3 OVERVIEW
Consider the scenario described in Section 1: Alice and Bob strike a deal: Bob agrees to sell his 100 guilder coins to Alice in exchange for 100 florin coins within one week. To secure this arrangement, Alice pays a 2-florin premium for the option to complete the transaction. The 100 florin and 100 guilder coins are referred to as $Asset_A$ on $Chain_A$ and $Asset_B$ on $Chain_B$, respectively, with one week as the expiration time $T_E$. Suppose there are $L$ holder position bidders, $Carol_i$, and $M$ writer position bidders, $Dave_j$, where $i \in \{1, 2, \ldots, L\}$ and $j \in \{1, 2, \ldots, M\}$. They are willing to pay a holder transfer fee, $HolderFee_i$, and a writer transfer fee, $WriterFee_j$, to obtain the option position from Alice and Bob, respectively. The holder transfer fee represents the price for the option and Alice's asset locked in the contract, while the writer transfer fee is the fee to acquire Bob's risky asset locked in a contract with obligations tied to that asset. An HTLC-based option requires Alice to escrow $Asset_A$ in advance, followed by Bob escrowing $Asset_B$.
Making transfer more robust and efficient. In an HTLC-based option, Alice and Bob lock their assets with the hashlock $H(A)$, where $A$ is the exercise secret generated by Alice. Consider the case where Carol purchases Alice's position. In the previous work [12], the protocol first locks the contracts by tentatively assigning a new hashlock to replace the old one. Considering that Alice can place different hashlocks on two chains and Carol may replace Alice on one chain but not the other, Bob is given a time-consuming consistency phase to ensure the new hashlocks are consistent. We would like to reduce the time needed for this transfer.
We reduce the transfer time through a key observation. Since Alice cannot transfer the option to multiple bidders simultaneously, it is natural to use Double-Authentication-Preventing Signatures (DAPS) to prevent a seller from selling signatures to multiple bidders, which removes the requirement that consistency be guaranteed through Bob's efforts. If multiple signatures are revealed, the secret key can be extracted by DAPS, and punishment is then enforced automatically to ensure a fair payoff. By adopting DAPS, transaction completion in our protocol takes less than half the time of the previous method [12].
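The key-extraction property described above, shown as an added example that is not code from the paper: a one-position, Schnorr-style toy on secp256k1 in which the public key pins the nonce commitment, so two valid signatures on different payloads for the same option position reveal the signing key. It is not the DAPS scheme the protocol uses; the names `position`, `payload`, `keygen`, `sign`, `verify` and `extract` are assumptions made for illustration.

```python
import hashlib, secrets

# Added toy example (names hypothetical). secp256k1 domain parameters:
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge(R, position, payload):
    data = repr((R, position, payload)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen(position):
    """The public key pins the nonce commitment R for this one option position."""
    x, k = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return (x, k), (mul(x, G), mul(k, G), position)

def sign(sk, pk, payload):
    x, k = sk
    return (k + challenge(pk[1], pk[2], payload) * x) % N

def verify(pk, payload, s):
    X, R, position = pk
    return mul(s, G) == add(R, mul(challenge(R, position, payload), X))

def extract(pk, p1, s1, p2, s2):
    """Two valid signatures on different payloads reveal the signing key x."""
    e1, e2 = challenge(pk[1], pk[2], p1), challenge(pk[1], pk[2], p2)
    return (s1 - s2) * pow(e1 - e2, -1, N) % N
```

With `position` standing for the option being sold and `payload` for the chosen buyer, a seller who signs for two different bidders hands anyone holding both signatures the key `x`, which is what lets a contract enforce the punishment without Bob's consistency checks.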
Holder Collateral-Free Cross-Chain Options. Our objective is to allow Alice to pay a premium to secure this right, without the need to escrow the assets in advance. We need a mechanism to enable the correct exercise of this right: Alice pays her florin coins to get Bob's guilder coins. Alice cannot get Bob's coins without paying florin coins to Bob. A naive approach would be requiring cross-chain transaction confirmation of Alice's escrow when Alice decides to exercise. However, cross-chain bridges, which are used for cross-chain transaction confirmation, suffer from various security issues [19, 40], such as key leakage [24], smart contract vulnerabilities [28, 37], and rug pulls [18, 38]. We want to design a holder collateral-free option without a trusted cross-chain bridge.
If we grant Alice direct access to the exercise right (or the preimage of the hash, the exercise secret in HTLC), then Bob's interests are not protected, as Alice could withdraw Bob's coins directly. To resolve this problem, we resort to economic incentives that are commonly present in DeFi markets and are also driving forces for options. We let Bob control the exercise secret while Alice retains the right to penalize Bob. In addition to the collateral (100 guilder coins in our example) required by normal option contracts, we ask Bob to lock another valuable asset on $Chain_A$ as a guarantee for Alice when she wants to exercise the right. If Alice later sends her coins on $Chain_A$ in order to exercise her right but Bob does not release the exercise secret, Alice will get Bob's guarantee as compensation. Provided this guarantee is sufficient (even more than sufficient) to compensate the expected profit of this option, this method gives Bob an incentive to cooperate when Alice wants to exercise her right.

Integration. We then integrate the efficient option transfer protocol into the holder collateral-free cross-chain options. Bob controls the exercise secret and the transfer process instead of Alice, so the processes for transferring the holder and writer positions are reversed. The hash of the exercise secret on both chains must remain identical after Bob transfers his position to Dave. A key challenge is ensuring that honest parties incur no losses. This involves addressing potential misbehavior by any party and collusion between any two parties. To counter these, we introduce a withdrawal delay to allow Dave to retrieve assets in case Bob acts maliciously and a transfer confirmation delay to allow Alice to contest any inconsistent replacement of the hashlock.
Authors:
(1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou), Guangzhou, Guangdong, China;
(2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou), Guangzhou, Guangdong, China;
(3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou), Guangzhou, Guangdong, China.
This paper is available on arXiv under the CC BY 4.0 license.