arXiv is now an independent nonprofit! Learn more
License: CC BY 4.0
arXiv:2607.06525v1 [cs.CR] 07 Jul 2026

Crossroads: A Smart Contract Layer for Chain-Abstracted Assets

James Austgen*    Dani Vilardell*    Ari Juels *These authors contributed equally to this work.
Abstract

This paper introduces Crossroads, a smart contract layer for chain-abstracted assets. In Crossroads, assets from nearly any chain are represented on a single backend blockchain as ERC-20 tokens. As a result, any asset can participate in smart-contract-based exchange, lending, or privacy applications on a single unified platform. So while Crossroads offers cross-chain bridging, a common, partial approach to alleviating the fragmentation of the blockchain ecosystem today, this is just one service within Crossroads’ general-purpose chain-abstraction model.

Crossroads relies on key encumbrance: a threshold signing committee holds encumbered keys controlling assets on each integrated chain, signing transactions only as authorized by smart contracts on the backend blockchain. Asset movements are fee-efficient, as ownership changes are recorded on the backend blockchain and users may set the transaction fee for withdrawals.

Crossroads enables permissionless, modular integration of new blockchains using pluggable oracles with flexible design options (zkBridge, TEE-based, hybrid). Asset deposits into Crossroads benefit from strong, chain-specific finalization guarantees, minimizing the risk of reorg attacks. Unlike existing bridges, however, third-party smart contracts in Crossroads can provide fast, optimistic access to funds before finalization completes.

We prove that Crossroads satisfies soundness: given an honest quorum of signing committee members, any user can unilaterally generate a valid withdrawal transaction transferring their full net balance to an externally owned account on an integrated blockchain. We implement a proof of concept across multiple public blockchains: Bitcoin, Ethereum, and Solana. We catalog a range of applications enabled by Crossroads, including universal wallets, cross-chain staking and lending, privacy-preserving payments, and private management of public blockchain assets.

1 Introduction

Cross-chain bridges are the main path today towards blockchain interoperability. Current bridges, though, generally only support a handful of high-liquidity chains or chains within a single family (EVM, Cosmos, Solana, Bitcoin, etc.). Swaps between two cryptocurrencies often have to traverse several cross-chain exchanges, e.g., an exchange of StarkNet ETH to Solana SOL, might involve three or more bridge operations and several intermediary token swaps [rangoAPI].

The challenge is that a single bridge connects exactly two chains. Full pairwise connectivity is impractical, as supporting NN chains would require N2N^{2} bridges, each separately deployed and operated. Practical designs today therefore employ a sparse graph of bridges between high-liquidity chains, where transfers between unconnected chains must hop through intermediaries and pay fees at each step.

A hub topology avoids such hopping: NN connections make every pair of chains reachable through the hub, and NN bridges are easier to audit than N2N^{2}. Existing hub-and-spoke systems, however, fall short of this potential in three ways: integrating a new chain is a permissioned decision of the hub’s operators or governance; the hub’s functionality is fixed at the protocol level, typically transfers or swaps, rather than open to third-party applications; and integration generally requires verification logic on the connected chain itself, leaving chains without smart contracts, such as Bitcoin, behind.

Crossroads.  In this work, we present Crossroads, a smart contract layer for chain-abstracted assets. Crossroads adopts a hub-and-spoke topology but, unlike existing hubs, supports permissionless integration of any chain and enables a programmable layer that lets arbitrary smart contracts operate on the assets within the hub. Crossroads works with nearly any blockchain, even non-EVM chains and chains without smart contracts. It abstracts all blockchain assets as ERC-20 tokens existing on a single EVM-based chain (the backend chain). On this backend chain, the exchange and transfer of cross-chain assets operate as ordinary on-chain transactions.

To interact with Crossroads-enabled cross-chain applications, users deposit assets into a committee controlled address on the asset’s native chain; a per-chain oracle then attests on the backend chain that the deposit transaction is finalized, after which the corresponding ERC-20 tokens are minted on the backend chain. The committee holds the keys to these addresses under key encumbrance [austgen2025liquefaction]: keys are generated and stored under a threshold signature scheme, so no party ever learns them, and signatures are produced only as authorized by the asset contracts on the backend chain.

Concretely, to withdraw an asset from the Crossroads system, a user first burns its corresponding ERC-20 tokens on the backend chain. The committee verifies the burn against the asset contract and signs a transaction transferring the corresponding native assets to an address chosen by the user, with the user setting the fee and deciding when to broadcast.

Compared to existing cross-chain interoperability platforms, this design gives Crossroads three novel properties. First, cross-chain functionality is programmable: any smart contract deployed on the backend chain (an AMM, a lending market, a stablecoin issuer) operates on assets from every integrated chain. Because each ERC-20 token carries the right to withdraw its underlying asset, transferring tokens also transfers that right with them; a single backend transaction, such as an AMM swap, thus settles an exchange of native assets atomically. Second, integration is permissionless: integrating a chain amounts to deploying its ERC-20 asset contract on the backend chain and an oracle relaying the chain’s finalized transactions, so anyone can add a chain or asset without the approval of a developer or system operator. Third, the requirements on integrated chains are minimal: because Crossroads needs only a unidirectional oracle from the asset chain to the backend chain, any chain with eventual, verifiable finality can be integrated, with no contracts, deployed logic, or protocol changes on the chain itself. This is what brings chains without smart contract support, such as Bitcoin and XRPL, within reach.

Crossroads’ security rests on the standard trust assumption of threshold cryptosystems: an adversary corrupts fewer signing committee members than the signing threshold. Under this assumption, we prove that Crossroads is sound: any user can redeem their Crossroads-issued ERC-20 tokens for the underlying asset and transfer them to an externally owned account (EOA) on the asset’s native chain. Soundness implies that an adversary in our threat model cannot steal or lose user funds. In view of committee compromises in practice [krause20251, chainalysis2026kelpdao, zhang2024cross], however, we present modular security enhancements that provide defense in depth should our corruption assumption fail. These include use of secure hardware (TEEs), security councils with freeze authority, and accountable threshold signatures that identify misbehaving signers.

Crossroads’ design ideas have already seen industry adoption. Oasis Sapphire, a TEE-based blockchain, has integrated many of Crossroads’ components into its multi-chain programmable wallet SDK, Privana [oasis2026privana].

Applications.  Because Crossroads represents assets from arbitrary chains as ERC-20 tokens on a single programmable backend, any ERC-20 compatible smart contract on the backend automatically becomes a cross-chain application. This can turn systems which otherwise would require bridging infrastructure into ordinary single-chain smart contracts.

One direct application of Crossroads is a chain-agnostic wallet, a single key pair that controls assets across every integrated chain, with the user’s full portfolio visible on a single ledger and tokens spendable on any integrated chain without the need to hold native accounts there. Crossroads also allows standard exchange contracts, such as AMM, order book, or RFQ contracts, to be deployed onto the Crossroads platform. Lending and borrowing applications are similarly possible: collateral deposited from one chain can back loans denominated in assets from another, making cross-chain shorts and arbitrage practical with existing lending platforms such as Morpho [morpho] or Euler [euler].

Crossroads also enables applications that existing bridges cannot offer at all. A universal stablecoin can be issued natively on the backend and spent on any integrated chain, removing the centralized issuer’s role in deciding which chains to support. Cross-chain staking via Crossroads offers a new, highly flexible, multi-chain means for emerging chains to bootstrap their security with established assets such as ETH or BTC, rather than just their native liquidity [tas2022babylon, tas2023bitcoin]. When the backend blockchain is itself privacy-preserving (e.g. Oasis Sapphire [cheng2019ekiden, oasis2023sapphire]), Crossroads further enables private payments and private institutional management of public-chain assets, with smart-contract-enforced disclosure and compliance policies layered directly onto exchange transactions.

Contributions

We provide background to Crossroads in Section 2. Subsequently, our contributions are as follows:

  • Crossroads: We introduce Crossroads, a smart-contract layer for chain-abstracted assets. Crossroads can represent assets from any chain as ERC-20s on its unified smart-contract platform (Section 3).

  • Optimizations: We present key optimizations to Crossroads’ core design: per-user deposit addresses to enable broad wallet compatibility; optimistic deposits and withdrawals to reduce settlement latency; and parallelized withdrawals to increase throughput (Section 4).

