Table of Links
-
Protocol
-
Security Analysis
A. Codes
B. Proofs
4.2 Holder Collateral-Free Cross-Chain Options
We want to remove the need for upfront collateral from Alice without using a cross-chain bridge. Allowing Alice direct access to the exercise secret risks Bobβs asset since Alice has no collateral. To address this, we resort to economic incentives and let Bob control the exercise secret while Alice retains the right to penalize Bob. In addition to the usual collateral, Bob locks a valuable asset on πΆβππππ΄ as a guarantee. If Bob fails to release the exercise secret when Alice exercises her right, she receives Bobβs guarantee as compensation, incentivizing Bob to cooperate.
Suppose Alice and Bob reach an agreement that Alice pays Bob π as a premium on a chain denoted by πΆβππππ . The option takes effective at ππ΄ meaning that Alice obtains the right to exchange π΄π π ππ‘π΄ for π΄π π ππ‘π΅ before ππΈ. Bobβs guarantee is π΄π π ππ‘πΊ .
The protocol involves two kinds of asset settlement: first for option establishment (or activation, we use them interchangably) and second for option exercise. We therefore introduce two secrets:
(1) Activation secret π΄, used for Alice to pay the premium and activate the option; and (2) Exercise secret π΅, used for Alice to pay π΄π π ππ‘π΄ to Bob in exchange for π΄π π ππ‘π΅ when the option is exercised. Secret π΄ is generated by Alice and π΅ is generated by Bob.
The protocol is divided into two phases. Figure 2 shows the execution process of this protocol if both parties are honest.
(1) Setup phase: Alice and Bob activate an option. Alice obtains option and Bob obtains premium.
(2) Exercise/Abandon phase: Alice can either exercise the option or abandon it.
In the setup phase, Alice and Bob will establish this option similarly to a vanilla HTLC. Alice locks π with a hashlock π»(π΄) in a contract on any chain. Bob creates two contracts, πΆπππ‘ππππ‘π΄ on πΆβππππ΄ and πΆπππ‘ππππ‘π΅ on πΆβππππ΅, which are used in the option. The option remains inactive until Alice reveals the activation secret π΄ before ππ΄, at which point the state updates to active and Bob gets Aliceβs premium. πΆπππ‘ππππ‘π΄ holds Bobβs guarantee, π΄π π ππ‘πΊ , until the option expires. If Alice exercises the option and Bob fulfills his obligation by revealing the exercise secret π΅, π΄π π ππ‘πΊ is refunded to Bob. If Bob fails to fulfills his obligation, π΄π π ππ‘πΊ will be transferred to Alice. πΆπππ‘ππππ‘π΅ locks Bobβs collateral, π΄π π ππ‘π΅, using π»(π΅).
I. Setup Phase.
(1) Alice randomly selects a secret π΄ as activation secret, and computes its hash value π»(π΄). Bob generates π΅ and π»(π΅), which serve as the exercise secret and hashlock.
(2) Alice locks π with hashlock π»(π΄) on the agree-uponπΆβππππ with timeout ππ΄ + Ξ.
(3) If Bob observes that Alice has honestly deposited the premium, Bob should, at any time before ππ΄ β Ξ:
(a) Create πΆπππ‘ππππ‘π΄ on πΆβππππ΄ and πΆπππ‘ππππ‘π΅ on πΆβππππ΅. These contracts are initially in an inactive state, and record the holder and writer, activation time ππ΄ and option expiration time ππΈ.
(b) Escrow the guarantee π΄π π ππ‘πΊ on πΆβππππ΄, and lock principal π΄π π ππ‘π΅ on πΆβππππ΅ with hashlock π»(π΅).
(4) If Alice observes that Bob has created contracts and made deposits, Alice reveals π΄ at ππ΄ on both chains to activate the option. If not, transaction aborts, Bob calls refund() and retrieves π΄π π ππ‘πΊ and π΄π π ππ‘π΅. Alice refunds π.
