Wavestar Technology · Trust model
Merkle, quorum, and anchoring — at the right layer.
- Transparency log
- Trillian · RFC 6962
- Quorum curve
- BLS12-381
- Threshold
- 8-of-12
- Anchored to
- Ethereum + Bitcoin
Three layers
Each layer fails differently — that’s the point.
- 01
Merkle transparency log (Trillian)
Every registry entry, every cleared trade, every attestation, every rulebook version is appended to a Trillian log instance running in our infrastructure. RFC 6962 semantics: append-only, SHA-256 hashes, inclusion proofs verifiable client-side against a signed tree head. If we ever attempt to retroactively edit a settled record, the tree-head hash diverges and every cached client detects it. - 02
BLS12-381 quorum signatures
Twelve independent observers co-sign every settlement input. 8-of-12 threshold, aggregated to a single 96-byte BLS signature verified with one pairing. Diversity rules cap any single operator at two observer seats and any single region at four. A Merkle log says “this is what we recorded.” The quorum says “this is what actually happened.” - 03
Optional L2 atomic-swap escrow
For USDC-leg settlements Wavestar holds neither side’s funds in a pooled account. An L2 escrow contract enforces atomic “cash leg and resource attestation or neither of them” on every trade, with a documented 48-hour recovery path if the observer quorum fails to reach threshold. - 04
Hourly public-chain anchoring
Every hour, the current Trillian signed tree head (STH) is committed to Ethereum mainnet and the Bitcoin blockchain via OP_RETURN. Two independent chains with different consensus mechanisms, different economic security models, and different jurisdictional footprints. An adversary would need to compromise both simultaneously to rewrite history undetectably.
Verification flow
Any counterparty can audit any trade end-to-end.
Counterparty bundle (returned with every settled trade)
----------------------------------------------------------
[1] Trade envelope (COSE, signed by Wavestar ORCH)
[2] Merkle inclusion (leaf hash, audit path, tree size)
[3] Signed tree head (Trillian STH, Ed25519 signature)
[4] Observer quorum sig (BLS12-381, 96 bytes, 8-of-12)
[5] Observer roster (12 DIDs at trade timestamp)
[6] Anchor proofs (Ethereum tx + Bitcoin txid)
Verification (client-side, no Wavestar dependency)
----------------------------------------------------------
verify_cose(envelope, wavestar_orch_pubkey) -> ok
verify_merkle(leaf, path, sth.root, sth.size) -> ok
verify_ed25519(sth.sig, sth.digest, log_pubkey) -> ok
bls_verify(quorum_sig, digest, aggregate(roster)) -> ok
eth_get_tx(anchor.eth_tx).data == sth.root -> ok
btc_op_return(anchor.btc_txid) == sth.root -> ok
-> trade is settled, agreed, and anchored. No single
component's failure invalidates any other.Parameters · v1 go-live
The tunables, with rationale.
Trust-model configuration
- Transparency log
- Trillian 1.6.x (Google) on CockroachDB
Spanner-class consistency for the ledger spine; mature RFC 6962 implementation.
- Hash function
- SHA-256
Per RFC 6962. Ed25519 + SHA-256 are NIST-approved and have no known weaknesses.
- Log signing key
- Ed25519 · HSM-resident
Rotated every 90 days with a key-continuity proof chain.
- Observer curve
- BLS12-381 (G2 public keys, G1 signatures)
Pairing-friendly; threshold-aggregation native; widely adopted (Ethereum, Filecoin, Chainlink).
- Quorum threshold
- 8-of-12 for settlement inputs
Byzantine-tolerant up to 4 corrupt observers; exceeds the 1/3 BFT bound with margin.
- Observer diversity
- ≤ 2 per operator · ≤ 4 per region
Prevents cartel capture; enforced in the Attest rulebook and checked on every quorum formation.
- Anchoring cadence
- Ethereum + Bitcoin · hourly
Hourly is the trade-off between cost (BTC fees) and recovery window.
- Canonicalisation
- RFC 8785 (JSON Canonicalisation Scheme)
Deterministic byte-for-byte hashing. Never JSON.stringify directly.
- Envelope format
- COSE (RFC 8152)
CBOR-based signed envelopes. Crosses every module boundary; language-agnostic.
- PQ readiness
- Dilithium3 wired, not default
Ready to activate when NIST FIPS 204 is load-bearing; on track for 2028 switchover.
Failure modes
What happens when a layer breaks.
- Trillian log outage
- Clearing halts. Writes queue in NATS JetStream.
Resumes automatically on log recovery. No settled trade is lost; pending trades retry idempotently.
- < 8 observers respond
- Settlement input rejected. Trade returns to pending.
Retries at the next observer heartbeat (default 15s). Escalates to manual review after 60s.
- Observer private key compromised
- Revoked in the registry; next-hour STH excludes them.
Slashing: fund penalty + permanent removal. Incident report filed with the OIF within 24h.
- Ethereum anchor delayed
- Clearing continues. Bitcoin anchor remains primary.
> 6h delay triggers a public status incident and notification to all clearing members.
- Both anchors fail
- Trade envelopes are still COSE-signed + log-appended.
Recovery via catch-up anchoring once either chain is reachable. Anchor backfill is idempotent.
- Clearing engine compromised
- Merkle + observer + anchor layers detect divergence.
The transparency log's STH history is externally verifiable; every counterparty holds proofs that any retroactive edit cannot reconcile.
Why this design, not alternatives
We considered a fully on-chain clearing house, a traditional CCP with no blockchain, and everything in between. Neither extreme survives an adversarial court subpoena plus a 10ms match latency requirement. The hybrid does.
Operational targets
Trust model by the numbers.
- Transparency append p99
- 95 ms
- Quorum formation p99
- 420 ms
- Anchor cadence
- Hourly
- STH retention
- Permanent
- Observer count
- 0
- Threshold
- 8-of-12
- Byzantine tolerance
- f ≤ 4
- Anchor chains
- 0
Verify, don't trust
Audit every trade you do with us.
Every settled trade returns a verification bundle with Merkle path, observer signature, and anchor proofs. The tools to verify it are open-source and run without a Wavestar API key.