This is a follow-up on my SPV proofs and compact SPV proofs posts. While SPV proofs are interesting and the only way to move funds from one chain to another, moving funds takes time. Typically it would take on the order of days to complete a transfer between chains. Atomic swaps, as described in the sidechains paper, is a way to avoid this friction. It was first described by Tier Nolan on the Bitcointalk forum.
Instead of moving your funds from chain A to chain B you could trade with a coin owner on chain B, by swapping coins. How would you do this between blockchains? Let’s say you want to exchange 2 BTC on the main Bitcoin blockchain for 2 BTC on a sidechain. You may want to do this because the sidechain offers something that the main chain doesn’t. For example, the sidechain might offer a 1 second confirmation time, and you can live with weaker confirmations as that implies. Step one in atomic swaps is to find a swapping partner:
This seems pretty nice, but there are a few catches:
Let’s assume that the difficulty on chain B is 1/5 of the difficulty on A; a 30 blocks confirmation time on chain B would correspond to a 6 blocks confirmation time on A:
- If Barbie spends the output on chain B, then immediately pulls off a double spend attack on her own contract on chain A. Then Kens ‘spending of the output on chain A will be invalid. This can be mitigated by Ken waiting, say, 6 blocks on chain A before publishing his contract transaction on chain B.
- If Ken pulls off a double spend attack on his contract on chain B right after Barbie revealed a, then he’ll make Barbie’s spending transaction invalid. This can be mitigated by Barbie waiting 30 confirmations on chain B before spending the contract output.
This is of course no different than waiting for confirmations on any other payment; you want to make sure it’s not going to change before you act upon it.
Then there’s transaction malleability. As always.
If Ken intercepts Barbie’s contract on the network and changes its transactin id, He’s going to make Barbie’s refund transaction invalid. If Ken doesn’t publish his contract transaction, then Ken keeps his money and Barbie loses her money forever.
If Barbie intercepts Ken’s contract transaction and changes its transaction id, them Ken’s refund transaction becomes invalid. So if Barbie doesn’t spend Ken’s contract output, Ken will lose his money, and Barbie will get her money back after 48 hours.
Fortunately, there’s hope. With Segregated Witness, transaction malleability is no longer a problem.
Note: as buckiller pointed out on reddit, this is not atomic, strictly speaking. If Ken for some reason doesn’t spend Barbie’s contract output, then Barbie can use her refund transaction and end up with all the money. The word “atomic” has been used for these swaps since the beginning at bitcointalk.
Swaps between altcoins
The process described above is applicable to swaps between different coins as well, not only between sidechains of same coin. Then you need to negotiate a coin ratio in step one. For example, Barbie might want to swap her ETH (she keeps her ETC) for Ken’s BTC, so she negotiates with Ken and they agree to swap 120 ETH for 2 BTC. The process would then look the same, but the value of the outputs will differ on the different chains. And just as with sidechains, Barbie and Ken have to take the different difficulty and mining centralization into consideration when you decide on how long to wait.