Reframing in progress — Atomic Swap / OTC. Trading PoPC staking contracts (buy/sell/split positions, sell reward rights) is disabled (POPC_DEX_ENABLED=false) and not part of V15. PoPC is a non-tradeable native SOST bond — see PoPC Bond Staking. This surface is being converted into non-custodial swap & OTC coordination (signed offers, encrypted deal channels).
ATOMIC SWAP DEX & OTC

SOST Atomic Swap DEX
& OTC Coordination

Non-custodial peer-to-peer swaps for tokenized gold (XAUT, PAXG) and SOST, settled with on-chain HTLC / smart-contract escrow. OTC coordination runs on signed offers (ED25519) and encrypted deal channels (X25519) — SOST never custodies funds. PoPC is a separate, non-tradeable native SOST bond — see PoPC Bond Staking.

How It Works — Simple

SOST lets two parties agree a swap with signed private messages and settle it non-custodially through on-chain HTLC / smart-contract escrow — SOST never holds your funds.

1. A maker publishes a signed swap offer — for example, tokenized gold (XAUT or PAXG) for SOST, or SOST for an EVM asset. The offer carries a price, an amount, a unique nonce and an expiry, and is signed with the maker’s ED25519 key.

2. Counterparties discover the offer over OTC coordination. There is no order book that custodies anything — the offer is just a signed message describing the swap each side will execute.

3. A taker accepts the offer with their own signed message. Both signatures derive a unique deal, and the two sides open an encrypted deal channel.

4. Each side locks its asset in escrow — an on-chain HTLC / smart-contract escrow on the EVM side and a SOST escrow lock on the SOST side. No party can take the other’s funds without revealing the matching secret.

5. Coordination happens through signed and end-to-end encrypted messages (ED25519 signatures + X25519 key agreement + ChaCha20-Poly1305 AEAD). Every message — offer, accept, cancel, settlement notice — has a hash, a signature, a nonce, and an expiry. No forgery. No replay. No middleman.

6. The settlement engine verifies everything automatically: valid signatures, both legs locked, no double-spend, no expired offers. The atomic swap either completes for both sides or refunds both sides — never one-sided.

Example — Angel swaps gold for SOST with Pedro

Angel holds 0.5 oz of XAUT and wants SOST. Pedro holds SOST and wants gold exposure. They agree a non-custodial atomic swap at ~9.7 SOST.

Step 1: Angel creates a signed offer: “I swap 0.5 oz XAUT for 9.7 SOST.” The offer is signed with Angel’s ED25519 key, includes a unique nonce and expires in 1 hour.

Step 2: Pedro receives the offer through the encrypted deal channel. He verifies the signature is valid and accepts: “I swap 9.7 SOST for 0.5 oz XAUT.” Also signed.

Step 3: The system derives a unique deal_id from both signatures and creates the deal.

Step 4: Each side locks its leg in escrow — Angel locks XAUT in the on-chain HTLC / smart-contract escrow, Pedro locks SOST in the SOST escrow. The settlement engine verifies both legs, signatures and timing.

Step 5: The atomic swap settles. Pedro receives the XAUT, Angel receives 9.7 SOST. A settlement notice is emitted and the full history is recorded in the audit log. If either leg fails, both sides are refunded.

Note: This is a swap of assets each party already holds — not the trading of PoPC staking contracts or reward rights. PoPC is a separate, non-tradeable native SOST bond; see PoPC Bond Staking.

Why Use Atomic Swaps & OTC?

▶ Makers

  • Quote a swap on your own terms
  • Keep custody until the moment of settlement
  • Reach counterparties via OTC coordination
  • Cancel any time before both legs lock
  • Signed offers — no forgery, no replay

▶ Takers

  • Swap gold tokens for SOST (and back) non-custodially
  • Settle atomically — both legs or neither
  • Verify the offer signature before committing
  • On-chain HTLC / smart-contract escrow protects both sides

The DEX exists so two parties can swap assets they already hold — non-custodially, atomically, without a central counterparty.

