Skip to main content

Risk Disclosure

ZippySwap is a non-custodial atomic-swap protocol. There is no intermediary and no insurance; you control the keys, you bear the execution risk. Read this page before swapping non-trivial amounts.

Hash Time-Locked Contract (HTLC) basics

Every swap consists of two locks — one on ZippyCoin, one on the destination chain — that share a common SHA-256 hashlock. The user reveals the preimage to claim the destination asset; the LP then uses the now-public preimage to claim the locked ZIPc. If either side fails to lock within the timelock, the funds are refundable to their original owner.

Known failure modes

  • Timelock race. If the destination chain’s timelock is too close to ZippyCoin’s, an LP could lock funds, wait for you to redeem, and then race to refund their side before your preimage propagates. ZippySwap defaults to a 2x asymmetry (longer timelock on the side the user redeems) to avoid this, but you should verify the timelock values shown on the quote before swapping.
  • Fee spikes. A sudden gas-price spike on the destination chain can make redeeming more expensive than the received amount. Your ZIPc lock is still safe (you can refund after timelock), but the swap is dead-in-the-water until fees normalise.
  • LP non-response. Liquidity providers run their own infrastructure. If your LP goes offline after you lock ZIPc but before they lock the destination asset, you must wait for timelock expiry and refund. The UI surfaces a refund button on the swap-history list once expiry is reached.
  • Reorg risk. A deep reorganization on either chain can invalidate your redemption. ZippySwap waits for the chain’s recommended confirmation count before treating a lock as final, but ultimate finality is the chain’s.
  • Oracle staleness. Quotes are built from Pyth Network prices and an on-chain ZIPc/USD TWAP. If either source stalls, the UI labels the quote "stale"; do not swap against a stale price.
  • Address typos. Sends are irreversible. Verify both your ZippyCoin source address and your destination chain address before initiating a swap.

What ZippySwap does not protect against

  • Compromise of your own private keys.
  • Censorship by the destination chain’s validators (e.g. an EVM block builder refusing to include your redeem tx).
  • Smart-contract bugs in the destination-chain HTLC. The ZippySwapHTLC.sol contract is open-source and pending audit.
  • Regulatory action targeting the destination asset (e.g. a stablecoin freeze).

Audit status

The ZippySwapHTLC contract is unaudited as of this release. Independent review is in progress; until then, do not swap amounts you cannot afford to lose to a contract bug. The ZippyCoin-side HTLC primitive is part of the ZippyCoin core protocol and is covered by that protocol’s security model.

Bottom line

Atomic swaps eliminate counterparty custody risk but not execution risk. Start small. Verify timelocks and addresses. Don’t swap stale quotes.