Unlocking AMM Contracts in Bitcoin's Layered Future with Tondi
Yosei Tsukifune
Introduction
Multi-layer Automated Market Makers (AMMs) enable seamless asset swaps across different blockchain layers and ecosystems, eliminating fragmentation of liquidity. As decentralized finance expands beyond single chains, cross-ecosystem AMMs have become a key innovation to trustlessly trade assets between Layer-1 (L1) networks (like Bitcoin and Ethereum) and Layer-2 (L2) systems (such as client-validated state networks like RGB or payment channels). The motivation for multi-layer AMMs is to combine the strengths of each platform: for example, Bitcoin’s security and liquidity, Ethereum’s smart contract flexibility, and emerging high-performance chains like Tondi (a next-gen L1 by AvatoLabs) with their built-in support for off-chain state protocols. A multi-layer AMM would allow a user to swap, say, Bitcoin for a token on an RGB sidechain, or an RGB token for an ERC-20 on Ethereum, in one integrated system without centralized intermediaries.
A critical building block enabling this vision is the RGB protocol and its state model. RGB is a smart contract system for Bitcoin and Lightning that uses client-side validation and off-chain state commitments instead of global consensus. In RGB, contracts form a directed acyclic graph (DAG) of state transitions anchored to Bitcoin UTXOs (or other chains’ UTXOs) via cryptographic commitments. This means RGB assets (like tokens, rights, NFTs) can be issued and transferred with minimal on-chain footprint, preserving privacy and scalability. The state model is local: only parties to a contract know its data, and transfers are verified by checking cryptographic proofs against the anchor UTXOs. This isolation provides confidentiality (no one can see an RGB contract’s existence or balances except the owners) and flexibility to implement complex contract logic off-chain.
For multi-layer AMMs, RGB’s state model is crucial – it allows representing liquidity pools and trades as off-chain state transitions that are anchored on L1 (ensuring security) but executed off-chain (ensuring speed and privacy).
In summary, integrating Tondi, Bitcoin (BTC), RGB assets on Bitcoin and Tondi, and Ethereum (ETH) into unified AMM mechanisms can leverage the unique benefits of each. Tondi, for instance, is a high-performance Proof-of-Work chain with GhostDAG concurrency, ~1 second finality and native RGB support. Bitcoin provides deep liquidity and security, while Ethereum offers a rich DeFi ecosystem. RGB acts as a bridge, enabling assets to live on Bitcoin or Tondi with smart contract logic but without burdening base chains. In the following sections, we present a scenario matrix of possible AMM setups across these layers, dive into the technical architecture for each scenario, and outline the key technologies ( Avato Labs’ State Relay Graph (SRG) networks, hash time-locks, discrete log contracts, and multi-signature schemes) that make cross-chain swaps safe and efficient. We also discuss privacy/security enhancements (Taproot, CoinJoin, zero-knowledge channels), provide an engineering roadmap, pseudocode for RGB-aware AMM logic, and illustrative flow diagrams. This internal whitepaper is intended to guide AvatoLabs engineers in building a next-generation multi-layer AMM system that spans Bitcoin, Tondi, RGB, and Ethereum.
Scenario Matrix: Multi-Layer AMM Scenarios
The table below summarizes seven AMM scenarios categorized by the layer context (L1 vs L2), the ecosystems involved (Bitcoin, Tondi, Ethereum), and the swapping mechanism used. Each scenario represents a distinct setting in which an AMM or atomic swap could operate:
| Scenario (Example) | Layer Context | Ecosystems | Swap Mechanism |
| 1. BTC ↔ Tondi (native L1 swap) | L1 ↔ L1 (cross-chain) | Bitcoin & Tondi (native coins) | Atomic swap (HTLC or DLC) |
| 2. BTC ↔ RGB on BTC (same-chain) | L1 ↔ L2 (same L1 base) | Bitcoin mainnet & RGB@Bitcoin | Intra-chain atomic swap (HTLC/adaptor) or on-chain pool |
| 3. Tondi ↔ RGB on Tondi (same-chain) | L1 ↔ L2 (same L1 base) | Tondi mainnet & RGB@Tondi | Intra-chain atomic swap or native AMM contract (AluVM) |
| 4. BTC ↔ RGB on Tondi | L1 ↔ L2 (cross-chain) | Bitcoin & Tondi (RGB asset) | Cross-chain atomic swap (HTLC) or SRG relay |
| 5. Tondi ↔ RGB on BTC | L1 ↔ L2 (cross-chain) | Tondi & Bitcoin (RGB asset) | Cross-chain atomic swap (HTLC) or SRG relay |
| 6. RGB on BTC ↔ RGB on Tondi | L2 ↔ L2 (cross-anchor) | RGB@Bitcoin & RGB@Tondi | State Relay Graph (SRG) or dual-HTLC/DLC bridging |
| 7. RGB ↔ ETH (ERC-20 or ETH) | L2 ↔ L1 (cross-ecosystem) | RGB (Bitcoin/Tondi) & Ethereum | HTLC atomic swap (hashed secret on BTC & ETH) or Oracle/DLC bridge |
Each scenario addresses a unique combination: scenarios 2 & 3 are same-ecosystem (swapping a base-layer coin with an RGB asset on the same chain), scenarios 4 & 5 are cross-ecosystem different-layer swaps (swapping a coin on one chain with an RGB asset on another chain), scenario 6 is an L2-only swap across two different base chains, scenario 1 is a direct L1-to-L1 cross-chain swap between native cryptocurrencies, and scenario 7 involves bridging between an RGB asset and the Ethereum ecosystem. The “Swap Mechanism” column outlines the primary technology enabling each swap: for instance, hashed timelock contracts (HTLCs) for trustless cross-chain atomic swaps, State Relay Graph for transferring state across RGB instances, or on-chain AMM logic for intra-chain pools. In the next section, we delve into the technical architecture and mechanisms of each scenario.
Technical Architecture per Scenario
This section describes how an AMM or atomic swap would be implemented for each scenario, highlighting the transaction flows and contract logic required. We cover both cross-chain atomic swap setups and same-chain AMM designs, noting where the approach is on-chain (e.g. using Bitcoin/Tondi scripts or Ethereum contracts) versus off-chain (e.g. using RGB smart contracts or state channels). Each scenario discussion references the mechanisms listed (HTLC, DLC, SRG, etc.) as applicable.
Cross-Layer Cross-Ecosystem AMMs (Tondi ↔ RGB on Bitcoin)
Scenario 4/5: Tondi coin ↔ RGB asset on Bitcoin. Here one side is a native L1 asset on the Tondi blockchain, and the other side is an RGB-issued asset anchored in the Bitcoin blockchain. These swaps are cross-chain and cross-layer: the assets reside on entirely separate networks and one of them is a layer-2 asset. To enable trustless exchange, the typical approach is a two-step atomic swap protocol using HTLCs on both sides. For example, to swap 100 Tondi coins for an equivalent value of an RGB token on Bitcoin, the sequence is:
Hashed Secret Setup: The initiator (say, Alice on Bitcoin side) generates a random secret and shares the hash H(secret) with the counterparty (Bob on Tondi side).
Lock on Chain A: Alice locks her RGB asset output in a Bitcoin UTXO committed to a script requiring revelation of the secret for spend (within a timeout). This can be done via a Bitcoin Taproot script or an RGB contract state update that’s encumbered by an HTLC condition.
Lock on Chain B: Bob locks his Tondi coins in a Tondi transaction (Tondi supports Bitcoin-like scripting with Taproot-only policy) using an HTLC with the same hash and a shorter timeout.
Secret Revelation: Once both funds are locked, Alice reveals the secret to claim the Tondi coins on Tondi’s chain. Revealing the secret (as the HTLC preimage) allows the contract on Tondi to pay Alice. This secret is then seen on-chain.
Cross-claim: Bob, upon seeing the secret on-chain, uses it to claim the Bitcoin-anchored RGB assets. The HTLC on Bitcoin releases the RGB asset to Bob when the correct preimage is provided.
Timeout Refunds: If either party fails to lock or reveal in time, timeouts trigger refunds: e.g. if Bob never locks Tondi coins, Alice’s Bitcoin HTLC lets her reclaim her asset after the timeout, and vice versa.
Using HTLCs in this way ensures the swap is atomic: either both transfers execute or both parties get refunded. However, a downside of naive HTLC atomic swaps is the on-chain linkage – the same hash appears on both blockchains, which can alert observers that a cross-chain swap took place. In the above example, an identical hash H(secret) would be seen on Tondi and Bitcoin within a short time window, linking the transactions.
