
Atomic Commitment Across Blockchains

Victor Zakhary, Divyakant Agrawal, Amr El Abbadi
UC Santa Barbara, Santa Barbara, California, USA, 93106

ABSTRACT

The recent adoption of blockchain technologies and open permissionless networks suggests the importance of peer-to-peer atomic cross-chain transaction protocols. Users should be able to atomically exchange tokens and assets without depending on centralized intermediaries such as exchanges. Recent peer-to-peer atomic cross-chain swap protocols use hashlocks and timelocks to ensure that participants comply with the protocol. However, an expired timelock could lead to a violation of the all-or-nothing atomicity property. An honest participant who fails to execute a smart contract on time due to a crash failure, denial of service attacks or even network delays might end up losing assets. Although a crashed participant is the only participant who ends up worse off, current proposals are unsuitable for atomic cross-chain transactions in asynchronous environments where crash failures and network delays are the norm. In this paper, we present AC3WN, the first decentralized all-or-nothing atomic cross-chain commitment protocol. The redeem and refund events of the smart contracts that exchange assets are modeled as conflicting events. An open permissionless network of witnesses is used to guarantee that conflicting events could never simultaneously occur and either all smart contracts in an atomic cross-chain transaction are redeemed or all of them are refunded.

PVLDB Reference Format:
Victor Zakhary, Divyakant Agrawal, Amr El Abbadi. Atomic Commitment Across Blockchains. PVLDB, 13(9): 1319 - 1331, 2020.
DOI: https://doi.org/10.14778/3397230.3397231

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/. For any use beyond those covered by this license, obtain permission by emailing [email protected]. Copyright is held by the owner/author(s). Publication rights licensed to the VLDB Endowment.
Proceedings of the VLDB Endowment, Vol. 13, No. 9 ISSN 2150-8097.
DOI: https://doi.org/10.14778/3397230.3397231

1 Introduction

The wide adoption of permissionless open blockchain networks by both industry (e.g., Bitcoin [22], Ethereum [28], etc.) and academia (e.g., ByzCoin [18], Elastico [19], BitcoinNG [11], Algorand [21], etc.) suggests the importance of developing protocols and infrastructures that support peer-to-peer atomic cross-chain transactions. Users, who usually do not trust each other, should be able to directly exchange their tokens and assets that are stored on different blockchains (e.g., Bitcoin and Ethereum) without depending on trusted third party intermediaries. Decentralized permissionless [20] blockchain ecosystems require infrastructure enablers and protocols that allow users to atomically exchange tokens without giving up trust-free decentralization, the main reasons behind using permissionless blockchains. We motivate the problem of atomic cross-chain transactions and discuss the current available solutions and their limitations through the following example.

Suppose Alice owns X bitcoins and she wants to exchange them for Y ethers. Luckily, Bob owns ether and he is willing to exchange his Y ethers for X bitcoins. to atomically exchange assets that reside in different blockchains. In addition, both Alice and Bob do not trust each other and in many scenarios, they might not be co-located to do this atomic exchange in person. Current infrastructures do not support these direct peer-to-peer transactions. Instead, both Alice and Bob need to independently exchange their tokens through a trusted centralized exchange, Trent (e.g., Coinbase [3] and Robinhood [4]) either through fiat currency or directly. Using fiat, both Alice and Bob first exchange their tokens with Trent for a fiat currency (e.g., USD) and then use the earned fiat currency to buy the other token also from Trent or from another trusted exchange. Alternatively, some exchanges (e.g., Coinbase) allow their customers to directly exchange tokens (e.g., ether for bitcoin or bitcoin for ether) without going through fiat currencies.

These solutions have many drawbacks that make them unacceptable solutions for peer-to-peer atomic cross-chain transactions. First, they require both Alice and Bob to trust Trent. This centralized trust requirement risks derailing the whole idea of blockchain's trust-free decentralization [22]. Second, they require Trent to trade in all involved resources (e.g., bitcoin and ether). This requirement is unrealistic especially if Alice and Bob want to exchange commodity resources (e.g., transfer a car ownership for bitcoin assuming car titles are stored in a blockchain [16]). Third, these solutions do not ensure the atomic execution of the transaction among the involved participants. Alice might trade her bitcoin directly for ether or through a fiat currency while Bob has no obligation to execute his part of the swap. Finally, these solutions significantly increase the number of required transactions to achieve the intended cross-chain transaction, and hence drastically increase the imposed fees. One cross-chain transaction between Alice and Bob results in either four transactions (two between Alice and Trent and two between Bob and Trent) if fiat is used or at best two transactions (one between Alice and Trent and one between Bob and Trent) if assets are directly swapped.

An Atomic Cross-Chain Transaction, AC2T, is a distributed transaction that spans multiple blockchains. This distributed transaction consists of sub-transactions and each sub-transaction is executed on a blockchain. An Atomic Cross-Chain Commitment, AC3, protocol is required to execute AC2Ts. This protocol is a variation of traditional distributed atomic commitment protocols (e.g., 2PC [8, 14]). This protocol should guarantee both atomicity and commitment of AC2Ts. Atomicity ensures the all-or-nothing property where either all sub-transactions take place or none of them do. Commitment guarantees that any changes caused by a cross-chain transaction must eventually take place if the transaction is decided to commit. Unlike in 2PC and other traditional distributed atomic commitment protocols, atomic cross-chain commitment protocols are also trust-free and therefore must tolerate maliciousness [16].

A two-party atomic cross-chain commitment protocol was originally proposed by Nolan [1, 23] and generalized by Herlihy [16] to process multi-party atomic cross-chain transactions, or swaps. Both Nolan's protocol and its generalization by Herlihy use smart contracts, hashlocks, and timelocks to execute atomic cross-chain transactions. A smart contract is a self executing contract (or a program) that gets executed in a blockchain once all the terms of the contract are satisfied. A hashlock is a cryptographic one-way hash function h = H(s) that locks assets in a smart contract until a hash secret s is provided. A timelock is a time bounded lock that triggers the execution of a smart contract function after a pre-specified time period.

The atomic swap between Alice and Bob, explained in the earlier example, is executed using Nolan's protocol as follows. Let a participant be the leader of the swap, say Alice. Alice creates a secret s, only known to Alice, and a hashlock h = H(s). Alice uses h to lock X bitcoins in a smart contract SC1 and publishes SC1 in the Bitcoin network. SC1 transfers X bitcoins to Bob if Bob provides the secret s to SC1 where h = H(s).

The case against the current proposals: If Bob fails to provide s to SC1 before t1 expires due to a crash failure, a network partitioning, or a network denial of service at Bob's site, Bob loses his X bitcoins and SC1 refunds the X bitcoins to Alice. This violation of the atomicity property of the protocol penalizes Bob for a failure that happens out of his control. Although a crashed participant is the only participant who ends up being worse off (Bob in this example), this protocol does not guarantee the atomicity of AC2Ts in asynchronous environments where crash failures, network partitioning, and message delays are the norm.

Another important drawback in Nolan's and Herlihy's protocols is the requirement to sequentially publish the smart contracts in an atomic swap before the leader (Alice in our example) reveals the secret s. This requirement is necessary to ensure that the publishing events of all the smart contracts in the atomic swap happen before the redemption of any of the smart contracts. This causality requirement ensures that any malicious participant who declines to publish their payment smart contract cannot take advantage of the protocol. However, the sequential publishing of smart contracts, especially in atomic swaps that include many participants, proportionally increases the latency of the swap to the number of sequentially published contracts.

In this paper, we propose AC3WN, the first decentralized all-or-nothing Atomic Cross-Chain Commitment protocol that uses an open Witness Network to coordinate AC2Ts. The redemption and the refund events of smart contracts in AC2T are modeled as conflicting events. A decentralized open network of witnesses is used to guarantee that conflicting events must never simultaneously take place and either all smart contracts in an AC2T are redeemed or all of them are refunded. Unlike in Nolan's and Herlihy's protocols, AC3WN allows all participants to concurrently publish their contracts in a swap resulting in a drastic decrease in the latency of atomic swaps. Our contributions are summarized as follows:

• We present AC3WN, the first all-or-nothing atomic cross-chain commitment protocol. AC3WN is decentralized and its correctness does not depend on any
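
The hashlock/timelock swap and the expired-timelock failure described in the introduction can be traced with a small simulation. This is an added example, not code from the paper: the `HTLC` class, the integer clock, and Bob's matching contract `sc2` with its shorter timelock `t2` (the usual second half of the two-party swap) are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

def H(s: bytes) -> bytes:
    return hashlib.sha256(s).digest()

@dataclass
class HTLC:
    """Hashlock + timelock contract: pays `recipient` on the secret, else refunds `sender`."""
    sender: str
    recipient: str
    asset: str
    h: bytes
    timelock: int
    owner: str = ""  # set once the contract settles (redeemed or refunded)

    def redeem(self, s: bytes, now: int) -> bool:
        if self.owner or now >= self.timelock or H(s) != self.h:
            return False
        self.owner = self.recipient
        return True

    def refund(self, now: int) -> bool:
        if self.owner or now < self.timelock:
            return False
        self.owner = self.sender
        return True

def swap(bob_online_from: int, alice_redeems: bool = True, t1: int = 20, t2: int = 10):
    """Both contracts are published at time 0; Bob is then unreachable until `bob_online_from`."""
    s = b"constructed-secret"                      # constructed sample secret, known only to Alice
    sc1 = HTLC("Alice", "Bob", "X BTC", H(s), t1)  # SC1 from the text, timelock t1
    sc2 = HTLC("Bob", "Alice", "Y ETH", H(s), t2)  # assumed: Bob's contract, same h, t2 < t1
    revealed = None
    for now in range(t1 + 1):
        if alice_redeems and revealed is None and sc2.redeem(s, now):
            revealed = s                           # redeeming SC2 exposes s on-chain
        if revealed and now >= bob_online_from:
            sc1.redeem(revealed, now)              # Bob reuses the revealed secret on SC1
        sc1.refund(now)                            # timelocks fire once they expire
        sc2.refund(now)
    return sc1.owner, sc2.owner

def atomic(sc1_owner: str, sc2_owner: str) -> bool:
    redeemed = (sc1_owner, sc2_owner) == ("Bob", "Alice")
    refunded = (sc1_owner, sc2_owner) == ("Alice", "Bob")
    return redeemed or refunded
```

With `bob_online_from=25` Bob is still down when t1 expires, so SC1 refunds to Alice after she has already redeemed SC2: one contract is redeemed and the other refunded, which is the atomicity violation the text describes.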