Ownership Rules (Historical — Model B)

Historical / superseded. The split-ownership design below (Model B “SOSTEscrow” positions with separable principal and reward rights) is historical and has been superseded by the single native SOST bond model. PoPC is now one non-tradeable native SOST bond — create, monitor, claim — with no separable or sellable reward rights; see PoPC Bond Staking. None of the transfer flows described here are active, and trading PoPC positions or reward rights is disabled (POPC_DEX_ENABLED=false) and not part of V15. Retained for reference only.

Historical rule (Model B)

The right to the principal belonged to the principal_owner. The right to the reward belonged to the reward_owner. The escrow paid to the currentBeneficiary, which always reflected the principal_owner.

In the historical Model B design, every position had two separate rights:

1. Right to the Principal

The right to recover the gold locked in the escrow at maturity. Belongs to principal_owner.

2. Right to the Reward

The right to receive the SOST reward at maturity. Belongs to reward_owner. Can be sold separately.

Full Position Transfer (historical Model B)

Before: principal_owner = Angel · reward_owner = Angel · eth_beneficiary = Angel
After: principal_owner = Pedro · reward_owner = Pedro · eth_beneficiary = Pedro
At maturity: Escrow returns gold to Pedro. Reward SOST goes to Pedro.

Reward-Right Transfer Only (historical Model B)

Before: principal_owner = Angel · reward_owner = Angel · eth_beneficiary = Angel
After: principal_owner = Angel · reward_owner = Pedro · eth_beneficiary = Angel
At maturity: Escrow returns gold to Angel. Reward SOST goes to Pedro.

Automation Roadmap (historical Model B testnet components)

COMPONENTSTATUSFUNCTION
Settlement EngineOperationalVerifies signatures, executes transfers, updates ownership
E2E RelayOperationalEncrypted coordination, blind transport, offline delivery
Position RegistryOperationalTracks principal_owner, reward_owner, lifecycle
Maturity TrackerOperationalMonitors unlock times, detects maturity
SOSTEscrow v1Deployed (Sepolia)Immutable lock, pays original depositor only
SOSTEscrow v2ImplementedAdds currentBeneficiary — pays whoever owns the principal
Auto-Withdraw DaemonImplementedCalls withdraw() automatically at maturity
Reward EngineImplementedAutomatically credits reward SOST to reward_owner
Historical status: The Model B SOSTEscrow components above were testnet-only (Sepolia) and are superseded by the single native SOST bond model. They are not deployed to mainnet, not part of V15, and no PoPC position or reward-right transfer is active. See PoPC Bond Staking for the current non-tradeable bond design.

PART 1 — SOST Atomic Swap DEX & OTC

Non-custodial peer-to-peer swaps for tokenized gold and SOST — signed offers, encrypted deal channels, on-chain HTLC / smart-contract escrow

1. Swap Parameters

Core configuration for the SOST Atomic Swap DEX engine. All swaps settle non-custodially through peer-to-peer on-chain HTLC / smart-contract escrow with no central counterparty — SOST never custodies funds.

ParameterValueDescription
Swap PairsSOST/XAUT, SOST/PAXGTokenized gold pairs only
Settlement ModeNon-custodial HTLC EscrowBoth parties lock their own leg before atomic settlement
Message SigningED25519All trade messages cryptographically signed
ETH Confirmations6Required confirmations for ETH-side locks
Deal Expiry3,600 sUnmatched offers expire after 1 hour
Daemon Tick5 sTrade engine polling interval
ETH Watcher15 sEthereum chain polling interval

Supported Gold Tokens

TokenDecimalsBackingStandard
XAUT (Tether Gold)61 token = 1 troy oz = 31,103 mgERC-20
PAXG (Paxos Gold)181 token = 1 troy oz = 31,103 mgERC-20

2. Swap Message Types

All swap messages are ED25519-signed and relayed via encrypted deal channels (SOST E2E protocol). Each message type drives the deal state machine forward. Offers describe a swap each side executes from its own custody — not the trading of PoPC positions or reward rights.