  • Security: We prove system soundness by showing that at any point a user can unilaterally withdraw their full net balance to an externally owned account. We also propose modular security enhancements to strengthen the security model (Section 5).

  • Implementation: We implement a proof-of-concept of Crossroads and integrate it with Bitcoin, Ethereum, and Solana (Section 6), available at https://github.com/trate3/crossroads.

  • Applications: We identify a broad range of applications for Crossroads, from chain-agnostic wallets and cross-chain decentralized exchanges to cross-chain staking and lending, privacy payments, and universal stablecoins (Section 7).

We review related work in LABEL:sec:related-work and conclude in LABEL:sec:conclusion.

2 Building Blocks

We introduce the cryptographic and systems primitives that Crossroads builds on.

2.1 Cross-chain oracles

Blockchains cannot natively observe events outside their own ledger; oracles are systems that make external events available to smart contracts. A cross-chain oracle lets a contract on a destination chain verify that an event—for our purposes, the inclusion and finality of a transaction—occurred on a source chain.

Oracle constructions differ primarily in their trust model: committee-based oracles rely on an honest majority of external attesters [wormhole, axelar], light-client oracles verify the source chain’s consensus on the destination chain, possibly via zero knowledge proofs [xie2022zkbridge], and TEE-based oracles run prove transaction finality via their attestation capabilities. Crossroads requires a unidirectional oracle of finalized asset-chain transactions into its backend chain, and any such system can serve that purpose, each with its own security guarantees.

2.2 Cryptocurrency and DeFi

Most major blockchains have a single native asset which is required to pay for transaction fees and protect against unbridled resource consumption or denial of service. Many assets, however, do not require their own blockchain. These can be represented as tokens, and on EVM chains, they are smart contracts which adhere to the ERC-20 standard [erc20standard].

The popularity of ERC-20 tokens gave rise to decentralized finance (DeFi), a term encompassing financial services implemented on smart contracts, such as token-exchange, lending, and derivative-asset platforms.

2.3 Key encumbrance

Nearly all blockchains use public-key cryptography for account authentication and transaction signing. Usually, individual users directly control their private key material. Under key encumbrance, a policy, rather than an individual user, governs a key’s usage. The policy acts as a proxy through which authenticated parties may obtain signatures from the key, and it decides who is authorized to obtain signatures for particular messages. The parties themselves never learn the key.

Key encumbrance can be used to construct a shared blockchain account in which parties who do not trust each other individually control their own portions of the account balance [austgen2025liquefaction]. Furthermore, a single key encumbrance platform can sign transactions for separate blockchains. Practically, a TEE application or MPC protocol is used to generate keys securely and enforce encumbrance policies over them.

2.4 Threshold signature scheme

We require a (t,N)(t,N)-threshold signature scheme comprising four algorithms (𝖪𝖦,𝖲𝗂𝗀𝗇,𝖵𝖾𝗋𝗂𝖿𝗒,𝖢𝗈𝗆𝖻𝗂𝗇𝖾)(\mathsf{KG},\mathsf{Sign},\mathsf{Verify},\mathsf{Combine}):

  • 𝖪𝖦(1λ,N,t)(𝗉𝗄,𝗉𝗄c,𝗌𝗄1,,𝗌𝗄N)\mathsf{KG}(1^{\lambda},N,t)\to(\mathsf{pk},\mathsf{pk}_{c},\mathsf{sk}_{1},\ldots,\mathsf{sk}_{N}): a probabilistic key generation algorithm that generates a tt-out-of-NN shared key, outputting a public key 𝗉𝗄\mathsf{pk}, a combiner public key 𝗉𝗄c\mathsf{pk}_{c}, and NN signing key shares 𝗌𝗄1,,𝗌𝗄N\mathsf{sk}_{1},\ldots,\mathsf{sk}_{N}.

  • 𝖲𝗂𝗀𝗇(𝗌𝗄i,m)σi\mathsf{Sign}(\mathsf{sk}_{i},m)\to\sigma^{\prime}_{i}: a (possibly) probabilistic signing algorithm that takes a key share 𝗌𝗄i\mathsf{sk}_{i} and a message mm, and outputs a signature share σi\sigma^{\prime}_{i}.

  • 𝖵𝖾𝗋𝗂𝖿𝗒(𝗉𝗄,m,σ)b\mathsf{Verify}(\mathsf{pk},m,\sigma)\to b: a deterministic verification algorithm that takes a public key 𝗉𝗄\mathsf{pk}, a message mm, and a signature σ\sigma, and outputs b{𝖺𝖼𝖼𝖾𝗉𝗍,𝗋𝖾𝗃𝖾𝖼𝗍}b\in\{\mathsf{accept},\mathsf{reject}\}.

  • 𝖢𝗈𝗆𝖻𝗂𝗇𝖾(𝗉𝗄c,m,J,{σj}jJ)σ\mathsf{Combine}(\mathsf{pk}_{c},m,J,\{\sigma^{\prime}_{j}\}_{j\in J})\to\sigma: a deterministic combiner algorithm that takes the combiner public key 𝗉𝗄c\mathsf{pk}_{c}, a message mm, a subset J[N]J\subseteq[N] with |J|=t|J|=t, and signature shares {σj}jJ\{\sigma^{\prime}_{j}\}_{j\in J}, and either outputs a combined signature σ\sigma or outputs 𝖻𝗅𝖺𝗆𝖾(J)\mathsf{blame}(J^{*}) for some nonempty JJJ^{*}\subseteq J, indicating that the shares {σj}jJ\{\sigma^{\prime}_{j}\}_{j\in J^{*}} are invalid.

We require the scheme to satisfy correctness, robustness, and existential unforgeability under chosen message attack (EUF-CMA) against an adversary corrupting up to t1t-1 signers, as defined in [boneh2023applied].

Distributed key generation.

Rather than relying on a trusted dealer to execute 𝖪𝖦\mathsf{KG} and distribute shares, Crossroads instantiates key generation through a secure distributed key generation (DKG) protocol Π𝖣𝖪𝖦\Pi_{\mathsf{DKG}} jointly run by the NN signing committee members, as defined in [boneh2023applied].

2.5 Trusted execution environments

A trusted execution environment (TEE) is an isolated execution environment enabled by hardware design that protects applications running inside it from inspection or tampering by the host operating system, and in some designs from the machine owner as well. Programs executing within a TEE can produce outputs accompanied by a remote attestation: a cryptographic statement, signed by a hardware-rooted key, that binds the output to the specific program that produced it. Any external party can then verify, against the manufacturer’s attestation key, that the output was produced by an honest execution of the attested program without trusting the host machine.

Several commercial TEE implementations are widely deployed, including Intel SGX [intel_sgx], AMD SEV-SNP [amd_sev_snp], and AWS Nitro Enclaves [aws_nitro]. They differ in threat model, performance, and exposure to side-channel attacks. Recent work has demonstrated hardware-level vulnerabilities in deployed TEEs, including confidentiality leakage [wilke2024tdxdown, gast2025counterseveillance, yuan2025ciphersteal] and integrity attacks that enable forged attestations [RMPocalypse2025, chuang2026tee]. Crossroads’ core security guarantees, however, do not rest on TEEs and we employ them only as an optional defense-in-depth layer.

3 Crossroads Architecture

In this section, we present the Crossroads architecture: its design goals and the components that fulfill them (Section 3.1), requirements for asset support (Section 3.2), and the deposit and withdrawal flows (Sections 3.3 and 3.4).

3.1 Protocol

Refer to caption
Figure 1: Overview of the Crossroads architecture. Alice deposits assets into encumbered addresses on asset chains (1); oracles verify the deposits and credit her balance on the backend blockchain (2), where she can interact with applications such as AMMs or staking contracts (3). To withdraw, Alice burns tokens on the backend and obtains a signed transfer transaction from the signing committee (4), broadcasts it to the asset chain (5), and the oracle verifies the withdrawal to settle her balance (6). Solid arrows denote on-chain transactions; dotted arrows, off-chain communication. The components in blue are core to Crossroads: the asset contracts, oracles, and the signing committee.

Crossroads must solve several problems to achieve our goal of general cross-chain support. It must (1) hold assets on heterogeneous asset chains, some without smart contracts; (2) support a representation of these assets on a programmable EVM backend blockchain; and (3) maintain consistency between balances on the asset chains and the backend blockchain. Additionally, it must not require special permission to integrate new chains. New integrations must therefore add little additional overhead to the platform, and Crossroads itself must not be opinionated about the validity of a particular chain.