To mitigate this and improve efficiency, Adaptor Signatures (scriptless atomic swaps) can be used in chains that support Schnorr signatures (both Tondi and Bitcoin do via Taproot). Instead of explicit hash-lock scripts, the secret is embedded in a partial signature that Alice gives to Bob. Bob can only finalize the signature (to spend Alice’s UTXO) if he provides the secret, and doing so effectively reveals the secret to Alice via the signature’s metadata. This adaptor signature approach is more private (no on-chain hash) and efficient, but requires compatible cryptographic setups on both sides. Tondi’s Taproot-based UTXO model and Bitcoin’s Taproot make this possible. The swap still relies on time-locks for safety (to allow refunds), but the on-chain transactions just look like regular multi-signature spends rather than HLTC scripts.
Another approach especially relevant if one side is an RGB asset is using a Discreet Log Contract (DLC). In a DLC-based swap, Alice and Bob would lock funds in a 2-of-2 multisig on each chain and rely on an oracle to attest which transfer happened first. For instance, both could set up a DLC that essentially bets on the event “Alice revealed the secret on Tondi by time X”. If yes, then the DLC pays out Bob the Bitcoin funds; if not, it refunds Alice. An oracle (or a federation of oracles) would watch Tondi’s chain for the secret revelation and sign an outcome. DLCs keep contract details private on-chain (they look like a 2-of-2 spend, with oracle signatures used off-chain). The trade-off is introducing an external oracle (trusted for correctness). In an internal AMM context, the oracle could be an automated function of the network (e.g., an SRG node acting as watcher) to minimize trust.
Finally, AvatoLabs’ State Relay Graph (SRG) network can facilitate this scenario in a single step. SRG is a proposed off-chain relay network (an evolution of Lightning’s ideas) that can carry state transitions between chains with low latency and high privacy, replacing the need for direct on-chain HTLCs. For example, an SRG node connected to both Bitcoin and Tondi could atomically transfer an RGB state commitment from Alice to Bob while simultaneously triggering a Tondi transaction from Bob to Alice, using cryptographic commitments to ensure atomicity. In practice, SRG would use state channels or state commitments on each chain: Alice and Bob might have channels open with an SRG node or a network of nodes. The SRG node coordinates the swap off-chain and only finalizes on-chain if disputes occur. This approach merges the swap into the network layer, potentially offering better privacy (nothing visible on-chain if cooperative) and speed (near-instant settlement). We discuss SRG architecture more in the Key Technologies section, but in summary, for Tondi ↔ RGB(BTC) swaps, the architecture spans: on-chain HTLCs or adaptor signatures for trustless atomicity, possible DLC/oracle integration for improved cross-chain UX, or advanced off-chain relay via SRG for minimal on-chain footprint and rapid execution.
Same-Ecosystem AMMs (BTC ↔ RGB on BTC, and Tondi ↔ RGB on Tondi)
Scenario 2: Bitcoin (BTC) ↔ RGB asset on Bitcoin. In this case, both assets share the same base chain (Bitcoin). One leg of the swap is plain BTC, the other is an RGB-issued token (or any RGB smart contract asset) that uses Bitcoin UTXOs as its state anchors. Because both assets ultimately settle on Bitcoin, this scenario can be handled in a single on-chain transaction or via a single-chain AMM contract. The simplest mechanism is an on-chain atomic swap: Alice and Bob can create a Bitcoin transaction where one output pays Bob X BTC and another output commits to transferring the RGB asset to Alice. They both sign this transaction cooperatively. If either party refuses to sign, the swap aborts with no partial execution. When it’s broadcast, the swap is atomic by design (both transfers occur in one transaction). This is effectively like a CoinJoin trade – multiple inputs (Alice’s RGB UTXO and Bob’s BTC input) and multiple outputs (Alice’s new RGB UTXO, Bob’s BTC output) in one transaction. Outside observers just see a CoinJoin transaction, not an obvious trade (especially if amounts are not publicly linkable, since RGB commitment outputs do not reveal the asset transfer amount on-chain). In this way, Bitcoin and RGB on Bitcoin can be swapped with strong privacy: it’s indistinguishable from a batch transaction. The trade execution is client-side (constructing and exchanging partially signed Bitcoin transactions).
However, to truly function as an AMM (continuous liquidity, not just peer-to-peer swap), we can introduce an RGB-aware liquidity pool. For example, a pool could hold some BTC and some RGB-token (representing liquidity provided by users) and allow anyone to swap against it at a formulaic price (like Uniswap’s constant product formula). On Ethereum, this is done via smart contracts, but on Bitcoin we don’t have Turing-complete contracts on-chain. Instead, the logic can be implemented in the RGB smart contract (off-chain) with the Bitcoin chain just enforcing custody via multisig and Taproot scripts. The pool would be an RGB contract that tracks two assets (BTC and the token) and defines rules for swapping (ensuring the product invariant or another formula). AluVM, the RGB virtual machine for contract logic, could encode the AMM pricing logic as part of the contract schema, meaning that any state transition (trade) that doesn’t satisfy the price formula or preserve liquidity shares would be invalid.
In practical terms, an RGB AMM swap on Bitcoin works like this: the pool contract has a current state (with certain BTC and token reserves, and perhaps pool share units). A user (trader) proposes a state transition where they add N BTC to the pool and remove M tokens (or vice versa), such that the new state still satisfies the invariant and fees. This state transition will be a new RGB state entry, and it must be anchored in a new Bitcoin transaction output. The user provides BTC input UTXOs and the pool’s existing UTXO is also spent; a new UTXO is created that represents the updated pool reserves (committed via RGB) and another output pays out the swapped asset to the user. Both the user and the pool (or its controlling key) co-sign this Bitcoin transaction, effectively performing a coinjoin swap. This client-side-validated AMM ensures the trade is atomic (one Bitcoin transaction for both legs) and that the pricing is enforced by the RGB contract’s rules (the pool’s state transition is invalid unless the ratio is correct). The advantage is that on Bitcoin’s ledger, this still appears as a single Taproot output being spent and reassigned – with MuSig2 multi-sig, even the fact that two parties signed can be hidden, appearing as a normal Taproot spend.
On Tondi ↔ RGB on Tondi (Scenario 3), a very similar setup applies, because Tondi is designed to support RGB natively. Tondi’s base chain would handle the UTXO and Taproot script aspects, and the RGB contract would handle the pool logic. The difference is Tondi’s much higher throughput and 1-second finality, which means on-chain transactions for swaps can confirm almost instantly, making the AMM experience smoother. In fact, Tondi could potentially support an on-chain AMM contract directly (since it’s taproot-only, one could implement a series of tapscript conditions for an AMM, or leverage AluVM if integrated). But the more flexible approach is still using RGB’s off-chain VM: the AMM logic runs in AluVM off-chain, and Tondi just locks/unlocks funds. Tondi’s GhostDAG concurrency means even heavy traffic won’t slow down confirmation, so users could interact with an AMM frequently on-chain. Privacy is also enhanced via Taproot and Schnorr: multi-party pool updates appear as single-signature spends, and unused branches of logic remain hidden. If needed, CoinJoin techniques can be applied on Tondi as well – multiple trades could be bundled or combined with other transactions to confuse tracing.
To summarize, same-ecosystem BTC–RGB or Tondi–RGB swaps can be done either via one-time atomic swaps (two-party transactions) or via a standing AMM pool contract. The former is simpler; the latter requires more engineering (pool management, LP tokens, etc.) but provides continuous liquidity. Both leverage the fact that a common base chain underpins both assets, allowing atomicity in a single transaction. Bitcoin’s case leans heavily on RGB’s client-side contracts for logic, whereas Tondi’s performance could even allow hybrid on-chain logic. Importantly, these intra-chain swaps do not require complex cross-chain HTLCs since there’s no second blockchain to coordinate with, simplifying the design.
L2-Only Swaps Between Different Anchors (RGB on Tondi ↔ RGB on Bitcoin)
Scenario 6: RGB asset on Bitcoin ↔ RGB asset on Tondi. This scenario is an off-chain asset swap where both assets are RGB-issued, but their anchors reside on different L1 chains. For example, imagine swapping a token that lives on Bitcoin (RGB contract anchored in a BTC UTXO) with a token that lives on Tondi (RGB contract anchored in a Tondi UTXO). This is essentially a cross-chain swap, but both sides use the same contract protocol (RGB), which opens up unique possibilities. One approach is similar to the HTLC atomic swap described earlier: since the anchors are on different chains, we can do a hash-lock on each anchor output (one in a Bitcoin transaction, one in a Tondi transaction) and swap the secrets. But a more elegant approach is to use the State Relay Graph (SRG) network to transfer state.
