The collapse of FTX has severely damaged user confidence in centralized crypto exchanges. Most investors eventually realized the importance of owning the keys to their digital assets and moved record amounts of tokens from exchanges to non-custodial wallets.
These events have created an urgent push for centralized exchanges to provide credible evidence that they hold more assets than liabilities. In a blog post on November 19th, Ethereum co-founder Vitalik Buterin analyzed the cryptographic methods exchanges have deployed to date to become trustless, including the limitations of those methods.
He also proposed new methods for centralized exchanges to achieve trustlessness, including zero-knowledge succinct non-interactive arguments of knowledge (ZK-SNARKs) and other advanced techniques.
Balaji Srinivasan (general partner at a16z and former Coinbase CTO) and people from Binance, Coinbase, Kraken, and a16z contributed to the post.
Proof of solvency with balance lists and Merkle trees
In 2011, Mt. Gox was one of the first exchanges to provide proof of solvency by transferring 424,242 BTC from cold wallets to pre-announced Mt. Gox addresses. It was later revealed that the transaction could be misleading, as the transferred assets may not have been moved from cold wallets.
In 2013, discussion started regarding how an exchange could prove the total size of user deposits. The idea was that if an exchange could prove its total user deposits, or total liabilities (proof of liabilities), and ownership of an equivalent amount of assets (proof of assets), then the exchange's solvency would be proven.
In other words, if an exchange can prove that it has assets equal to or greater than its users’ deposits, it can prove that it has the ability to repay all users in the event of a withdrawal request.
The easiest way for an exchange to prove its total user deposits was to publish a list of usernames and their account balances. However, even if the exchange published only a list of hashed usernames and balances, this violated user privacy. The Merkle tree method was therefore introduced to allow validation of large data sets without publishing them in full.
The Merkle tree method inserts the table of user balances into a Merkle sum tree. In this tree, each node or leaf is a balance-hash pair. The lowest layer of nodes contains the hashes of individual user balances and salted usernames. Moving up the tree, each node carries the sum of the balances of the two nodes below it and the hash of those two nodes.
Compared to public lists of names and balances, the Merkle tree method limits privacy exposure but does not eliminate it, Buterin writes. An attacker who controls a large number of accounts on an exchange could gain significant knowledge about the exchange's users, he added.
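To make the Merkle sum tree concrete, here is an added example in Python (not code from the article or from Buterin's post): it builds the tree from constructed sample balances, produces one user's inclusion proof, verifies it against the published root, and shows the privacy caveat that a proof exposes the sibling's balance. The exact hash layout, the padding leaf, and the sample users and salts are assumptions made for this example.

```python
import hashlib
def leaf(username, balance, salt):
    # Leaf node = (balance, hash of salted username and balance); the salt stays private to the user
    h = hashlib.sha256(salt + username.encode() + balance.to_bytes(8, "big")).digest()
    return (balance, h)

def parent(left, right):
    # Parent node = (sum of child balances, hash over both children's balances and hashes)
    (lb, lh), (rb, rh) = left, right
    h = hashlib.sha256(lb.to_bytes(8, "big") + lh + rb.to_bytes(8, "big") + rh).digest()
    return (lb + rb, h)

PAD = (0, hashlib.sha256(b"pad").digest())  # filler leaf when a level has an odd node count (assumed layout)
def build_tree(leaves):
    # Returns all levels, leaves first; every non-root level is padded to even length
    levels, lvl = [], list(leaves)
    while True:
        if len(lvl) > 1 and len(lvl) % 2:
            lvl = lvl + [PAD]
        levels.append(lvl)
        if len(lvl) == 1:
            return levels
        lvl = [parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)]

def inclusion_proof(levels, idx):
    # Sibling node at every level plus whether the user's node is the right child
    proof = []
    for lvl in levels[:-1]:
        proof.append((lvl[idx ^ 1], idx % 2 == 1))
        idx //= 2
    return proof

def verify(leaf_node, proof, root):
    # Recompute the path to the root; every balance on the path must be non-negative
    node = leaf_node
    for sib, is_right in proof:
        if node[0] < 0 or sib[0] < 0:
            return False
        node = parent(sib, node) if is_right else parent(node, sib)
    return node == root

def balances_revealed(proof):
    # Privacy caveat: each sibling in the proof leaks a neighbour's balance or a subtree total
    return [sib[0] for sib, _ in proof]

# Constructed sample data (not from the article): three users with fixed salts
USERS = [("alice", 50, b"salt-a"), ("bob", 30, b"salt-b"), ("carol", 20, b"salt-c")]
LEAVES = [leaf(u, b, s) for u, b, s in USERS]
LEVELS = build_tree(LEAVES)
ROOT = LEVELS[-1][0]  # (total liabilities, root hash) is what the exchange publishes
```

With this layout alice's proof contains bob's leaf, so she learns bob's balance directly, which is the leakage the article describes and the reason Buterin points to ZK-SNARK-based schemes.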
Buterin also said:
“…The Merkle tree method is just as good as any proof-of-liabilities scheme when the only goal is to achieve proof of liabilities. However, its privacy properties are still not ideal.
You can go a little further by using Merkle trees in a smarter way: make each satoshi or wei a separate leaf. But in the end, with more modern technology, there are even better ways to do it.”
The exchange puts all user balances into a Merkle tree or KZG commitment and uses a ZK-SNARK to prove that all balances are non-negative and add up to the total deposit amount the exchange claims. Adding a layer of hashing improves privacy, so that exchange users cannot learn anything about other users' balances.
“In the long term, this kind of ZK proof of liabilities could be used not only for customer deposits on exchanges, but also for broader lending.”
In other words, borrowers can provide ZK proofs to lenders to ensure that borrowers don’t have too many outstanding loans.
Using Proof of Assets
The simplest version of proving the exchange’s own assets was the method adopted by Mt. Gox. Exchanges simply move assets at pre-agreed times or in transactions where the data field indicates which exchange owns the asset. Exchanges can also avoid gas fees by signing off-chain messages.
However, there are two major problems with this technique: cold storage and the dual use of collateral. Most exchanges keep the bulk of their assets in cold storage to keep them safe, which means that “even creating one additional message to prove control of an address is an expensive operation!” Buterin wrote.
To address the issue, Buterin said exchanges could use several public addresses in the long run. Exchanges can generate several addresses, prove ownership once, and use the same address repeatedly. However, this comes with the challenge of maintaining privacy and security.
Alternatively, an exchange may have a large number of addresses and prove ownership of a few randomly selected ones. In addition, exchanges could use a ZK proof to protect privacy while providing the total balance across all of their on-chain addresses, said Buterin.
The second issue is preventing exchanges from swapping collateral between each other to fake solvency. Buterin said:
“Ideally, proof of solvency would happen in real time, with proofs updated on a block-by-block basis. If this is not practical, the next best thing would be to coordinate on a fixed schedule across different exchanges: ‘We will prove our reserves every Tuesday at 1400 UTC.’”
The final issue is providing proof of assets for fiat currency. Crypto exchanges hold both digital assets and fiat currencies. According to Buterin, fiat balances cannot be cryptographically verified, so exchanges will have to rely on a “fiat trust model” to provide proof of assets. For example, the bank holding fiat currency for an exchange can attest to the available balance, and an auditor can attest to the balance sheet.
Alternatively, the exchange could be split into two separate entities: one that handles asset-backed stablecoins and one that handles the bridge between fiat and cryptocurrency. Buterin said:
“Because USDC’s ‘liabilities’ are just an ERC20 token on-chain, proof of liabilities comes ‘for free’ and only proof of assets is required.”
Using Plasma and Validium
Exchanges can use Plasma to make it impossible for the exchange to steal or misuse customer funds. A popular scaling solution in the Ethereum research community in 2017-2018, Plasma splits balances into separate tokens. Each token is assigned an index and occupies a specific position in the Plasma block’s Merkle tree.
But since the advent of Plasma, ZK-SNARKs have emerged as a “more viable” solution, says Buterin. The modern version of Plasma is Validium, which works the same way as a ZK rollup except that data is stored off-chain. However, Buterin warns:
“In Validium, the operator has no way to steal funds, but depending on the details of the implementation, some amount of user funds could get stuck if the operator disappears.”
Disadvantages of full decentralization
The most common problem with fully decentralized exchanges is that users can lose access to their accounts if they are hacked, forget their password, or lose their device. Centralized exchanges can solve this problem with email recovery and other advanced forms of account recovery, because they know their customers’ details. However, this requires the exchange to control user funds.
“In order to be able to recover user account funds for good reasons, exchanges need power that can also be used to steal user account funds for bad reasons. This is an unavoidable trade-off.”
According to Buterin, the “ideal long-term solution” is to rely on self-management with multisig and social recovery wallets. However, in the short term, users should choose between centralized and decentralized exchanges based on the tradeoffs they are comfortable with.
Custodial exchange (e.g. Coinbase today): if something goes wrong on the exchange side, users’ funds may be lost; if the user makes a mistake, the exchange can help recover the account.
Non-custodial exchange (e.g. Uniswap today): users can withdraw their funds even if the exchange acts maliciously; if the user makes a mistake, the user’s funds may be lost.
Conclusion: A Better Exchange Future
In the short term, investors will have to choose between custodial exchanges and non-custodial, decentralized exchanges like Uniswap. In the future, however, some centralized exchanges may evolve to hold balances in smart contracts that are smart enough to prevent the exchange from stealing users’ funds, Buterin said.
The future could also bring semi-custodial exchanges, where users trust the exchange with fiat but not with cryptocurrency, he added.
Buterin noted that both types of exchange will continue to coexist, but the easiest way to make custodial exchanges more secure is to add proof of reserves, which combines proof of assets and proof of liabilities.
In the future, Buterin hopes that all exchanges will evolve to be non-custodial, “at least on the crypto side.” A centralized wallet recovery option will exist, but “this can be done at the wallet layer, not at the exchange itself,” he said.
On the fiat side, exchanges can deploy cash-in and cash-out processes specific to fiat-backed stablecoins such as USDT and USDC. But “it will be a while before we are fully there,” warned Buterin.