Trust & Security
Sailfish is designed so that no single party can move user funds unilaterally. Every state transition requires a verified Echo threshold signature, and all settlement is enforced by on-chain Cardano validators.
Self-Custodial
Assets remain under user control throughout the trading process. There is no deposit into an exchange-controlled address. Sailfish accounts mirror the custody model of Pond Smart Accounts — the same self-custodial guarantees apply.
Every batch of balance changes requires a cryptographic signature from the Echo consensus network. No single participant, and no subset below the threshold, can produce a valid signature.
On-Chain Verification
Settlement happens on Cardano L1, where on-chain validators independently verify:
- The Echo signature is valid and from a current consensus key
- The membership count meets the required threshold
- The balance transitions match the signed snapshot
- The state has not expired
No off-chain claim is taken at face value. The validators reconstruct balances from the actual transaction inputs and outputs, then confirm the Echo signature covers exactly what was reconstructed. Any deviation between what the Echo network signed and what the transaction actually does causes the settlement to fail.
This verification model is conceptually similar to how validity rollups work on other chains — rather than optimistically assuming correctness and relying on fraud proofs, Sailfish verifies correctness at the point of settlement.
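As an added illustration (not Sailfish's or Echo's own code), the following Python model walks through the four validator checks listed above over a constructed batch: it reconstructs balance deltas from the transaction's inputs and outputs and accepts only if they equal the signed snapshot, enough current consensus members signed, and the state has not expired. The consensus key set, the threshold of 3, and the use of HMAC as a stand-in for a real threshold signature are assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed consensus set: member id -> key. Real validators would hold
# public keys and verify a threshold signature; keys here are illustrative.
CONSENSUS_KEYS = {"echo-1": b"k1", "echo-2": b"k2", "echo-3": b"k3", "echo-4": b"k4"}
THRESHOLD = 3  # assumed threshold, not Sailfish's real parameter

def snapshot_digest(snapshot):
    return hashlib.sha256(json.dumps(snapshot, sort_keys=True).encode()).digest()

def sign(member, snapshot):
    # HMAC over the snapshot digest stands in for a real signature (assumption).
    return hmac.new(CONSENSUS_KEYS[member], snapshot_digest(snapshot), "sha256").hexdigest()

def reconstruct_balances(inputs, outputs):
    # Net change per (owner, asset), derived only from the transaction itself.
    delta = {}
    for owner, asset, amt in inputs:
        delta[(owner, asset)] = delta.get((owner, asset), 0) - amt
    for owner, asset, amt in outputs:
        delta[(owner, asset)] = delta.get((owner, asset), 0) + amt
    return {k: v for k, v in delta.items() if v != 0}

def validate_settlement(snapshot, signatures, inputs, outputs, current_slot):
    # Check 4: the signed state must not have expired.
    if current_slot > snapshot["expires_at_slot"]:
        return False, "state expired"
    # Checks 1 and 2: count signatures that verify under a *current* consensus key.
    valid = {m for m, sig in signatures.items()
             if m in CONSENSUS_KEYS and hmac.compare_digest(sig, sign(m, snapshot))}
    if len(valid) < THRESHOLD:
        return False, f"{len(valid)} valid signers, threshold is {THRESHOLD}"
    # Check 3: what the transaction actually does must equal what was signed.
    signed = {(d["owner"], d["asset"]): d["delta"] for d in snapshot["deltas"]}
    if reconstruct_balances(inputs, outputs) != signed:
        return False, "transaction does not match signed snapshot"
    return True, "ok"

# Constructed sample batch: alice buys 10 TOKX from bob for 50 ADA.
SAMPLE_SNAPSHOT = {"batch": 42, "expires_at_slot": 1000, "deltas": [
    {"owner": "alice", "asset": "ADA", "delta": -50},
    {"owner": "alice", "asset": "TOKX", "delta": 10},
    {"owner": "bob", "asset": "ADA", "delta": 50},
    {"owner": "bob", "asset": "TOKX", "delta": -10}]}
SAMPLE_INPUTS = [("alice", "ADA", 100), ("alice", "TOKX", 5), ("bob", "ADA", 20), ("bob", "TOKX", 30)]
SAMPLE_OUTPUTS = [("alice", "ADA", 50), ("alice", "TOKX", 15), ("bob", "ADA", 70), ("bob", "TOKX", 20)]

def sample_signatures(members):
    return {m: sign(m, SAMPLE_SNAPSHOT) for m in members}
```

Changing a single output amount, dropping one signer below the threshold, or presenting an expired snapshot each causes `validate_settlement` to reject, mirroring the "any deviation fails settlement" rule above.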
Self-Withdrawal
If Sailfish or the Echo network ever becomes unavailable, users are not locked out of their funds. A time-locked self-withdrawal process allows users to reclaim their assets directly on Cardano, enforced entirely on-chain.
This is a two-step process:
- Initiate withdrawal — the user signals their intent to withdraw. A time-lock period begins.
- Complete withdrawal — once the time-lock has elapsed, the user reclaims their funds by signing a transaction directly. No cooperation from any operator is required.
This exit mechanism serves the same purpose as Hydra's contestation protocol and the escape hatches found in rollup designs — it ensures that the security of user funds ultimately rests with Cardano L1, not with the availability of any off-chain service.