SRG can be thought of as an inter-layer router for state updates. If two RGB smart contracts on different chains need to interchange ownership of assets, SRG nodes can facilitate this by creating a state transfer channel. For instance, Alice holds RGB Token X on Bitcoin, Bob holds RGB Token Y on Tondi, and they want to swap. With SRG, they open a joint state channel (possibly through intermediary nodes) that connects the two contract states. The SRG protocol (as conceived by AvatoLabs) replaces Lightning’s gossip with a graph of state relayers, meaning an update can be rapidly propagated across chain boundaries. Alice and Bob would both commit their current RGB states into the SRG (perhaps by partial withdrawal to an SRG multi-sig address on each chain). Then, an off-chain atomic state swap occurs: effectively, the SRG node updates its record such that ownership of Token X’s state is assigned to Bob and Token Y’s state to Alice. This would be done by exchanging state transfer proofs off-chain. Finally, each party closes out their channel on each chain, anchoring the new ownership. The result: Alice ends up with an RGB state (Token Y) on Tondi, and Bob ends up with Token X on Bitcoin, without needing a direct on-chain atomic swap. The Mermaid diagram below illustrates the SRG flow between two RGB anchors (Bitcoin and Tondi):
flowchart LR
subgraph Bitcoin Network
A[RGB Anchor UTXO on BTC]
end
subgraph SRG Relay Network
R[State Relay Nodes]
end
subgraph Tondi Network
B[RGB Anchor UTXO on Tondi]
end
A -- lock state --> R
B -- lock state --> R
R -- swap state off-chain --> R
A == new owner ==> B
B == new owner ==> A
R -- release updated state --> A
R -- release updated state --> B
Figure: SRG-mediated state swap between an RGB contract anchored on Bitcoin and one on Tondi. In this flow, both parties commit their state to an SRG node or a network of relays (locking them temporarily, akin to opening a channel). The SRG performs an off-chain atomic swap of the state assignments, then each party releases (withdraws) the updated state back to the respective L1 anchors.
Of course, SRG is a cutting-edge approach and requires infrastructure support. In absence of SRG, a fallback is to use dual HTLC or DLC: treat each RGB asset like it was a coin on its base chain and do cross swaps. That means constructing an HTLC on Bitcoin (for Token X transfer) and one on Tondi (for Token Y transfer) with a shared secret. The complexity is that executing the RGB transfer might involve making a dummy payment (e.g., sending the RGB state to a predetermined pubkey that the other party can later claim with the secret). Another fallback is to bridge one asset to the other chain first (e.g., move Token Y from Tondi to Bitcoin via a bridge, then swap on one chain), but that introduces additional trust and latency.
In summary, L2-to-L2 cross-anchor swaps benefit greatly from a dedicated relay network. SRG provides a trust-minimized way to do this by leveraging off-chain channels and possibly cryptographic guarantees similar to payment channels. This preserves privacy (no on-chain hash clues) and speed (nearly instant finality off-chain, with only final settlement on-chain). It essentially generalizes the concept of a decentralized exchange to operate across layers. We will integrate SRG support in later roadmap phases to handle scenarios like RGB@Bitcoin ↔ RGB@Tondi seamlessly.
L1-to-L1 Native Asset Atomic Swaps (BTC ↔ Tondi)
Scenario 1: Bitcoin vs Tondi native coins. This is a cross-chain atomic swap between two Layer-1 blockchains. The mechanism here is the classical cross-chain HTLC swap, since neither Bitcoin nor Tondi by themselves trust or recognize each other’s transactions. We use a hash time-locked contract on both chains: e.g., Alice locks BTC in a Bitcoin output that can be spent by Bob if and only if Bob reveals a secret (preimage) before time T1, otherwise Alice can refund after T1. Similarly, Bob locks TONDI (native coin of Tondi) in a Tondi transaction that Alice can spend if she reveals the same secret before time T2 (with T2 < T1), otherwise Bob refunds after T2. This protocol was first proposed by TierNolan in 2013 and successfully demonstrated between chains like Litecoin and Bitcoin in 2017. It ensures that if Alice redeems Bob’s coins by revealing the secret, Bob immediately learns the secret and can redeem Alice’s coins. If either side aborts, each retrieves their original coins after timeouts.
One important consideration for a BTC–Tondi HTLC swap is that both chains must support the same hash function and time-lock capability. Bitcoin and Tondi both support SHA-256 hashing and timelocks (Tondi adopts Bitcoin script semantics with Taproot-only outputs), so this is satisfied. The swap can be implemented with a Taproot script output on Bitcoin and an analogous output on Tondi. For privacy and efficiency, we can incorporate MuSig2 multi-signatures and Taproot: For instance, Alice and Bob could create a Taproot output on Bitcoin with an internal key that is a MuSig2 aggregation of their keys (meaning if they cooperate with no dispute, they can sign and spend it directly, hiding the swap script), and with a fallback tapscript that is the HTLC condition. Similarly on Tondi. During a successful swap, Alice and Bob might actually co-sign spends (this would happen if they trust the outcome enough or use adaptor sigs), making the transactions look like ordinary transfers. Only if a timeout refund is needed would the HTLC script be revealed. This “Taprootized” design hides the very fact that an atomic swap took place – an external observer just sees normal payments on both chains. If the swap is executed, the secret’s revelation might be the only link, but even that can be obscured using adaptor signatures (where the secret is never explicitly on-chain, it’s deduced from signatures).
The diagram below shows a simplified HTLC atomic swap flow between BTC and Tondi:
sequenceDiagram
participant Alice as Alice (BTC holder)
participant Bob as Bob (Tondi holder)
Alice->>Bitcoin: Lock BTC with hash H(sec) & timelock (T1)
Bob-->>Tondi: Lock Tondi coins with H(sec) & timelock (T2 < T1)
Alice-->>Tondi: Reveal secret to claim Tondi coins
Bob->>Bitcoin: Use secret to claim BTC
Note over Alice,Bob: If secret not revealed by T2/T1, coins refund to original owners
Figure: Cross-chain atomic swap between Bitcoin and Tondi using HTLC. The two time-locked contracts enforce atomicity.
Aside from HTLCs, one could explore DLC here as well: e.g., use an oracle that monitors one chain from the other. For instance, a federation of watchtowers could attest “Bitcoin transaction X paid Alice” and trigger a Tondi contract to pay Bob, or vice versa. This, however, introduces a semi-trusted layer, so generally HTLCs are preferred for a trustless swap.
Because Tondi is a new chain with possibly low adoption initially, early swaps might involve order matching. A central order book (off-chain) could help find counterparties, but execution remains atomic on-chain. Over time, liquidity providers (like swapping nodes) could run automated programs to market-make between BTC and Tondi, ensuring someone is always available to swap at a given rate. These nodes could use the same HTLC protocols behind the scenes, but to the end-user it would feel like using a decentralized exchange.
In summary, the BTC–Tondi swap architecture is a textbook cross-chain atomic swap, augmented with modern enhancements (Taproot, MuSig2) to improve privacy and efficiency. No direct on-chain connection exists between Bitcoin and Tondi, so we rely on cryptographic tricks rather than any interoperability framework. We ensure the mechanism is secure (neither party can cheat the other: either swap completes or everyone keeps their coins) and, when possible, make it invisible – thanks to Taproot, the on-chain footprint of the swap can be made indistinguishable from normal transactions.
L2-to-EVM Bridging (RGB ↔ Ethereum)
Scenario 7: RGB asset ↔ Ethereum (ERC-20 or ETH). Bridging between Bitcoin-origin assets (like an RGB token) and Ethereum’s ecosystem presents a different set of challenges. Unlike Tondi, Ethereum is an account-based smart contract platform with no native concept of Bitcoin scripts or HTLCs, but it can run arbitrary logic in smart contracts. To swap an RGB asset for an Ethereum asset, we need a cross-chain bridge or atomic swap mechanism that spans a UTXO-based system and an account-based system.
One approach is to use a hashed secret lock on Ethereum and Bitcoin, similar to HTLC. Ethereum smart contracts can be written to mimic an HTLC: for example, Alice could deploy or call a small contract on Ethereum that holds her ETH (or ERC-20 tokens) and will release them to Bob if Bob provides a secret by time T2, otherwise refund to Alice after T2. On the RGB side, since RGB transfers aren’t “contracts” in the on-chain sense, Alice and Bob would use a Bitcoin HTLC for the Bitcoin UTXO that controls the RGB asset state (or use an adaptor signature setup). Concretely, Bob (RGB asset holder) would lock an RGB transfer to Alice contingent on the same secret (this might mean Bob creates an RGB transfer that is not final until the secret is known – e.g., he could embed H(secret) in the transfer’s validity predicate via AluVM, or simply use a Bitcoin script in the anchor UTXO). If Alice reveals the secret on Ethereum to get the ETH, that secret can be fed into the RGB transfer on Bitcoin to finalize it to Alice. The challenge here is Ethereum’s block times and Bitcoin’s – careful selection of timeouts is needed to account for chain differences.
