The contracts
Abyss's settlement layer is a pair of smart contracts written in Compact, Midnight's zero-knowledge contract language. They implement a hashed timelock contract (HTLC): a locked box with a timer.
The mechanism
A swap involves two escrow boxes, one per side. The source escrow holds what the user is selling. When the user deposits, they set two things: a hashlock (the fingerprint of a secret only they know; whoever later presents the secret itself can open the box) and a timelock (a deadline; if the box is still closed when it passes, the deposit returns to the user automatically, with no permission needed from anyone). The destination escrow holds what the user is buying. The desk deposits there, locked to the same hashlock, with a shorter deadline.
The user checks, on-chain, that the desk's deposit is correct; they are not obliged to continue if it is not. To collect it, the user reveals their secret to the destination escrow. Revealing the secret puts it on the public ledger, and that secret is the key to the source escrow, so the desk reads it and collects the user's deposit. If the user never reveals, both deadlines pass and both boxes refund their owners. A failed swap costs each party only a network fee.
Two further details:
- The fill is bound to the desk. Each order names the solver that quoted it, and only that solver's key can claim the user's deposit, so a stranger who sees the revealed secret and races to claim is rejected by the contract.
- The deadline ordering is a hard invariant. The desk's deadline is always strictly earlier than the user's, so the desk always has time to see the revealed secret and claim before the user's escrow reopens.
What the contract guarantees, and what it does not
| Guarantee | Enforced by |
|---|---|
| The user's deposit cannot be taken without revealing the matching secret | The contract, cryptographically |
| The user's deposit returns automatically if the swap does not complete | The contract's timelock |
| Only the quoted solver can claim the user's deposit | The contract's solver binding |
| The user receives the correct token and amount | The user: they inspect the fill on-chain and reveal only if it is correct. A bad fill cannot be claimed profitably; it only ties up the desk's own capital until its deadline refunds it |
The last row reflects a platform limit. Midnight does not yet support contract-to-contract calls, so the destination contract cannot read the source contract's terms. The design gives the user the final check, and gives the desk no incentive to fill badly.
Failure scenarios
| Scenario | Outcome |
|---|---|
| Desk never fills | User's deposit refunds at their deadline; user lost a network fee |
| User never reveals | Both escrows refund their owners after their deadlines |
| Desk fills the wrong amount | User does not reveal; both refund |
| Desk too slow to claim after reveal | The user keeps both sides. The deadline gap sizes this window so the desk has time to claim; monitoring alarms fire before it closes |
| Attacker tries to guess the secret | 256-bit search space; computationally infeasible |