Institutional liquidity providers cannot deploy capital onto a public rail that exposes their order flow, partial fills, or counterparties to the network. That is the structural fact behind a decade of stalled wholesale tokenisation pilots. The four requirements are well known to anyone who has run a bank desk: sub-transaction privacy by entitlement, deterministic finality, no observable intent ahead of settlement, and no extractive window between a trader pressing send and the trade clearing. Retail-focused chains have layered defences for each of these, but the defences sit above a protocol that broadcasts intent by design. Canton does the opposite. The privacy and atomicity properties live inside the rail.
1. The institutional liquidity problem
A treasury desk hedging a fifty-million-dollar exposure does not want competitors learning the size, the venue, or the counterparty. A market maker quoting both sides of a tokenised treasury cannot afford for inventory shift to be visible mid-trade. A fund custodian settling a delivery-versus-payment leg needs the cash and the asset to move together or not at all. None of these are preferences. They mark the operational floor below which institutional capital cannot legally and competitively transact.
Public chains were not built for this floor. Their default is global broadcast, full transaction visibility, and ordering controlled by parties paid to sequence pending transactions. The pattern works for retail composability. It collides directly with how regulated balance sheets move.
2. Why EVM addresses these defensively
The EVM ecosystem has responded with engineering, not protocol redesign. Flashbots' MEV-Boost separates block building from block proposing so that validators bid on bundles produced by specialised builders, which softens the worst forms of frontrunning. Private mempools such as Flashbots Protect route transactions away from the public mempool. Commit-reveal schemes hide intent until execution. Batched-auction venues such as CowSwap neutralise time-priority races by clearing orders at uniform prices. These mitigations work, and many of them are well engineered. They also operate above the rail, not in it. The base protocol still treats every transaction as a public broadcast, and the mitigation stack assumes adversarial searchers as a constant. An institutional desk evaluating the rail must therefore underwrite both the protocol and the third-party mitigation surface.
3. What Canton does at the protocol layer
Canton's privacy model is documented in the Daml ledger model. Per the Daml SDK documentation: "The privacy model of Daml Ledgers is based on a need-to-know basis, and provides privacy on the level of subtransactions. Namely, a party learns only those parts of ledger changes that affect contracts in which the party has a stake, and the consequences of those changes." Digital Asset's participant node documentation puts the same property more sharply: "Participants see only those parts of a transaction they are entitled to according to the privacy model. For the other parts of a transaction they are not entitled to, the Participants see neither any transaction payload nor metadata like involved Participants or parties."
Two consequences follow. First, sub-transaction privacy is a property of the ledger, not an opt-in feature. A swap between Party A and Party B that depends on a registry held by Party C generates a Daml transaction tree, which the Canton protocol decomposes and distributes to each party only on the nodes where that party is a stakeholder. Party C learns the registry update. Party C does not learn the price. Second, the Global Synchronizer routes encrypted views and coordinates a two-phase atomic commit across the participant nodes. The synchroniser orders and delivers messages and runs the BFT quorum, but as Canton's own technical primer states, it "doesn't see any of the data passing between the validators. It just routes and orders encrypted packages, which it is not able to decrypt." Either every stakeholder validates and the transaction commits in full, or the synchroniser rolls it back. There is no intermediate state to extract from.
That last property has a direct consequence for MEV. OpenZeppelin's research on Canton smart contract security states the obvious: "MEV extraction is not possible because there is no public mempool and the sequencer only sees encrypted payloads. The sequencer cannot reorder based on content it cannot read." Frontrunning, sandwiching, and reorder-based extraction depend on observable pending transactions. Canton does not produce them.
4. Where Canton differs from L1 privacy approaches
Aleo, Aztec, Penumbra, and Namada solve a different problem. They build cryptographic privacy, primarily through zero-knowledge proofs and multi-asset shielded pools, around assets designed to be self-sovereign and pseudonymous. The threat model assumes individual users wanting to hide value movement, and the protocols are optimised for shielded sets, anonymity sets, and selective disclosure to chosen verifiers.