A straightforward atomic swap is possible because Ethereum and Bitcoin share common hash functions and both support time locks. In fact, atomic swaps between BTC and ETH have been demonstrated using HTLCs: the Ethereum side uses a contract with keccak256(secret) (or SHA-256 if using a compatibility library) and a deadline, Bitcoin uses a script with OP_SHA256. Provided the hash and time parameters are chosen correctly, the swap is trustless. We would implement this such that the Ethereum contract holds asset A, the Bitcoin Taproot output (anchoring the RGB state) holds asset B, and the secret exchange links them.
However, direct cross-swap is not user-friendly for an AMM setting, because it requires users on both sides to be online and initiate transactions around the same time. A more practical design is a bridge with liquidity providers. For example, a bridging service (could be decentralized) might lock the RGB asset and mint an ERC-20 representation on Ethereum, or vice versa. This looks more like a two-step peg rather than an atomic swap. For instance, an RGB-to-ERC20 peg: Alice locks 100 RGB-USDT tokens in a Bitcoin transaction to a federation address; the federation (or a smart contract via an oracle) then mints 100 “Wrapped RGB-USDT” on Ethereum for Alice. Later, Alice can redeem by burning the ERC-20 and having the federation release her RGB tokens. This approach inevitably introduces trust in the bridge operators or oracles – something we aim to minimize.
A trust-minimized bridge can be done with DLC-style oracles: imagine a set of oracles that observe Ethereum events and have pre-committed to sign a message if a certain event (like a burn or lock) happened. On Bitcoin, Alice and the bridge operator could have a DLC that says: if oracle attests “ERC20 burned”, operator will pay out RGB to Alice; if oracle says “not burned by deadline”, operator gets to keep something (or Alice’s lock is refunded). This again complicates the design but avoids a single point of failure.
From the AMM perspective, one strategy is to integrate with existing Ethereum DEXes via proxy tokens. For example, if there is an asset on RGB that corresponds to an ERC-20 (like Tether USDt which exists on multiple chains), the AMM could allow a user to swap RGB-USDt for ETH by first converting RGB-USDt to ERC20-USDT through a bridge, then using Uniswap on Ethereum to swap USDT to ETH – all orchestrated behind the scenes. This would involve composing multiple steps but could be abstracted in the UI.
It’s worth noting that advanced research like Taprootized Atomic Swaps includes Bitcoin–Ethereum swaps using adaptor signatures and even zero-knowledge proofs to hide the swap link. In such a scheme, Alice and Bob could set up a situation where Alice’s Bitcoin Taproot output is spendable by a key that is tied (via an adaptor) to Bob’s secret on Ethereum. One concrete example is using ECDSA/Schnorr adaptor sig on Bitcoin and an EC-DSA signature on Ethereum’s contract (Ethereum’s EVM can verify an ECDSA signature, so one could engineer a contract where providing a valid signature for a known message equates to revealing the secret). These schemes are complex but they achieve cross-chain swaps with minimal leakage; in fact, one design shows that to an observer on Bitcoin, the transaction looks like any other payment, and on Ethereum it looks like a normal token transfer, with only off-chain knowledge linking them.
For our architecture, the likely near-term solution is to implement atomic swaps between RGB and Ethereum via HTLC contracts, and partner with or build a simple bridge interface. A user on RGB could interact with an AMM that has pooled liquidity in a contract on Ethereum. For example, AvatoLabs might deploy an Ethereum smart contract that serves as an automated market maker between ETH and a wrapped version of an RGB asset. When a user wants to swap RGB asset for ETH, the AMM would coordinate locking the RGB and calling the Ethereum contract (perhaps through an SRG oracle that has a foot in both worlds). This veers into cross-chain liquidity pools, which are an active research area.
In summary, RGB–ETH swaps require bridging the gap between UTXO-client-validated systems and EVM smart contracts. We will rely on HTLC atomic swaps as the baseline (ensuring security via time-locked secrets), and consider DLC or federation-based bridges for a smoother user experience. Privacy is weaker here since Ethereum transactions are public and not easily shielded (one might see an HTLC contract execution). CoinJoin doesn’t apply on Ethereum, but using privacy pools or soon zkRollups on Ethereum could obfuscate the trail (for instance, use a privacy-preserving DEX on Ethereum side). This scenario likely involves more moving parts (multiple transactions across chains), so in the roadmap we plan to tackle it in later phases after solidifying intra-Bitcoin and Bitcoin–Tondi mechanisms.
Key Technologies Enabling Multi-Layer AMMs
Having outlined the scenarios, we now focus on the core technologies that make these cross-layer, cross-ecosystem AMMs possible. These technologies include novel networking layers like SRG, smart contract logic for RGB, and cryptographic protocols ensuring atomicity and security. We describe each and its role in our system:
State Relay Graph (SRG) Architecture for Cross-Chain State
The State Relay Graph (SRG) is a proposed off-chain network architecture designed to generalize the Lightning Network’s channel mechanism into a graph for state transfer. In Lightning, off-chain payments are routed through channels with hash-locked secrets; SRG replaces this with a graph of state relayers that can transfer arbitrary state (not just payments) with improved privacy and flexibility. Each SRG node can be connected to multiple blockchains (Bitcoin, Tondi, etc.) and multiple peers, forming a graph. When we say “relay state”, we mean that an SRG node can take a committed state from one chain and atomically relay it to another chain’s context.
In our AMM design, SRG plays two major roles:
Cross-anchor RGB Transfers: As described in Scenario 6, SRG nodes can facilitate the transfer of RGB contract state between Bitcoin and Tondi. Instead of each user opening separate channels with every other user (as in Lightning), they open channels with a few SRG hubs. The state relay graph allows a user to send an update (like “I give up ownership of asset X state” to someone else) and have it delivered through intermediate nodes without broadcasting on-chain. Because it’s graph-based, you are not limited by direct channels; if a path exists through the network, the state can flow. Importantly, SRG uses cryptographic conditions (like hashlocks or adaptor signatures) to ensure that either the state update completes end-to-end or is rolled back, similar to HTLC fairness but generalized beyond payments.
AMM Order Relay and Matching: SRG can also function as a real-time order relay network. Imagine an off-chain order book or an RFQ (request-for-quote) system integrated with SRG: a user wanting to swap could send an order into the SRG network, which finds a node (or combination of liquidity providers) to fill it. For example, if there’s an AMM pool on Bitcoin and another on Tondi, an SRG node connected to both could automatically facilitate a cross-chain arbitrage or swap by creating the appropriate state transitions on each side. Because SRG communications are off-chain and encrypted, users gain low-latency and private trade execution. No global mempool sees the order, reducing front-running risk.
The SRG architecture emphasizes privacy. Since it doesn’t rely on a blockchain, updates are only seen by participating nodes, and they use onion routing or similar techniques to hide the path. It “replaces LN’s off-chain broadcast mechanism” (i.e., the need to announce channels and route payments in Lightning) with something more akin to a distributed hash table or graph that can locate liquidity without revealing channel balances. This suits our multi-layer AMM because we might not want to publicly announce all cross-chain liquidity connections.
In implementation, SRG channels might leverage MuSig2 multi-sig and adaptor signatures heavily. For instance, a state update might be a partially signed transaction or transfer that only becomes fully valid when a secret is exchanged – the same idea as HTLC but at the state layer. And with MuSig2, multiple SRG hops can collaborate to produce aggregate signatures that make the final on-chain settlement look innocuous. If SRG is successful, we envision something like “Swapping Nodes” (as mentioned in AvatoLabs materials) which are servers running SRG software, providing liquidity and relay services in exchange for small fees (similar to Lightning routing fees).
In conclusion, SRG integration gives us a powerful way to tie together disparate layers without burdening users with complex manual swaps. It will effectively act as the unifying network layer for our AMM, connecting Bitcoin, Tondi, and potentially other chains behind the scenes. Early versions might be simpler (a centralized or federated relay), but the goal is a decentralized graph where state transitions flow freely with guarantees of atomic execution or rollback.