Message TypeDirectionPayloadEffect
trade_offerMaker → Networkpair, side (buy/sell), amount, price, expiryCreates deal in CREATED state
trade_acceptTaker → Makeroffer_id, taker_pubkey, taker_eth_addressTransitions to NEGOTIATED
trade_cancelEither → Eitherdeal_id, reasonTransitions to EXPIRED (if pre-lock)
settlement_noticeEither → Eitherdeal_id, eth_txid, sost_txid, proofsTransitions to SETTLED

3. Deal State Machine

Every deal progresses through a deterministic state machine. The happy path flows left-to-right; alternative flows handle failures and disputes.

Happy Path

CREATED NEGOTIATED AWAITING_ETH_LOCK AWAITING_SOST_LOCK BOTH_LOCKED SETTLING SETTLED

Alternative Flows

CREATED EXPIRED   (deal_expiry exceeded, no acceptance)
NEGOTIATED EXPIRED   (lock timeout, either party cancels)
AWAITING_ETH_LOCK EXPIRED   (ETH lock not confirmed in time)
AWAITING_SOST_LOCK REFUND_PENDING REFUNDED   (SOST lock failed, ETH refunded)
BOTH_LOCKED DISPUTED   (settlement proof mismatch)
StateDescriptionTimeout
CREATEDOffer broadcast, awaiting taker3,600 s
NEGOTIATEDTaker accepted, exchanging lock addresses600 s
AWAITING_ETH_LOCKWaiting for gold token lock on Ethereum (6 confirmations)1,800 s
AWAITING_SOST_LOCKETH confirmed, waiting for SOST escrow lock1,200 s
BOTH_LOCKEDBoth sides locked, ready to settle3,600 s
SETTLINGSettlement transactions broadcast1,800 s
SETTLEDBoth sides confirmed, deal complete
EXPIREDDeal timed out at any pre-lock stage
REFUND_PENDINGOne side locked, other failed; initiating refund7,200 s
REFUNDEDLocked funds returned to original party
DISPUTEDSettlement proof mismatch, requires resolution

4. Settlement Flow

Step-by-step bilateral escrow settlement between maker and taker. All steps are cryptographically verified via ED25519 signatures.

Step 1: OFFER
  Maker broadcasts trade_offer (pair, amount, price, expiry)
  Signed with maker's ED25519 key
  Deal enters CREATED state

Step 2: ACCEPT
  Taker sends trade_accept (offer_id, taker_pubkey, taker_eth_address)
  Signed with taker's ED25519 key
  Deal enters NEGOTIATED state

Step 3: ETH LOCK
  Gold-side party locks XAUT/PAXG in Ethereum escrow contract
  ETH Watcher polls every 15s for confirmation
  After 6 ETH confirmations: deal enters AWAITING_SOST_LOCK

Step 4: SOST LOCK
  SOST-side party creates SOST escrow transaction (OUT_ESCROW_LOCK)
  Transaction confirmed on SOST chain
  Deal enters BOTH_LOCKED state

Step 5: SETTLEMENT
  Both parties release escrow to counterparty addresses
  ETH escrow releases gold tokens to buyer
  SOST escrow releases SOST to seller
  Deal enters SETTLING state

Step 6: NOTICE
  Both parties broadcast settlement_notice with tx proofs
  ETH Watcher confirms gold token transfer (6 confirmations)
  SOST node confirms SOST transfer
  Deal enters SETTLED state (final)
Refund path: If Step 4 (SOST lock) fails after Step 3 (ETH lock), the deal enters REFUND_PENDING. The ETH escrow contract has a timelock that allows the gold-side party to reclaim tokens after the refund timeout (7,200 s).

5. Reference Pricing (Historical)

Historical / superseded. The valuation model below was used by the historical Model A/Model B PoPC position design. PoPC positions and reward rights are not tradeable in V15 (POPC_DEX_ENABLED=false), so this is a reference model only — superseded by the single native SOST bond (PoPC Bond Staking). For atomic swaps, price is simply the rate the two parties sign into their offer.

For reference, the historical model combined spot gold backing with time-discounted future rewards from PoPC contracts.

