Held custody vs. atomic swaps: two safety models for AI agent trades

Baris Sozen opens by noting that several teams shipped production MCP tools in June 2026 enabling agents to run a full commit → hold → complete lifecycle without human involvement — a genuinely new capability in agent infrastructure. He then draws a sharp distinction between two safety primitives that are frequently conflated: held custody and atomic (no-custody) settlement.

In the held-custody model, a third party — a smart contract escrow, a custody service, or a payment facilitator — takes funds, holds them, and releases them when a specified condition is met.

In the held-custody model, a third party — a smart contract escrow, a custody service, or a payment facilitator — takes funds, holds them, and releases them when a specified condition is met. That condition can be a delivery confirmation, an evaluator's attestation, a timeout, or a multi-sig approval. Sozen argues this is the correct primitive when delivery is subjective, off-chain, or unfolds over time, such as agent-to-merchant payments or hiring another agent for a unit of work. The tradeoff is concrete: a held balance is a honeypot, and the custodian must remain online, solvent, and honest at release time — a real trust assumption and liveness dependency.

The no-custody model uses hash-time-locked contracts (HTLCs), where both legs of a trade are locked to a single hash preimage. Revealing the preimage unlocks every leg simultaneously; withholding it triggers a full refund. There is no escrow account, no release decision, and no third party ever holding the funds. Sozen identifies this as the right tool for two non-trusting agents exchanging on-chain assets — particularly cross-chain swaps — where the critical risk is one leg settling without the other. The honest limit of atomicity is that it cannot judge subjective delivery, stream payments against partial work, or resolve off-chain disputes. Sozen presents Hashlock as the no-custody side of this stack: a sealed-bid RFQ fused with HTLC atomic settlement, exposed to agents through an MCP server with six tools. He notes Ethereum mainnet is live end-to-end, Bitcoin is signet-validated with mainnet pending, and Sui contracts are deployed and CLI-tested with gateway wiring in progress.

Key facts

1. 01Two structurally different safety models exist for agent trades: held custody (a third party holds and releases funds) and no custody (HTLC atomic swaps).
2. 02Held custody is suited for subjective, off-chain, or time-extended deliverables such as agent-to-merchant payments or hiring an agent for work.
3. 03The cost of held custody is a trust assumption and liveness dependency: the custodian must be online, solvent, and honest at release time.
4. 04In the no-custody HTLC model, both legs of a trade lock to a single hash preimage — the trade clears atomically or unwinds completely, with no third party ever holding funds.
5. 05HTLCs cannot judge subjective delivery, stream payments against partial work, or resolve off-chain disputes.
6. 06Hashlock is described as a no-custody implementation: sealed-bid RFQ fused with HTLC atomic settlement, exposed to agents via an MCP server with six tools.
7. 07Hashlock's chain status: Ethereum mainnet is live end-to-end; Bitcoin is signet-validated with mainnet pending; Sui contracts are deployed and CLI-tested with gateway wiring in progress.

Topics