Skip to main content
Live on Sepolia ↔ Stellar Testnet. Real bridge transactions settle end-to-end through this architecture today. Subsequent phases incrementally retire trust assumptions on top of it.
This is the protocol as it runs today. Funds never leave contract escrow without a verified ZK proof, but a pre-authorization relayer sits in front of every state-changing call as scaffolding while the BLS-based end-state is being built.

Architecture diagram

Phase 1 architecture — Pre-auth MVP Refer to the protocol overview pages for the actor definitions, the 12-step settlement flow, and the per-contract function reference:

Makers & Bridgers

The two end-user roles.

How it works

The 12-step cross-chain flow as it runs today.

Smart contracts

Function signatures, storage, and deployed testnet addresses.

What’s transitional

Three pieces only exist because the BLS end-state isn’t shipped yet. Phase 2 retires the first, Phase 4 retires the second, and the third is a documentation nuance:
  • Pre-auth signing. Every state-changing user call carries a manager-signed request hash. A compromised manager key can authorize any user request — though it still cannot redirect funds without a valid ZK proof. Retired in Phase 2.
  • Single-key admin on each chain. setChain, setTokenRoute, setManager, and role grants execute instantly with no delay or multisig. Replaced by multisig + 24h timelock in Phase 4.
  • Native-token wrapping uses an internal wNativeToken contract via a sentinel address. The “native handled directly” story is an aspirational simplification of what the contracts actually do today.
For the full set of trust assumptions and how each phase shrinks them, see the security model.

What ships next

Phase 2: BLS Auth & Pre-auth Retirement

Both Maker and Bridger sign the order with BLS once; one aggregated signature gates both unlock calls. The pre-auth path is removed entirely.