Pricing Formula (historical reference)

position_value = gold_backing + time_discounted_rewards - illiquidity_discount

gold_backing     = oz_held * spot_gold_price
reward_component = annual_rate * remaining_term * gold_backing
illiquidity      = 3% * gold_backing

Model A: 12%/yr reward rate (self-custody, higher risk/reward)
Model B: 5%/yr reward rate (escrow, lower risk/reward)
Illiquidity discount: 3% (compensates for lock-up period)

Example: 1 oz XAUT, Model A, 12-month contract, 6 months remaining

gold_backing     = 1 oz * $2,400 = $2,400
reward_component = 12% * 0.5yr * $2,400 = $144
illiquidity      = 3% * $2,400 = -$72
position_value   = $2,400 + $144 - $72 = $2,472

5.5 AI Copilot Layer

The DEX ships with a browser-side Copilot stack that helps the user compose swap offers, understand deals and avoid common mistakes. The copilot is advisory only — it never signs transactions, never moves funds and never updates ownership state. Sensitive actions still require the user's session unlock and (when configured) a passkey re-authentication.

Module Inventory

ModuleFileRole
Intent Parserjs/dex-intent-parser.jsParses natural language (EN + ES) into structured swap intents (pair, side, amount, price, expiry).
Form Assistantjs/dex-ai-assistant.jsFills the Swap Composer / OTC form from a parsed intent and renders an explicit "what the assistant understood" review layer before any submission.
Deal Explainerjs/dex-ai-explainer.jsExplains what a swap does in plain language — which leg locks on SOST, which leg locks on the EVM side, and what each party receives at atomic settlement.
Risk Guardianjs/dex-ai-validator.jsValidates intents and detects problems before the user confirms. Warnings are classified INFO, WARNING or BLOCKING. BLOCKING warnings prevent the form from being submitted.
Compare Helperjs/dex-ai-compare.jsCompares swap alternatives: different rates, expiries and counterparties.
Lifecycle Guidejs/dex-ai-lifecycle.jsExplains deal lifecycle state and available actions (offer, accept, lock, atomic settle, refund).
Swap Enginejs/dex-trade-engine.jsBuilds offers from form data, signs with ED25519, encrypts with ChaCha20-Poly1305 via channel keys, submits to the blind relay.
Session Managerjs/dex-session.jsManages unlock / lock / timeout. Bridges the keystore with the DEX UI and relay.
Onboarding Gluejs/dex-onboarding.jsConnects all Phase A+B+C modules to the DEX page UI — public/private mode, wallet panel, AI assistant box, inbox, error/empty states.

Risk Guardian — Severity Ladder

SeverityEffectExamples
INFOShown but does not block submission.Offer expires soon; counterparty has not locked its leg yet.
WARNINGShown prominently; user must acknowledge.Rate deviates significantly from reference; short HTLC timeout relative to confirmation time.
BLOCKINGSubmission is disabled until the user fixes the issue.Signature invalid; expired offer; reused nonce; insufficient balance to lock the leg; trying to publish a guarantee-style claim.

Authentication Surface

Browser keystore: IndexedDB + Argon2id passphrase encryption
Signing:          ED25519, generated and stored locally
Encryption:       X25519 key agreement + ChaCha20-Poly1305 AEAD
Strong auth:      WebAuthn passkey for sensitive actions
Auto-lock:        5 min idle timeout
Re-auth gate:     sign offer, accept deal, export identity

Hard Guarantees

GuaranteeScope
The AI Copilot never signs a transaction on its own.All signatures originate from a user-initiated unlock + (optional) passkey re-auth.
The Copilot never moves funds.Each party locks its own leg in the on-chain HTLC / smart-contract escrow and on the SOST chain via standard OUT_ESCROW_LOCK transactions. SOST never custodies funds.
The Copilot never settles on your behalf.Atomic settlement is driven by the matching HTLC secret and valid signed messages, not by the browser copilot.
Private keys never leave the device.Keys live in IndexedDB encrypted with Argon2id. WebAuthn returns yes/no signals only.
The relay never sees plaintext deals.Trade messages are end-to-end encrypted before reaching the relay; the relay performs blind transport.
BLOCKING warnings cannot be bypassed silently.The Risk Guardian disables the submit path when a BLOCKING flag is raised; the user must address the cause.

