Capital markets need discretion by default
Capital markets can't run on a network where every move is public. Positions, counterparties, and strategy would leak to competitors in real time. That's why institutions have stayed out of public blockchains - and why permissioned chains, which solve privacy by isolating organizations, haven't filled the gap either.
Canton is the network that fills it. And if you try to understand it through the usual blockchain mental model, nothing will click. The architecture will feel over-engineered, the vocabulary foreign, the privacy claims like marketing. But Canton isn't complicated. It's just a different shape. Once you see the shape, everything else falls into place.
The shape
Public blockchains start from an assumption most people never question: broadcast everything to everyone, then try to add privacy on top. Canton starts from the opposite assumption: only send transaction data to the parties who actually need it.
Picture a group chat versus a direct message. Public blockchains are the group chat - every message visible to every member. Canton is DMs. When you transact with someone, only the parties to the deal receive the message. Nobody else gets it. They don't "see it but can't decrypt it." They literally never receive it.
What Canton does differently
Three things, on the same network, at the same time.
Atomic settlement across assets. Two transfers happen as one event - if either side fails, neither side moves. This is what made it possible for CantonSwap to execute the first atomic swap between Canton Coin and CBTC, BitSafe's wrapped Bitcoin token: the two assets exchanged in a single, all-or-nothing transaction, with no window where one party held both legs.
On Ethereum this is possible, but custom - each workflow requires a smart contract that defines how the assets interact. On Canton, assets follow a shared model, so different tokens can be composed into atomic settlement without building custom infrastructure for every asset pair.
Multi-party settlement in a single event. Real capital markets deals usually involve more than buyer and seller. A bond trade can include a custodian holding the bond, a cash agent moving the payment, sometimes a regulator receiving a record of the trade. Today these parties coordinate through a chain of separate messages and transactions, with reconciliation in between.
On Canton, all of them act in one event. The custodian's update, the cash transfer, the regulator's record - all happen together, or none of them do.
Privacy by default, with fine-grained visibility. Each party sees only what the contract gives them access to. The buyer doesn't see the seller's other positions. The custodian doesn't see the price unless the contract includes it. The regulator sees only what they're entitled to. Privacy isn't an add-on or a separate pool - it's built into how transactions are shared.
Concretely:
Visible on Canton
- That a transaction occurred between parties
- Timestamp and sequence number
- Aggregate network metrics - throughput, activity
- Each token's issuer, name, and registry metadata
Private on Canton
- The contents - amounts, terms, assets
- Who holds what balance
- The specific parties to any given trade
"Visible" here means visible through the sync domain and tools like Lighthouse Explorer - not public in the Ethereum sense, where anyone with an internet connection can read every balance. The network's heartbeat is open. The specifics of who did what with whom are not.
Other systems can do parts of this. Public blockchains can support atomic and multi-party workflows, but everything is visible. Private systems can support privacy and coordination, but often struggle to connect across organizations without intermediaries. SWIFT enables private messaging, but settlement still happens elsewhere, step by step.
Canton is designed to combine all three in a single system.
That's what made it possible for Tradeweb to settle a US Treasury repo against USDC on-chain in 2025 - something that would be difficult to do on public blockchains without exposing sensitive information.
What this changes
Settlement stops being a process and becomes a single event. No delays, no reconciliation, no capital sitting idle between steps.
Assets can move and settle instantly, then be reused immediately - as collateral, in another trade, or in financing.
And once assets share the same network, they can interact directly. Treasuries, stablecoins, credit - all become composable without intermediaries.
The tradeoff is clear: instead of trusting a decentralized system, you trust accountable institutions. For capital markets, that tradeoff already exists - Canton just makes it operational.
How it works
If most parties on the network can't see most transactions, how does anything get agreed? Three pieces, working together.
Participant nodes are the mailboxes. Each institution runs one, and it holds only the transactions that institution is part of.
The sync domain - on the main public deployment, called the Global Synchronizer - is the post office. It routes each transaction to the right mailboxes, puts every transaction in an agreed order, and timestamps it. It does all this without ever opening the envelope.
Super Validators run the sync domain. They're a known, regulated group, and their job is to keep the post office running. They don't validate the contents of transactions. They ensure ordering, consistency, and that the same asset can't be spent twice.
Who validates a deal
The parties to it.
Every deal on Canton is essentially a small group signing off together: the buyer, the seller, the issuer, and anyone else the deal involves all have to approve before it goes through. Once they sign, the old version of the asset is replaced by the new version - all in a single step.
The people who can see a deal are the same people who validate it. Nobody outside that group sees what's inside the envelope, and nobody outside that group needs to.
What stops cheating
If the parties validate the deal, what stops double-spending or unauthorized issuance? Three layers, working together.
UTXO model. Each asset exists as a discrete contract, owned by specific parties, consumed when spent, replaced by a new one.
The issuer signature. Every token follows a standard called CIP-56. One key rule: the issuer must approve transactions involving their token. This prevents invalid transfers and ensures only one version of a transaction can succeed.
This introduces an explicit dependency: you trust the issuer to enforce the rules correctly. For regulated assets, this is intentional. The issuers on Canton are named, accountable entities: Circle issues USDCx, the Canton-native version of USDC; BitSafe issues CBTC; the Global Synchronizer's Super Validator set issues Canton Coin itself. Wallet infrastructure providers like Loop support CIP-56 directly, so a bank can custody any compliant asset with the same tooling.
The institution behind the issuer. CIP-56 issuers operate under legal, regulatory, and reputational constraints. None of these layers alone is sufficient. Together, they provide privacy, coordinated settlement, and enforceable rules across organizations.
Compliance built into the transfer
On Ethereum, compliance typically happens outside the transaction. KYC is checked at onboarding. Sanctions screening may happen after the transfer. Restrictions are implemented through custom contracts.
On Canton, compliance runs inside the transfer itself.
Because the issuer must approve each transaction, it can enforce rules - KYC, sanctions, jurisdictional limits - before the transfer completes. If a check fails, the transfer doesn't happen.
There's no gap between settlement and compliance. They are the same step.
What this means in practice
A bank holds USDCx, a tokenized Treasury, and Canton Coin in the same wallet, and settles a repo trade atomically against any of them.
An asset issuer writes their token to the CIP-56 spec once. Every wallet and custody provider in the Canton ecosystem can handle it on day one.
A startup builds a DEX, a lending app, or a payments product that works with every CIP-56 token without writing a custom integration for each one.
The model
You trust the issuer of an asset to do their job: not to mint against nothing, not to authorize invalid transfers, to enforce rules correctly.
In exchange, you get atomic multi-party settlement with privacy and embedded compliance.
For regulated instruments - credit, securities, fiat-backed stablecoins - that trust already exists in the legal layer. Canton brings that trust into the transaction layer, where the asset actually moves.
For assets where you don't want to trust an issuer, Bitcoin and Ethereum remain the right tools.
Canton isn't trying to replace them. It's built for a different category - and that category is most of capital markets.
