Atomic swaps enable the peer-to-peer exchange of cryptocurrencies, without the need to trust any intermediary.
Atomic swaps thereby eliminate custodial risk and other frictions associated with intermediaries (including decentralized intermediaries!) such as the time and cost of deposits and withdrawals.
However, we know that risk can never be eliminated — only minimized.
So then… what are the risks of atomic swaps and how do we mitigate them?
1. Atomic Swap Building Blocks
Before we can understand the risks of atomic swaps, we must understand how they work — luckily they are actually quite simple.
The main building blocks of atomic swaps are a special type of transaction known as Hash Time Lock Contracts, which are characterized by the following process:
(a) A question is generated
- Alice creates a question for which a secret is the answer.
(b) Payment conditional on public answer
- Alice sends a special payment to Bob which he can only redeem if the secret (from the last step) is publicly broadcast. Bob knows the question but does not know the secret.
(c) Limited by time
- If the question is not publicly answered prior to the end of a specified timelock period then Bob loses the ability to claim the payment and it reverts back to Alice.
2. Atomic Swap Process
Now that you understand HTLCs, you are able to understand the atomic swap process:
(a) Terms
- Alice and Bob must agree on the terms of the atomic swap (i.e. amount, addresses and timelcok periods).
(b) Alice’s offer
- Alice sends a HTLC payment to Bob in accordance with the agreed terms.
(c) Bob’s offer
- Bob sends a HTLC payment to Alice in accordance with the agreed terms. Bob uses the same question in his HTLC payment that Alice used and a shorter timelock than Alice.
(d) Alice redeems
- Alice is able to redeem Bob’s offer since Bob used Alice’s question, for which Alice already knew the secret.
(e) Bob redeems
- Since Alice must publicly answer the question to claim Bob’s offer, Bob can simply look up the now public secret to claim Alice’s offer.
The above process is atomic (with timeout), meaning that it either happens completely or it does not happen at all.
If at any point Alice or Bob cease participating the other party can reclaim their coins after the expiry of the respective timeouts:
- If Alice creates Alice’s offer but Bob does not create Bob’s offer then Alice waits until the expiry of Alice’s offer to reclaim her coins; and
- If Bob creates Bob’s offer but Alice does not claim it then Bob can immediately reclaim his coins and Alice must wait for her offer to expire to reclaim her coins.
3. Risks
(a) Timelock attack
If Alice creates Alice’s offer but Bob does not create Bob’s offer then Alice is subject to the opportunity cost/inconvenience of waiting until the expiry of Alice’s offer to reclaim her coins.
Mitigated by:
(i) Bob Fee
- Bob could be required to pay a fee prior to Alice creating Alice’s offer. This would ensure that there would be an economic cost associated with Bob failing to create Bob’s offer.
(ii) Reputation Systems
- Alice could decide to only perform atomic swaps with certain addresses for which some reputation has been established, either by industry reputation, past history or otherwise. Front-end DEXes and DApps could then filter for only those addresses.
(iii) Collateral Checks
- Alice could check to ensure Bob’s address contains sufficient balance and require him to prove ownership of the address by signing with his private key.
(iv) Spam Checks
- Alice could check to ensure there are no transactions in the mempool spending from the Bob’s address and that there are no open orders on the decentralized exchange using the same inputs.
(b) Optionality Advantage
After Bob creates Bob’s offer, Alice has the advantage of being able to decide whether to redeem Bob’s offer any time before it expires. Alice can therefore wait to see how the market develops before deciding whether to redeem Bob’s offer or to let it expire. In effect, Alice has been granted an American Call Option (See here and here).
Mitigated by:
(i) Shorter Bob offer
- The shorter the timelock on Bob’s offer the less time Alice has to watch the market develop.
- Alice need only ensure that Bob’s offer is long enough to minimize the risk of a double spend.
- If Alice redeems Bob’s offer with zero on-chain confirmations this would only take a matter of seconds.
- If Alice requires further double spend protection she could wait for one or more on-chain confirmations.
- In either case, the time Alice requires will be significantly less than the 24 hours assumed by those who have previously written on this topic (See here and here)
(ii) Longer Alice offer
- Bob could insist on a longer timelock on Alice’s offer. In this way, if Alice does not redeem Bob’s offer she will be subject to the opportunity cost of her funds being locked up until her offer expires. However, a longer timelock on Alice’s offer would also mean that the timelock attack described in the last section would have an even greater impact on Alice. Therefore, a longer Alice offer must strike an appropriate balance.
(iii) Reputation Systems
- Similar to the last section, Alice could decide to only perform atomic swaps with certain addresses for which some reputation has been established, either by industry reputation, past history or otherwise. In this way, Alice could be more confident that Bob would not attempt to double spend allowing her to redeem Bob’s offer without any on-chain confirmations more confidently.
(iii) Premium mechanism
- The final possible solution is using a trusted third party to implement a premium mechanism. When Alice initiates an Atomic Swap Alice is forced to deposit a premium. The trusted third party should be trustworthy (such as a service node) and could be a single point of failure.
(c) Timeout
If after Alice redeems Bob’s offer Bob fails to redeem Alice’s offer before it expires Bob would be forced to leave empty handed.
(i) Security best practices
- Bob could implement security best practices, such as redundant or virtual machines, to ensure that he always has access to the network.
(i) Longer Alice offer
- Bob could insist on a longer timelock on Alice’s offer to give him more time, however, as noted above Alice’s offer must be appropriately balanced against other competing factors.
Conclusion
Atomic swaps eliminate custodial risk and other frictions associated with intermediaries (including decentralized intermediaries!) such as the time and cost of deposits and withdrawals.
Atomic swaps do, however, have some risks. The risks of atomic swaps are largely in the nature of opportunity cost associated with funds being locked-up in failed atomic swaps.
These risks can be mitigated with the use of fees, reputation systems, security checks and competitive timelocks.
It is possible that we may see institutional clients take on the Bob role given they are best positioned to avoid the risks of a loss of funds from a timeout and could be easily integrated into reputation systems.
