Safe CEX: We can do better than Proof of Reserves
In response to Nic Carter and in support of Vitalik Buterin
TL;DR
Users of centralized exchanges are demanding Proof of Solvency, and claims that “the exchange is regulated” are not sufficient
Existing methods like Proof of Reserves based on a third-party audit have weaknesses (they’re not updated daily, and can be gamed)
Running a centralized exchange on a StarkEx Validity Rollup on top of Ethereum provides the benefits of all worlds:
Exchanges can be gated and follow the regulations of the relevant jurisdictions
There is a Proof of Reserves with every Validity Proof (roughly twice a day!)
Users can opt for self-custody yet still actively trade
Users can withdraw via Ethereum if the operator of the exchange shuts down
The exchange can’t exempt any individual traders from liquidations - everyone plays by the same rules
Introduction
FTX was meant to be a fully regulated exchange that stored user assets 1:1. They failed us and lied to us.
As a result, users want more transparency. They want a way to trustlessly verify that the exchange indeed has the exact assets to meet its liabilities. They don’t trust regulation, they trust code. Additionally, many users want self-custody without losing the ability to trade.
Proof of Reserves isn’t Good Enough
Earlier this week, Nic Carter advocated for Proof of Reserves. See here. How does Proof of Reserves work? Typically, once a quarter, an external auditor gets access to the books of the exchange. They verify that the wallets that the exchange controls have sufficient assets to cover user liabilities. The auditor then keeps a Merkle Tree where each leaf includes each user’s balance of an asset. The user can then verify against this auditor that their balance appears in this tree. Kraken have been doing this well for many years. See their Proof of Reserves webpage.
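The user-side check described above, as an added Python sketch (not code from the article, Kraken or any auditor). The leaf encoding, the padding rule and the sample book are assumptions made for the example.

```python
import hashlib

EMPTY = hashlib.sha256(b"\x00empty").digest()  # padding leaf (assumed convention)

def leaf(user_id, asset, balance):
    # 0x00 prefix keeps leaf hashes distinct from internal-node hashes
    return hashlib.sha256(b"\x00" + f"{user_id}|{asset}|{balance}".encode()).digest()

def node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    # Pad to a power of two, then hash pairs upward until one root remains
    size = 1
    while size < len(leaves):
        size *= 2
    level = list(leaves) + [EMPTY] * (size - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    """Sibling hashes from leaf to root, each tagged with whether it sits on the left."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(root, user_id, asset, balance, path):
    # Recompute the root from the user's own record and the supplied siblings
    acc = leaf(user_id, asset, balance)
    for sibling, sibling_is_left in path:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return acc == root

# Constructed sample book: (user id, asset, balance in smallest units)
BOOK = [("alice", "ETH", 5), ("bob", "USDC", 1200), ("carol", "ETH", 2)]
LEVELS = build_levels([leaf(*row) for row in BOOK])
ROOT = LEVELS[-1][0]          # the value the auditor would publish
BOB_PATH = prove(LEVELS, 1)   # what the auditor would hand to bob

if __name__ == "__main__":
    print(verify(ROOT, "bob", "USDC", 1200, BOB_PATH))  # True
    print(verify(ROOT, "bob", "USDC", 1199, BOB_PATH))  # False
```

A passing check shows only that the balance was counted in the tree at snapshot time. It says nothing about the assets side or about anything that happened after the snapshot.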
The problem is that Proof of Reserves provides a false sense of security to the end user. Why?
Proof of Reserves aren’t updated daily
The exchange takes a quarterly snapshot, and it then takes the auditor a few weeks to get everything ready. In that time, the industry may have endured a contagion event that puts severe stress on the exchange.
The exchange can collude with the auditor
While the auditor presumably wants to preserve their long-term reputation, and also avoid breaking the law, the simple truth is that there is still a risk that they may be bribed to lie. FTX claimed to be regulated with GAAP audits, and look at what happened.
The exchange can borrow assets right before the snapshot
The exchange can game the audit by borrowing assets from a counterparty ahead of the snapshot. They can keep this loan off their books and claim to the auditor that the funds were transferred from a cold wallet. This is a real risk.
Exchanges have to sign with cold wallets to prove ownership
Exchanges often claim that they have cold wallets that are air-gapped from the internet. These wallets have heavy controls to avoid hacks. If a quarterly attestation is required, these wallets then have to sign every quarter. This introduces operational risk to the exchange.
StarkEx Solves Everything
There is a better alternative to Proof of Reserves: an architecture that can not only prove that the exchange has the exact assets to meet user liabilities, but can also trustlessly prevent the exchange from stealing users' funds completely.
Before you read on, make sure to read Vitalik’s article on this, particularly the section titled, “Plasma and validiums: can we make CEXes non-custodial?”.
Using the StarkEx architecture (see the image above), a Centralized Exchange can run most of its system exactly as it runs today. It would keep the same user sign-up flow and the same KYC/AML requirements that it currently follows based on its jurisdiction. Additionally, the order books and matching engines would remain centralized. This is important since it ensures that liquidity providers can provide pricing in real time, just like they are used to in the traditional finance world. On-chain orders introduce latency from block times and network syncing, which discourages traditional market makers from providing liquidity.
The only difference is that actual transactions would be sent to the StarkEx service (a REST API) where they would be settled on-chain on Ethereum, via the verification of a STARK proof. There’s a lot to unpack here, so let’s go over the flow.
I own $1200 USDC and I want to trade it for 1 ETH. I digitally sign an order (with my private key) to authorize it.
The exchange matches me with a counterparty, and atomically swaps our assets between each other.
A STARK Validity Proof is then generated that attests to the new state of the network, where my ETH balance has increased by 1, and my USDC balance has decreased by $1200.
This proof is then verified autonomously by a smart contract on Ethereum. This verification attests to the new state, and my private key now controls 1 ETH.
Profit!
The example above was for Spot Trading. For Perpetuals, it’s a similar flow, except that now the proof attests to my position, not to my balance. In fact, I want to go a level deeper and explain the flow if I have a position on a Perpetuals Derivatives exchange (like dYdX) that is now liquidated.
I have $100 USDC on dYdX
I leverage long $1000 worth of ETH exposure
ETH price then drops 10%, so I am liquidated
The StarkEx API then receives an oracle price update that confirms the price drop, and cryptographically proves that my liquidation followed all the rules of the system. The exchange then liquidates my position
If I have funds stuck in a StarkEx instance, and I want to withdraw them, I can submit a transaction on the StarkEx instance and wait for the proof to arrive on-chain and release my funds. However, it gets cooler. If the operator of the exchange chooses to be malicious, or shuts down, the exchange cannot steal users' funds. In this scenario, a user could trustlessly go to Layer 1 Ethereum and submit a withdrawal request there. If the StarkEx instance does not honor the withdrawal within sufficient time, funds are released on Ethereum. See the StarkEx documentation here.
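The withdrawal fallback described above, modelled as a small state machine in an added Python example (not StarkEx contract code). The class and method names are hypothetical, and the grace period is an assumed value, since the article only says "sufficient time".

```python
GRACE_PERIOD = 7 * 24 * 3600  # seconds; assumed value, not taken from the article

class ExchangeContractModel:
    """Toy model of the L1 contract's withdrawal rules (hypothetical names)."""

    def __init__(self, proven_balances, grace_period=GRACE_PERIOD):
        self.balances = dict(proven_balances)  # state fixed by the last verified proof
        self.grace_period = grace_period
        self.pending = {}    # user -> (amount, time of the L1 request)
        self.released = {}   # user -> amount claimable on Ethereum

    def request_forced_withdrawal(self, user, amount, now):
        if user in self.pending:
            raise ValueError("request already pending")
        if amount <= 0 or amount > self.balances.get(user, 0):
            raise ValueError("amount exceeds proven balance")
        self.pending[user] = (amount, now)

    def _release(self, user):
        amount, _ = self.pending.pop(user)
        self.balances[user] -= amount
        self.released[user] = self.released.get(user, 0) + amount
        return amount

    def operator_honors(self, user):
        """Normal path: the operator includes the withdrawal in a proven batch."""
        return self._release(user)

    def claim_after_timeout(self, user, now):
        """Fallback path: the user claims once the operator has missed the deadline."""
        if user not in self.pending:
            raise ValueError("no pending request")
        _, requested_at = self.pending[user]
        if now - requested_at < self.grace_period:
            raise ValueError("grace period still running")
        return self._release(user)

def operator_goes_dark():
    """Operator never responds; returns (early claim allowed?, released, remaining)."""
    c = ExchangeContractModel({"alice": 1_000})  # constructed balance
    c.request_forced_withdrawal("alice", 1_000, now=0)
    try:
        c.claim_after_timeout("alice", now=GRACE_PERIOD - 1)
        early = True
    except ValueError:
        early = False
    c.claim_after_timeout("alice", now=GRACE_PERIOD)
    return early, c.released["alice"], c.balances["alice"]
```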
This may sound trivial, but it’s profound. Users are receiving the same UX as trading on traditional exchanges, with all the other benefits:
Users can opt for self-custody yet still actively trade
Users can withdraw via Ethereum if the operator of the exchange shuts down
The exchange can’t exempt any individual traders from liquidations - everyone plays by the same rules. Remember what happened with Alameda? It was revealed that Alameda got to play by special rules on FTX (no auto-liquidation). This is simply not possible on StarkEx - the prover would never prove a valid state where a position is extended beyond its margin requirements.
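The "same rules for everyone" property, as an added Python model of the kind of check a state update has to pass before it can be proven (a simplified illustration, not StarkEx's actual proving logic). The maintenance-margin ratio, account names and prices are assumptions; the $100 collateral, $1000 exposure and 10% drop follow the liquidation example earlier in the article.

```python
from dataclasses import dataclass
from fractions import Fraction

MAINTENANCE_MARGIN = Fraction(3, 100)  # assumed ratio; the article gives none

@dataclass(frozen=True)
class Account:
    collateral_usdc: int
    eth_position: int   # signed size in ETH, positive = long
    entry_price: int    # USDC per ETH at entry

def equity(acct, oracle_price):
    # Collateral plus unrealised profit or loss at the oracle price
    return acct.collateral_usdc + acct.eth_position * (oracle_price - acct.entry_price)

def under_margined(acct, oracle_price):
    notional = abs(acct.eth_position) * oracle_price
    return acct.eth_position != 0 and equity(acct, oracle_price) < MAINTENANCE_MARGIN * notional

def violations(state, oracle_price):
    """Accounts whose open position breaks the margin rule at this oracle price.
    The rule takes no account id or allowlist as input, so nobody can be exempted."""
    return sorted(uid for uid, acct in state.items() if under_margined(acct, oracle_price))

def batch_is_provable(state, oracle_price):
    return not violations(state, oracle_price)

# Constructed post-states after ETH falls 10%, from 1000 to 900 USDC.
PRICE = 900
LEVERED = Account(collateral_usdc=100, eth_position=1, entry_price=1000)
FLAT = Account(collateral_usdc=0, eth_position=0, entry_price=0)
# Operator liquidates one trader but leaves an identical position open for another:
SELECTIVE = {"trader": FLAT, "favoured_desk": LEVERED, "funded": Account(500, 1, 1000)}
# Operator liquidates both under-margined positions:
UNIFORM = {"trader": FLAT, "favoured_desk": FLAT, "funded": Account(500, 1, 1000)}

if __name__ == "__main__":
    print(violations(SELECTIVE, PRICE), batch_is_provable(UNIFORM, PRICE))
```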
A small note on Data Availability modes
In addition to the proof that is sent on-chain, Ethereum needs to know what the new state is. This can be done by sending the whole Merkle tree on-chain (Rollup mode), or by storing the Merkle tree with a Data Availability Committee and only storing the root of the tree on-chain. See this article for more information and trade-offs.
What about real-world assets?
Many are convinced about the power of this solution for Ethereum native assets, but don’t see how it can extend to real-world assets that are tokenized. To this, I copy verbatim Vitalik’s take on the matter, which I agree with wholeheartedly.
One final issue is: can you do proof-of-assets on fiat? Exchanges don't just hold cryptocurrency, they also hold fiat currency within the banking system. Here, the answer is: yes, but such a procedure would inevitably rely on "fiat" trust models: the bank itself can attest to balances, auditors can attest to balance sheets, etc. Given that fiat is not cryptographically verifiable, this is the best that can be done within that framework, but it's still worth doing.
There is a point of trust in this tokenization, but it ends there. The exchange can still run as we described.
This isn’t hypothetical; it’s live at-scale today
We have 8 teams in production on StarkEx today. See the Customers section here: https://starkware.co/starkex/
Let’s take dYdX as a real-world case study.
They’ve processed over $750 billion of cumulative volume, all powered by StarkEx.
Their volumes increased when the FTX story broke (!)
Proof of Assets can be inspected on-chain and is updated with each proof
dYdX uses Rollup-mode Data Availability, so one does not even require a Data Availability Committee to release their funds
Users have complete control of funds with their private key
This is the future of finance, and it solves real problems that those in the traditional system encounter. My vision is that StarkEx will be powering and settling the trading of global equities within the next decade.
Feel free to reach out if you want to learn more.
Liron