Key Insights:
- DTCC selected Canton for US Treasury tokenization, starting with an MVP deployment in 2026.
- Cyprien Grau criticized Canton on December 22 for lacking public verifiability and censorship resistance.
- Canton documentation explicitly positions the network as permissioned with regulatory oversight capabilities built in.
DTCC announced plans to tokenize US Treasuries on Canton Network in mid-December 2025, securing an SEC no-action letter for the service and targeting an MVP launch in 2026.
The selection sparked debate within the crypto community over whether Canton qualified as a genuine public blockchain or more closely resembled a permissioned database with blockchain branding.
Cyprien Grau, lead of Status Network, criticized Canton’s architecture and design philosophy.
At the same time, Canton’s own documentation described the network as deliberately built for institutional finance with privacy and regulatory compliance as core features rather than bugs.
Tokenization Critics Question Canton’s Public Blockchain Claims
Grau argued on December 22 that Canton positioned itself as a public, decentralized chain but operated through super validators that required vetting and approval, creating what he described as “a fully permissioned DAG with no globally verifiable state.”
He stated that the network rejected zero-knowledge proofs as “black box” technology and instead used data sharding with access control lists, which he characterized as “privacy by fragmentation and gated access instead of cryptography.”
The Status Network lead contended that private data observable by higher authorities constituted corporate secrecy rather than genuine privacy.
He added that Canton’s inability to replay or audit full transaction history made it impossible to prove fraud or token supply manipulation cryptographically.
Grau also argued that this design resembled a trusted database more than a blockchain, particularly because regular validators could only observe shards of global state rather than enforce inclusion or fork the chain.
Developer Hanniabu joined the discussion, doubling down on the point that Canton’s DAG architecture lacked a globally verifiable state, preventing anyone from auditing a token against its full transaction history if they suspected inaccurate or malicious behavior.
He noted that Canton’s use of data sharding for privacy could allow colluding parties to reveal private data, in contrast to zero-knowledge proof systems that maintain privacy through cryptographic guarantees.
Grau’s critique extended to Canton’s token distribution, which he stated showed approximately 75% held by team and early investors, with forced buy-in requirements for new participants.
Additionally, he opposed the network’s requirement that users identify themselves before executing transactions, eliminating support for self-custodial or anonymous wallets.
Canton Documentation Confirms Permissioned Design as Intentional Feature
Canton’s own technical documentation and blog posts confirmed many of the architectural choices that drew criticism, framing them as deliberate design decisions suited to regulated financial markets rather than flaws.
The network came from Digital Asset’s DAML stack and explicitly stated in its whitepaper that Canton “has no physical global state,” with nodes only receiving, storing, and processing data relevant to their specific contracts.
The architecture separated transaction validation from sequencing through “sync domains,” where a BFT-style super-validator set sequenced transactions while participant nodes committed changes if their local checks passed.
The Global Synchronizer Foundation, under the Linux Foundation, governed the main public sync domain, with super validators including Chainlink, Coin Metrics, and TRM Labs operating the infrastructure.
Canton published multiple blog posts defending its approach to privacy and observability. One piece, “Enron On-Chain? Why Opaque Blockchain Systems Could Undermine Trust,” argued that full-stack zero-knowledge privacy created excessive opacity that could hide bugs and fraud behind mathematical complexity.
Canton positioned itself as offering privacy plus auditability, with the capability to add regulators as “supervisory nodes” with real-time read access to contracts they oversaw.
The network’s documentation stated that data access was deliberately fragmented, with no single RPC endpoint for reading the entire network, and that viewing a party’s data required connecting to the validator hosting that party’s data.
Canton’s identity management relied on named legal entities rather than pseudonymous addresses, with a topology of identity providers and signing authorities governing network access.
Wall Street Adoption Highlights Tokenization Infrastructure Split
DTCC’s tokenization page listed two networks for its infrastructure: an internal AppChain based on Hyperledger Besu and Canton, which DTCC described as “a public blockchain used at scale in regulated markets, combining institutional-grade privacy with native interoperability.”
The Canton selection came as Broadridge’s Distributed Ledger Repo (DLR) platform, already built on Canton, processed over $8 trillion in monthly repo transactions with average daily volumes in the mid-$300 billion range.
As of December 19, the Broadridge DLR already registered over $6 trillion in daily repo turnover, according to data from rwa.xyz.
The Canton ecosystem includes Goldman Sachs Digital Asset Platform, Euroclear, HSBC Orion, HKEX Synapse, Nasdaq for carbon credits and collateral, Tradeweb’s 24×7 repo application, and Versana for syndicated loans, with participation from major banks including Citi, JPMorgan, Deutsche Bank, Morgan Stanley, and Société Générale.
On the infrastructure side, Coin Metrics, TRM Labs, Elliptic, Nansen, and Kaiko operated as analytics providers and in some cases as super validators.
Canton marketed itself on its website as “the public blockchain chosen by Wall Street” and emphasized openness for builders, with native Canton Coin and comparisons to networks like Solana and Avalanche.
However, institutional reports from GFMA described Canton as “a privacy-centric, permissioned blockchain” where banks ran nodes, shared data only with contract stakeholders, and relied on central coordination for consistency.
The tension between public blockchain branding and the operational reality of permissioned systems formed the core of the debate.
Canton’s FAQ acknowledged that applications could range “from fully permissionless to entirely private,” while noting that meaningful apps for repo, Treasuries, and securities sat behind KYC gates requiring regulatory-grade onboarding.
RWA Tokenization Bifurcates Into Institutional and Public-DeFi Layers
The Canton architecture provided each participant with a verifiable, immutable log of their own contracts and actions, with the protocol designed so all parties to a contract saw a consistent shared state.
However, no single global chain existed that outside observers could download and audit for total supply, cross-app liquidity flows, or censorship patterns, with the “global ledger” existing as a virtual abstraction rather than a physically replicated state machine.
Verification remained conditional on access, meaning regulators, DTCC, or forensics firms could receive observer rights or run super-validator infrastructure to monitor systemic risk and compliance.
Meanwhile, retail investors or independent researchers could not reconstruct the full network without being invited into those privileged views.
This design meant the first trillions of dollars in tokenized securities volume would live on infrastructure that functioned more like a shared, auditable database with programmable contracts than like permissionless DeFi on Ethereum or Solana.
The DTCC-Canton partnership signaled that real-world asset (RWA) tokenization was bifurcating into distinct layers.
On one side was an institutional layer built on networks like Canton and internal appchains, where benefits centered on settlement efficiency, collateral mobility, and regulatory reporting.
On the other side was a public-DeFi layer on Ethereum and Solana, where openness and composability came with greater institutional hesitation around privacy and compliance frameworks.
Canton’s selection by DTCC for tokenizing US Treasuries confirmed that Wall Street’s interpretation of “public blockchain” diverged from crypto-native definitions.
Despite theoretical openness for Canton holders and wallet connections, the network offered institution-controlled infrastructure in which meaningful applications remained gated by KYC and contractual onboarding.
Source: https://www.thecoinrepublic.com/2025/12/23/developers-bash-dtccs-8-trillion-tokenization-infrastructure-pick-over-lack-of-transparency/

