Three contracts
| Contract | Purpose | Deployment |
|---|---|---|
| SettlementCoordinator | State machine enforcement, transition validation, atomicity gate | One instance on the coordinator chain |
| KeystoneEscrow | Lock, release, and rollback of deposits per settlement leg | One instance per supported chain |
| ComplianceRegistry | On-chain compliance attestations as a gate for state transitions | One instance on the coordinator chain |
Design principles
- No custody. KeyStone never holds funds. Escrow contracts have no admin keys, no upgrade authority, and no KeyStone-controlled withdrawal.
- No chain dependency. The SettlementCoordinator can live on any EVM chain. It only needs EVM compatibility and LayerZero support for cross-chain messaging.
- Assets never bridge. Bonds stay on Ethereum. USDC stays on Avalanche. Escrow contracts lock and release locally. Cross-chain coordination happens via messaging (LayerZero), not bridging.
- Permissionless creation. Anyone can call `createSettlement()`. Gas cost is the natural spam filter. A settlement with no deposits is harmless (it simply times out).
- Permissionless timeout. Anyone can call `timeout()` after the deadline. No dependency on KeyStone being operational.
What lives on-chain vs off-chain
| On-chain (trustless) | Off-chain (KeyStone service layer) |
|---|---|
| Settlement creation (permissionless) | Instruction matching (convenience) |
| State machine enforcement | Compliance screening (LSEG, CipherOwl API calls) |
| Compliance gate (ComplianceRegistry.areAllPartiesCleared) | Compliance attestation submission (oracle) |
| Deposit gate (Escrow.allLegsDeposited) | SDK / Fireblocks integration |
| Token deposits (lock) | Webhooks, dashboards, monitoring |
| Atomic swap execution (release) | Trade reference generation |
| Rollback | Repo maturity triggers |
| Timeout (permissionless) | Event indexing (DB as read cache) |
| All state change events | |
Trust model
| Question | Answer |
|---|---|
| Can KeyStone skip compliance? | No - contract checks areAllPartiesCleared gate |
| Can KeyStone execute without all deposits? | No - contract checks allLegsDeposited gate |
| Can KeyStone skip states? | No - contract enforces registered transitions |
| Can KeyStone prevent timeout? | No - permissionless call, anyone after deadline |
| Can an auditor verify independently? | Yes - read contract events directly from the chain |
| Can a platform bypass KeyStone’s API? | Yes - call contracts directly |
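
The sketch below is an added example, not KeyStone's own contract code. It shows how the two gates and the permissionless timeout from the tables above fit together in the single-chain case. The interface signatures, the state names, and the `execute`, `release` and `rollback` function names are assumptions; only `createSettlement`, `timeout`, `areAllPartiesCleared` and `allLegsDeposited` are named on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative only: signatures and state names are assumed, not KeyStone's deployed ABI.
interface IComplianceRegistry {
    function areAllPartiesCleared(bytes32 id) external view returns (bool);
}
interface IEscrow {
    function allLegsDeposited(bytes32 id) external view returns (bool);
    function release(bytes32 id) external;   // must only accept the coordinator as caller
    function rollback(bytes32 id) external;  // must only accept the coordinator as caller
}

contract CoordinatorSketch {
    enum State { None, Created, Executed, TimedOut } // hypothetical state set
    struct Settlement { State state; uint64 deadline; }
    IComplianceRegistry public immutable registry;
    IEscrow public immutable escrow;
    mapping(bytes32 => Settlement) public settlements;
    event StateChanged(bytes32 indexed id, State from, State to);

    constructor(IComplianceRegistry r, IEscrow e) { registry = r; escrow = e; }

    // Permissionless: no caller check. An unfunded settlement simply times out.
    function createSettlement(bytes32 id, uint64 deadline) external {
        require(settlements[id].state == State.None, "exists");
        require(deadline > block.timestamp, "deadline in past");
        settlements[id] = Settlement(State.Created, deadline);
        emit StateChanged(id, State.None, State.Created);
    }

    // Both gates are read on-chain at execution time, so no caller can skip them.
    function execute(bytes32 id) external {
        Settlement storage s = settlements[id];
        require(s.state == State.Created, "bad transition");
        require(block.timestamp <= s.deadline, "expired");
        require(registry.areAllPartiesCleared(id), "compliance gate");
        require(escrow.allLegsDeposited(id), "deposit gate");
        s.state = State.Executed; // update state before the external call
        emit StateChanged(id, State.Created, State.Executed);
        escrow.release(id);
    }

    // Permissionless: anyone may trigger rollback once the deadline has passed.
    function timeout(bytes32 id) external {
        Settlement storage s = settlements[id];
        require(s.state == State.Created, "bad transition");
        require(block.timestamp > s.deadline, "not expired");
        s.state = State.TimedOut;
        emit StateChanged(id, State.Created, State.TimedOut);
        escrow.rollback(id);
    }
}
```

Because `execute` and `timeout` both require the `Created` state and test opposite sides of the deadline, a settlement can end in exactly one of the two terminal states, and every transition is visible to an auditor through `StateChanged`.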
Cross-chain architecture
Phase 1 (current): Single-chain. SettlementCoordinator and KeystoneEscrow deployed on the same chain. No LayerZero needed.

Phase 2: Cross-chain. SettlementCoordinator on one chain, escrow contracts on every chain. LayerZero carries lock confirmations and release/rollback instructions between chains.

SettlementCoordinator
State machine, gates, and transition validation.
KeystoneEscrow
Per-chain deposit lock, release, and rollback.
ComplianceRegistry
On-chain compliance attestations.
Testnet Addresses
Deployed contract addresses on Sepolia.