Protocol Architecture
Lombard's architecture distributes trust across multiple independent parties, ensuring that custody, verification, and authorization all operate through cryptographic coordination rather than single points of control. This page provides an overview of each component and how they work together.
Components
Lombard's architecture consists of five core components:
Lombard Ledger — The BFT appchain where the Security Consortium coordinates and authorizes operations.
CubeSigner — Hardware-backed key management that protects cryptographic keys
Bascule Drawbridge — Independent verification layer that cross-checks consortium actions
Smart Contracts — The token contracts deployed on each supported chain
Trustless Relayer — Infrastructure services that facilitate communication between networks
Lombard Ledger
The Lombard Ledger is the coordination layer at the heart of Lombard. It's a Cosmos-based appchain running CometBFT consensus, operated by the Security Consortium.
The Ledger serves as the single source of truth for all Lombard operations. It tracks every BTC deposit, every LBTC mint, every redemption, and every cross-chain transfer. Before any tokenized asset can be minted onchain, the Ledger must first record and authorize that mint.
The Ledger also acts as the platform for collecting and distributing yield.
What the Consortium Does
The Security Consortium performs five core functions through the Ledger:
1. Create deposit addresses. When you request to stake, the Consortium creates a new Bitcoin address managed by CubeSigner.
2. Verify deposits. Consortium members independently verify that your BTC deposit exists on the Bitcoin network, has 6 confirmations, and matches the expected amount and address.
3. Stake and unstake BTC. The Consortium selects Finality Providers and manages staking/unstaking operations with Babylon.
4. Mint and burn tokenized assets. After verifying deposits, the Consortium authorizes minting (e.g. LBTC). For redemptions, the Consortium authorizes burns and processes payouts.
5. Pay out unstaked BTC. Once BTC is unstaked (if necessary), the Consortium handles sending native BTC back to users.
Every action requires signatures from two-thirds of Consortium members.
→ How the Security Model protects these operations
CubeSigner
CubeSigner is the key management platform built by Cubist that protects all cryptographic keys in the Lombard system. Keys are generated and stored in Hardware Security Modules (HSMs), they never leave secure hardware.
This means no one, not Consortium members, not Lombard, not even Cubist, can see or extract private keys. When a signature is needed, the HSM performs the operation internally and returns only the signed result.
Beyond protecting keys, CubeSigner enforces policies that control how keys can be used: who can sign, what types of transactions, under what conditions. These policies run in hardware and can't be bypassed through software attacks.
Bascule Drawbridge
The Bascule Drawbridge is an independent verification layer operated by Cubist. It provides a second check on all consortium operations — if the consortium's verification had a bug or was compromised, Bascule would catch it.
For deposits (Bascule): Before any mint, Bascule independently verifies that the BTC deposit exists on the Bitcoin network with 6 confirmations. Minting requires valid signatures from both the Consortium and Bascule.
For withdrawals (Reverse Bascule): Bascule monitors redemption events on supported chains. Before CubeSigner authorizes a BTC payout, the Reverse Bascule verifies that the corresponding LBTC was actually burned.
This creates defense in depth, an attacker would need to compromise both the Consortium and Bascule simultaneously.
Smart Contracts
LBTC and BTC.b is deployed as a standard token on each supported blockchain; ERC-20 on Ethereum, BEP-20 on BSC, and equivalent standards elsewhere.
The contracts include:
Minting logic. Creates new supply after authorization from both the Security Consortium and Bascule. Supports individual and batch minting.
Redemption logic. Burns LBTC and records the user's Bitcoin address for payout.
Bridge integration. Chainlink CCIP integration for cross-chain transfers, requiring authorization from both the Consortium and Chainlink.
Consortium verification. Multi-sig contract that validates all authorizations are signed by two-thirds of members.
Safety features. Pausable functions for emergency response, two-step upgrades with timelocks.
Trustless Relayer
The Trustless Relayer is a set of infrastructure services that facilitate communication between blockchain networks and automate routine operations.
The Relayer handles:
Deposit monitoring. Watches the Bitcoin network and reports Lombard-related deposits to the Ledger.
Bridge event monitoring. Monitors supported chains for CCIP bridge events and reports them to the Ledger.
Auto-mint. Automatically mints LBTC for depositors after Consortium authorization, so users don't have to submit a separate transaction.
Address registry. Records all Lombard deposit addresses on-chain (on Base) for Proof of Reserve validation.
Staking operations. Requests stake/unstake operations on the Ledger (temporary until automation is built into the Ledger).
The Relayer has limited privileges (Operator and Claimer roles) — it can facilitate operations but cannot authorize mints or move funds without Consortium approval.
How It All Connects
When you stake BTC, here's how the components work together:
1. You request a deposit address → Ledger creates it via CubeSigner
2. You send BTC → Relayer detects and reports to Ledger
3. Consortium members verify → Ledger records notarization
4. Bascule independently verifies the deposit
5. Ledger authorizes mint → Smart Contract mints tokens
6. Relayer auto-mints to your wallet (or you claim manually)
For redemptions, the flow reverses: Smart Contract burns → Ledger records → Reverse Bascule verifies → CubeSigner authorizes → BTC sent to your address.
Next Steps
Security Model — Deep dive into how each component protects user funds
Deployed Contracts — Contract addresses across all chains
Last updated