Private atomic swaps and the price-discovery problem
The 2026-04-17 commit message — planning: price-discovery design for private atomic swaps — is one of the more interesting things in the Vanta repo, because it isn’t code. It’s a design exploration in planning/price-discovery-for-private-swaps.md, and it’s the kind of doc I wish more chains shipped: a problem statement, six options, an honest comparison, a recommendation, and an explicit “this is not a commitment” status flag.
This post walks through the design. The HTLC machinery on the implementation side lives in vanta/vanta-swap; the policy question is in planning/.
What atomic swaps are, briefly
A hash-time-locked contract (HTLC) lets two parties on different chains agree to a swap without trusting each other or a third party. Alice has BTC, Bob has VANTA. They agree to swap. Alice picks a random secret s, computes h = sha256(s). They both lock their funds in HTLCs that pay out to whoever knows s (and refund to the original sender after a timeout, if s never gets revealed).
The script for the HTLC is short — quoting vanta/vanta-swap/src/htlc.rs:
    OP_IF
        OP_SHA256 <hash> OP_EQUALVERIFY <receiver_pubkey> OP_CHECKSIG
    OP_ELSE
        <locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <sender_pubkey> OP_CHECKSIG
    OP_ENDIF
The IF branch is “claim with the preimage.” The ELSE branch is “refund after the timelock.” Both are P2WSH-wrapped. The receiver claims by revealing s to spend the HTLC; once s is on-chain, the other side claims their HTLC using the same s. If either side bails, both refund after the timeout.
Same hash on both chains. Same OP_SHA256. Both Bitcoin and Vanta speak this script unchanged. That’s why the swap implementation in vanta/vanta-swap/src/swap.rs works against both chains’ RPCs with a single ChainConfig abstraction.
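To make the script concrete, here is an added example (not code from vanta-swap) that serialises it with standard Bitcoin script encoding and derives the P2WSH output script for both legs. The keys, secret and locktimes are constructed placeholders, and the function names are hypothetical.

```python
import hashlib

# Standard Bitcoin script opcode values.
OP_IF, OP_ELSE, OP_ENDIF = 0x63, 0x67, 0x68
OP_DROP, OP_EQUALVERIFY = 0x75, 0x88
OP_SHA256, OP_CHECKSIG, OP_CLTV = 0xA8, 0xAC, 0xB1


def push(data: bytes) -> bytes:
    """Direct data push, valid for 1..75 bytes (hashes, keys, locktimes)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push only covers 1..75 bytes")
    return bytes([len(data)]) + data


def script_num(n: int) -> bytes:
    """Minimal little-endian script number for a locktime above 16."""
    if n <= 16:
        raise ValueError("0..16 are encoded as OP_0..OP_16, not as a push")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "little")
    # A set top bit would be read as the sign, so append a zero byte.
    return raw + b"\x00" if raw[-1] & 0x80 else raw


def htlc_script(payment_hash, receiver_pubkey, locktime, sender_pubkey):
    """Serialise the IF (claim) / ELSE (refund) script quoted above."""
    if len(payment_hash) != 32:
        raise ValueError("payment hash must be a 32-byte SHA-256 digest")
    for key in (receiver_pubkey, sender_pubkey):
        if len(key) != 33 or key[0] not in (2, 3):
            raise ValueError("expected 33-byte compressed public keys")
    claim = bytes([OP_SHA256]) + push(payment_hash) + bytes([OP_EQUALVERIFY])
    claim += push(receiver_pubkey) + bytes([OP_CHECKSIG])
    refund = push(script_num(locktime)) + bytes([OP_CLTV, OP_DROP])
    refund += push(sender_pubkey) + bytes([OP_CHECKSIG])
    return bytes([OP_IF]) + claim + bytes([OP_ELSE]) + refund + bytes([OP_ENDIF])


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """P2WSH output script: OP_0, then a push of SHA-256(witness script)."""
    return b"\x00" + push(hashlib.sha256(witness_script).digest())


# Constructed sample values (placeholder keys, not real wallet keys).
SECRET = bytes(range(32))
HASH = hashlib.sha256(SECRET).digest()
ALICE, BOB = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32
BTC_LEG = htlc_script(HASH, BOB, 840_000, ALICE)    # Alice locks BTC for Bob
VANTA_LEG = htlc_script(HASH, ALICE, 120_000, BOB)  # Bob locks VANTA for Alice
```

Both legs embed the same 32-byte hash at the same offset, which is what lets one revealed preimage unlock both.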
The price-discovery problem
The swap implementation today is fully transparent on both sides. From the planning doc:
Worth being precise: the current swap implementation is fully transparent on both sides.
- swap.rs funds the VANTA leg via L1 RPC (createrawtransaction → fundrawtransaction → signrawtransactionwithwallet → sendrawtransaction). That’s the transparent L1, not the shielded L2.
- So vanta_amount is plainly visible in the P2WSH output on L1. btc_amount is visible on Bitcoin.
- Price is therefore already discoverable today by anyone scanning matched hashes across the two chains.
So the problem is forward-looking. Once the VANTA leg moves to a shielded note (commitment + encrypted amount, no visible value on L1), an external observer can:
- find the BTC-side HTLC with amount X and embedded hash h
- see that a note with commitment tied to h exists on VANTA L2, but not its amount Y
- without Y, no X/Y rate
No rate means no tape. No tape means no public order book. No public order book means no efficient price formation. That is the problem.
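The matched-hash join described above, as an added example (not part of the planning doc or vanta-swap): it pulls the hash out of HTLC witness scripts revealed on the Bitcoin side, joins on it, and shows the rate disappearing once the VANTA amount is shielded. The record layout, the function names and all sample values are constructed, and VANTA amounts are assumed to be in whole VANTA.

```python
import hashlib
from fractions import Fraction

CLAIM_PREFIX = bytes.fromhex("63a820")  # OP_IF OP_SHA256 <push 32 bytes>
OP_EQUALVERIFY = 0x88


def embedded_hash(witness_script: bytes):
    """Return the 32-byte hash if the script opens like the HTLC quoted above."""
    if len(witness_script) < 36 or witness_script[:3] != CLAIM_PREFIX:
        return None
    if witness_script[35] != OP_EQUALVERIFY:
        return None
    return witness_script[3:35]


def rate_tape(btc_spends, vanta_legs):
    """Join the two chains on the HTLC hash.

    Returns {hash_hex: sats per VANTA}, with None where the VANTA amount is
    shielded (or zero) and the observer therefore cannot form X/Y.
    """
    vanta_by_hash = {leg["hash"]: leg["amount"] for leg in vanta_legs}
    tape = {}
    for spend in btc_spends:
        h = embedded_hash(spend["witness_script"])
        if h is None or h not in vanta_by_hash:
            continue  # not an HTLC, or no matching leg on the other chain
        y = vanta_by_hash[h]
        tape[h.hex()] = Fraction(spend["sats"], y) if y else None
    return tape


def _htlc_prefix(secret: bytes) -> bytes:
    # Constructed stand-in: claim-branch prefix only, remainder zero-filled.
    return CLAIM_PREFIX + hashlib.sha256(secret).digest() + b"\x88" + bytes(78)


# Constructed observations: swap "a" is transparent, swap "b" has a shielded leg.
H_A, H_B = (hashlib.sha256(s).digest() for s in (b"a", b"b"))
BTC_SPENDS = [
    {"witness_script": _htlc_prefix(b"a"), "sats": 150_000},
    {"witness_script": _htlc_prefix(b"b"), "sats": 300_000},
    {"witness_script": bytes.fromhex("51"), "sats": 999},  # unrelated script
]
VANTA_LEGS = [{"hash": H_A, "amount": 100}, {"hash": H_B, "amount": None}]
```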
I want to push back on a knee-jerk response that “privacy chains shouldn’t have public prices.” Of course they should — every market needs a price. The question is how price emerges without compromising the privacy property. That’s not the same as “should there be a price at all,” which is a question I think privacy maximalists sometimes confuse.
Six options
The doc walks through six designs. I’ll abbreviate.
1. Do nothing — OTC negotiation only
Peers find each other on Nostr / Telegram / a forum, agree privately, swap. Zero engineering. Zero price discovery. Hard to bootstrap a market. New users can’t tell what a fair rate is. LPs won’t come.
Pros: trivial, full privacy. Cons: the market doesn’t form.
2. Voluntary post-trade rate publication
After a swap, either party signs a {rate, timestamp} statement and posts it to a relay (Nostr, an HTTP aggregator, whatever). An aggregator computes a median or time-bucketed mean. Crucially: publish the rate, not the size. Rate is a scalar; it leaks nothing about how much the signer actually traded.
Pros: simple, opt-in, amounts stay shielded. Cons: self-reported, trivially fakeable. Anti-spam needs a cost function — proof of recent swap, a small VANTA burn, a reputation-weighted signer set.
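A sketch of the aggregator side, added here as an example rather than taken from the planning doc: it buckets published rates by time, counts one post per signer per bucket, and reports OHLC plus the median. Signature verification is assumed to have happened upstream; the bucket width, tuple layout and sample data are constructed, and rates are taken to be in sats/VANTA.

```python
from collections import defaultdict
from statistics import median

BUCKET_SECONDS = 3600  # hypothetical candle width


def candles(statements, bucket_seconds=BUCKET_SECONDS):
    """Build per-bucket OHLC and median from published rate statements.

    Each statement is (signer_id, rate, timestamp), with rate in sats/VANTA,
    and is assumed to have passed signature verification upstream. Only the
    latest post per signer per bucket counts, so one key cannot outvote the
    rest by posting repeatedly.
    """
    per_bucket = defaultdict(dict)  # bucket start -> signer -> (ts, rate)
    for signer, rate, ts in statements:
        if rate <= 0:
            continue  # malformed rate
        start = ts - ts % bucket_seconds
        seen = per_bucket[start].get(signer)
        if seen is None or ts > seen[0]:
            per_bucket[start][signer] = (ts, rate)
    out = {}
    for start in sorted(per_bucket):
        rates = [rate for _, rate in sorted(per_bucket[start].values())]
        out[start] = {
            "open": rates[0], "high": max(rates), "low": min(rates),
            "close": rates[-1], "median": median(rates), "signers": len(rates),
        }
    return out


# Constructed sample: three honest signers, one key posting ten fake rates,
# then the same spam spread over four fresh keys (the Sybil case).
HONEST = [("a", 1490, 7200), ("b", 1500, 7260), ("c", 1510, 7320)]
ONE_KEY_SPAM = [("spam", 9999, 7400 + i) for i in range(10)]
SYBIL_SPAM = [(f"sybil{i}", 9999, 7400 + i) for i in range(4)]
```

With one spamming key the per-signer median stays near the honest rates while high and close are still polluted; with four fresh keys the median itself moves, which is why publication needs a cost function.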
3. ZK-attested rate proofs
Use SP1 (already in the consensus stack) to prove:
“I participated in a swap whose hash is H (publicly known), and the rate was in [r − ε, r + ε], without revealing either amount.”
The circuit takes X, Y, r as private witness, publishes H and r as public output. Anyone can verify the SP1 proof and see a rate without seeing amounts.
Pros: cryptographically binding, not self-reported. Cons: non-trivial circuit work; SP1 proof costs (the doc notes the 5070 box is below the 24 GB GPU minimum, so we’d need CPU proving or a remote prover); UX friction.
4. Off-chain encrypted order book with HTLC settlement
Bisq-style. Orders live in a P2P relay (Tor hidden service, Nostr, Waku). Orders are plaintext (amount, rate, counterparty pubkey) at posting time. Match happens, counterparties swap via HTLC, order disappears. Price discovery is from the order book, not from chain history.
Pros: decouples price discovery (pre-trade order book) from settlement privacy (post-trade on-chain). The doc calls this “arguably the right architecture.”
Cons: requires a relay layer; orders-in-the-open weakens pre-trade privacy of unfilled orders.
5. Trusted LP / market maker
Professional MMs run their own nodes, quote two-sided publicly, users trade against them via atomic swap. LPs willingly reveal quotes because that’s their business.
Pros: realistic bootstrapping path, CEXes already work this way. Cons: centralises price discovery; LPs need KYC/operational reality → potentially a regulatory attack surface.
6. Hybrid: opt-in transparent-swap mode
Users opt into a “transparent swap” that pins the VANTA leg to L1 (visible). Those swaps contribute to a public price tape. Private traders settle on L2 and free-ride on the tape.
Pros: zero new crypto; user-level privacy/contribution choice. Cons: tragedy-of-the-commons. Everyone wants privacy, nobody wants to be the transparent swapper. Requires incentive design (fee rebates for transparent swappers?).
The recommendation
The doc lands on a hybrid of #4 and #2:
For a near-term path: combine #4 (off-chain order book) + #2 (voluntary rate publication). Rationale:
- #4 gives us an actual market — users see bids/asks before committing.
- #2 gives us a historical tape — aggregators compile published rates into OHLC candles.
- Both respect the privacy invariant: amounts stay shielded.
- Both are boring engineering, not new cryptography. We can ship them.
- #3 (ZK rate proofs) is a “do it later if spam becomes a real problem” lever.
I agree with this and want to underscore the framing: boring engineering, not new cryptography. New cryptography is expensive in the medium term — it has to be audited, the implementation has to land, the wallets have to integrate, the tooling has to mature. An off-chain order book + voluntary rate posts ship in a quarter using existing primitives. The ZK rate-proof option is a clean lever to pull later, if the simpler scheme proves insufficient against spam.
Worth a moment on #3 specifically. ZK rate proofs are tempting because they’re cool. They’re also a chunk of circuit work, and the wallet UX gets one more “generate proof” wait. Building it before we know whether voluntary publication produces enough useful data is over-engineering. The principle: build the simplest thing that could work, instrument it, then add cryptography when the simpler thing demonstrably fails.
Open questions the doc flags
The planning note ends with five questions I haven’t answered yet:
- Anti-spam for voluntary publication. Cost function: proof of recent shielded spend? Small VANTA burn? Reputation-weighted signer? My current bias is “small VANTA burn weighted by chain age” — cheap to publish if you’ve held VANTA for a while, expensive if you haven’t, no operational dependency on a reputation graph.
- Relay topology. Nostr (easy, public), Waku, or a Tor hidden-service relay? Probably Nostr to start. TODO: Dax confirm we want Nostr-first vs a custom relay.
- Quote units. sats/VANTA or VANTA/BTC? Pick one canonical representation up front and stick it in the whitepaper suite. I lean sats/VANTA because it makes for round numbers at current valuation.
- Handling the current transparent swap. Migration path or permanent second mode? Affects whether the price-discovery design has to handle two worlds. TODO: Dax confirm.
- Cross-asset routing. VANTA ↔ X ↔ BTC via multi-hop. Out of scope here, but on the longer-term roadmap.
These are the kind of open questions that should be public. A privacy chain whose policy decisions are made behind closed doors is, sociologically, a chain you can’t trust. Putting the design exploration in the open repo means the discussion happens in pull requests, not in a Slack I run.
What’s not in this design
A couple of things I want to flag explicitly because they often come up.
Oracles. Vanta does not currently feed external prices into on-chain logic. There’s no smart-contract platform, so there’s no place to feed them to. Oracles are an L2 problem; they’ll show up if and when programmable shielded contracts ship.
Loans / derivatives. Out of scope. Spot atomic swaps are the spot market. DeFi primitives beyond spot are a much larger conversation.
A unified DEX. I am skeptical of “one app to rule them all” DEX designs for a privacy chain. Composability is harder when amounts are shielded; the simplest path is probably multiple small-surface protocols (atomic swaps for cross-chain, order book for in-chain, AMM only if liquidity demands it).
What changed my mind about the swap problem
Two things.
First, when I started thinking about this, I assumed ZK rate proofs (option 3) were the obvious answer because they’re the most cryptographically clean. They’re also the most cryptographically expensive. Once I actually thought about the user flow — generate a swap, generate a proof, then publish — I realised the friction would crater participation. The voluntary scheme is worse on cryptographic strength but enormously better on participation, and a market with weaker price proofs that more people use is a better market than a strong-proof market that nobody uses.
Second, I underestimated how much of the answer is just an order book. Bisq’s design has been working for years on exactly this problem (privacy-respecting BTC ↔ fiat). An off-chain encrypted order book with on-chain HTLC settlement is the architecture that already works in the wild for a closely-related problem. Reusing it for VANTA ↔ BTC is the smallest delta.
Both of these updates landed because the planning doc was a pull-out-the-options doc, not a “here’s the design” doc. Writing it forced the comparison.
Further reading
- planning/price-discovery-for-private-swaps.md — the doc this post walks through
- vanta/vanta-swap — the HTLC implementation
- Vanta: a Bitcoin fork with ZK at consensus — the chain
- What’s in vanta/papers — the canonical-papers tour
- Bisq’s design overview — the existing implementation of “encrypted order book + on-chain settlement”
- BIP 199 (HTLC) — the upstream pattern the swap script implements