RGB-Aware AMM Logic: Client-Side vs. On-Chain (AluVM Execution)
Implementing AMM functionality in a multi-layer environment raises the question: where does the AMM logic live? Traditional AMMs on Ethereum have all logic on-chain in a smart contract. In our design, we have options: keep logic client-side (in the wallet/node software) or encode it in an RGB contract schema that is enforced by the AluVM (RGB’s virtual machine for smart contracts).
Client-Side AMM Logic: In this model, the rules of the AMM (price calculation, fee calculation, etc.) are enforced by the participants’ software. For example, an AvatoLabs wallet or an SRG node knows that for a given pool with reserves (R1, R2), if a user wants to swap ΔR1 for ΔR2, it must satisfy the invariant (R1+ΔR1)(R2–ΔR2) = R1R2 (for constant product AMM) within slippage tolerance. The software would compute the expected ΔR2, verify the pool state and balances, and only sign the state transition if it’s favorable. Because RGB uses client-side validation, each participant validating the contract can simply refuse any state that doesn’t follow the agreed AMM rules. The advantage of this approach is flexibility – we can update AMM logic via software upgrades, and it’s easier to debug. Also, it avoids heavy lifting in AluVM, which is a simpler RISC-style VM not as developer-friendly as say EVM. The disadvantage is that there’s no global enforcement – if someone were to write a custom client that ignores the rules, they might attempt invalid states (though they wouldn’t get others to accept them). Essentially, trust is still anchored in cryptography: the pool’s UTXO commitments can include checksums or hashes that commit to certain parameters, and if a rogue actor tries a violation, others will detect it and reject the state.
On-Chain via AluVM: RGB contracts can include validation scripts written for AluVM (short for Alu Assembly VM) which run whenever a state transition is attempted. We could encode the AMM formula and constraints as such a script. For instance, the contract schema for an AMM pool might define fields for reserve1, reserve2, and it could include a rule: assert((new_reserve1 * new_reserve2) >= (old_reserve1 * old_reserve2)) to enforce constant product (actually, >= to account for fees making k increase). We could also enforce that any state transition must have an accompanying Bitcoin transaction of a certain form. AluVM is powerful enough to implement arithmetic and checks needed for AMM formulas, though complex math might be challenging (e.g., computing exact output with fee might require division, which could be approximated or handled via lookup).
By having the logic in AluVM, every validating node automatically enforces AMM rules – it’s trustless and transparent (to those who know the contract schema). Liquidity providers could deposit funds by doing a state transition that only the AMM contract allows if it mints them LP tokens in return (thus preventing adding liquidity at unfair prices). Traders can swap by triggering state changes that adjust reserves and must match the formula. If they try to cheat (take too many tokens out for too little in), the state transition will not satisfy the VM constraints and will be considered invalid, so it can never get confirmed (since the pool’s UTXO won’t be updated/co-signed by honest nodes).
The downside of on-chain logic (in this case on-chain meaning in the contract, not literally on L1 chain) is complexity of writing and updating that code. AluVM scripts are not trivial to write and upgrade – but as RGB evolves, there may be standard library schemas for common DeFi constructs. There’s mention of RGB Schema concept where contract authors define a template that others instantiate. We might define an “AMM Pool Schema” that can be reused.
Hybrid approach: We could start with a simpler client-side enforcement (essentially informal consensus on rules) and move to formal AluVM-enforced rules as the tech matures. In early phases, perhaps the AMM is run by a set of known liquidity providers who simply promise to follow certain pricing, and users verify each swap by checking the math themselves. In later phases, we lock it down with AluVM so that not even liquidity providers could violate the invariant without it being cryptographically prevented.
In terms of on-chain vs off-chain execution, note that if AluVM enforces rules, the actual computation still happens off-chain by each party validating – it’s just that the rule is codified in the contract and any invalid state transition will be rejected by all. There’s no global miner/validator executing it (unlike EVM); that’s the beauty of RGB’s design – smart contracts without smart-contracting overhead on-chain. It fits perfectly for our needs because we can have quite complex logic for an AMM without worrying about block gas limits, as long as users’ machines can handle it.
Finally, UTXO-level validation: whether logic is client-side or AluVM, the base chains (Bitcoin, Tondi) still enforce certain things: mainly the ownership and sum of values. For example, if an AMM uses BTC and another asset, the Bitcoin transaction itself will ensure BTC in equals BTC out (aside from fees), and that signatures are valid. But Bitcoin can’t ensure the swap ratio is correct – that’s up to RGB/AluVM. So we will always need a combination: base layer for custody and finality, RGB for contract logic, and clients for coordination.
Atomic Swap Safety Models: HTLC, DLC, and MuSig2
Ensuring atomicity (all-or-nothing execution) is paramount in cross-chain swaps to avoid scenarios where one party loses funds. Several cryptographic mechanisms underpin the safety of our protocols:
Hash Time-Locked Contracts (HTLCs): As extensively discussed, HTLCs use a hashlock (secret preimage) and timelock (timeout) to bind two transactions on two chains. They are simple and trustless – both chains execute or none do. The limitation is the on-chain footprint (scripts revealing the secret and hash linkage across chains). In our designs, we incorporate HTLCs for any trustless cross-chain scenario especially in initial phases. For example, BTC–Tondi, BTC–ETH atomic swaps use HTLCs. We mitigate their privacy issues via improvements like adaptor signatures to make the secret exchange off-chain or implicit. One noted issue is the free option problem in atomic swaps: one party could stall until expiry if the rate moves against them. DLCs and mechanism design (deposit penalties) can alleviate this.
Discrete Log Contracts (DLCs): DLCs involve an oracle and a 2-of-2 multisig output that pays out based on the oracle’s signature of an event. They were invented for bets and derivatives, but we can repurpose them for cross-chain swaps by treating “counterparty delivered asset” as the event. The safety model here is different: you trust that the oracle will tell the truth about what happened on the other chain. If the oracle is honest (could be a federation or a programmable event like a Bitcoin block proof), then the outcome is atomic in effect: either the oracle sees one side didn’t pay and thus the other side’s funds revert. DLCs have great privacy – on-chain they look like a simple multi-sig (especially with Taproot, a DLC contract looks like any 2-of-2 output). We plan to possibly use DLCs in scenarios like RGB–ETH where direct HTLC is cumbersome; e.g., an oracle could watch the Ethereum contract and feed a signature to a Bitcoin DLC. The downside is the introduction of a third party and the need for every participant to agree on using that oracle.
MuSig2 and Adaptor Signatures: MuSig2 is a Schnorr multi-signature scheme that allows multiple signers to produce one aggregated signature and public key. This is vital for our privacy and efficiency. Using MuSig2, an atomic swap or an AMM pool with many liquidity providers can produce a single signature for a transaction, hiding the number of participants. For example, a CoinJoin of an AMM trade can appear as a single-sig spend thanks to MuSig2, thereby not leaking that it was a two-party swap. Adaptor signatures are a related concept (sometimes called partial signatures or one-time verifiably encrypted signatures) where you create a signature that is only valid if a secret is known. In practice, we use adaptor sigs to couple transactions: Alice gives Bob a “pre-signature” for her transaction that Bob can fulfill only by revealing X (secret). These are the backbone of scriptless atomic swaps and are used in Lightning’s payment points (the revocation keys, etc.). In the context of MuSig2, adaptor signatures can be used such that the combined signature reveals something if one party injects a secret. For example, we can make the combined signature on Bitcoin dependent on a secret that comes from an Ethereum signature – effectively linking the two without explicit hashes on-chain.
MuSig2 also improves the safety of multi-party protocols by reducing interactivity (just two rounds) and preventing rogue key attacks. Our AMM architecture will use MuSig2 in multiple places: for pooling funds (LPs can jointly control a pool UTXO without exposing an on-chain multisig policy), for atomic swaps (presenting cooperative spends as single sig), and even for DLC oracle signatures (oracle consortium can use MuSig2 to aggregate an attestation).
To illustrate these safety models in action: In a BTC–ETH atomic swap, the HTLC ensures if Alice doesn’t get Bob’s payment, she times out and gets her BTC back. In a DLC-based swap, if Bob fails to pay on Ethereum, an oracle says “no pay” and Alice’s BTC is refunded via the DLC CET transaction. With MuSig2 + adaptor, Alice and Bob might not even need on-chain scripts: they could create a Taproot output that they can cooperatively spend with MuSig2 (appearing normal), but each has an adaptor partial signature from the other that forces secret revelation if one completes the signature. This way, the safety is baked into cryptography: if one tries to finalize the trade, the other automatically gets the info to finalize theirs.