Canton is not built for shielded sets. It is built for a different relationship: regulated entities running their own participant nodes, transacting under named legal identities, where each contract has signatories, observers, and stakeholders whose entitlement is enforced by the Daml engine. Privacy is structural and per-contract, not statistical and per-asset. An institution running a Canton validator can prove to a regulator exactly what it saw and exactly what it did not. A shielded-pool design cannot make the second statement in the same form. Canton's own boilerplate, used in the Visa Super Validator and DTCC announcements, frames the network as "the only public, permissionless blockchain purpose-built for institutional finance," and the architectural reason is the one above.
5. The proof: production institutional users
The case for the rail does not rest on documentation. Goldman Sachs' GS DAP, the bank's tokenisation platform, runs on Daml and Canton. The European Investment Bank used it in November 2022 to issue a hundred-million-euro, two-year digital bond that settled same-day at sub-sixty-second speed, the first fully digitally native bond on a private blockchain. Goldman announced on 18 November 2024 its plan to spin GS DAP out as an industry-owned company, and Global Head of Digital Assets Mathew McDermott confirmed in the $135 million strategic funding round announced on 24 June 2025 that Digital Asset's technology "continues to be foundational to the development and ongoing success of GS DAP."
BNP Paribas runs Neobonds, its primary tokenisation platform, on Daml and Canton. On 25 July 2024, BNP arranged the first Eurozone sovereign digital bond, a thirty-million-euro issuance for the Republic of Slovenia, settled on chain through the Banque de France's DL3S wholesale CBDC system and recorded on Neobonds. Broadridge's Distributed Ledger Repo, also a Canton production deployment, processed an average of $362 billion in daily repo transactions during February 2026, with monthly volumes totalling $6.9 trillion, per Broadridge's 9 March 2026 press release. None of this is a pilot. All of it is live financial market infrastructure.
The DTCC partnership announced on 17 December 2025 extends the pattern. DTCC and Digital Asset are moving toward a controlled production environment in the first half of 2026 to mint a subset of DTC-custodied US Treasury securities on Canton, with phased expansion across DTC-eligible assets to follow.
6. The economic layer
Canton's economic model is governed by the CIP process. CIP-0078, finalised on 15 September 2025, removed Canton Coin transfer fees and rewired the burn pressure entirely toward traffic purchases, which already accounted for 94.8 percent of MainNet burn over the May to August 2025 sample. CIP-0104, approved on 12 February 2026, replaces featured-app activity markers with traffic-based reward attribution measured directly from sequencer and mediator data. The intent is that an application's reward share tracks the actual traffic spent on transactions that change its state, not on marker plumbing. CIP-0098, approved on 7 January 2026, caps per-transaction application reward value at $1.50.
All of these are forward parameters, not yields. A liquidity provider on a Canton AMM can model expected reward attribution against expected traffic, but no figure here should be read as a guaranteed return.
7. A live reference implementation
HelvetSwap is the first atomic AMM on Canton, built on the Quantstamp-audited Splice foundation and live on Canton MainNet since 14 April 2026. The CBTC/CC pool was seeded on 16 April 2026 with bootstrap reserves. Each pool is an independent Daml contract using a full-range x*y=k design with 30 basis points per swap, split 75 percent to LPs and 25 percent to the protocol. Atomic execution happens via a single Daml choice. The Featured App application is under review with the Canton Foundation. Public swapping opens once the grant lands.
8. The next test
Canton 3.5 entered its transition window in April 2026, introducing Logical Synchronizer Upgrades that allow protocol upgrades without network pause, with completion targeted for Q2 2026. The next flow to test the rail is DTCC's controlled-production tokenisation of US Treasury securities, expected within the first half of 2026. When that volume routes into atomic AMM liquidity, the question for institutional desks will not be whether the rail works. It will be how much of their book they want on it.
