6 min readJuly 9, 2026

Designing Cross-Chain Authority and Supply Integrity for Stablecoins

a stablecoin issuer

Architecture and technical leadershipGovernance, risk, and market structure

Context

A stablecoin issuer wanted to extend an established asset into an additional execution environment. The visible part of that work was an asset bridge: users should be able to move economic value between an EVM network and an SVM network without breaking the relationship between the representations. The less visible part was a distributed control system. Minting, burning, pausing, upgrading, and recovering from message failure would now depend on authority and evidence crossing two environments with different account models, transaction semantics, and operational conventions.

Treating the work as token transport alone would have left the most consequential questions unanswered. A message can be authentic yet authorize the wrong action. Supply can reconcile globally while one network retains an unintended local control path. An upgrade can be safe in one environment but create an incompatible verifier expectation in the other. The architecture therefore had to describe who could cause state to change, what each network could prove about the other, and how the system would fail when those proofs or messages were unavailable.

Challenge

The core challenge was cross-network authorization semantics. The system needed to preserve a single economic asset while distributing execution across two very different runtime models. Each side had its own representation of ownership and program authority, but neither side could be allowed to make unilateral assumptions about the other's state.

That created several coupled constraints. Supply invariants had to hold through retries, delayed delivery, and partial failure. Governance actions had to be distinguishable from ordinary asset movement. Upgrade authority had to remain coherent when implementations evolved at different speeds. Verifier changes could not silently widen the set of messages that were accepted. Operational controls had to contain a fault without turning a local incident into a network-wide loss of control.

The hard cases sat between components rather than inside them: a valid message arriving after a pause, an upgrade changing the interpretation of an in-flight instruction, or a recovery procedure restoring liveness while accidentally permitting duplicate execution. Those cases required EVM and SVM treatment with equal architectural seriousness. Neither environment could be reduced to an adapter around the other.

Approach

We began with an authority map rather than a contract diagram. For every state-changing action, we identified its origin, the evidence required at the destination, the state transition it permitted, and the party responsible for recovery if the transition could not complete. This separated asset-transfer messages from governance messages and made implicit trust assumptions reviewable.

We then defined end-to-end invariants. Asset movement had a conservation model covering issuance, destruction, and representations in transit. Message handling had explicit uniqueness and ordering expectations. Governance actions required a narrower authorization path than routine transfers. Upgrade procedures included compatibility checks for both the message format and the destination's interpretation of it. The point was not to assume reliable delivery, but to make delayed, duplicated, rejected, and out-of-order messages safe to reason about.

Failure containment shaped the component boundaries. A problem with one route needed a bounded response that did not grant broader authority elsewhere. Pausing and recovery were modeled as state transitions with clear preconditions, not as operational improvisation. Monitoring was tied to the invariants: changes in supply state, unexpected authorization attempts, verifier lifecycle events, and unresolved messages were signals for investigation rather than isolated dashboard counters.

The design review compared equivalent responsibilities across both runtimes. On the EVM side, that meant tracing calls, ownership, proxy or upgrade behavior, and message verification. On the SVM side, it meant tracing account constraints, signer and program-derived authority, instruction validation, and upgrade control. The resulting architecture expressed shared guarantees while respecting the mechanics of each environment.

Decision and control model

The final design material was organized around decisions the operator would need to make over the system's life: how a new route becomes trusted, how a verifier change is introduced, how an upgrade remains compatible, what evidence permits recovery, and what conditions justify restricting movement. Each decision was linked to an invariant and an observable signal.

This made governance part of the bridge rather than an administrative layer around it. It also created a review surface for security and operations teams without exposing sensitive deployment data. The model described responsibilities and failure modes, while deliberately omitting live routes, addresses, private authority arrangements, and verifier configuration.

Outcome

The architecture treats asset movement and governance movement as one system. Supply integrity, authorization, upgrades, verification, monitoring, and recovery are connected through explicit invariants. Implementation teams work from shared control objectives rather than reconciling design independently.

The design makes trust boundaries visible and exceptional paths explicit. Cross-network authority is constrained before value moves. Both runtimes can be reviewed against the same control objectives. Failures that bypass conventional bridge-custody risk are identified.

What this demonstrates

Cross-chain work is protocol architecture and governance design at the same time. Matariki's method is to start with authority, invariants, and failure containment, then map those guarantees into the native mechanics of each runtime. That approach is useful wherever an asset, instruction, or administrative decision must cross networks without creating an unexamined control surface.

Confidentiality

This account is intentionally generalized. It does not identify the issuer or disclose live routes, addresses, endpoint identifiers, verifier configuration, governance structures, deployment dates, or private operating procedures.

Related

Related work

Work with us

Apply this thinking to a live system.

Speak with Us