset | Yes | Yes | No — native claim |
| Custody risk | High | Medium | None |
| Settlement | Probabilistic | Delayed (challenge) | Atomic |
| Worst-case latency | minutes | hours–days | < Δt (45 s) |
| Privacy preserved | No | No | Yes |
14
Protocol parameters
| Parameter | Symbol | Mainnet |
| Attestor set size | n | 18 |
| Byzantine bound | t | 5 |
| Signing quorum | q | 13 (⌊2n/3⌋+1) |
| Lock timeout | Δt | 45 s |
| Source finality depth | f | 1 close |
| Hash / signature | H, σ | SHA-256, BLS12-381 |
| Governance timelock | — | 72 h |
References
[1]Stellar Development Foundation. Soroban smart-contract platform specification. 2024.
[2]Digital Asset. The Canton Network & Daml ledger model. 2023.
[3]Nolan, T. Atomic cross-chain trading via hash time-locked contracts. 2013.
[4]Boneh, Lynn, Shacham. Short signatures from the Weil pairing (BLS). 2004.
[5]Lamport, Shostak, Pease. The Byzantine generals problem. 1982.