The Hash Timed Locked Contract (HTLC) involves two users, the owner and the verifier, and it allows the owner to commit to a secret and reveal it afterwards, within a given deadline.
The commitment is the SHA256 digest of the secret (a bitstring). At contract creation, the owner specifies the verifier, who will receive the collateral in case the deposit is not revealed within the deadline.
The deadline expires 1000 blocks after the block where the contract has been deployed: if deployment is at block N, timeout
can be called in a block with height strictly greater than N+1000.
After contract creation, the HTLC allows the following actions:
commit
requires the owner to deposits a collateral (at least 1 ETH) in the contract, and records the commitment;reveal
allows the owner to withdraw the whole contract balance, by revealing a preimage of the committed secret;timeout
can be called by anyone only after the deadline, and tranfers the whole contract balance to the verifier.
- commit-auth-owner: If
commit
is successfully called, then the sender must be the owner. - reveal-auth-owner: If
reveal
is successfully called, then the sender must be the owner. - reveal-timeout-after-commit:
reveal
andtimeout
can only be called aftercommit
. - sent-le-init-bal: The overall sent amount does not exceed the initial deposit.
- timeout-deadline: If
timeout
is called, then at least 1000 blocks have passed since the contract was deployed.
- v1: conformant to specification.
- v2: removed check that
commit
can only be called beforereveal
andtimeout
. - v3:
timeout
can be called since block N+999 (included). - v4:
timeout
transfers balance tomsg.sender
instead of verifier. - v5: removed check that
commit
can only be called byowner
. - v6: removed check that
reveal
can only be called byowner
.
commit-auth-owner | reveal-auth-owner | reveal-timeout-after-commit | sent-le-init-bal | timeout-deadline | |
---|---|---|---|---|---|
v1 | 1 | 1 | 1 | 01 | 1 |
v2 | 1 | 1 | 0 | 0 | 1 |
v3 | 1 | 1 | 1 | 0 | 0 |
v4 | 1 | 1 | 1 | 0 | 1 |
v5 | 0 | 1 | 1 | 0 | 1 |
v6 | 1 | 02 | 1 | 0 | 1 |
commit-auth-owner | reveal-auth-owner | reveal-timeout-after-commit | sent-le-init-bal | timeout-deadline | |
---|---|---|---|---|---|
v1 | TP! | TP! | TP! | TN! | TP! |
v2 | TP! | TP! | TN! | TN! | TP! |
v3 | TP! | TP! | TP! | TN! | TN! |
v4 | TP! | TP! | TP! | TN! | TP! |
v5 | TN! | TP! | TP! | TN! | TP! |
v6 | TP! | TN! | TP! | TN! | TP! |
commit-auth-owner | reveal-auth-owner | reveal-timeout-after-commit | sent-le-init-bal | timeout-deadline | |
---|---|---|---|---|---|
v1 | TP! | TP! | TP! | TN! | TP! |
v2 | TP! | TP! | UNK | UNK | TP! |
v3 | TP! | TP! | TP! | TN! | TN! |
v4 | TP! | TP! | TP! | TN! | TP! |
v5 | TN! | TP! | TP! | UNK | TP! |
v6 | TP! | TN! | TP! | TN! | TP! |
commit-auth-owner | reveal-auth-owner | reveal-timeout-after-commit | sent-le-init-bal | timeout-deadline | |
---|---|---|---|---|---|
v1 | TP! | FN | FN | TN | TP! |
v2 | TP! | FN | TN | TN | TP! |
v3 | TP! | FN | FN | TN | TN |
v4 | TP! | FN | FN | TN | TP! |
v5 | TN | FN | FN | TN | TP! |
v6 | TP! | TN | FN | TN | TP! |
Footnotes
-
This property should always be false, since a contract can receive ETH when its address is specified in a coinbase transaction or in a
selfdestruct
. ↩ -
Since the
reveal
transaction is broadcast in the mempool before the transaction is finalized, anyone can read the secret from the mempool and play its ownreveal
transaction. ↩