On a single network, DvP is atomic by construction: one transaction settles both legs or reverts. The remaining design work is the release logic: the conditions and compliance checks that gate settlement.
For institutional settlement among known counterparties, Escrow with Dual Approval is the default: it matches the human-in-the-loop nature of traditional settlement, accommodates compliance and operational checks before release, and provides an explicit dispute path that legal review can rely on. Conditional Transfer with Oracle suits event-driven flows (regulatory approval, payment-finality confirmation, cross-network triggers) where the release condition is external; the operational burden is the oracle governance rather than the contract itself. HTLC is a cross-chain primitive, relevant only when the two legs sit on different chains; institutional desks rarely use it for single-network DvP, where a native swap or escrow is simpler and the hashlock would otherwise publish the trade.
On any of these paths, privacy comes from settling the legs inside a shielded pool; the atomicity mechanism alone leaves the trade visible.
Single-network atomicity is free: a single contract call that swaps both legs either commits or reverts, with no capital lockup. The engineering question is the release logic.
Escrow is the most legible: deposit, verify, release, refund, with a clear state machine per branch. Conditional Transfer with Oracle adds the oracle-integration surface (push vs pull, single vs quorum, fallback semantics) and inherits the attestation infrastructure's failure modes. HTLC is the cross-chain option and the trickiest to parameterize: T2 > T1 with margins for network congestion is load-bearing, a stalled leg has no recovery beyond timeout, and the preimage publishes the trade, so it is reserved for the genuinely cross-chain case.
Cross-network atomicity is the open frontier: ERC-7573 is the working draft, but trustless cross-chain DvP remains unresolved (see Private Trade Settlement for the privacy rails).
This is a perspective for legal review by the deploying institution, not legal advice.
Escrow with a named arbitrator references existing arbitration frameworks (LCIA, ICC); whether the chosen framework binds in cross-border settlement is a question for counsel. Conditional Transfer with Oracle raises a classification question about the oracle's role (data provider, attestation issuer, fiduciary?) and the audit access to its evidence trail. HTLC, where used for a cross-chain leg, has a deterministic outcome (preimage revealed or timeout) that can be documented precisely, but it publishes the trade on chain; whether that documentation and disclosure suit a specific dispute regime is for legal review.
For each option, the dispute and recovery path (arbitrator decision, oracle non-response, timeout refund, escrow bug) would need to be modelled explicitly under the applicable law.
Requirements
- Both legs complete atomically or neither does; no partial settlement
- Counterparty risk is structurally eliminated (assets in escrow, not held by the other party)
- Deterministic conditions and timeouts; clear failure semantics for legal review
- Optional: compatible with ERC-6123 (derivative lifecycle, Draft) and ERC-3643 (securities token, Final)
Constraints
- Single-network DvP is atomic by construction: one transaction settles both legs or reverts. Cross-network atomicity is the hard case and needs a trusted intermediary, an oracle, or a hashlock + timeout (HTLC)
- The cross-network and HTLC paths lock capital for the settlement or timeout window; lockup duration is a design parameter specific to those paths
- Escrow contracts are practically immutable in production; upgrades imply migration
Architectural options
Recommended
For institutional bond DvP among known counterparties on a single network, default to Escrow with Dual Approval, integrated with ERC-3643 for security tokens. The arbitration path is named in the trade documentation; the oracle (if invoked) is scoped to specific external triggers (e.g., regulatory approval, payment finality).
Side-by-side
| Axis | HTLC | Escrow with Dual Approval | Conditional Transfer with Oracle |
|---|---|---|---|
| Maturity | prototyped | prototyped | prototyped |
| Context | i2i | i2i | i2i |
| Trust model | Trustless (hash + timeout) | Counterparties + arbitrator | Oracle |
| Privacy scope | None on chain: hashlock, preimage, amounts, parties visible | Public escrow; party identities visible | Public escrow + oracle attestation |
| Performance | Two transactions per leg | Deposit + dual signature + release | Deposit + attestation + release |
| Operator req. | None | Arbitrator on dispute | Oracle (single or quorum) |
| Cost class | Low | Medium (dispute path) | Medium (oracle infra) |
| Regulatory fit | Strong for trustless contexts | Strong with named arbitrator | Conditional on oracle governance |
| Failure modes | Network congestion at timeout; free-option | Counterparty stalls; arbitrator compromise | Oracle outage or compromise |
Decision factors
- If settlement is event-driven and the trigger is external (regulatory approval, payment finality, cross-network confirmation), choose Conditional Transfer with Oracle, ideally via ERC-7573.
- If the two legs sit on different chains, use HTLC or oracle/intermediary coordination and accept that the hashlock publishes the trade; trustless cross-chain DvP remains an open problem (see Private Trade Settlement).
- If amounts and counterparties must stay private, settle the legs inside a shielded pool rather than relying on the atomicity mechanism for privacy.
Hybrid composition
Bond DvP can run primary settlement through Escrow with Dual Approval and fall back to a timed unilateral refund path on counterparty non-response, with an oracle attesting to payment finality on an external rail. For privacy, the escrow legs settle inside a shielded pool so trade IDs and party identities are not exposed on chain.
Open questions
- Trustless cross-network DvP. Without a trusted oracle or intermediary, cross-chain atomicity is unsolved; ERC-7573 acknowledges this as an open problem.
- Free-option pricing. HTLC's free-option problem is well-known but underpriced in institutional contexts; how should it be hedged or contractually offset?
- Oracle governance for institutional DvP. What governance model satisfies regulator audit expectations for ERC-7573 oracles?
- Privacy of escrow state. Standard escrow contracts publish trade IDs and party identities; privacy-preserving DvP requires composing with shielded pools or Commit and Prove.
- Settlement-window calibration. Network congestion margins for HTLC timeouts and escrow dispute windows are deployment-specific; no canonical guidance.
Referenced by
approaches
Last reviewed