The first issue is how to control assets on separate chains. Nearly every blockchain handles spending the same way: a transaction is valid only if it carries a signature verifying under the account’s key. So to custody a user’s funds, Crossroads holds it in an account on the asset chain, and spending from that account requires its signing key. Rather than entrust that key to any single party, Crossroads splits it into shares held by a signing committee that threshold-signs transactions or other messages.

We place all chain-specific logic in the backend blockchain, where each asset is represented as an ERC-20 asset contract, ultimately constructing a hub-and-spoke cross-chain topology. The signing committee responds to signing requests sent over the network but only signs transactions if an asset contract has authorized the requester to obtain a signature for the requested message. This simple policy keeps the signing committee’s logic small and separately auditable. This signing style is known as key encumbrance—when meeting the requirements of the asset contract, a requester may request transaction signatures from the committee and broadcast the signed transactions directly, as if the owner of the (encumbered) account.

Crossroads keeps the backend balances blockchain consistent with the asset chain with the help of per-chain transaction finalization oracles. Notably, these oracles only must report the state of the asset chain to the backend chain, so smart contracts are not required on asset chains. Crossroads instead relies on asset chains’ own double-spending protection and transaction validity rules.

We now expand on the five main components within Crossroads. The three drawn in blue in Figure 1 are specific to Crossroads, while the asset chains and backend blockchain are existing systems.

Asset chains.  Crossroads can integrate any blockchain that provides eventual, verifiable finality, including blockchains without smart contracts such as Bitcoin and XRPL, using a per-chain asset contract. The signing committee derives the signature for an encumbered address chainaddr\textsf{chain}_{\textsf{addr}} linked to that asset contract. Users deposit the assets into Crossroads by transferring them into chainaddr\textsf{chain}_{\textsf{addr}}. While assets remain custodied at chainaddr\textsf{chain}_{\textsf{addr}} on the asset chain, all exchange and transfer activity takes place on the backend blockchain.

Backend blockchain.  The backend blockchain is the programmable EVM chain where the Crossroads asset contracts are deployed alongside any other third-party smart contracts. Smart contracts compatible with ERC-20 tokens can therefore operate on assets from every integrated asset chain. For instance, an AMM contract such as Uniswap [uniswapv3] would allow Crossroads tokens from one asset chain to be exchanged atomically for those from another. The backend blockchain can similarly host lending markets, staking platforms, and privacy-preserving payments, all built using standard tooling without any awareness of the underlying asset chains.

Asset contracts.  Every blockchain asset integrated into Crossroads is represented by a dedicated asset contract on the backend blockchain. These contracts follow the ERC-20 standard and track each user’s holdings of wrapped tokens. Each asset contract mediates all operations that affect user balances within Crossroads, including deposits, transfers, and withdrawals. It also exposes a view function called canSign to the signing committee, allowing transaction signing requests to be checked against recorded balances. The full asset contract functionality is presented in Figure 2.

Oracles.  A transaction finalization oracle informs the backend blockchain when a transaction is finalized on the asset chain, letting the asset contracts verify a deposit or withdrawal. Crossroads supports flexible oracle designs, including zkBridges, TEE-based oracles, and hybrid approaches. The choice of oracle determines the security guarantees for each asset contract (Section 5); a single chain may even be served by multiple asset contracts each backed by different oracles.

Signing committee.  The signing committee jointly holds the keys controlling Crossroads assets on each asset chain under key encumbrance. Shares of each key are distributed across committee members via a threshold signature scheme, so no party ever learns a key. Users communicate with the signing committee off-chain, and spending from a Crossroads-controlled address requires a threshold of members to cooperate. The encumbrance policy is read from the asset contract: members produce signature shares only for requests the asset contract authorizes, so withdrawal transactions are only signed when the corresponding tokens are locked. We specify the committee protocol in Figure 3.

The high-level architecture of Crossroads and the associated data flow for users are depicted in Figure 1.

Each asset represented in Crossroads contains its own blockchain-specific deposit and withdrawal mechanisms. As Crossroads aims to be widely permissive in the blockchains it supports, we make few assumptions about blockchain architecture. In the following sections, we detail these assumptions and explain how deposits into and withdrawals from the Crossroads network operate.

Crossroads Assets Contract crsrds(𝒪,TB)\textsf{crsrds}(\mathcal{O},\textsf{TB}) Deposits: DD\leftarrow\emptyset Balances: bal{(acct,chain)0acct𝒰,chainB{η}}\textsf{bal}\leftarrow\{\,(\textsf{acct},\textsf{chain})\mapsto 0\mid\textsf{acct}\in\mathcal{U},\ \textsf{chain}\in B\cup\{\eta\}\,\} Reward: r=r=\bot Pending Withdrawals: PW\textsf{PW}\leftarrow\emptyset Escrowed Rewards: RW\textsf{RW}\leftarrow\emptyset Epochs: epoch {chain0chainB}\leftarrow\{\,\textsf{chain}\mapsto 0\mid\ \textsf{chain}\in B\,\} Crossroads addrs: chainaddr{chainachainchainB}\textsf{chain}_{\textsf{addr}}\leftarrow\{\,\textsf{chain}\mapsto a_{\textsf{chain}}\mid\textsf{chain}\in B\,\} \circ\> On input (“Init”,reward)(\textsf{``Init''},\textsf{reward}) set r=rewardr=\textsf{reward} \circ\> On input (“Deposit”,chain,tx)(\textsf{``Deposit''},\textsf{chain},\textsf{tx}) assert D[tx]=D[\textsf{tx}]=\bot (amt,sdr,rsv,fee)𝒪(chain,tx)(\textsf{amt},\textsf{sdr},\textsf{rsv},\textsf{fee})\leftarrow\mathcal{O}(\textsf{chain},\textsf{tx}) acctTB.Extract(chain,tx)\textsf{acct}\leftarrow\textsf{TB}.\textsf{Extract}(\textsf{chain},\textsf{tx}) assert amt,acct and rsv=chainaddr[chain]\textsf{amt,acct}\neq\bot\textbf{ and }\textsf{rsv}=\textsf{chain}_{\textsf{addr}}[\textsf{chain}] set D[tx]=ClaimedD[\textsf{tx}]=\textsf{Claimed} set bal[(acct,chain)]=bal[(acct,chain)]+amt\textsf{bal}[(\textsf{acct},\textsf{chain})]=\textsf{bal}[(\textsf{acct},\textsf{chain})]+\textsf{amt} \circ\> On input (“Transfer”,chain,amt,rcv)(\textsf{``Transfer''},\textsf{chain},\textsf{amt},\textsf{rcv}) from acct assert bal[(acct,chain)]amt\textsf{bal}[(\textsf{acct},\textsf{chain})]\geq\textsf{amt} and rcv𝒰\textsf{rcv}\in\mathcal{U} set bal[(acct,chain)]=bal[(acct,chain)]amt\textsf{bal}[(\textsf{acct},\textsf{chain})]=\textsf{bal}[(\textsf{acct},\textsf{chain})]-\textsf{amt} set bal[(rcv,chain)]=bal[(rcv,chain)]+amt\textsf{bal}[(\textsf{rcv},\textsf{chain})]=\textsf{bal}[(\textsf{rcv},\textsf{chain})]+\textsf{amt} \circ\> On input (“LockWithdrawal”,chain,amt)(\textsf{``LockWithdrawal''},\textsf{chain},\textsf{amt}) from acct assert bal[(acct,chain)]amt\textsf{bal}[(\textsf{acct},\textsf{chain})]\geq\textsf{amt} and bal[(acct,η)]r\textsf{bal}[(\textsf{acct},\eta)]\geq r set bal[(acct,chain)]=bal[(acct,chain)]amt\textsf{bal}[(\textsf{acct},\textsf{chain})]=\textsf{bal}[(\textsf{acct},\textsf{chain})]-\textsf{amt} set PW[acct,chain]=PW[acct,chain]+amt\textsf{PW}[\textsf{acct},\textsf{chain}]=\textsf{PW}[\textsf{acct},\textsf{chain}]+\textsf{amt} set bal[(acct,η)]=bal[(acct,η)]r\textsf{bal}[(\textsf{acct},\eta)]=\textsf{bal}[(\textsf{acct},\eta)]-r set RW[acct]=RW[acct]+r\textsf{RW}[\textsf{acct}]=\textsf{RW}[\textsf{acct}]+r return id to acct \circ\; On input (“CanSign”,acct,chain,amt,fee)(\textsf{``CanSign''},\textsf{acct},\textsf{chain},\textsf{amt},\textsf{fee}) from SC\mathcal{F}_{\textsf{SC}} assert PW[acct,chain]amt+fee\textsf{PW}[\textsf{acct},\textsf{chain}]\geq\textsf{amt}+\textsf{fee} and RW[acct]r\textsf{RW}[\textsf{acct}]\geq r return 11 to SC\mathcal{F}_{\textsf{SC}} \circ\; On input (“GetEpoch”,chain)(\textsf{``GetEpoch''},\textsf{chain}) from SC\mathcal{F}_{\textsf{SC}} return epoch[chain]\textsf{epoch}[\textsf{chain}] \circ\> On input (“ConfirmWithdrawal”,chain,tx)(\textsf{``ConfirmWithdrawal''},\textsf{chain},\textsf{tx}) from acct\textsf{acct}^{\prime} (amt,sdr,rsv,fee)𝒪(chain,tx)(\textsf{amt},\textsf{sdr},\textsf{rsv},\textsf{fee})\leftarrow\mathcal{O}(\textsf{chain},\textsf{tx}) acctTB.Extract(chain,tx)\textsf{acct}\leftarrow\textsf{TB}.\textsf{Extract}(\textsf{chain},\textsf{tx}) assert amt, acct and sdr=chainaddr[chain]\textsf{amt, acct}\neq\bot\textbf{ and }\textsf{sdr}=\textsf{chain}_{\textsf{addr}}[\textsf{chain}] set PW[(acct,chain)]=PW[(acct,chain)](amt+fee)\textsf{PW}[(\textsf{acct},\textsf{chain})]=\textsf{PW}[(\textsf{acct},\textsf{chain})]-(\textsf{amt}+\textsf{fee}) set RW[acct]=RW[acct]r\textsf{RW}[\textsf{acct}]=\textsf{RW}[\textsf{acct}]-r set bal[(acct,η)]=bal[(acct,η)]+r\textsf{bal}[(\textsf{acct}^{\prime},\eta)]=\textsf{bal}[(\textsf{acct}^{\prime},\eta)]+r set epoch[chain]=epoch[chain]+1\textsf{epoch}[\textsf{chain}]=\textsf{epoch}[\textsf{chain}]+1

