Dual Authorization: Institution + Custodian
Every trade requires two independent authorizations from the sending side:| Step | Who | What They Do |
|---|---|---|
| 1. Select quote | Institution (your client) | Reviews competing quotes, picks the best rate |
| 2. Authorize movement | You (the custodian) | Co-signs the quote acceptance, authorizing asset release |
How This Differs from Standard Multisig
If you’re used to threshold multisig (2-of-3, 3-of-5), the Canton model works differently:| Standard Multisig (EVM) | Canton 4-Party Approval | |
|---|---|---|
| Signers | Anonymous key holders (any 2 of 3) | 4 named parties with specific roles |
| Threshold | N-of-M (any combination) | All 4 required — no substitutes |
| Ordering | Signatures collected simultaneously | Rolling approval — each party signs sequentially |
| Mechanism | On-chain signature aggregation | DAML choice exercise — each Approve creates an updated contract |
| Visibility | All signers see the same on-chain data | Each party sees only what they’re authorized to see |
| Veto | Any signer can refuse (blocks threshold) | Any of the 4 parties can refuse (blocks settlement) |
Why You See Quotes
On most custody platforms, you sign outbound transactions — you don’t evaluate competing offers. On Musubi, you see all market maker quotes for orders you custody. This is intentional:- You’re the authorization gate for best execution — your co-signature confirms the rate is acceptable
- You can reject a bad quote — if the rate doesn’t meet the cost guard or looks off-market, refuse to co-sign
- Audit trail — your
quote_accepted_attimestamp documents when you authorized the specific rate
The Authorization Flow
Order Proposal Arrives
Your client creates an FX order referencing you as their custodian. The order appears on your system with:
- Target currency and amount (e.g., 100,000 USDCx)
- Target currency (USDCx)
- Receiver institution and their custodian
- KYC/AML clearance reference
- Optional cost guard (
source_amount_max)
Market Maker Quotes Arrive
After you accept the proposal, market makers submit competing quotes. You see all quotes for orders you custody:
You and your client review these independently. The institution selects the best one; you co-sign.
| Quote | FX Rate | USDCx Offered | Valid Until |
|---|---|---|---|
| MM-A | 112.0 | 11,200,000 | 30s |
| MM-B | 8.8950 | 88,950,000 | 30s |
| MM-C | 8.9200 | 89,200,000 | 20s |
You Co-Sign the Quote Acceptance
When the institution selects a quote, the acceptance requires your co-signature:
- Your co-signature authorizes the JPYSC0 release from your custody
- Without your co-signature, the quote acceptance fails and no assets move
- Musubi validates: quote still valid (
valid_untilnot passed), cost guard met, order still PENDING
4-Party Settlement Approval
Your approval from the previous step carries forward into the rolling approval process. The settlement protocol collects the remaining approvals (market maker, receiver custodian) automatically. Once all four have signed, the atomic DvP executes.
Settlement Confirmation
The atomic DvP completes in ~4 seconds. You see the settled order with:
transaction_hash— single proof covering all four legssettled_at— settlement timestamp- Final amounts and executed rate
Receiver Custodian Workflow
As a receiver custodian, your workflow is simpler:- Settlement confirmation arrives — USDCx deposited in your custody by the atomic DvP
- Update client balance — credit the receiver institution’s account
- Reconcile — match
transaction_hash, amounts, and timestamps against your records
What You Can Block
As a sender custodian, you have veto power at two points:| Action | Effect |
|---|---|
| Reject order proposal | Order is cancelled immediately. No quotes are solicited. |
| Refuse to co-sign quote acceptance | Quote acceptance fails. Order remains PENDING until another quote is accepted or it expires. |