SmallSwap SmallSwap

FAQs

Plain answers to questions the swap form doesn't.

What is SmallSwap and who runs it?

SmallSwap is an open-source crypto-swap tool, published under AGPL-3.0. The version you're reading right now (v3) is intentionally a tool, not a service: the code is available on Forgejo and any operator can run their own instance. If you're on a hosted instance and want to know who's running it, ask whoever directed you here — and verify against their published fork.

Do I need an account or KYC?

No. There are no accounts. There is no identity verification. You enter a destination address, optionally a refund address, and you swap. The swap itself is the entire interaction — no signup, no email, no phone.

What does it cost?

Each quote shows the breakdown: the network fee (paid to miners/validators), the provider fee (the spread the operator earns), and any partner markup (zero unless you arrived through an affiliate). What you see on the quote page is what you get — no hidden charges added downstream.

What data does the codebase collect about me?

The default v3 codebase doesn't run any analytics, third-party tracking, fingerprinting libraries, or fonts/images from CDNs. It records the swap itself — addresses, amounts, timestamps — because the swap protocol can't work without them. It does not log IP addresses. An operator running a modified fork may add their own logging; their published source code is the only honest answer to what they do.

Is there JavaScript, tracking, or cookies?

No JavaScript. View source if you'd like to confirm — every page is server-rendered HTML. The site sets three cookies and only three: __Host-ss_csrf (CSRF protection, 24h), __Host-ss_theme (your dark/light preference, 1 year), and ss_onion (a per-session token used only when you visit the .onion). None of them identify you across sessions or sites. Tor Browser Safest works without modification.

What's the swap password and what should I do with it?

When you create a swap, the status page shows a long hex password. Save it. It's the only way to recover funds if anything goes wrong — for example, if you didn't provide a refund address and need to claim one later. The password is shown once, never re-displayed, and not recoverable if lost.

Do I have to provide a refund address?

No — the refund address is optional. Most users paste their sending wallet as the refund address, which would link their source-chain wallet to the fact they swapped through us. Leaving it blank avoids that disclosure. If a refund event ever fires on a swap with no refund address on file, return to the swap's status page with your password and provide an address at that point.

What counts as a self-custody address?

A wallet where you hold the keys: hardware wallets (Trezor, Ledger), local wallets (Cake Wallet, Sparrow, Electrum), or any wallet you set up yourself. Not self-custody: centralized exchange deposit addresses (Coinbase, Binance, Kraken), smart-contract wallets (Safe / Gnosis, account-abstraction), delegated addresses, and EIP-7702 wallets. Sending swap output to those addresses will result in loss of funds — the swap engine cannot interact with their custody logic.

What if my swap fails, or I sent the wrong amount?

Sent too little or too late? The swap window is 60 minutes. After it closes, deposits already in flight are refunded to your refund address if you provided one — otherwise you recover via the swap password from the status page. Sent too much? Most operators pay out at the floating rate for the amount received. Wrong destination address? That's the one bell you can't unring — addresses cannot be edited once a swap is created, which is why the self-custody disclaimer is the most important checkbox on the form.

How long until my swap completes?

Typical end-to-end is 5–30 minutes depending on the source-chain confirmation requirements. Bitcoin deposits wait for 1 confirmation (~10 min). Monero deposits wait for 10 confirmations (~20 min). EVM-chain deposits are usually faster. The status page meta-refreshes automatically so you can leave it open.

Are addresses screened against sanctions lists?

The default v3 codebase does not perform any third-party address screening (no OFAC SDN, no TRM Labs, no Chainalysis). Operators running a modified fork may add a screener plugin; if they do, their published source code will show it and the affected error responses will appear in their `/api/v1` documentation. If you want to know what a specific operator does, read their fork — that's exactly what the AGPL license exists for.

Is there a Tor / .onion version?

Yes. The "via Tor" pill in the header links to it. Every page works identically on the .onion — same visual system, same form flow, same no-JS guarantee. Tor Browser Safest is supported without exceptions.

Why isn't there a Terms of Service or Privacy Policy?

Because SmallSwap v3 is a tool, not a service. A Terms of Service binds an operator entity in a specific jurisdiction to specific commitments — we (the people who maintain the codebase) are not running a service we could put behind such a document. The operator hosting the instance you're on may publish their own ToS and privacy policy bound to their entity — if they do, they should link to it here in their fork. If they don't, treat what you see as the entirety of what they've promised.

Where's the source code?

The v3 codebase is published under AGPL-3.0. Under AGPL §13, an operator running a modified version as a network service is required to publish their modifications. If you don't know where to find an operator's fork, ask them — and consider their answer when deciding whether to trust the instance.