Figure 2: The Crossroads assets contract, parameterized by an oracle 𝒪\mathcal{O} and a transaction binding TB exposing TB.Embed\textsf{TB}.\textsf{Embed} and TB.Extract\textsf{TB}.\textsf{Extract} (see Definition 1). η\eta denotes the native asset of the backend blockchain. 𝒪(b,tx)\mathcal{O}(b,\textsf{tx}) returns the transferred amount, sender, recipient, and on-chain fee, or \bot if the transaction is not finalized on blockchain bb.

Signing Committee Protocol ΠSCTSS,TB\Pi_{\textsf{SC}}^{\textsf{TSS,TB}} Parameters: nn signers 𝒮={s1,,sn}\mathcal{S}=\{s_{1},\ldots,s_{n}\}, threshold tnt\leq n, transaction binding TB State: 𝒦\mathcal{K}\leftarrow\emptyset (per-signer local state) \circ\; On input (“KeyGen”,chain)(\textsf{``KeyGen''},\textsf{chain}) assert 𝒦[chain]=\mathcal{K}[\textsf{chain}]=\bot at all sis_{i} 𝒮\mathcal{S} jointly executes ΠDKG(1λ,n,t)\Pi_{\textsf{DKG}}(1^{\lambda},n,t); each sis_{i} obtains outchain(i)\textsf{out}^{(i)}_{\textsf{chain}} parse outchain(i)\textsf{out}^{(i)}_{\textsf{chain}} as (pkchain,pkc,chain,skchain(i))(\textsf{pk}_{\textsf{chain}},\textsf{pk}_{c,\textsf{chain}},\textsf{sk}^{(i)}_{\textsf{chain}}) At each sis_{i}: set 𝒦[chain]=(pkchain,pkc,chain,skchain(i))\mathcal{K}[\textsf{chain}]=(\textsf{pk}_{\textsf{chain}},\textsf{pk}_{c,\textsf{chain}},\textsf{sk}^{(i)}_{\textsf{chain}}) broadcast (chain,pkchain)(\textsf{chain},\textsf{pk}_{\textsf{chain}}) \circ\; On input (“Sign”,chain,amt,fee,addrdest)(\textsf{``Sign''},\textsf{chain},\textsf{amt},\textsf{fee},\textsf{addr}_{\textsf{dest}}) from acct, at each si𝒮s_{i}\in\mathcal{S} assert 𝒦[chain]\mathcal{K}[\textsf{chain}]\neq\bot assert crsrds.CanSign(acct,chain,amt,fee)=1\textsf{crsrds}.\textsf{CanSign}(\textsf{acct},\textsf{chain},\textsf{amt},\textsf{fee})=1 epochcrsrds.GetEpoch(chain)\textsf{epoch}\leftarrow\textsf{crsrds}.\textsf{GetEpoch}(\textsf{chain}) tx0BuildTx(chain,addrdest,amt,fee,epoch)\textsf{tx}_{0}\leftarrow\textsf{BuildTx}(\textsf{chain},\textsf{addr}_{\textsf{dest}},\textsf{amt},\textsf{fee},\textsf{epoch}) txTB.Embed(chain,tx0,acct)\textsf{tx}\leftarrow\textsf{TB}.\textsf{Embed}(\textsf{chain},\textsf{tx}_{0},\textsf{acct}) σ(i)TSS.𝖲𝗂𝗀𝗇(skchain(i),tx)\sigma^{(i)}\leftarrow\textsf{TSS}.\mathsf{Sign}(\textsf{sk}^{(i)}_{\textsf{chain}},\textsf{tx}) return (tx,i,σ(i))(\textsf{tx},i,\sigma^{(i)}) to acct \circ\; At acct, upon collecting any tt shares {σ(j)}jJ\{\sigma^{(j)}\}_{j\in J} for tx: σTSS.𝖢𝗈𝗆𝖻𝗂𝗇𝖾(pkc,chain,tx,J,{σ(j)}jJ)\sigma\leftarrow\textsf{TSS}.\mathsf{Combine}(\textsf{pk}_{c,\textsf{chain}},\textsf{tx},J,\{\sigma^{(j)}\}_{j\in J}) if σ=𝖻𝗅𝖺𝗆𝖾(J)\sigma=\mathsf{blame}(J^{*}): exclude JJ^{*}, collect more shares, retry assert TSS.𝖵𝖾𝗋𝗂𝖿𝗒(pkchain,tx,σ)=1\textsf{TSS}.\mathsf{Verify}(\textsf{pk}_{\textsf{chain}},\textsf{tx},\sigma)=1 output (tx,σ)(\textsf{tx},\sigma)

Figure 3: The signing committee protocol ΠSCTSS\Pi_{\textsf{SC}}^{\textsf{TSS}}, parameterized by a (t,n)(t,n)-threshold signature scheme TSS (see Section 2.4) and a transaction binding TB (see Definition 1). Key generation is performed per chain by the committee jointly executing a distributed key generation protocol ΠDKG\Pi_{\textsf{DKG}}. On each signing request, committee members independently verify authorization via crsrds.CanSign\textsf{crsrds}.\textsf{CanSign}, embed the requesting acct into the withdrawal transaction via TB.Embed\textsf{TB}.\textsf{Embed}, and produce signature shares that acct combines into a final signature. The 𝖻𝗅𝖺𝗆𝖾\mathsf{blame} mechanism identifies invalid shares, preserving liveness as long as tt honest signers remain.

3.2 Asset chain requirements

Crossroads is compatible with nearly any blockchain, but there are several requirements for a particular integration to take full advantage of our design. All the chains that we have explored meet these requirements, though historically some chains (e.g., Bitcoin) previously have not.

Fee replacements.

Transactions whose fee payments are too low to be included on the target chain must be replaceable by transactions carrying higher fees. This is to prevent a denial-of-service attack in which low-fee transactions are broadcast but never get included in a block.

Single-choice transaction inclusion.