What the AI Copilot does NOT do

- It does not trade autonomously.
- It does not create or fund liquidity pools.
- It does not guarantee price, liquidity, or settlement timing.
- It does not call paid third-party AI models.
- It does not call external network services from the trade flow.
- It does not bypass the Risk Guardian on BLOCKING flags.
- It does not relax public-claim wording (no "trustless" promotion
  while alpha is operator-assisted).

This module set is the operational AI layer of the DEX. The off-chain SOST AI Engine is a separate internal research system; it does not run inside the DEX page and does not have access to keys, beneficiaries or signed messages.

PART 2 — PoPC Contracts (Historical Spec)

Historical Model A / Model B design — superseded by the single native SOST bond (PoPC Bond Staking)

Historical / superseded. The dual-model PoPC design below (Model A self-custody and Model B escrow) is historical. PoPC has been redesigned to a single native SOST bond — the only collateral and the only thing slashable — created, monitored and claimed as a staking product that activates at V15 / block 20,000. PoPC bonds are not tradeable and there is no separable reward right. The optional “Gold Boost” is a reward boost only (never collateral, never slashed) and is disabled on mainnet. The spec below is retained for reference only — see PoPC Bond Staking for the current model.

6. Model A vs Model B (Historical)

Historical reference. Two custody models once served different risk profiles — Model A rewarded self-custody with higher yields; Model B offered simplicity through immutable escrow. Both are superseded by the single native SOST bond (PoPC Bond Staking) and are shown here for reference only.

AttributeModel A (Self-Custody)Model B (Escrow)
Gold LocationUser's own ETH wallet (EOA)Immutable EVM escrow contract
Bond RequiredYes (20-30% of gold value in SOST)No bond required
Reward PayoutPeriodic from PoPC PoolImmediate from PoPC Pool
Protocol Fee3%8%
AuditsRandom, entropy-basedNone (escrow is self-proving)
Slash RiskYes — 50% PoPC Pool + 50% Gold VaultNone
Reward Floor≥ 1% (min 10 SOST)≥ 0.5% (min 5 SOST)
Hard Cap1,000 SOST per contract · 1,000 max active contracts
Durations1 / 3 / 6 / 9 / 12 months1 / 3 / 6 / 9 / 12 months
BlacklistBlacklisted after 3 slashes
Escrow contract: Model B uses an immutable EVM escrow with no admin key, no upgrade proxy, and no withdrawal function until timelock expiry. The contract is self-proving — no audits are needed because funds are cryptographically locked.

7. Reward Rates

Annualized reward rates scale with lock duration. Longer commitments earn higher yields. All rates are percentages of gold value, paid in SOST from the PoPC Pool.

DurationModel A RateModel B Rate
1 month1%0.4%
3 months4%1.5%
6 months9%3.5%
9 months14%5.5%
12 months20%8%
Reward floors: Model A minimum reward is 1% (at least 10 SOST per payout). Model B minimum reward is 0.5% (at least 5 SOST per payout). These floors ensure small positions still receive meaningful compensation.

8. Bond Sizing

Model A requires a SOST bond proportional to gold value. The bond percentage decreases as the SOST/gold ratio increases, incentivizing larger positions while managing protocol risk.

Ratio (bps)Bond %Description
< 100 bps25%Low ratio — maximum bond requirement
100 – 500 bps20%Standard ratio
500 – 1,000 bps15%Elevated ratio
1,000 – 5,000 bps12%High ratio
≥ 5,000 bps10%Maximum ratio — minimum bond

The ratio is calculated as (sost_value_usd / gold_value_usd) * 10000 in basis points. Higher SOST-to-gold ratios indicate greater protocol coverage, allowing reduced bond requirements.

9. Anti-Whale Tiers

To prevent concentration risk and ensure broad participation, the protocol applies acceptance limits based on gold position size.

