Wrapped ETH on Canton
Atomic swaps let two people trade across chains without trusting anyone. But a swap needs a counterparty: someone on the other side who wants the opposite trade, at the same time, for the same amount. cETH removes that requirement. Instead of trading your ETH for someone else's Canton asset, you move the ETH itself onto Canton. Lock it in a vault contract on the EVM side, and you receive cETH, a Canton token backed one-for-one by the locked ETH and redeemable for it at any time. The same mechanism extends to any EVM-native asset, including ERC-20 tokens.
Wrapped assets are an old idea with a bad track record: bridges are the most attacked contracts in crypto, and most wrapped tokens carry an uncomfortable amount of trust in whoever runs the bridge. So the design goal for cETH was narrow: make the operator as powerless as possible. The operator committee can mint against real deposits and co-sign withdrawals. It cannot touch a balance you already hold.
The safety property Canton makes possible
Canton contracts are written in Daml, where every contract has a fixed list of signatories: parties whose authority is required for any action that touches it. Every cETH Holding is deliberately signed by both the bridge admin and the owner. Neither can act alone: the admin cannot archive, transfer, freeze, or burn your holding without your key, and you cannot mint without the bridge's. Seizure and censorship of existing balances aren't policies the operator promises to avoid; they're actions the ledger will not accept.
This is enforced by Canton's validators, not by application code. It's the same reason we chose protocol-level multisig for the wallet: guarantees that live in the protocol survive bugs in everything above them.
Enroll once
The dual-signatory rule creates a chicken-and-egg problem: if every holding needs your signature, how does anyone mint or transfer to you while you're offline? The answer is a one-time TransferPreapproval, a small contract you sign once to establish standing consent to receive. From then on, mints and incoming transfers carry your authority through the preapproval. Sign once, receive forever.
Wrapping: ETH in, cETH out
- You send ETH to the vault's
lockfunction, naming your Canton party as recipient. The vault holds the ETH and emits aLockedevent. - The bridge's watcher observes the event and waits for Ethereum finality.
- The watcher exercises
MintIntoon your preapproval, creating yourHoldingalong with aMintRecord, an audit row binding the mint to the exact Ethereum transaction that funded it.
Every mint is traceable to its deposit, so anyone with ledger access can verify that cETH in circulation is matched by ETH in the vault. And if a mint never lands (say you locked funds before enrolling), the vault has a 30-day refund path that returns the deposit to the original depositor. No stranded funds.
Moving it around
cETH is a standard CIP-56 token. It transfers through the same token-standard registry API as Canton Coin, shows up in any compliant wallet, and composes with anything built against the standard. That is the point: wrapped assets are only useful if the rest of the ecosystem can treat them like any other token.
Unwrapping: cETH in, ETH out
Burning is owner-initiated: you're a signatory of your own holdings, so no admin is needed to start. You choose an amount (the wallet coin-selects across your holdings and returns change, like any UTXO system) and an Ethereum address to receive the funds.
| Step | Where | What happens |
|---|---|---|
| 1 | Canton | You exercise BurnFrom: input holdings are archived, one BurnReceipt is created with a canonical hash computed on-chain |
| 2 | Canton | Each bridge operator independently recomputes the receipt hash and signs it with its own Ethereum key, publishing the signature back to the ledger |
| 3 | Ethereum | Once enough signatures exist, anyone can call the vault's unlock with the receipt and signatures |
| 4 | Ethereum | The vault recomputes the hash itself, verifies the operator signatures, checks it hasn't paid this receipt before, and releases the ETH |
The receipt hash is computed three times by three independent parties: on Canton when the burn commits, by each operator before signing, and by the vault inside unlock. All three must agree byte for byte. Replay protection is simply the vault refusing a hash it has already paid. Notice what's not required: no operator ever holds your funds in transit, and the final Ethereum transaction can be submitted by anyone, so no single relayer can hold a withdrawal hostage.
The trust model, honestly
What you trust the operator committee for: minting only against real, finalized deposits, and co-signing your withdrawals promptly. What you don't need to trust it for: custody of your Canton balance (dual signatories), correctness of a withdrawal (the vault verifies everything itself), or getting your deposit back if things stall (the refund path).
Today the bridge runs with a small operator set while the M-of-N committee machinery is hardened, and we treat it accordingly, with conservative limits and small amounts. The design scales to a threshold committee where any minority of operators can fail or misbehave without affecting funds, and operator keys can be rotated on-chain.
The larger goal is simple: Canton is where regulated, tokenized assets are settling; Ethereum is where crypto's liquidity lives. cETH is the pipe between them: the most liquid assets in crypto, available as collateral on Canton, held under a model where the bridge can't touch your balance.