Today (v1)
Intent submission is a two-step flow:- Sender calls
BridgeIntentV2.createIntenton the source chain. This is a normal on-chain transaction with the public solver-facing fields (tokenIn, tokenOut, amountIn, minAmountOut, reward, destChainId). The contract also emits an encrypted blob in the same event that only the relayer key can decrypt. - Sender POSTs the encrypted recipient bundle to the relayer via
/store-recipients.
Next (target model)
We’re moving toward off-chain intents. The sender never calls a source-chain contract just to submit an intent. Shape:- Sender signs an intent off-chain (EIP-712 or equivalent).
- Sender signs a permit (EIP-2612 on EVM, analogous primitives elsewhere) authorizing the solver to pull
amountIn + rewardfrom the sender’s address when the winning bid comes in. The permit is scoped to the intent hash so it can’t be replayed on a different intent. - Sender encrypts both (intent + permit) and POSTs to the relayer. Nothing hits a source-chain contract at this step.
- Relayer broadcasts a batched plaintext summary to solvers (rate, token pair, fees, aggregates; no per-intent recipient).
- Winning solver receives the recipient bundle and the permit under re-encryption to their own key.
- Solver presents the permit on the source chain to pull funds, delivers on the destination chain, and submits the fulfillment attestation.
- Enclave attestation is verified on-chain before the solver’s reward is released.
What the target model improves
- Sender is not linked to the protocol action on-chain. The permit sits in the intent envelope until the solver pulls. An observer watching the source chain sees the solver making a standard
transferFrom, not the sender signalling “I want to use Tachyon”. - No per-intent gas for the sender. Submitting an intent is a signature, not a tx.
- Faster. No wait for source-chain confirmations before the auction starts.
- Same guarantees. Re-encryption to the winning solver, enclave attestation on settlement, solver-funded liquidity, escape path on solver failure. All unchanged.
How recovery works without the on-chain blob
We keep the relayer-loss recovery property with two off-chain mechanisms:- Signed durable storage. Relayer writes every accepted intent + permit, encrypted to the relayer key, to append-only storage the relayer key-holder can always read back. Functionally the same as the on-chain blob, without the gas cost and without broadcasting the sender’s intention.
- Periodic on-chain commitments. At an interval, the relayer publishes a single commitment (hash) of the batch of intents seen in that window. Lets anyone prove that a given intent existed at a given time, without publishing the intent itself. This is a public-good anchor: it keeps the network’s honesty externally verifiable even if the relayer’s off-chain storage is ever questioned.
| Data | Primary source | Backup source |
|---|---|---|
| Intent + permit (encrypted) | Relayer’s durable storage | Periodic on-chain commitment proves existence + timestamp |
| Public outcomes (solver pull, settlement) | Source chain | Always replayable |
| Recipient keys | Enclave | User re-registers with wallet signature |
When
Target model ships as part of the solver SDK release (roughly M5 of the Canton grant timeline). V1 on-chain intent flow remains supported during and after the transition so existing integrations don’t break.What integrators should do today
Build against v1. Every docs page labelled for today’s integration is correct. When we ship the target model, the SDK surface stays the same (submit(params, wallet)) and the underlying path swaps from “createIntent + store-recipients” to “signed intent + permit”. Your integration code doesn’t rewrite.
Direct HTTP integrations will get a deprecation window on createIntent before the target model becomes the default.
Related
- Architectural alignment for how v1 composes on Canton
- Privacy guarantees for what’s revealed at each step today
- Relayer HTTP API for the endpoints live now