In conclusion, our design employs a toolbox of atomicity techniques: HTLC for simplicity, DLC for oracle-based conditionality, MuSig2/adaptors for privacy and efficiency. These are not mutually exclusive – they can be layered. For instance, we could have a Taproot output with a MuSig2 key (cooperative case) and a fallback HTLC script (dispute case). We can also have a DLC where the oracle is actually giving a signature that can be used as an adaptor secret, etc. By combining these, we aim for a system where no single failure or misbehavior can cheat honest participants and where the mechanism is as invisible as possible on the public ledgers.
Privacy and Security Models
Privacy and security are first-class concerns in multi-layer AMMs because cross-chain operations can inadvertently leak information or be vulnerable to interception. We incorporate several measures to protect users:
Taproot & Schnorr for Contract Discretion: Both Bitcoin and Tondi use Taproot outputs (in fact Tondi is Taproot-only for all transactions). Taproot allows hiding complex spending conditions behind what looks like a single public key. In our context, this means an atomic swap or an AMM pool can be implemented such that on-chain it appears as a normal payment with no visible script. Only if parties disagree or a timeout happens would a script (HTLC or refund condition) be revealed. As cited earlier, taprootized atomic swaps make the swap “indistinguishable from regular Bitcoin payments” to outside observers. This drastically improves privacy: casual blockchain analysis will not know an atomic swap happened, nor link the two legs. Additionally, Schnorr signatures (which Taproot relies on) enable key aggregation (MuSig2) and signature adaption as described, meaning multi-party cooperations don’t leak participant identities and cross-chain secrets can remain off-chain.
CoinJoin and Batch Swaps: Where possible, we will integrate CoinJoin techniques. For example, if multiple users want to swap at the same time, an SRG node or coordinator can combine all their transactions into one big Bitcoin transaction (or Tondi transaction). This is similar to how modern CoinJoins (like Whirlpool, CoinSwap) break transaction graph analysis by combining multiple spends. In an AMM scenario, one transaction could serve many swaps: inputs could include several users’ BTC and one pool’s UTXO; outputs could deliver various tokens to users and return a single change to the pool. By obfuscating which input corresponds to which output (especially if values are padded or using equal-value outputs), we can prevent an observer from knowing who swapped what. CoinJoin in combination with Taproot (where the transaction looks like a bunch of Taproot inputs and outputs) can hide even the fact that it was an AMM operation.
Zero-Knowledge Channels and Protocols: For off-chain layer-2 interactions, especially payments, we look to zkChannels and similar concepts for enhanced privacy. zkChannels are an evolution of Lightning channels that incorporate zero-knowledge proofs so that even channel counterparties learn minimal information. In a normal Lightning channel, your peer knows exactly how much you paid them and when. In a zkChannel, techniques like blind signatures and zk-SNARKs allow one party (e.g., a customer) to make off-chain payments to another (e.g., merchant or liquidity provider) without revealing the individual payment amounts – only the net is known. Applying this to our AMM, if we have state channels (like SRG channels) with liquidity providers, zk proofs could ensure that when you do a swap via a channel, the LP does not know your identity or even the exact trade details beyond what’s needed. They might only see cryptographic proof that they will end up with net +X of one asset and -Y of another, without linking it to you or a specific transaction. This level of privacy is still experimental, but it’s on our radar especially as protocols like BOLT (privacy-preserving payment channels) and zk-rollups become more mature.
CoinJoin via CoinSwap/CoinPools: Another Bitcoin-specific privacy tool is CoinSwap, which is like atomic swap but for privacy (swap equal amounts with someone to confuse chain analysis). Although our focus is functional swaps (different assets), in cases where privacy is paramount, participants could route through intermediary addresses or use decoy swaps. A user could swap BTC for a pegged asset and then swap back, solely to break the trace. Similarly, a CoinPool (multiple users sharing a UTXO) could be used for the pool itself – imagine an AMM pool UTXO that actually belongs to N people but just looks like one address; outsiders can’t tell how many owners or the breakdown, increasing security against targeting.
Secure Multi-Party Computation (MPC) for Oracles/Bridges: If we rely on any oracles or federations (e.g., in DLCs or bridges), those components must be robust against corruption. We plan to use techniques like threshold signatures (MuSig or FROST) for oracles so that no single oracle controls an outcome. For example, 5-of-7 oracles must sign an attestation for a DLC payout. Using threshold cryptography means the oracle key can’t be easily compromised (an attacker would need to breach multiple independent entities). Additionally, by combining threshold oracles with Taproot, the oracle’s involvement remains invisible unless used.
Auditability and Compliance with Privacy: This may seem contradictory, but in some contexts (enterprise or regulatory), one might need to prove something about a trade without revealing details. The RGB paradigm actually supports selective disclosure – you can show a proof of your contract state to someone without publishing it to the world. If AvatoLabs needs to build compliance features (e.g., proof that no blacklisted asset was swapped, or proof of reserves in a pool), zero-knowledge proofs or view-keys can be used. This way we maintain user privacy while still providing any necessary guarantees. For example, using a zk-SNARK, an exchange could prove “we performed K swaps correctly according to the AMM formula and no fund was stolen” without revealing individual swap amounts.
Resistance to Attacks: From a security standpoint, cross-chain AMMs must consider the attack surface: timing attacks (a malicious party not pulling their side of a swap at the last minute to see if you react – mitigated by using safe timeouts), liquidity attacks (someone draining a pool by exploiting price differences – mitigated by using oracles or circuit breakers to pause when price deviates too much), and front-running. Front-running is especially relevant in Ethereum (mempool sniping), but much less in Bitcoin/Tondi due to lack of a visible mempool of complex transactions – and SRG would eliminate public mempool usage by doing negotiation privately. For Ethereum interactions, we could integrate with MEV protection relays or require transactions to be submitted privately (e.g., via Flashbots or threshold encryption) to avoid sandwich attacks on our bridge transactions.
Taproot Channels on Tondi/Bitcoin: Combining Taproot and channels, we can create Taproot-based payment pools (like Lightning but with more participants, sometimes called Channel Factories). This could allow multiple swaps to happen off-chain among a group. It’s a future idea for pooling liquidity among trusted participants off-chain to reduce on-chain footprint further.
In essence, our design strives for "privacy by design" – using the latest Bitcoin and crypto primitives (Taproot, Schnorr sig aggregation, ZK proofs) to make even complex cross-chain operations look ordinary and reveal as little as possible. At the same time, we adhere to robust security models where all failure modes are considered. The combination of these measures – from base layer improvements to cutting-edge ZK channels – will safeguard users and liquidity providers in the multi-layer AMM.
Development Roadmap (0–12 months)
Implementing a fully functional multi-layer, cross-ecosystem AMM is an ambitious undertaking. We propose a phased roadmap over the next 24 months, broken into four major phases, each with specific milestones:
Phase 1 (0–3 months): Research & Prototype – Establish the foundations. In this phase, the team will finalize requirements and do deep research into RGB, Tondi, and cross-chain protocols. Key tasks include: (a) Building a minimal prototype of an atomic swap between Bitcoin and Tondi on testnets using HTLCs (possibly using regtest/simnet environments). This will validate the hash-lock scripts on Tondi and the interop between Bitcoin and Tondi transactions. (b) Prototyping a simple RGB asset transfer on both Bitcoin and Tondi to ensure our understanding of RGB v0.10+ and the AluVM. Possibly issue a test token on RGB and manually swap it for BTC in a single transaction as a POC. (c) Experimenting with MuSig2 libraries (e.g., libsecp256k1’s MuSig module) in our codebase to learn how to produce aggregate signatures for two-party transactions. (d) Drafting technical specifications: formalize the “swap protocols” (message flows, timeouts, etc.) for each scenario in a design document. By the end of Phase1, we aim to have a command-line demo where two nodes can atomically swap BTC and a test RGB token via a hashlock, as well as documentation of the architecture.
Phase 2 (3–6 months): Core AMM Engine & Single-Ecosystem Demo – Build the building blocks of the AMM. This phase focuses on same-chain AMM functionality and preparing the ground for SRG. Key deliverables: (a) Develop an RGB AMM Pool contract schema – define an RGB schema for a liquidity pool (two assets + LP tokens), implement it in Rust using RGB’s APIs. If full AluVM logic is too difficult initially, we hardcode the rules in the client but still use RGB for state. (b) Implement a basic AMM daemon that runs a liquidity provider node. This daemon manages a pool UTXO, processes incoming swap requests (from users or from a CLI), and uses Bitcoin testnet transactions to execute swaps. (c) Achieve a demo of BTC ↔ RGB token swap on Bitcoin testnet with a liquidity pool. For instance, show that a user can send 1 RGB token to the pool and get X sats in return in one transaction. (d) UI/CLI tools for liquidity providers to add/remove liquidity (probably simplified, like editing a config and the node does it). (e) On Tondi, deploy a similar pool for Tondi native vs an RGB token on Tondi; demonstrate a Tondi ↔ RGB(Tondi) swap on Tondi testnet. (f) Begin designing the State Relay Graph (SRG) in detail: data structures, how state commitments are passed, security model. Possibly build a simulation of SRG with 3 nodes and a fake asset to see how state could move between them. By end of Phase2, we expect to have functioning single-chain AMMs on both Bitcoin and Tondi test networks, and a clear design for cross-chain state relay.