The chain must allow a set of valid, signed transactions containing every potential valid spend from the same account to remain valid until a transaction in the set is selected by the chain’s consensus algorithm, after which all the others become invalid forever. On Ethereum, the transaction nonce fills this purpose; on Bitcoin, it can be a UTXO spent in the transaction.

Measurable finalization.

There must be a method for measuring confidence in the finality of a particular transaction using an oracle contract on the backend chain.

Transaction signing support.

The signing committee must support the signature scheme of the chain. Since the committee holds each key under a threshold scheme and never reconstructs it, the scheme must admit a threshold signing protocol whose outputs are accepted by the chain’s native verifier.

Transaction binding.

The chain must support a mechanism for attributing transactions in the asset chains to backend blockchain addresses. For deposits, this attribution determines which Crossroads account is credited; for withdrawals, it identifies the spender so that accounting can be applied correctly. We capture this attribution mechanism as an interface implemented per asset chain.

Definition 1 (Transaction binding).

Let 𝒯B\mathcal{T}_{B} be the well-formed transactions of blockchain BB and 𝒰\mathcal{U} the backend addresses. A transaction binding for BB is a pair of algorithms Embed:𝒯B×𝒰𝒯B\textsf{Embed}:\mathcal{T}_{B}\times\mathcal{U}\to\mathcal{T}_{B} and Extract:𝒯B𝒰{}\textsf{Extract}:\mathcal{T}_{B}\to\mathcal{U}\cup\{\bot\} satisfying Extract(Embed(t,a))=a\textsf{Extract}(\textsf{Embed}(t,a))=a for all t𝒯Bt\in\mathcal{T}_{B}, a𝒰a\in\mathcal{U}.

Concrete bindings are specific to their respective chains. For example, on Bitcoin, Embed might add an OP_RETURN output containing aa. On Ethereum, Embed can append aa to the transaction calldata or the access list. We describe these instantiations in Section 6.

3.3 Deposits

For users to deposit assets on an asset chain into Crossroads, they must transfer them to a Crossroads-controlled encumbered account on the asset chain. Each deposit transaction into Crossroads must include a transaction binding to the account to which the deposit is credited.

After a deposit transaction has been finalized on its asset chain, its sender provides a proof of transaction inclusion to Crossroads. Crossroads validates the proof using the chain-specific oracle, ensures the transaction beneficiary is an account Crossroads controls, and ensures the deposit had not previously been processed. If the checks pass, Crossroads mints a wrapped representation of the deposited tokens to the Crossroads account bound to the deposit and marks the transaction as processed.

3.4 Withdrawals

To withdraw the underlying asset from Crossroads, a user must first burn an amount of tokens needed to cover the withdrawal on the backend blockchain; this establishes the maximum asset-chain transaction cost, which includes both the value being transferred and the transaction fee. The user may then obtain signed transactions from the signing committee spending up to this maximum. Since all withdrawals originate from the same encumbered address, included transactions must be attributable back to the spender. This is achieved by requiring the chain-specific transaction binding in withdrawal transactions, which embeds the spender’s backend account into the signed transaction.

It is possible to use, rather than transaction bindings, simply a commitment (on the backend blockchain) from the spender to pay for a particular transaction hash. However, we propose transaction bindings because they do not require the spender to make additional transactions (fresh commitments) if a different party’s withdrawal is included instead. In this way, transaction bindings are more resistant to frontrunning and denial of service attacks, since the time when a user requests a signature gets revealed only to the signing committee rather than to the public backend chain.

The spender may choose the transaction fee and hold onto signed transactions indefinitely. Crossroads does not guarantee that a particular transaction it has signed will be included on an asset chain, but it can guarantee that the transactions it signs are valid transactions. Multiple spenders may, in fact, compete to broadcast their transactions from the same asset chain account. After a transaction does land on an asset blockchain and finalizes, a transaction inclusion proof must be provided to Crossroads for accounting purposes. Anyone may submit the proof to receive a small reward. The spender must reserve some tokens in advance to cover this fee.

4 Optimizations

The Crossroads construction in Section 3 is functionally complete, but several practical concerns may limit its adoption. On the deposit side, embedding transaction bindings in transaction fields restricts which wallets and applications can produce valid deposits, and the wait for source-chain finality delays deposit times. On the withdrawal side, all withdrawals in the base Crossroads construction from a given chain originate from a single encumbered address, capping throughput at one withdrawal per epoch.

In this section we describe Crossroads optimizations that mitigate these concerns by means of two ideas: use of multiple encumbered addresses on a given asset chain and facilitating fast transactions using third parties. The optimizations we propose can be deployed selectively and do not require modification of the core Crossroads protocol.

4.1 Deposits

We anticipate that Crossroads depositors will not always control their spending key to the extent that they can modify the fields needed to embed a binding in their deposit transaction. Some Crossroads deposits will originate from a centralized exchange or from a wallet which only permits vanilla transfers without embedded transaction data.

We address this with custom deposit addresses, each bound to a single Crossroads account to which deposits are credited (the deposit beneficiary). These require two asset-chain transactions to complete a deposit: one sending assets to the custom deposit address, and another consolidating those funds into the main encumbered address.

To do so, we employ a novel auction mechanism selling a sub-balance of the custom deposit address representing the new deposit in exchange for equivalent Crossroads tokens. The auction’s reserve price is equal to the deposited amount minus the cost the deposit beneficiary would have paid in transaction fees to send the consolidation transaction herself.

This auction is enabled by key encumbrance. The auction winner gains encumbered control over the custom deposit addresses it bid on, allowing it to consolidate them at any later time. Bidders are incentivized to participate: the winner can delay broadcasting the consolidation transaction until transaction fees fall, profiting from the difference. In effect, the auction winner assumes the role of performing the same type of asset consolidation optimization that centralized exchanges perform [coinbasebatching].

Speeding up deposits.  Before issuing tokens, Crossroads needs to wait until a deposit transaction is finalized on the asset chain in order to protect against multiple claims to the same deposit (i.e., a double spend). On some chains this finalization is slow, taking up to 30 minutes or longer [circle-cctp-finality].

We can improve deposit times by transferring the risk of double spending from Crossroads to a third party willing to take it for a fee. A small extension to the asset contract lets a depositor reassign an unfinalized deposit, enabling a separate fast-deposit contract to atomically swap a pending deposit claim for already-issued Crossroads tokens owned by the third party. Suppose, for example, that Alice deposits 10 ETH to Crossroads but does not want to wait for finality (approximately 15 minutes). Bob already has Crossroads ETH tokens and is willing to accept Alice’s deposit in exchange for his tokens, for a small fee, after it gets one block confirmation (under 12 seconds). Alice atomically swaps her deposit claim for 9.999 Crossroads ETH tokens from Bob. Once the deposit finalizes, Bob submits the deposit proof and is issued 10 Crossroads ETH tokens for a profit of 0.001 ETH. This mechanism mirrors the fast fills of intent-based bridges such as Across [across], where relayers provide quick access to bridged funds for a fee; in Crossroads, however, the third party is repaid through the standard deposit flow.

4.2 Withdrawals

On most account-based blockchains, deposits to Crossroads can happen in parallel, since each deposit transaction is independent of all other deposits and all withdrawals. In our Section 3 construction, however, withdrawals from the same chain all originate from the same encumbered address, so the system can only execute one withdrawal at a time per chain, after which it must wait for finalization and inclusion proof before signing the next.

We address this bottleneck with an intent-based withdrawal contract on the backend chain. To withdraw, a user locks the desired amount plus a small reward in Crossroads tokens in the contract. Any party, called a filler, may then send the equivalent native asset to the user’s destination address on the target chain from their own address. The filler then submits an inclusion proof to claim the locked tokens. If no filler claims the intent within a timeout, the user reclaims the locked tokens and falls back to the standard withdrawal path. As the asset transfer happens from the filler’s own address, it does not conflict with the encumbered account’s transactions, and many withdrawals can be served in parallel.

Without coordination, however, two fillers may race to fulfill the same request, with only one being reimbursed. To prevent this, fillers commit to a request by staking collateral on the backend chain; the contract accepts at most one commitment per intent, so any filler that commits is guaranteed to be the sole eligible claimant. If the committed filler fails to complete the transfer within the timeout, the stake is forfeited to the user as compensation for the delay.