II. Exercise/Abandon Phase.
(1) Exercise: If Alice wants to exercise the option at ππ΅ before expiration, she calls exercise() and deposits π΄π π ππ‘π΄ into πΆπππ‘ππππ‘π΄, then within one Ξ:
(a) If Bob reveals π΅ and calls fulfill() on πΆπππ‘ππππ‘π΄, then he obtains both π΄π π ππ‘π΄ and π΄π π ππ‘πΊ . Upon observing π΅, Alice obtains π΄π π ππ‘π΅ with π΅ from πΆπππ‘ππππ‘π΅.
(b) If Bob does not reveal π΅, Alice calls claim() onπΆπππ‘ππππ‘π΄ after ππ΅ + Ξ to receive π΄π π ππ‘πΊ as compensation.
(2) Abandon: If Alice does not call exercise() before or at ππΈ, then the option is abandoned and Bob can call refund() on πΆπππ‘ππππ‘π΄ and πΆπππ‘ππππ‘π΅ to refund π΄π π ππ‘πΊ and π΄π π ππ‘π΅.
Timeouts. The latest deadline ππ΅ is no later than ππΈ. If Bob fails to fulfill his obligations, then Alice receives π΄π π ππ‘πΊ by ππΈ + 2Ξ. Therefore, the lock period for π΄π π ππ‘πΊ in πΆπππ‘ππππ‘π΄ is ππΈ +Ξ if Alice waives the option, or extends toππΈ +2Ξ if Alice exercises the option. Alice exercises the option and receives π΄π π ππ‘π΅ byππΈ +2Ξ. Therefore, the lock period for π΄π π ππ‘π΅ in πΆπππ‘ππππ‘π΅ is ππΈ + 2Ξ.
4.2.1 Integration: Efficient Cross-Chain Options without Upfront Holder Collateral. We incorporate the efficient option transfer protocol to enable a collateral-free option transfer process. From the option transfer perspective, the roles of the holder and writer are reversed, as Bob owns the exercise secret. Bob deposits π΄π π ππ‘πΊ and π΄π π ππ‘π΅ in πΆπππ‘ππππ‘π΄ and πΆπππ‘ππππ‘π΅. In the transfer of Bobβs position, hashlock π»(π΅) must remain consistent.
Take Bob transferring writer to Dave as an example. It is similar to the Protocol 4.1.1 with three notable differences. Suppose Bob reaches an agreement with Dave to transfer the writer position. Dave is able to buy Bobβs risky asset with its obligation at the price of π πππ‘πππΉππ before or at ππ . First, Dave must choose a new hashlock as the exercise secret, and similarly, Bob needs to use his private key π ππ΅ to sign Daveβs new hashlock π»(π·), which means message π = (π, (Dave.ππππππ π , π»(π·), πππ· )). Second, Alice can use Bobβs private key π ππ΅ to reclaim π΄π π ππ‘π΅ and guarantee, π΄π π ππ‘πΊ . Third, if Alice wants to exercise the option and makes the deposit after Bob reveals the signature during the transfer process, the transfer continues, and Dave must forward the signature to obtain the writerβs position. Dave should fulfill his obligation and reveal the exercise secret at ππ β Ξ on πΆπππ‘ππππ‘π΄.
As a result of the support for concurrent bidding, our protocol can effectively defend against phantom bid attack. In phantom bid attack, an adversary creates multiple virtual buyers who offer higher prices but do not finalize the transfer. In the previous protocol [12] which attempts to transfer the option to a buyer sequentially, in face of such an attack, the option holder/writer cannot sell their positions in a reasonable time since the virtual buyers are exhausting the option transfer window.
With our proposed protocol, an adversary option buyer cannot launch this attack. This is due to the use of a signature for option transfer settlement, rather than a hashlock used in the previous protocol. By this signature scheme, once a buyer is chosen by the seller, the option transfer can be finalized. There is no time window for the buyer to choose to finalize the option transfer or abort.
Authors:
(1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China ([email protected]);
(2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China ([email protected]);
(3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China ([email protected]).
This paper is available on arxiv under CC BY 4.0 license.