Phase 3 (6–12 months): Cross-Chain Integration & SRG Network – Connect the ecosystems. In this phase, we tackle cross-chain swaps (Phase1’s prototypes) and integrate them with the AMM pools from Phase2. Goals include: (a) Develop the BTC–Tondi atomic swap service – essentially a “broker” software that can pool liquidity to swap BTC and Tondi. This might be an order-book or simple request-matching system where someone can ask to swap and a service (or a decentralized algorithm) pairs them. We’ll likely implement a bot that provides continuous quotes at some pegged rate for testing. (b) Integrate DLC or adaptor signatures for improved swaps: e.g., code up a DLC with a dummy oracle for BTC–Tondi as a proof of concept (if oracle says pay, then pay). (c) Launch an SRG testnet in minimal form. This might be as simple as a single hub node acting as SRG, or a couple of nodes passing state around. Use SRG to demonstrate an RGB cross-anchor transfer: e.g., move an RGB token from Bitcoin to Tondi via SRG without a direct HTLC (this could be orchestrated by manually triggering channel operations). (d) Connect the AMM pools via SRG: for example, if we have BTC–RGB pool on Bitcoin and Tondi–RGB pool on Tondi, use SRG to allow a user to effectively go from BTC to Tondi in one step (the SRG node would perform back-to-back swaps on each pool, like atomic arbitrage). This demonstrates multi-hop atomicity. (e) Security audits and refinements: as we start going cross-chain, do threat modeling for new attack surfaces (reorgs, liquidity exhaustion, timing issues) and refine timeouts or add monitoring. (f) Ethereum bridge prototype: since Ethereum integration is complex, begin with a simple case – an Ethereum Ropsten (or Goerli) contract that can participate in an HTLC with Bitcoin. We write a small Solidity contract for an HTLC and do a test swap between BTC testnet and Goerli (manually triggered). This will prepare us for full scenario7 integration next phase. By the end of Phase3, we should have a unified demonstration: e.g., Alice on Bitcoin swaps an asset to Bob on Tondi through an SRG-assisted AMM path, all automated. We should also have the scaffolding for Ethereum ready (contracts, perhaps a simplified oracle to signal between BTC and ETH).
Phase 4 (12–18 months): Production-Grade Network & Ethereum Integration – Polish, scale, and integrate Ethereum. This is where we aim to roll out a beta network and involve real users (on testnet or even mainnet for some components).
Key tasks:
(a) Hardening and Optimization: improve the performance of the AMM engine (batch multiple swaps per block, optimize fee handling, handle L1 fee volatility), improve SRG routing (possibly implement pathfinding if multiple nodes). Do extensive testing on edge cases – chain reorgs (ensure our protocols handle reorgs gracefully, e.g., a swap UTXO gets reorged out), channel closures in SRG, etc.
(b) Ethereum Integration: deploy a robust bridge contract on Ethereum mainnet or testnet that can lock ERC-20 tokens. Implement an Ethereum agent in our software that can listen for events and initiate Bitcoin transactions accordingly. Possibly integrate an existing cross-chain framework (like Interlay’s XCLAIM or Atomic Finance’s tools) if it accelerates development. The goal is to allow a swap like RGB-T stablecoin on Bitcoin ↔ DAI on Ethereum via a combination of HTLC and liquidity provider. We likely need to incentivize some liquidity on Ethereum (maybe the team provides a pool of DAI or WBTC as counterpart).
(c) Front-end/UX: develop a simple UI (maybe web or desktop app) for users to perform swaps. This UI would hide the complexity: a user selects “Sell BTC for TONDI” or “Swap RGB-USDT on Bitcoin for USDC on Ethereum”, and the app uses our backend protocols to execute it. User experience, including time it takes (we’ll try to use instant finality via SRG where possible, or inform the user of wait times for block confirmations in atomic swaps).
(d) Launch and Monitoring: If confident, roll out on mainnets. This might be gradual – e.g., start with Tondi’s launch (as per AvatoLabs, Tondi mainnet might be launching around this timeframe). We’d deploy the AMM on Tondi mainnet and do some swaps with Bitcoin testnet or a small amount of BTC mainnet through a bridge. Monitor for any issues, iterate. Setup monitoring for the network (channel health, liquidity metrics, etc.).
(e) Community and Liquidity: work with partners to bring liquidity. For instance, encourage some BTC holders to provide liquidity to the BTC-Tondi pool in exchange for yield (we might reward early LPs with some incentive, maybe Tondi coins). Similarly, on Ethereum side, maybe collaborate with a DeFi project to use our bridge for a specific asset.
Throughout all phases, documentation and testing are ongoing. We treat this as an evolving protocol, so by Phase 4 we should ideally publish a detailed protocol whitepaper (perhaps an external version of this internal report) and security audits.
Milestone summary:
3 months: Atomic swap prototype (BTC↔Tondi), basic RGB token swaps.
6 months: Working AMM on single chains (Bitcoin, Tondi), partial integration.
12 months: Cross-chain swaps operational via SRG, testnet integration with Ethereum.
18 months: Beta launch on mainnets, user-facing app, initial liquidity and partnerships.
This roadmap is aggressive but feasible with dedicated effort, leveraging existing libraries and the expertise we have on Bitcoin L2 technologies. It also remains adaptable – for instance, if SRG is harder to implement, we may rely more on simpler atomic swaps in early versions and push SRG to a later iteration.
Pseudocode: RGB-Aware AMM Logic
The following pseudocode outlines how an RGB-aware AMM operation might be handled by a client or node. It covers UTXO validation, preparing the pool commitment, and executing the trade atomically. This is a simplified high-level logic for a swap of Asset X for Asset Y against an AMM pool:
# Assume we have an RGB AMM Pool with assets X and Y anchored in UTXO pool_utxo.
# The pool state includes reserves: R_x, R_y and a public key controlling the UTXO.
function execute_swap(request):
# request contains: asset_in (X or Y), amount_in, asset_out (the other asset), min_amount_out, user_pubkey, etc.
asset_in = request.asset_in
asset_out = request.asset_out
amt_in = request.amount_in
# 1. Retrieve and validate current pool state from RGB contract
state = RGB.getContractState(pool_contract_id, pool_utxo)
R_x = state.reserve_x
R_y = state.reserve_y
if asset_in == X:
input_reserve = R_x
output_reserve = R_y
else:
input_reserve = R_y
output_reserve = R_x
# 2. Calculate output amount based on AMM pricing (constant product formula)
# Δout = output_reserve * amt_in / (input_reserve + amt_in - fee)
fee_rate = state.fee_rate # e.g., 0.3%
amt_in_after_fee = amt_in * (1 - fee_rate)
delta_out = floor(output_reserve * amt_in_after_fee / (input_reserve + amt_in_after_fee))
if delta_out < request.min_amount_out:
return Error("Slippage too high, output would be less than minimum")
# 3. Prepare new state values
new_R_x = R_x
new_R_y = R_y
if asset_in == X:
new_R_x = R_x + amt_in_after_fee # pool gains the net input after fee
new_R_y = R_y - delta_out # pool loses the output asset
else:
new_R_y = R_y + amt_in_after_fee
new_R_x = R_x - delta_out
# 4. Ensure reserves won't go negative and invariant holds (sanity checks)
if new_R_x < 0 or new_R_y < 0:
return Error("Pool reserve would go negative")
# Invariant check (allow some tiny rounding error):
old_k = R_x * R_y
new_k = new_R_x * new_R_y
if new_k < old_k:
return Error("Invariant violation: new_k < old_k (should increase with fees)")
# 5. Construct the Bitcoin/Tondi transaction for the swap
tx = new Transaction()
# Input 1: the pool UTXO (to be spent by pool's key and user's cooperation)
tx.addInput(pool_utxo)
# Input 2: user's payment for amt_in of asset_in
if asset_in is a Bitcoin/Tondi native asset:
tx.addInput(user.provideUTXO(amount=amt_in))
else:
# asset_in is RGB: user provides an RGB UTXO with amt_in of asset_in
tx.addInput(user.rgb_utxo(asset_in, amt_in))
# Outputs:
# Output 1: new pool UTXO with updated reserves committed via RGB
new_pool_output = new Output()
new_pool_output.value = (pool_utxo.value + (asset_in is native ? amt_in_after_fee : 0) - (asset_out is native ? delta_out : 0))
new_pool_output.scriptPubKey = pool_public_key # same controlling key (could also change if rotating keys)
# Attach RGB state commitment for new_R_x, new_R_y to this output:
new_pool_output.embedData( RGB.commit(pool_contract_id, {reserve_x: new_R_x, reserve_y: new_R_y}) )
tx.addOutput(new_pool_output)
# Output 2: user's output asset
user_output = new Output()
if asset_out is native (BTC or Tondi coin):
user_output.value = delta_out
user_output.scriptPubKey = user_pubkey
else:
# asset_out is RGB token, issue an output with that RGB state
user_output.value = some minimal value (e.g. 546 sats for Bitcoin)
user_output.scriptPubKey = user_pubkey
user_output.embedData( RGB.transfer(asset_out, delta_out, to=user_pubkey) )
tx.addOutput(user_output)