Gold Amount (oz)Acceptance RateEffect
0 – 10 oz100%Always accepted
10 – 50 oz75%Reduced acceptance
50 – 200 oz50%Half acceptance rate
> 200 ozREJECTEDPosition too large — must split
Hard limit: Positions exceeding 200 oz are unconditionally rejected. Large holders must split across multiple contracts (each up to 200 oz). Combined with the 1,000 max active contracts limit, this bounds total protocol exposure.

10. Dynamic Reward Adjustment

Rewards adjust dynamically based on total protocol participation to maintain sustainable rewards from the PoPC Pool.

PUR Formula (Pool Utilization Ratio)

PUR = active_contracts / max_contracts
    = active_contracts / 1000

dynamic_factor = participation_tier_multiplier(PUR)
effective_rate = base_rate * dynamic_factor

Participation Tiers

Active ContractsPUR RangeDynamic FactorEffect
0 – 250 – 2.5%100%Full rewards (bootstrap phase)
26 – 502.6 – 5%75%Slight reduction
51 – 1005.1 – 10%50%Moderate reduction
101 – 20010.1 – 20%30%Significant reduction
201 – 50020.1 – 50%15%Heavy reduction
501 – 1,00050.1 – 100%8%Minimum factor (high utilization)

Example: With 150 active contracts (PUR = 15%), a Model A 12-month base rate of 20% becomes: 20% * 30% = 6% effective annualized rate.

11. Reputation System

Model A custodians build reputation through successful audits. Higher reputation reduces audit frequency, rewarding honest behavior.

StarsStatusAudit ProbabilityRequirements
0New30%Initial state for all custodians
1Established20%1 successful audit cycle
3Trusted10%3 consecutive successful audits
5Exemplary5%5 consecutive successful audits

Audit Mechanics

Audit entropy:  SHA256(block_id || commit || checkpoints_root)
Audit grace:    288 blocks (48 hours)
Slash penalty:  50% to PoPC Pool + 50% to Gold Vault
Blacklist:      After 3 slashes (permanent ban from Model A)

Audit challenges are derived from ConvergenceX entropy (block_id, commit, checkpoints_root), making them unpredictable and tamper-proof. Custodians have a 288-block (48-hour) grace period to respond to an audit challenge before being slashed.

12. Gold Vault Governance

Constitutional governance rules for the Gold Vault. These rules are immutable and enforced at consensus level.

Activation: Gold Vault governance rules GV1–GV4 activate at V15 / block 20,000.
RuleNameDescription
GV1Accumulation OnlyGold Vault funds may only be used to purchase physical gold or tokenized gold (XAUT, PAXG). No other expenditures permitted.
GV2Transparent AccountingEvery Gold Vault transaction must include an on-chain memo referencing the gold acquisition (weight, purity, custodian, or token contract address).
GV3Multi-Signature RequirementGold Vault disbursements require multi-signature authorization. No single key can move Gold Vault funds.
GV4Quarterly Proof of ReservesThe protocol must publish a quarterly proof-of-reserves report linking on-chain Gold Vault balances to verifiable gold holdings (physical receipts or Ethereum token balances).

13. Constitutional Addresses

Hardcoded protocol addresses receiving 25% each of every block reward. These are immutable and enforced by consensus rules CB4 (output order) and CB6 (PKH validation).

RoleAddressAllocation
PoPC Poolsost1d876c5b8580ca8d2818ab0fed393df9cb1c3a30f25% of every block reward
Gold Vaultsost11a9c6fe1de076fc31c8e74ee084f8e5025d2bb4d25% of every block reward

The remaining 50% goes to the miner who solves the block. The PoPC Pool funds all custody rewards (Model A and Model B). The Gold Vault accumulates funds exclusively for gold acquisition under GV1–GV4 governance rules.

Coinbase Split (50/25/25)

q = (subsidy + fees) / 4
miner     = (subsidy + fees) - 2*q    // 50% + rounding remainder
gold_vault = q                         // 25% → sost11a9c6fe1de...
popc_pool  = q                         // 25% → sost1d876c5b85...
Enforcement: Any block deviating from the 50/25/25 split or sending gold/popc funds to addresses other than the constitutional addresses is rejected at consensus level. These addresses cannot be changed without a hard fork.
🎮