Skip to main content
Musubi enforces trust through a multi-party signing model. No single party — including the network operator — can move assets or execute settlements unilaterally. Every settlement requires cryptographic agreement from four independent parties.

Four-Party Settlement Signing

Before any atomic DvP executes, all four parties must authorize:
PartyWhat They AuthorizeTradFi Parallel
Network Operator (Musubi)Validates the trade is compliantExchange/CCP validating a trade
Sender CustodianReleases sender’s source stablecoinCustody bank releasing funds
Market MakerCommits target stablecoin liquidityCounterparty committing to delivery
Receiver CustodianConfirms receipt capabilityCustody bank accepting inbound
If any party refuses or fails to respond, settlement does not proceed and no assets move. This is more conservative than most traditional settlement systems — CLS Bank requires only the two commercial banks to pre-fund; Musubi requires all four participants to explicitly authorize.

Dual Control: Institution + Custodian

Every trade requires two independent authorizations from the sending side:
StepWhoWhatEnforcement
1. Select quoteInstitutionReviews competing quotes, picks the best rateAPI call
2. Authorize movementCustodianCo-signs the quote acceptance, authorizing asset releaseCryptographic co-signature
Neither party can act alone:
  • The institution cannot move assets without the custodian’s co-signature
  • The custodian cannot initiate a trade — only authorize one the institution requested
This maps directly to the maker-checker / four-eyes principle used in institutional operations, enforced by the settlement protocol rather than by internal procedure. The custodian’s co-signature is cryptographic — it cannot be forged, bypassed, or retroactively granted.

Who Holds What Authority

AuthorityHeld ByPurpose
Intent signingInstitutionProves the institution authorized the payment (non-repudiation)
Asset movementCustodianControls when and how much stablecoin leaves custody
Liquidity commitmentMarket MakerCommits target currency for the swap
Trade validationNetwork OperatorValidates compliance, coordinates settlement
The institution proves intent. The custodian controls assets. These are separate keys held by separate organizations — neither can impersonate the other.

Musubi: Coordinator, Not Counterparty

What Musubi DoesWhat Musubi Does NOT Do
Validates order compliance (KYC ref, signatures)Hold or custody any assets
Broadcasts anonymized RFQs to market makersSet or influence FX rates
Coordinates the 4-party settlement signingMove assets without custodian authorization
Executes the atomic DvP transactionAccess participants’ internal systems
Provides settlement confirmationsAct as counterparty to any trade
TradFi parallel: Musubi is to stablecoin settlement what CLS Bank is to FX settlement — it coordinates simultaneous delivery of both currency legs without ever taking ownership. The critical difference: settlement completes in seconds, not hours.

Comparison to Traditional Settlement

AspectTraditional (CLS/Correspondent)Musubi
Who authorizesBank’s internal approval chainCryptographic co-signatures from 4 parties
Settlement guaranteeCLS PvP within settlement windowAtomic DvP — single transaction
Pre-fundingRequired during CLS windowNot required — instant atomic execution
Counterparty riskMitigated by CLS, not eliminatedEliminated — no time gap between legs
Authorization bypassPossible via internal process failureImpossible — cryptographically enforced
Audit trailSWIFT messages + internal logsSingle transaction_hash covering all legs