Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.inkwell.finance/llms.txt

Use this file to discover all available pages before exploring further.

CONFIDENTIAL & PROPRIETARY © 2026 Inkwell Finance, Inc. All Rights Reserved. This document is for informational purposes only and does not constitute legal, tax, or investment advice, nor an offer to sell or a solicitation to buy any security or other financial instrument. Any examples, structures, or flows described here are design intent only and may change.
Pre-alpha vs production. Pages that describe “the operator holds the session-to-ephemeral-key mapping” describe today’s single-operator implementation. Production Dagon will distribute this custody across an Ika 2PC-MPC dWallet network — no single “operator” entity will hold the mapping, and no unilateral disclosure (lawful or otherwise) will be possible without the network agreeing. The two-party composition described here is strengthened, not weakened, by the migration. See Design Philosophy for the full decentralization roadmap.

”This is an unregistered exchange.”

Dagon is a venue — in US taxonomy, this most closely maps to an ATS (Alternative Trading System) under Reg ATS. An ATS requires broker-dealer sponsorship and Form ATS filing. Dagon’s operating entity is working toward that registration. Pre-alpha operation is on devnet only, with no real money at stake. “DEX” in marketing is paired with “confidential matching venue” specifically to avoid the Exchange Act §3(a)(1) unregistered-exchange trap. See Decentralized or not? for the precise shape of the claim.

”Two-party compelled process is novel and unproven.”

Correct and acknowledged. No US court has ruled on a two-party-composition disclosure claim in a crypto context. The closest analogues:
  • ProtonMail / Swiss MLAT: a mail provider responds to valid Swiss process by producing what it has. Users whose privacy depended on extra-legal secrecy were disappointed. Users whose privacy depended on the structural non-retention of plaintext were protected.
  • BBS+ credentials in broader identity systems: signed credentials held by an issuer, presented as blind proofs by users, are a mature primitive.
The novelty is the composition: blind credential + encrypted session + encrypted matching. Legal opinions from counsel cover the design but not a hypothetical adversarial ruling. We do not pretend this is settled.

”OFAC will treat this as a mixer.”

OFAC’s Tornado Cash designation targeted infrastructure whose design had no natural compliance surface. Dagon has a compliance surface (the two-party composition), and every participant holds a credential issued by a KYC’d party. Designation risk is non-zero but structurally lower than Tornado’s. See Is this a mixer? for the per-question diff.

”MAS requires real-time trade surveillance. You can’t do that.”

Correct. Dagon’s operator structurally cannot do real-time trade surveillance because it cannot see orders during matching. What it can do is:
  • Produce aggregate batch statistics (notional, participant count, clearing price) in near-real-time.
  • Respond to compelled process on a per-user basis within a defensible SLA.
  • Publish a post-trade tape with vault-delta per lane (not per user).
Whether this satisfies a given jurisdiction’s market-abuse surveillance obligation is a regulator-specific question. We are in counsel discussions for Singapore (MAS), EU (MiCA), and UAE (VARA); we will publish jurisdictional-fit memos as they close.

”MiCA best-execution and RTS 27/28 require venue comparison data.”

RTS 27/28 obligations apply to authorized CASPs in scope. Dagon’s reporting architecture publishes:
  • Per-batch clearing price p★.
  • Aggregate notional.
  • Per-lane vault-delta (not per-user).
  • Cross-venue comparison benchmarks (against lit CEX reference price).
For a MiCA-authorized investor to route to Dagon and claim best execution, they must be able to justify the route versus alternatives. The comparison data exists; whether a given NCA accepts the justification for blind-matching venues is an open regulatory question.

”VARA § 4.2 surveillance obligations collide with FHE.”

Yes. VARA requires real-time market-abuse surveillance. Dagon’s matching is structurally blind. This is a real unresolved item for DIFC-hosted participation and is tracked in our counsel queue. Possible resolutions:
  • Publish aggregate flow statistics in near-real-time (doesn’t satisfy per-user surveillance).
  • Design a regulator-held override key (changes the composition story).
  • Limit Dagon to jurisdictions that accept post-facto compelled-process response.
We have not picked a resolution. We are not pretending the conflict doesn’t exist.

”What about FINMA’s AMLA Art. 3?”

Swiss AMLA requires identification of the contracting party. Under Dagon’s model, the contracting party is identified (via credentials from an issuer under KYC discipline). The AMLA question is whether a Swiss-licensed entity can route to Dagon while meeting Art. 3 obligations. Current posture: the credential issuer can be a Swiss-licensed party for Swiss users, which routes AMLA compliance through an existing regulated channel. This requires issuer design work that is in progress.

Unresolved items (honest list)

  • Two-party-composition disclosure has no US precedent.
  • VARA real-time surveillance conflicts with FHE matching — no resolution yet.
  • MAS PSA-2019 travel rule obligations need a designed-in response; see MAS critique in our 100-agent review.
  • MLAT flows for foreign jurisdictions are slow; cross-border users should assume disclosure is possible, just not fast.
  • Pre-alpha state means several claims here are gated on Encrypt REFHE shipping production FHE. If that slips, regulatory claims shift too.

Further reading