A second route to higher throughput is to use multi-payment contracts on asset chains that support them, executing many transfers in a single transaction. Users wishing to withdraw in the next epoch lock the corresponding tokens and specify their destination addresses; the signing committee then signs a single transaction transferring all locked funds since the last epoch.

Finally, withdrawal throughput can also be increased by having Crossroads control several encumbered addresses per chain rather than one. Since the per-chain bottleneck in Section 3 stems from every withdrawal originating from a single address, distributing the chain’s liquidity across multiple encumbered addresses lets the signing committee sign withdrawals from each in parallel, one per address per epoch. The trade-off is that liquidity becomes fragmented across addresses, so withdrawals must be routed to an address holding sufficient funds, and occasional rebalancing is needed when balances drift.

5 Security of Crossroads

The main security property of Crossroads relates to asset ownership. We define the system as sound if and only if any user can, at any point, unilaterally withdraw their Crossroads net balance to externally owned accounts (EOAs) of their choosing. The net balance is calculated as the sum of all deposited assets, adjusted for the net value of internal transfers, minus any assets that have already been withdrawn. We show that this result implies both correctness and soundness of the system: under the threat model outlined below, no matter the circumstances, a user is always able to withdraw the assets it owns and no adversary can mint or burn tokens deliberately.

Crossroads makes several trust assumptions to achieve soundness, beyond the threshold assumption on the signing committee discussed in Section 5. We articulate them here.

5.1 Threat model

Backend blockchain.  We assume the backend blockchain provides standard execution guarantees: transactions are executed correctly, finalized transactions are permanent, and the chain remains available. A compromise of the backend blockchain (for instance, through a successful attack on its consensus) could lead to corruption of contract state, allowing an adversary to double spend withdrawals. We therefore recommend deploying Crossroads on a backend blockchain whose security guarantees match or exceed those of the asset chains it serves.

Signing committee.  Crossroads relies on a (t,n)(t,n)-threshold signing committee. We assume an adversary corrupts strictly fewer than tt committee members. Beyond this baseline, we present additional mechanisms (Section 5.3) to mitigate the impact of committee compromise. To achieve soundness we also require the signing committee to be live and acting strictly under Π𝖲𝖢𝖳𝖲𝖲\Pi^{\mathsf{TSS}}_{\mathsf{SC}}.

Oracles.  Crossroads relies on per-chain oracles to relay finalized transaction information from asset chains to the backend blockchain. We assume each oracle only confirms transactions that have been finalized on the source chain. We additionally assume oracles are live, meaning that any party can obtain a confirmation for any finalized transaction at any point. A compromised oracle could falsely confirm deposits that never occurred, causing the asset contract to mint unbacked wrapped tokens, or fail to confirm withdrawals, freezing user funds. Different oracle constructions satisfy oracle soundness under different trust assumptions: zkBridge-based oracles rely on the soundness of zero-knowledge proofs and the source chain’s consensus, while TEE-based oracles trust the integrity of the hardware enclave. This makes this trust assumption application specific. However, the impact of an oracle compromise is contained to its own integration: each asset contract mints tokens only against attestations from its designated oracle, so a faulty oracle for one chain can inflate or freeze only the wrapped assets of that chain.

5.2 Crossroads soundness

Let 𝒰\mathcal{U} be the set of registered accounts to the Crossroads system, and \mathcal{B} the set of asset blockchains which fulfill the requirements of 3.2. We model the system’s evolution as an ordered sequence of operations, where each operation is either a call to the Crossroads asset contract crsrds(𝒪,𝒯)\textsf{crsrds}(\mathcal{O},\mathcal{T}_{\mathcal{B}}), a message in the signing-committee protocol Π𝖲𝖢𝖳𝖲𝖲\Pi^{\mathsf{TSS}}_{\mathsf{SC}}, or the broadcast of a transaction to an asset chain. A transcript σ\vec{\sigma} is a finite, ordered sequence of operations. We say an operation is 𝖺𝖼𝖼𝗍\mathsf{acct}-issuable if it can be performed using only 𝖺𝖼𝖼𝗍\mathsf{acct}’s backend signing key; in particular, it requires no cooperation from any other backend account, oracle, or external party.

We assume each asset chain 𝖼𝗁𝖺𝗂𝗇\mathsf{chain} defines a validity predicate 𝖵𝖺𝗅𝗂𝖽𝖼𝗁𝖺𝗂𝗇(𝗍𝗑,𝗌𝗍)\mathsf{Valid}_{\mathsf{chain}}(\mathsf{tx},\mathsf{st}) on transactions and chain states, capturing the chain’s inclusion checks: well-formedness, signature verification under the sender’s key, epoch validity (or non-conflict with prior spends), and assurance the sender’s native balance covers 𝗏𝖺𝗅𝗎𝖾(𝗍𝗑)+𝖿𝖾𝖾(𝗍𝗑)\mathsf{value}(\mathsf{tx})+\mathsf{fee}(\mathsf{tx}).

Fix an account 𝖺𝖼𝖼𝗍𝒰\mathsf{acct}\in\mathcal{U}, a blockchain 𝖼𝗁𝖺𝗂𝗇\mathsf{chain}\in\mathcal{B}, and a transcript σ\vec{\sigma}, and consider the operations of σ\vec{\sigma} that call 𝖼𝗁𝖺𝗂𝗇\mathsf{chain}’s asset contract crsrds(𝒪,𝒯)\textsf{crsrds}(\mathcal{O},\mathcal{T}_{\mathcal{B}}) and execute successfully, i.e., that pass the contract’s assertions and so update balances. Among these, let 𝖣𝖾𝗉(𝖺𝖼𝖼𝗍)\mathsf{Dep}(\mathsf{acct}) be the Deposit calls credited to 𝖺𝖼𝖼𝗍\mathsf{acct} and 𝖶𝗂𝗍𝗁(𝖺𝖼𝖼𝗍)\mathsf{With}(\mathsf{acct}) the ConfirmWithdrawal calls attributed to 𝖺𝖼𝖼𝗍\mathsf{acct} via the transaction binding, and let 𝖱𝖼𝗏(𝖺𝖼𝖼𝗍)\mathsf{Rcv}(\mathsf{acct}) and 𝖲𝗇𝖽(𝖺𝖼𝖼𝗍)\mathsf{Snd}(\mathsf{acct}) be the Transfer calls in which 𝖺𝖼𝖼𝗍\mathsf{acct} is the recipient and the sender, respectively. For each such operation, 𝖺𝗆𝗍\mathsf{amt} denotes the amount deposited, withdrawn, or transferred; for 𝗍𝗑𝖶𝗂𝗍𝗁(𝖺𝖼𝖼𝗍)\mathsf{tx}\in\mathsf{With}(\mathsf{acct}), 𝖿𝖾𝖾\mathsf{fee} additionally denotes the on-chain withdrawal fee reported by 𝒪\mathcal{O}. We define the net balance of 𝖺𝖼𝖼𝗍\mathsf{acct} for 𝖼𝗁𝖺𝗂𝗇\mathsf{chain} with respect to σ\vec{\sigma} as:

𝖭𝖾𝗍(𝖺𝖼𝖼𝗍,𝖼𝗁𝖺𝗂𝗇,σ)=𝗍𝗑σ𝖣𝖾𝗉(𝖺𝖼𝖼𝗍)𝖺𝗆𝗍(𝗍𝗑)+𝗍𝗑σ𝖱𝖼𝗏(𝖺𝖼𝖼𝗍)𝖺𝗆𝗍(𝗍𝗑)\displaystyle\mathsf{Net}(\mathsf{acct},\mathsf{chain},\vec{\sigma})\;=\;\sum_{\begin{subarray}{c}\mathsf{tx}\in\vec{\sigma}\\ \mathsf{Dep}(\mathsf{acct})\end{subarray}}\mathsf{amt}(\mathsf{tx})\;+\;\sum_{\begin{subarray}{c}\mathsf{tx}\in\vec{\sigma}\\ \mathsf{Rcv}(\mathsf{acct})\end{subarray}}\mathsf{amt}(\mathsf{tx})
𝗍𝗑σ𝖶𝗂𝗍𝗁(𝖺𝖼𝖼𝗍)(𝖺𝗆𝗍(𝗍𝗑)+𝖿𝖾𝖾(𝗍𝗑))𝗍𝗑σ𝖲𝗇𝖽(𝖺𝖼𝖼𝗍)𝖺𝗆𝗍(𝗍𝗑).\displaystyle-\;\sum_{\begin{subarray}{c}\mathsf{tx}\in\vec{\sigma}\\ \mathsf{With}(\mathsf{acct})\end{subarray}}\big(\mathsf{amt}(\mathsf{tx})+\mathsf{fee}(\mathsf{tx})\big)\;-\;\sum_{\begin{subarray}{c}\mathsf{tx}\in\vec{\sigma}\\ \mathsf{Snd}(\mathsf{acct})\end{subarray}}\mathsf{amt}(\mathsf{tx}).
Definition 2 (Soundness).

