The collapse of FTX has severely eroded user trust in centralized crypto exchanges. Most investors have finally realized the importance of owning the keys to their digital assets and have moved record volumes of tokens from exchanges to non-custodial wallets.
These events have created a sense of urgency for centralized exchanges to provide reliable proof that they hold more assets than liabilities. In a blog post on Nov. 19, Ethereum co-founder Vitalik Buterin analyzed the cryptographic methods exchanges have deployed so far to become trustless, including the limitations of these methods.
He also suggested new techniques by which centralized exchanges could achieve trustlessness, involving zero-knowledge succinct non-interactive arguments of knowledge (ZK-SNARKs) and other advanced technologies.
Binance, Coinbase, and Kraken, along with a16z general partner and former Coinbase CTO Balaji Srinivasan, contributed to the post.
Proving Solvency Using Balance Sheet Lists and Merkle Trees
In 2011, Mt. Gox was one of the first exchanges to provide proof of funds, by transferring 424,242 BTC from a cold wallet to a pre-announced Mt. Gox address. It was later revealed that the transaction may have been misleading, since the transferred assets may not have been moved from a cold wallet at all.
In 2013, discussions began on how exchanges could prove the total size of their user deposits. The idea was that if an exchange proved its total user deposits, i.e. its total liabilities, as well as its ownership of an equivalent amount of assets, i.e. a proof of assets, then that would prove its solvency.
In other words, if exchanges could prove that they held assets equal to or greater than their user deposits, this would prove their ability to reimburse all users in the event of withdrawal requests.
The easiest way for exchanges to prove users’ total deposits was to simply publish a list of usernames along with their account balances. However, this violated users’ privacy, and even publishing only a list of hashed usernames and balances still leaked information. Therefore the Merkle tree technique, which allows efficient verification of large datasets, was introduced.
In the Merkle tree technique, the table of user balances is inserted into a Merkle sum tree, in which each node is a pair of a balance and a hash. The lowest layer, the leaves, contains individual user balances and salted username hashes. Moving up the tree, each node’s balance is the sum of the balances of the two nodes below it, and its hash is the hash of the two nodes below it.
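As an added illustration (this is not code from the article or from Buterin’s post), the following Python builds a Merkle sum tree of the kind described above and shows what one user can check with only their own leaf and a short proof: that their balance is included under the published root, that the root’s balance equals the total liabilities the exchange claims, and that no sibling node on their path carries a negative balance, which is the trick an exchange could otherwise use to shrink the total. The account names, balances and the leaf/node encodings are constructed assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    balance: int   # sum of all balances in this subtree
    digest: bytes  # hash binding the balance and the children together


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _enc(n: int) -> bytes:
    # Signed 8-byte encoding so a (malicious) negative balance still hashes deterministically.
    return n.to_bytes(8, "big", signed=True)


def leaf(username: str, salt: bytes, balance: int) -> Node:
    # Assumed leaf format: the salt keeps a published tree from revealing usernames.
    return Node(balance, _h(b"leaf", salt, username.encode(), _enc(balance)))


def parent(left: Node, right: Node) -> Node:
    # Balance is the SUM of the children; digest is the HASH of both children.
    return Node(left.balance + right.balance,
                _h(b"node", _enc(left.balance), left.digest,
                   _enc(right.balance), right.digest))


EMPTY = Node(0, _h(b"empty"))  # padding leaf used to reach a power-of-two width


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    if not leaves:
        raise ValueError("need at least one leaf")
    level = list(leaves)
    while len(level) & (len(level) - 1):
        level.append(EMPTY)
    levels = [level]
    while len(level) > 1:
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(levels: List[List[Node]]) -> Node:
    return levels[-1][0]


def prove(levels: List[List[Node]], index: int) -> List[Tuple[str, Node]]:
    # Inclusion proof: the sibling at each level, tagged with the side it sits on.
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof


def verify(my_leaf: Node, proof: List[Tuple[str, Node]],
           published_root: Node, claimed_total: int) -> bool:
    # What a single user checks: path recomputes to the root, every sibling
    # balance is non-negative, and the root total matches the exchange's claim.
    node = my_leaf
    for side, sib in proof:
        if sib.balance < 0:
            return False
        node = parent(sib, node) if side == "L" else parent(node, sib)
    return node == published_root and published_root.balance == claimed_total


def demo() -> Tuple[int, bool]:
    # Constructed sample accounts (username, balance in whole units).
    accounts = [("alice", 50), ("bob", 20), ("carol", 0), ("dave", 30), ("erin", 5)]
    salts = [secrets.token_bytes(16) for _ in accounts]  # one private salt per user
    leaves = [leaf(u, s, b) for (u, b), s in zip(accounts, salts)]
    levels = build_tree(leaves)
    r = root(levels)
    # The exchange publishes (r.digest, r.balance); each user privately receives
    # their salt, index and proof, and verifies against the published values.
    all_ok = all(verify(leaves[i], prove(levels, i), r, 105) for i in range(len(accounts)))
    return r.balance, all_ok


if __name__ == "__main__":
    print(demo())
```

Note that the negative-sibling check only protects the users whose path passes next to the bad leaf; a negative balance placed elsewhere in the tree is invisible to them, which is one reason the same statement (“all leaves are non-negative and sum to the claimed total”) is better proven once, for the whole tree, with a ZK-SNARK.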
Although the privacy leak is limited in Merkle trees compared to public lists of names and balances, they are not completely immune to leakage, Buterin wrote. Hackers who control a large number of accounts on an exchange can potentially gain significant knowledge about the exchange’s users, he added.
Buterin also noted:
“…the Merkle tree technique is as good as a liability proof system can be, if the goal is only to obtain liability proof. But its privacy properties are still not ideal.
You can take it a step further by using Merkle trees in a smarter way, like making each satoshi or wei a separate leaf, but ultimately, with more modern technology, there are even better ways to do it.”
The use of ZK-SNARK
Exchanges can put all user balances into a Merkle tree or KZG commitment and use a ZK-SNARK to prove that all balances are non-negative and add up to the total deposit value claimed by the exchange. Adding a hash layer to improve privacy would ensure that no exchange user can learn anything about other users’ balances.
“In the longer term, perhaps this type of ZK proof of liability could be used not just for customer deposits on exchanges, but for lending more broadly.”
In other words, borrowers could provide ZK proofs to lenders assuring them that the borrowers do not have too many open loans.
Use of proof of assets
The simplest version of proving that an exchange owns its assets was the method deployed by Mt. Gox. Exchanges simply move their assets at a pre-agreed time, or in a transaction whose data field indicates which exchange holds the assets. Exchanges could also avoid gas fees by signing an off-chain message instead.
However, this technique presents two major problems: the management of cold storage and the double use of collateral. Most exchanges keep the majority of their assets in cold storage to keep them safe, which means that “doing even a single extra message to prove control of an address is a costly operation!” wrote Buterin.
To deal with the issues, Buterin noted that exchanges could use a few long-term public addresses. Exchanges could generate a few addresses, prove ownership once, and use the same addresses over and over. However, this presents challenges for maintaining privacy and security.
Alternatively, exchanges could have many addresses and prove ownership of a few randomly selected addresses. Additionally, exchanges could also use ZK proofs to ensure privacy preservation and provide the total balance of all on-chain addresses, Buterin said.
The second issue is ensuring that exchanges do not reuse the same collateral to simulate solvency. Buterin said:
“Ideally, proof of solvency would be done in real time, with proof updating after each block. If this is not practical, the best thing to do would be to coordinate on a fixed schedule between the different exchanges, e.g. prove reserves at 1400 UTC every Tuesday.”
The last issue is providing proof of assets for fiat currencies. Crypto exchanges hold both digital assets and fiat currencies. According to Buterin, since fiat currency balances are not cryptographically verifiable, providing proof of assets for them requires relying on “fiat trust models.” For example, the banks that hold fiat for the exchange can attest to available balances, and auditors can attest to balance sheets.
Alternatively, exchanges could create two separate entities – one that handles asset-backed stablecoins and another that manages the bridge between fiat and crypto. Buterin noted:
“Because USDC ‘liabilities’ are just on-chain ERC20 tokens, proof of liabilities is ‘free’ and only proof of assets is required.”
The use of Plasma and validiums
To prevent exchanges from stealing or misusing client funds, exchanges could use Plasma. A scaling solution that became popular in Ethereum research circles in 2017-2018, Plasma splits balances into separate tokens, where each token is assigned an index and has a particular position in a block’s Merkle tree.
However, since the advent of Plasma, ZK-SNARKs have emerged as a “more viable” solution, Buterin noted. The modern version of Plasma is a validium, which is the same as a ZK rollup except that the data is stored off-chain. However, Buterin warned:
“In a validium, the operator has no means of stealing funds, although depending on the implementation details, a certain amount of user funds may get stuck if the operator disappears.”
The disadvantages of total decentralization
The most common problem with fully decentralized exchanges is that users can lose access to their accounts if they get hacked, forget their password, or lose their devices. Exchanges can solve this problem with email recovery and other advanced forms of account recovery using Know Your Customer details. But that would require the exchange to control the user’s funds.
“In order to have the ability to steal funds from user accounts for good reasons, exchanges must have power that could also be used to steal funds from user accounts for bad reasons. This is an unavoidable compromise.”
The “ideal long-term solution,” according to Buterin, relies on self-custody with multi-signature and social recovery wallets. In the short term, however, users must choose between centralized and decentralized exchanges depending on the trade-off they are comfortable with.
| Exchange type | If the exchange fails or misbehaves | If the user loses access |
| --- | --- | --- |
| Custodial exchange (e.g. Coinbase today) | User funds may be lost if there is a problem on the exchange side | Exchange can help recover the account |
| Non-custodial exchange (e.g. Uniswap today) | Users can withdraw even if the exchange is acting maliciously | User’s funds may be lost if the user makes a mistake |
Conclusions: the future of better exchanges
In the short term, investors have to choose between custodial exchanges and non-custodial or decentralized exchanges like Uniswap. However, in the future, some centralized exchanges may evolve to become constrained on the crypto side, so that the exchange cannot steal users’ funds, by holding balances in a validium smart contract, Buterin said.
The future could also bring semi-custodial exchanges, where users trust the exchange with fiat but not with cryptocurrencies, he added.
While the two types of exchanges will continue to co-exist, the easiest way to improve the security of custodial exchanges is to add proof of reserves, Buterin noted. This would combine proof of assets and proof of liabilities.
Going forward, Buterin hopes all exchanges will evolve to become non-custodial, “at least on the crypto side.” Centralized wallet recovery options would exist, “but this can be done at the wallet level rather than within the exchange itself,” he said.
On the fiat side, exchanges could deploy the native cash-in and cash-out processes of fiat-backed stablecoins like USDT and USDC. But “it will still take some time before we can fully get there,” Buterin warned.