# (Optionally, Output 3: fee output for LP or network if fee taken in base asset)
# 6. Sign the transaction
# Both the pool and the user need to sign their respective inputs.
tx.signInput(0, pool_private_key) # pool UTXO signed by pool
tx.signInput(1, user_private_key) # user input signed by user
# If adaptor sig or hashlock was used for atomicity, handle that here (not shown for simplicity).
# 7. Broadcast the transaction to the base chain
result = submitTransaction(tx)
if result.success:
# Update local RGB state:
RGB.applyStateTransition(pool_contract_id, pool_utxo, new_pool_output, {reserve_x: new_R_x, reserve_y: new_R_y})
return Success(delta_out)
else:
return Error("Transaction failed to broadcast/confirm")
A few notes on this pseudocode:
It fetches the current reserves from the RGB contract state associated with the pool’s UTXO and calculates the output using a constant-product AMM formula (with fee).
It then constructs a new transaction with two inputs: the pool’s UTXO and the user’s asset input. There are two outputs: a replacement pool UTXO with updated reserves (committed in the RGB metadata) and the user’s output asset. If the input or output asset is an RGB token, the transaction includes the necessary commitment data for transferring that token (via
embedDatawhich is conceptual for adding OP_RETURN or Taproot annex data carrying the commitment).The pool’s UTXO value on-chain is adjusted if native assets are entering or leaving (for example, if user pays BTC in, the new UTXO’s satoshi value increases accordingly; if user takes BTC out, it decreases).
Both parties sign. The
tx.signInputis a simplification – in practice, with Taproot and MuSig, the pool and user might produce an aggregate signature for the first input rather than two separate sigs if using key aggregation. The pseudocode just shows separate signing for clarity.The transaction is then broadcast to either Bitcoin or Tondi network. On confirmation, the RGB state is updated: the pool’s old UTXO is replaced by the new one with updated reserves. The user’s receipt of asset_out is also finalized (in Bitcoin, the user output might contain the asset if it’s RGB – meaning the user will have a new RGB UTXO to claim that asset).
Error handling includes slippage check (don’t execute if output too low) and invariant check (ensuring no glitch allowed the product to decrease).
This pseudocode highlights the client-side operations needed to execute a swap. The actual implementation in Rust/Java/etc. would use proper transaction and RGB libraries rather than this skeletal structure. Also, atomicity across chains (if this was a cross-chain swap) would require interlocking two such transactions with hashlocks or adaptor signatures, which is outside the single transaction scope above.
Mermaid Diagrams for Protocol Flows
To visually clarify some of the interactions in our system, we include Mermaid diagrams illustrating key flows:
SRG Relay Flow Between RGB Anchors
(Already shown in the earlier section under L2-only swaps.) The flowchart diagram provided demonstrates how an SRG node relays state between an RGB contract on Bitcoin and one on Tondi, ensuring atomic state transfer across anchors.
RGB AMM Interaction Lifecycle
The sequence diagram below shows a typical lifecycle of interactions when a user trades with an RGB-based AMM pool (same-ecosystem case):
sequenceDiagram
participant Trader
participant AMM as RGB AMM Pool
participant L1 as Base Chain (Bitcoin/Tondi)
Trader->>AMM: Provide liquidity (deposit Asset A & B)
AMM-->>L1: Commit new pool UTXO with updated reserves
Note right of AMM: Liquidity added, LP tokens issued
Trader->>AMM: Swap Asset A for Asset B (input A amount)
AMM-->>Trader: Quote price (output B amount with fee)
Trader->>AMM: Confirm swap and sign transaction
AMM-->>L1: Publish swap tx (pool state updated, Trader receives asset B)
Note over Trader,AMM: Pool reserves adjusted, trade executed atomically
Figure: Sequence of adding liquidity and performing a swap on an RGB AMM pool. First, a liquidity provider deposits two assets, and the pool’s state is committed on-chain. Later, a trader initiates a swap; the AMM quotes the amount based on the formula, the trader agrees, and the final transaction updates the state and delivers the output asset to the trader, all in one on-chain transaction.
Cross-Chain BTC ↔ RGB Swap Flow (HTLC Example)
Finally, the sequence diagram below illustrates a cross-chain atomic swap between a Bitcoin BTC and an RGB asset (anchored on another chain, e.g., Tondi or Bitcoin itself) using HTLCs or similar mechanism:
sequenceDiagram
participant Alice as Alice (BTC holder)
participant Bob as Bob (RGB asset holder)
Alice->>Bitcoin: Lock BTC in HTLC (hash = H(sec), timelock T1)
Bob-->>OtherChain: Lock RGB asset in HTLC (same hash, timelock T2 < T1)
Alice-->>OtherChain: Reveal secret sec to claim RGB asset
Bob->>Bitcoin: Use sec to unlock BTC
Note over Alice,Bob: If sec not revealed by deadlines, both get refunds after T1/T2
Figure: Cross-chain atomic swap using HTLC between BTC and an RGB asset on another chain. The flow is similar to the earlier BTC–Tondi description: one side reveals a secret to claim the other’s asset, which enables the second party to claim the first asset, achieving atomic exchange. The OtherChain could be Tondi if the RGB asset is on Tondi, or even Bitcoin if the RGB asset is on Bitcoin (in that case, “OtherChain” is also Bitcoin but conceptually the RGB transfer is a separate leg).
These diagrams reinforce the earlier textual descriptions by showing the step-by-step progression of actions and which actors/chains are involved at each step. They serve as a reference for engineers to visualize the protocol flows when implementing the system.
Sources:
Zucco, G., Orlovsky, M. et al., “RGB: A Scalable & Confidential Smart Contracts System for Bitcoin & Lightning” – Gate.io Research (RGB client-side state model, DAG and privacy features).
Bitlayer Research, “Adaptor Signatures and Cross-Chain Atomic Swaps” – Bitlayer Blog (Cross-chain atomic swap fundamentals, HTLC requirements and history).
Bitlayer Research, ibid. (Privacy issues with on-chain HTLCs and introduction of adaptor signature (scriptless) swaps).
Trust Machines, “What are Bitcoin Discreet Log Contracts (DLCs)?” – TrustMachines.co (DLC privacy: indistinguishable from 2-of-2, oracle info hidden on-chain).
Blockchain Commons, “MuSig2 Overview” – Developer Resources (MuSig2 applications: enables atomic swaps, payment channels, cross-chain with efficient single-sig).
Distributed Lab, “Taprootized Atomic Swaps (TAS)” – GitHub/Arxiv paper (Hiding atomic swaps as normal payments using Taproot, Schnorr, ZK proofs).
Tezos Commons, “A Closer Look into zkChannels” – Medium/Tezos Commons (zkChannels concept: off-chain anonymous payment channels, privacy vs Lightning).
Subscribe to my newsletter
Read articles from Yosei Tsukifune directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Yosei Tsukifune
Yosei Tsukifune
月舟 曜誠(つきふね ようせい)と申します。 人体工学エンジニア、クオンツ金融エンジンアーキテクト、暗号技術の専門家として、 現在は Tondiチェーンの主任研究員を務めております。 RGBプロトコル、DAG構造、クライアント検証型スマートコントラクトなど、 次世代の分散型金融インフラの設計と実装に取り組んでいます。 私は、技術とは単なる道具ではなく、文明秩序を記述するコードだと考えています。 本日、このような機会をいただき、大変光栄です。