We say Crossroads is sound if, for any transcript σ\vec{\sigma}, 𝖼𝗁𝖺𝗂𝗇\mathsf{chain}\in\mathcal{B}, 𝖺𝖼𝖼𝗍𝒰\mathsf{acct}\in\mathcal{U}, 𝖺𝖽𝖽𝗋𝖽𝖾𝗌𝗍\mathsf{addr}_{\mathsf{dest}}, 𝖺𝗆𝗍\mathsf{amt}, 𝖿𝖾𝖾\mathsf{fee} with 𝖭𝖾𝗍(𝖺𝖼𝖼𝗍,𝖼𝗁𝖺𝗂𝗇,σ)𝖺𝗆𝗍+𝖿𝖾𝖾\mathsf{Net}(\mathsf{acct},\mathsf{chain},\vec{\sigma})\geq\mathsf{amt}+\mathsf{fee}, and with 𝖻𝖺𝗅[(𝖺𝖼𝖼𝗍,η)]r\mathsf{bal}[(\mathsf{acct},\eta)]\geq r in the contract state determined by the execution of σ\vec{\sigma}, 𝖺𝖼𝖼𝗍\mathsf{acct} can produce a finite ordered sequence SS of 𝖺𝖼𝖼𝗍\mathsf{acct}-issuable operations such that, for every PPT adversary, with all but negligible probability over the coins of ΠDKG\Pi_{\textsf{DKG}}, TSS, and the adversary, every transcript σ\vec{\sigma}^{\prime} extending σ\vec{\sigma} that contains SS in order includes a transaction 𝗍𝗑\mathsf{tx} broadcast to 𝖼𝗁𝖺𝗂𝗇\mathsf{chain} with 𝗋𝖾𝖼𝗂𝗉𝗂𝖾𝗇𝗍(𝗍𝗑)=𝖺𝖽𝖽𝗋𝖽𝖾𝗌𝗍\mathsf{recipient}(\mathsf{tx})=\mathsf{addr}_{\mathsf{dest}}, 𝗏𝖺𝗅𝗎𝖾(𝗍𝗑)=𝖺𝗆𝗍\mathsf{value}(\mathsf{tx})=\mathsf{amt}, and 𝖵𝖺𝗅𝗂𝖽𝖼𝗁𝖺𝗂𝗇(𝗍𝗑,𝗌𝗍𝖼𝗁𝖺𝗂𝗇)=1\mathsf{Valid}_{\mathsf{chain}}(\mathsf{tx},\mathsf{st}_{\mathsf{chain}})=1, where 𝗌𝗍𝖼𝗁𝖺𝗂𝗇\mathsf{st}_{\mathsf{chain}} is the chain state at the moment 𝗍𝗑\mathsf{tx} is broadcast.

Intuitively, soundness captures the end-to-end guarantee that no sequence of valid operations can deprive a user of their assets: whatever value a user has deposited into Crossroads, adjusted for internal transfers and prior withdrawals, remains recoverable.

Soundness thus guarantees a valid broadcast, not inclusion. All withdrawals spend from the same encumbered address, so signed transactions for the same epoch are mutually exclusive, and a competing withdrawal may be included first. Losing such a race costs latency, never funds. By single-choice inclusion (Section 3.2), the superseded transaction becomes permanently invalid, while the user’s pending-withdrawal balance is untouched, so the user may request a fresh signature for the next epoch and rebroadcast.

Moreover, soundness is a property of the Crossroads protocol, not of the applications built on it. It guarantees that whoever holds a net balance can withdraw it, not that a faulty application won’t take that balance from you. If a flawed AMM or lending contract drains your tokens, soundness still holds (the new holder can withdraw), but your assets are gone. As on any smart-contract platform, application-layer security is orthogonal to soundness of the underlying system.

We now prove that the Crossroads functionalities satisfy this property under the threat model presented in 5.1.

Theorem 3 (System Soundness).

Let 𝖼𝗁𝖺𝗂𝗇\mathsf{chain}\in\mathcal{B} be a compatible blockchain satisfying Oracle Soundness, and instantiate the signing committee protocol ΠSCTSS\Pi_{\textsf{SC}}^{\textsf{TSS}} with distributed key generation and a (t,n)(t,n)-threshold signature scheme TSS that is EUF-CMA secure against an adversary corrupting up to t1t-1 signers. Then, under the Crossroads asset contract crsrds(𝒪,𝒯)\textsf{crsrds}(\mathcal{O},\mathcal{T}_{\mathcal{B}}) and ΠSCTSS\Pi_{\textsf{SC}}^{\textsf{TSS}}, Crossroads satisfies soundness (Definition 2) against any PPT, resource-bounded adversary.

The proof is deferred to Appendix LABEL:appdx:proofs. The assumption on the bound of adversarial resources limits the number of withdrawals the adversary can finalize to compete with an honest user’s, and hence the number of times it can deny any single withdrawal; we discuss denial-of-service attacks, along with mitigations, in Appendix LABEL:subsec:dos.

5.3 Modular security enhancements

Committee-based protocols that custody large volumes of funds are frequent attack targets [krause20251, chainalysis2026kelpdao, zhang2024cross], so we now present several mechanisms that strengthen the security guarantees of Crossroads beyond the threshold assumption.

Heterogeneous TEE committee.

A first mechanism is to require (and enforce via attestation) that all committee nodes run within TEEs. Using a diverse mix of hardware architectures—such as Intel SGX, AMD SEV, and AWS Nitro Enclaves—further ensures that a hardware-level vulnerability specific to one manufacturer cannot compromise all committee members at once.

Security Council.  Another layer of security would be to have an emergency council with the power to freeze Crossroads contracts. This council could act as a decentralized governance layer designed to intervene during technical failures that automated systems might not catch. While the signing committee provides cryptographic security, the Council provides oversight to protect user capital from unforeseen exploits.

Hybridization.  When Crossroads is integrated with a blockchain that has smart contract capabilities, it is possible to introduce an additional layer of security that remains effective even in the event of a TEE and committee compromise. In this scenario, funds can be stored within a smart contract on the native blockchain. This allows the smart contract to enforce programmatic security measures, such as limiting withdrawal throughput to prevent mass drainage, or providing a freeze functionality that can be activated by an external security council via a threshold signature.

Accountable threshold signing.  Standard threshold signatures conceal which committee members contributed to a given signature, limiting the system’s ability to hold misbehaving signers accountable. Accountable-subgroup multisignatures [10.1145/501983.502017] instead produce signatures that cryptographically reveal the signing subgroup to any verifier, with no reliance on off-chain transcripts or trusted logs. Adopting such a scheme in Crossroads would allow any signature produced outside the authorized withdrawal flow to be traced back to the participating signers, enabling on-chain slashing or removal from the committee.

6 Implementation

We provide a complete prototype of Crossroads with three blockchains currently integrated: Bitcoin, Ethereum, and Solana. Others may be integrated permissionlessly. The prototype uses a local EVM devnet as the backend blockchain as well as a simple MPC signing committee consisting of three signers. We make the source code of our prototype publicly available at https://github.com/trate3/crossroads.

6.1 Setup

We instantiate the signing committee using the threshold-signatures library by NEAR [near_threshold_signatures_2026]. Committee members participate in threshold signing under MPC to compute signatures—specifically, threshold ECDSA using a two-phase signing protocol [damgrard20fastthreshold] and FROST-Ed25519 [komlo2020frost]. ECDSA and Ed25519 cover the majority of signing algorithms used in current blockchains.

Bootstrap phase.

The signing committee requires a bootstrap phase for establishing the initial membership of the committee as well as generating the committee’s MPC root key. During the bootstrap phase, a smart contract is posted on the backend blockchain. Each member of the signing committee registers its identity to the smart contract. In our prototype, the committee members must be approved by a coordinator of the bootstrap contract (who has no other authority in the system) but in practice this step could require additional certification, such as a remote attestation of the committee members’ node software.

