Atomic swaps

This is a follow-up on my SPV proofs and compact SPV proofs posts. While SPV proofs are interesting and the only way to move funds from one chain to another, moving funds takes time. Typically it would take on the order of days to complete a transfer between chains. Atomic swaps, as described in the sidechains paper, are a way to avoid this friction. They were first described by Tier Nolan on the Bitcointalk forum.

Instead of moving your funds from chain A to chain B, you could trade with a coin owner on chain B by swapping coins. How would you do this between blockchains? Let's say you want to exchange 2 BTC on the main Bitcoin blockchain for 2 BTC on a sidechain. You may want to do this because the sidechain offers something that the main chain doesn't. For example, the sidechain might offer a 1 second confirmation time, and you can live with the weaker confirmations that implies. Step one in atomic swaps is to find a swapping partner:

1. Barbie and Ken agree on a swap. They exchange addresses: Ken gives Barbie his chain A address, and Barbie gives Ken her chain B address.
2. Barbie generates a random number a. Then she creates two dependent transactions. The locktime transaction is used in case of breach of contract; let's call it the refund transaction. The other transaction is the contract. In order to spend the contract output, either both Ken and Barbie sign it OR Ken signs and provides a.
3. She sends the refund transaction to Ken and asks him to sign it and send it back to her.
4. Now that Barbie has her refund transaction, she'll be able to publish the contract transaction to the A chain. No one can spend it yet because Barbie's refund transaction is timelocked for 48 hours and Ken doesn't know a yet. But if the situation stays like this for 48 hours, she can refund her money with her refund transaction that Ken signed in step 3.
5. Ken can now pick up hash(a) from the blockchain and create a contract transaction and a refund transaction just like Barbie's. But his refund transaction is locked for 24 hours instead of Barbie's 48 hours.
6. Barbie is nice enough to sign Ken's refund transaction and send it back to him.
7. Now that Ken has secured his refund transaction, he can publish his contract transaction to the B chain.
8. Barbie can immediately spend Ken's output, since she knows a and of course her private key corresponding to her B chain address Bbarbie123. So she spends the output, while at the same time she reveals a for anyone to see. If she doesn't spend the output within 24 hours, then Ken will be able to refund the transaction to himself. Then Barbie will have to use her refund transaction within the next 24 hours.
9. No comment.
10. Now Ken can spend Barbie's output on chain A, because he now knows a. But he must do it within 48 hours, otherwise Barbie might be an a-hole and use her refund transaction.
11. This is the end result after Barbie's and Ken's swap.
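The steps above, played out on a timeline as a toy model (an added example, not code from the original post). The names `Contract` and `run_swap`, the sample secret and the event timeline are assumptions made for illustration; signatures, fees and confirmations are not modelled, only the hash lock and the 24/48 hour refund locktimes.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

HOUR = 3600

@dataclass
class Contract:
    """Toy contract output: the counterparty spends it by revealing a, or the
    funder takes it back with the pre-signed refund once the locktime passes."""
    funder: str
    counterparty: str
    hash_a: bytes
    locktime: int                    # seconds after the swap starts
    owner: Optional[str] = None      # set once the output is spent
    revealed: Optional[bytes] = None

    def claim(self, who: str, a: bytes) -> bool:
        ok = (self.owner is None and who == self.counterparty
              and hashlib.sha256(a).digest() == self.hash_a)
        if ok:
            self.owner, self.revealed = who, a   # a is now public on this chain
        return ok

    def refund(self, who: str, now: int) -> bool:
        ok = self.owner is None and who == self.funder and now >= self.locktime
        if ok:
            self.owner = who
        return ok

def run_swap(barbie_claims_at, ken_claims_at):
    """Play the swap on a timeline (seconds; None = never acts).
    Returns (owner of the chain A coins, owner of the chain B coins)."""
    a = b"constructed-secret-a"      # Barbie's random number (sample value)
    chain_a = Contract("Barbie", "Ken", hashlib.sha256(a).digest(), 48 * HOUR)
    chain_b = Contract("Ken", "Barbie", chain_a.hash_a, 24 * HOUR)
    # Both parties use their refund as soon as its locktime allows.
    events = [(24 * HOUR, "ken_refund"), (48 * HOUR, "barbie_refund")]
    if barbie_claims_at is not None:
        events.append((barbie_claims_at, "barbie_claim"))
    if ken_claims_at is not None:
        events.append((ken_claims_at, "ken_claim"))
    for now, action in sorted(events):
        if action == "barbie_claim":
            chain_b.claim("Barbie", a)
        elif action == "ken_claim" and chain_b.revealed is not None:
            chain_a.claim("Ken", chain_b.revealed)  # Ken only learns a from chain B
        elif action == "ken_refund":
            chain_b.refund("Ken", now)
        elif action == "barbie_refund":
            chain_a.refund("Barbie", now)
    return chain_a.owner, chain_b.owner
```

`run_swap(1 * HOUR, 2 * HOUR)` is the normal swap, `run_swap(None, None)` is the case where both refunds fire, and `run_swap(1 * HOUR, None)` is the case where Ken never spends and Barbie ends up with both outputs.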

This seems pretty nice, but there are a few catches:

Let's assume that the difficulty on chain B is 1/5 of the difficulty on A; a 30-block confirmation time on chain B would correspond to a 6-block confirmation time on A:

  • If Barbie spends the output on chain B and then immediately pulls off a double spend attack on her own contract on chain A, then Ken's spending of the output on chain A will be invalid. This can be mitigated by Ken waiting, say, 6 blocks on chain A before publishing his contract transaction on chain B.
  • If Ken pulls off a double spend attack on his contract on chain B right after Barbie revealed a, then he'll make Barbie's spending transaction invalid. This can be mitigated by Barbie waiting 30 confirmations on chain B before spending the contract output.

This is of course no different than waiting for confirmations on any other payment; you want to make sure it's not going to change before you act upon it.

Then there's transaction malleability. As always.

If Ken intercepts Barbie's contract on the network and changes its transaction id, he's going to make Barbie's refund transaction invalid. If Ken doesn't publish his contract transaction, then Ken keeps his money and Barbie loses her money forever.

If Barbie intercepts Ken's contract transaction and changes its transaction id, then Ken's refund transaction becomes invalid. So if Barbie doesn't spend Ken's contract output, Ken will lose his money, and Barbie will get her money back after 48 hours.

Fortunately, there's hope. With Segregated Witness, transaction malleability is no longer a problem.
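Why a changed transaction id breaks the pre-signed refund, and why leaving the signature out of the id fixes it, shown as a toy model (an added example, not code from the original post). The `Tx` class, `refund_usable` and all byte strings are constructed for illustration; real transactions have a richer serialization, and the re-encoded signature is modelled simply as different bytes.

```python
import hashlib
from dataclasses import dataclass

def dsha(data: bytes) -> str:
    """Double SHA-256, hex encoded, as used for Bitcoin transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass
class Tx:
    """Toy transaction: one input, opaque outputs, opaque signature bytes."""
    spends_txid: str
    outputs: bytes
    sig: bytes

    def txid(self, segwit: bool) -> str:
        body = self.spends_txid.encode() + self.outputs
        # Legacy ids cover the signature; segwit ids leave the witness out.
        return dsha(body if segwit else body + self.sig)

def refund_usable(segwit: bool) -> bool:
    """Barbie's check: does the pre-signed refund still spend the contract
    that actually confirmed, after its signature bytes were re-encoded?"""
    funding = "00" * 32                                  # constructed outpoint
    contract = Tx(funding, b"2 BTC -> contract script", b"sig-encoding-1")
    # The refund is built and signed against the contract's id before broadcast.
    refund = Tx(contract.txid(segwit), b"2 BTC -> Barbie", b"barbie+ken sigs")
    # Same inputs and outputs, but the signature bytes differ on the wire.
    confirmed = Tx(funding, contract.outputs, b"sig-encoding-2")
    return refund.spends_txid == confirmed.txid(segwit)
```

`refund_usable(False)` returns `False` and `refund_usable(True)` returns `True`: the same comparison of the confirmed contract id against the id the refund spends is what a wallet would check before relying on its refund.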

Note: as buckiller pointed out on reddit, this is not atomic, strictly speaking. If Ken for some reason doesn't spend Barbie's contract output, then Barbie can use her refund transaction and end up with all the money. The word "atomic" has been used for these swaps since the beginning at bitcointalk.

Swaps between altcoins

The process described above is applicable to swaps between different coins as well, not only between sidechains of the same coin. Then you need to negotiate a coin ratio in step one. For example, Barbie might want to swap her ETH (she keeps her ETC) for Ken's BTC, so she negotiates with Ken and they agree to swap 120 ETH for 2 BTC. The process would then look the same, but the value of the outputs will differ on the different chains. And just as with sidechains, Barbie and Ken have to take the different difficulty and mining centralization into consideration when they decide on how long to wait.
