Hashlock exposes HTLC atomic settlement to AI agents via MCP
Baris Sozen argues that AI trading agents built on custodial exchanges inherit old trust risks, and introduces Hashlock — an MCP server that lets agents settle cross-chain swaps atomically using HTLCs, so no custodian ever holds the funds.
The post identifies that normalizing custodial agent trading at scale compounds key-leakage and fund-drain risk with every new connection, and Hashlock's MCP-exposed HTLC settlement offers an alternative shape where there is no custodied balance for a bad actor to take.
Baris Sozen opens by observing that a new pattern has emerged: AI assistants connected to exchange accounts that can place trades autonomously. While convenient, he argues this approach layers a smart agent on top of an unchanged custodial trust assumption — the exchange still holds the funds and can freeze, limit, or lose them, and every custodial API connection becomes a standing key and a standing target.
The post contrasts this with trust-minimized atomic settlement via Hashed Timelock Contracts (HTLCs). In an HTLC swap, both parties lock their assets against the hash of a secret; to claim, a party must reveal the preimage, which simultaneously exposes it for the counterparty to claim on the other chain. The result is that either both legs settle with the same secret, or neither does and both refund after a timelock — no window where one party holds both assets, and no custodian holding either. Sozen is careful to note that custodial rails have a legitimate role for payments involving subjective judgment (e.g., did the work get delivered), citing x402, which crossed 160M cumulative payments, as a purpose-built tool for that case. Atomic settlement is reserved for the case where two parties are simply swapping different assets and the only question is whether both sides delivered.
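The settle-or-refund behaviour described above, as an added example that is not code from the post or from Hashlock: an in-memory Python model of the two HTLC legs. The party names, amounts, clock values and the rule that the secret holder's own lock expires later are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class HTLC:
    """One leg of a swap, modelled in memory (not a real on-chain contract)."""
    sender: str
    recipient: str
    amount: int
    hashlock: bytes                   # SHA-256 digest of the secret
    timelock: int                     # time from which the sender may refund
    state: str = "locked"
    revealed: Optional[bytes] = None  # preimage becomes public once claimed

    def claim(self, who: str, preimage: bytes, now: int) -> bool:
        ok = (self.state == "locked" and who == self.recipient
              and now < self.timelock
              and hashlib.sha256(preimage).digest() == self.hashlock)
        if ok:
            self.state, self.revealed = "claimed", preimage
        return ok

    def refund(self, who: str, now: int) -> bool:
        ok = self.state == "locked" and who == self.sender and now >= self.timelock
        if ok:
            self.state = "refunded"
        return ok

def open_swap(secret: bytes):
    """Both legs share one hashlock. Assumption: the secret holder's own lock
    (leg_a) expires later, so the counterparty has time to reuse the preimage."""
    h = hashlib.sha256(secret).digest()
    leg_a = HTLC("alice", "bob", 10, h, timelock=200)   # Alice locks on chain A
    leg_b = HTLC("bob", "alice", 500, h, timelock=100)  # Bob locks on chain B
    return leg_a, leg_b

def settle(secret: bytes):
    leg_a, leg_b = open_swap(secret)
    leg_b.claim("alice", secret, now=50)         # Alice's claim reveals the secret
    leg_a.claim("bob", leg_b.revealed, now=60)   # Bob reuses it on the other chain
    return leg_a.state, leg_b.state

def abandon(secret: bytes):
    leg_a, leg_b = open_swap(secret)             # nobody reveals the preimage
    leg_b.refund("bob", now=100)
    leg_a.refund("alice", now=200)
    return leg_a.state, leg_b.state
```
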
Sozen introduces Hashlock as a concrete implementation: it fuses sealed-bid RFQ with HTLC atomic settlement and exposes the full flow to agents as an MCP server with a small set of tools, so an agent can request a quote, get matched, and settle a cross-chain swap without any party ever custodying the funds. As of the post, Ethereum mainnet is live end-to-end, Bitcoin is signet-validated, and Sui is deployed and CLI-tested. The source text is truncated before further details.
Key facts
- 01 Connecting AI agents to custodial exchanges adds autonomous trading but does not remove the underlying trust assumption — the venue still holds the keys and balance.
- 02 Hashed Timelock Contracts (HTLCs) allow two parties to lock assets so that either both legs settle atomically or both refund after a timelock, with no custodian in between.
- 03 In an HTLC swap, revealing the preimage on one chain exposes it for the counterparty to claim on the other, eliminating any window where one party holds both assets.
- 04 The post distinguishes custodial rails (appropriate for payments requiring subjective judgment) from atomic settlement (appropriate for pure asset swaps with no subjective element).
- 05 x402 is cited as having crossed 160M cumulative payments as an example of a purpose-built custodial payment rail.
- 06 Hashlock fuses sealed-bid RFQ with HTLC atomic settlement and exposes it to agents as an MCP server.
- 07 Ethereum mainnet is live end-to-end; Bitcoin is signet-validated; Sui is deployed and CLI-tested.
Summary and scoring are generated automatically from the original article. Last processed Jun 16, 2026 · 23:11 UTC.