Once all the committee members are registered, the bootstrap coordinator distributes connection information (e.g. network addresses) to the committee members, who then begin distributed key generation and create the root secret key material.

Asset contracts.

We cleanly separate the Crossroads asset contract into two components: a chain-agnostic ERC-20 contract which is reused across all Crossroads tokens, and a contract responsible for the chain-specific implementation. The chain-specific contract must decode deposit/withdrawal transactions and transaction bindings, prove transaction inclusion (often with a separate oracle), and decide how much a serialized transaction costs or spends on its asset chain.

6.2 Ethereum

Ethereum’s account-based address system is well suited for Crossroads; deposits into an encumbered Ethereum account never not impose additional costs on withdrawals.

Epochs.

Ethereum transactions contain a natural gating mechanism, the nonce, as all transactions from the same signer must be included in nonce order. When a withdrawal transaction is proven included, the asset contract then allows signatures using the next nonce. For simplicity, only typical type-2 transactions may be signed, which prevents newer transaction types from interfering with our accounting.

Transaction binding.

As described in Section 3.4, deposits and signed withdrawal transactions must be attributable to a Crossroads account, and this is accomplished through a transaction binding. Although Ethereum transactions have a data field, this field is used for smart contract interactions. Fortunately, extra data appended after the required transaction data is often ignored by smart contracts. Therefore, we use the final 20 bytes of the transaction calldata as the transaction binding.

Oracle.

Ethereum is secured through proof of stake, which cannot be verified succinctly in smart contracts, so we rely on an external block hash oracle. Transactions and their receipts are checked through Merkle proofs to their respective roots in the block header.

6.3 Bitcoin

Bitcoin follows the unspent transaction outputs (UTXO) model: transactions consist of at least one input (a previous unspent output) and at least one output. This affects our deposit model. If Crossroads were to accept payments from depositors as a typical Bitcoin wallet does, it would accumulate a set of spendable UTXOs. Bitcoin transaction fees are charged by the size of a transaction, so spending a large number of small UTXOs, each of which must be referenced in the transaction, adversely affects withdrawal costs.

We remedy this by requiring depositors to perform the UTXO consolidation (similar to the custom address deposits of Section 4.1). Rather than collecting new UTXOs, the Bitcoin asset contract instead maintains a single UTXO per encumbered account. The asset contract permits anyone to request transaction signatures with the current encumbered UTXO as an input—but only if the requester combines it with another input resulting in a net deposit to the encumbered account. When inclusion is proven for a Bitcoin transaction spending the encumbered account’s UTXO, the asset contract updates the current UTXO to the newly created one and increments the epoch number.

Epochs.

The asset contract’s single UTXO is initialized using a deposit transaction with the transaction binding, but all future deposits must use the encumbered account’s last UTXO. UTXOs from deposits made to the encumbered account which do not conform to the binding can be handled as separate deposit accounts as described in Section 4, but this is not part of our prototype.

Transaction binding.

The transaction binding we choose for Bitcoin transactions is a zero-value OP_RETURN output in the transaction, which contains a Crossroads address. For deposits, the address is where deposited funds should be issued, and for withdrawals, it is the spender account (enforced by the smart contract).

Oracle.

Our transaction oracle for Bitcoin validates a Merkle proof of transaction inclusion within the Bitcoin block in which it was mined. The block header can be verified using Bitcoin’s simplified payment verification scheme, i.e., a light client of Bitcoin which runs directly on the backend blockchain.

The requirement for signatures from the signing committee during the consolidation step of a deposit, spending the same Crossroads UTXO a withdrawal would spend, introduces an additional bottleneck not present in deposits on account-based blockchains. We note that combining multiple deposits or withdrawals into a single transaction would further increase throughput and reduce fees. Furthermore, multiple encumbered accounts can be used in parallel to account for this limitation (similar to how centralized exchanges maintain multiple hot wallets on each blockchain).

6.4 Solana

Like Ethereum, Solana is an account-based blockchain and accepts deposits into a Crossroads encumbered account without requiring interaction with the signing committee. Solana transactions are composed of a series of instructions to programs (equivalent to smart contracts).

Epochs.

Solana does not have a native per-account nonce by default, but it does support one, called the “durable nonce” [solana_durable_nonces]. A one-time payment initializing a durable nonce account must be made to cover the cost of storing the nonce. This requires an initialization step of two System Program instructions calling CreateAccount and InitializeNonceAccount on a fresh public key derived from the committee, separate from the primary account which holds deposited SOL tokens. The authority of this nonce account is set to the primary account during this step.111In Solana, the nonce account’s “authority” is the public key authorized to advance the nonce.

Transaction binding.

All signed Crossroads withdrawals contain three instructions: (1) AdvanceNonceAccount, (2) Transfer, and (3) Memo, which includes the transaction binding (the spender’s Crossroads account). If a signed transaction with an incorrect nonce is sent to the network (e.g., when a different transaction containing the same nonce has already been included), the transaction is considered invalid and is dropped without penalty.

Oracle.

Solana does not have a transaction Merkle tree, so we instead integrate a TEE-based transaction oracle service. This service aggregates the responses of a quorum of independent Solana RPC providers to the finalization state of a given transaction and, if they agree, produces a response signed by a key that itself is bound to the program’s attestation. The oracle smart contract verifies the attestation and adds the transaction hash to a set of finalized transactions.

6.5 Evaluation

We evaluated our implementation to assess the feasibility of running our system.

Although we used a free local Ethereum devnet as the backend blockchain for most of our testing, in practice Crossroads would be deployed on a public EVM blockchain. In Table I we report the cost of using Crossroads to deposit, transfer, and withdraw each of the three assets we integrated on five compatible backend blockchains. Unsurprisingly, L2 blockchains—Optimism, Base, and Arbitrum—offer better fee rates than Ethereum, as does Oasis Sapphire, a TEE-based blockchain used for privacy applications described in Section 7. Moreover, as shown in LABEL:appdx:signing-latency, Crossroads deposits and withdrawals cost little more than ordinary native transfers on each asset chain.

Throughput.

The base Crossroads design is constrained by withdrawals: there is one withdrawal per epoch per encumbered address, and each epoch is as long as the transaction finalization oracle requires. Under maximum security oracles that wait for six confirmations on Bitcoin and full finality on Ethereum and Solana, this means one transaction per encumbered account every 60 minutes, 15 minutes, and 13 seconds, respectively. Nonetheless, as described in Section 4.2, withdrawal throughput can easily be scaled across multiple encumbered accounts associated with that asset.

Latency.

If an encumbered account does not currently have a withdrawal waiting to finalize, it is immediately available for withdrawal use; otherwise, a user must wait for the existing transaction to finalize. We report the latency of signature requests using our prototype in LABEL:appdx:signing-latency.

Signing committee resources.

We measured the resources required to run an individual signing committee member under multiple committee sizes. Even with a committee size of 15, each node used under 20 MB of memory to run the signer application (on top of OS memory) and at 20 signing requests per second used approximately 637.6 KB/s of network bandwidth, split equally in both directions. Thus, a committee node would fit in most small-sized cloud compute instances at low cost.

Action Asset Ethereum Optimism Base Arbitrum Sapphire
Prove deposit Ethereum $0.1418 $0.000573 $0.00323 $0.0109 $0.000205
Bitcoin $0.1564 $0.000625 $0.00355 $0.0120 $0.000226
Solana $0.0733 $0.000289 $0.00166 $0.00564 $0.000106
Transfer (any) $0.0223 $0.000090 $0.00051 $0.00173 $0.000032
Burn for spending (any) $0.0487 $0.000189 $0.00110 $0.00374 $0.000071
Prove with- drawal Ethereum $0.1411 $0.000572 $0.00321 $0.0109 $0.000204
Bitcoin $0.1584 $0.000635 $0.00360 $0.0122 $0.000229
Solana $0.0758 $0.000301 $0.00172 $0.00584 $0.000110
TABLE I: Crossroads operation costs in USD targeting our three asset integrations, under different backend chains. The backend native token prices, gas prices, and L1 data fees are based on those from June 10, 2026: ETH $1,624.48, BTC $61,575.66, SOL $64.03, and ROSE $0.006203.

7 Crossroads Applications

\__nicematrix_patch_booktabs:\__nicematrix_revert_colortbl: