1. Use technical means to prove solvency
Proving that a CEX can honor user withdrawals is essentially the same as proving that it has not misappropriated user deposits. This means proving an inequality: the sum of assets controlled by the CEX (proof of assets) >= the sum of user deposits (proof of liabilities). Besides publishing these two values, the CEX also has to prove that the numbers on both sides of the inequality are genuine, that is, that the assets belong to, and have always belonged to, the exchange, and that the users' deposit balances have not been tampered with.
1.1 Using Merkle tree for proof of liability
A Merkle tree is a very common data structure in blockchains. It is a typical binary tree consisting of a root node, a set of intermediate nodes and a set of leaf nodes. Each higher-level intermediate node (parent node) of a Merkle tree is the hash of the two nodes (child nodes) below it, and the root node is obtained by repeating this calculation layer by layer. The root node therefore commits to the information of all the leaf nodes: any change in the underlying data propagates to its parent node and, layer by layer, to the root. Merkle trees are often used to quickly prove the existence or non-existence of a specific element in a set, to compare whether two large data sets are identical, to locate where a modification was made, and so on.
CEXs use Merkle trees to build an anonymized and immutable collective snapshot of user account balances, thereby proving that they have not tampered with users' balances. The most basic method is to hash each user's username/UID (together with a number known only to the exchange and that user) along with the balance, and use the result as a leaf node of a Merkle tree. If a user finds that the correct Merkle root cannot be recomputed from his own balance and his path through the Merkle tree, it can be concluded that the exchange has misappropriated the user's assets.

But as Vitalik points out, the plain Merkle tree has a small bug: because it cannot help users identify negative values, it cannot be used directly for proof of reserves. As shown in the figure below, suppose an exchange's total customer deposits are 1390 ETH, but it has embezzled 500 ETH, so its reserve is only 890 ETH. This CEX will then announce that total user deposits are 890 ETH. To cover up the misappropriation of user assets, it can insert a fake account that it controls somewhere in the tree with a balance of -500 ETH. After hashing, a positive and a negative number both become an irregular-looking string of bytes that other users cannot tell apart. The Merkle tree built with this fake account still perfectly contains the balance information of all the other users, so every user's self-verification succeeds. An auditing company can find this loophole, but if the auditor colludes with the exchange, the Merkle tree is useless.

For the problem of negative values, Vitalik proposed in the article an improved scheme called the Merkle sum tree. Each node of a Merkle sum tree carries two pieces of information: a balance and a hash. The leaf nodes at the bottom hold each user's balance and the hash of the username. In each higher-level node, the balance is the sum of the balances of the two nodes below it, and the hash is the hash of the complete information of the two nodes below, that is, the balances and hashes of both child nodes are hashed together. Exposing the balance separately lets users spot negative values and thereby expose a CEX's misappropriation of user assets. As shown in the figure above, Greta will find that Henny's balance is negative when doing her self-verification, and both Eve and Fred will find that the sum of Greta's and Henny's balances is negative. This causes all three of them to fail verification.
After this transformation, the process by which an exchange issues a proof of reserves using the Merkle tree is as follows.
● Generate the Merkle tree proof: the exchange commissions an external audit company (or does it itself) to take a snapshot of all user balances, and then aggregates them into a Merkle sum tree.
1.2 Improvement scheme of Merkle tree
Using Merkle trees to prove user balances still has a small disadvantage: it exposes private information. As shown in the figure below, when Charlie verifies himself, the CEX must tell him David's balance, the sum of Alice's and Bob's balances, and the sum of all user balances in the right half of the tree. Although users will not (or at least do not appear to) do anything harmful after learning this information, for the exchange and for the users whose balances are exposed, such disclosure is not always a comfortable thing.

In response to this problem, BitMEX proposed a simple solution. They randomly split a user's account balance into several shares, and then randomly place each share into a bottom leaf node of the Merkle tree. The user balances exposed in this way are only fragments, which alleviates the privacy issue to a certain extent. For example, Fred in the picture has his account split into two parts, so Charlie does not know how large Fred's deposit is. Anyone who really wants to obtain other people's information through multiple accounts simply has to work harder, but it can still be done.
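The following Python is an added example, not code from the report or from BitMEX, that puts the mechanisms of sections 1.1 and 1.2 side by side: it builds a Merkle sum tree whose nodes carry (balance, hash), lets a user verify an inclusion proof and reject any negative balance seen along the path, reproduces the 1390/890 ETH scenario with a fake -500 ETH leaf, and then applies the BitMEX-style splitting of each balance into random shares at shuffled leaf positions. All names, balances, the hash layout and the constant salt are assumptions chosen for the demonstration; a real deployment would use a distinct secret per user and a specified encoding.

```python
import hashlib
import random

PAD = (0, hashlib.sha256(b"pad").digest())  # zero-balance filler leaf (constructed)
SALT = b"demo-salt"  # constructed; a real deployment uses a distinct secret per user

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def enc(balance: int) -> bytes:
    # Signed encoding, so a negative (fake) balance hashes like any other number.
    return balance.to_bytes(8, "big", signed=True)

def make_leaf(uid: str, balance: int, salt: bytes):
    # Leaf node = (balance, H(uid || salt || balance)).
    return balance, h(uid.encode(), salt, enc(balance))

def parent(left, right):
    # Parent node = (sum of child balances, H(left balance || left hash || right balance || right hash)).
    return left[0] + right[0], h(enc(left[0]), left[1], enc(right[0]), right[1])

def build_tree(leaves):
    """Levels of a Merkle sum tree, leaves first and root last; padded to a power of two."""
    lvl = list(leaves)
    while len(lvl) & (len(lvl) - 1):
        lvl.append(PAD)
    levels = [lvl]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def prove(levels, index):
    """Inclusion proof: the sibling node at every level, tagged with whether it is the left child."""
    path = []
    for lvl in levels[:-1]:
        sib = index ^ 1
        path.append((lvl[sib], sib < index))
        index //= 2
    return path

def verify(leaf, path, root):
    """User-side check: recompute the root and reject any negative balance met on the way up."""
    node = leaf
    for sib, sib_is_left in path:
        if node[0] < 0 or sib[0] < 0:
            return False
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node == root

def demo_negative_detection():
    """The report's scenario: 1390 ETH of real deposits, a fake -500 ETH leaf, published total 890."""
    balances = {"Alice": 20, "Bob": 50, "Charlie": 10, "David": 164,
                "Eve": 16, "Fred": 1030, "Greta": 100, "Henny": -500}
    uids = list(balances)
    levels = build_tree([make_leaf(u, balances[u], SALT) for u in uids])
    root = levels[-1][0]
    results = {u: verify(make_leaf(u, balances[u], SALT), prove(levels, i), root)
               for i, u in enumerate(uids)}
    return root[0], results  # (890, {...}); Eve, Fred, Greta and Henny fail, the rest pass

SPLIT_BALANCES = {"Charlie": 10, "David": 164, "Fred": 1030, "Greta": 100}  # constructed

def split_balance(balance, k, rng):
    # BitMEX-style: cut one positive balance into k positive shares at random.
    cuts = sorted(rng.sample(range(1, balance), k - 1))
    return [b - a for a, b in zip([0] + cuts, cuts + [balance])]

def demo_split(seed=1):
    """Every balance becomes two shares at shuffled leaf positions; Fred verifies each share and
    sums them, while Charlie's proof path exposes only a fragment of a sibling's balance."""
    rng = random.Random(seed)
    shares = [(u, i, s) for u, b in SPLIT_BALANCES.items()
              for i, s in enumerate(split_balance(b, 2, rng))]
    rng.shuffle(shares)
    leaves = [make_leaf(f"{u}#{i}", s, SALT) for u, i, s in shares]
    levels = build_tree(leaves)
    root = levels[-1][0]
    fred_total = sum(s for idx, (u, _, s) in enumerate(shares)
                     if u == "Fred" and verify(leaves[idx], prove(levels, idx), root))
    charlie = next(idx for idx, (u, _, _) in enumerate(shares) if u == "Charlie")
    owner, _, fragment = shares[charlie ^ 1]  # the leaf revealed to Charlie at the bottom level
    return fred_total, (owner, fragment)
```

In `verify` the user checks the sign of his own node and of every sibling as he climbs, which is exactly what lets Greta see Henny's -500 and lets Eve and Fred see the -400 subtotal of Greta and Henny, while Alice's side of the tree still sums to a positive value and passes. In `demo_split` the fragment revealed to Charlie is always strictly smaller than its owner's full balance, but an observer collecting proofs from several accounts can still piece balances back together, which is the limitation the section describes.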

1.3 Summary and deficiencies of various schemes
Here we first summarize and compare the basic Merkle sum tree, the BitMEX scheme, the ZK-SNARK Merkle tree, and KZG polynomial commitments, as shown in the table below. The first two methods are simple to operate; although they carry a risk of privacy exposure, there appear to be no major hidden dangers at present, and they are sufficient for practical use. Of the latter two methods, the ZK-SNARK approach uses a zero-knowledge proof to prove the summation, which adds extra work for the exchange and thus raises operating costs. The KZG polynomial commitment method is more advanced, but computing the commitment consumes a lot of the exchange's resources and involves a large number of elliptic curve point operations, so it may not be adopted for the time being. None of the above methods requires users to search the tree, and all are easy to verify.

These technical solutions for proof of liabilities and the more commonly used scheme for proof of assets have not yet solved the following problems:
First, these proof-of-liabilities schemes rely on users to supervise the exchange, but if too few users verify themselves, the exchange's malicious behavior will not be caught. Users need continued education and greater awareness. Another method is mutual supervision between exchanges: large exchanges can register a certain number of accounts with other exchanges and deposit a small amount of assets in order to verify their proofs of liabilities.
Second, neither the proof of assets nor the proof of liabilities is a real-time proof. An exchange can borrow funds before producing its proof of assets, pass the inspection, and then return them. There are two ways to address this. One is to agree on a fixed time at which all major exchanges are audited simultaneously; the other is to conduct unscheduled surprise audits. Both methods compress the window available for borrowing funds.
Third, the proof process relies on a trustworthy audit company, but if the audit company colludes with the exchange, all of the technical means that follow are invalid.
2. Semi-centralized CEX
The various proofs mentioned above are used to prove that CEX has not done evil, but CEX still has the ability to do evil. If we go one step further and use technical constraints to make the exchange from not doing evil to being unable to do evil, then the trust of users will be restored or even enhanced, and the encryption ecosystem will be more prosperous.
Vitalik divides exchanges into 5 categories according to the degree of control over user funds and the convenience of doing evil. The current exchanges are mainly 3 types. The first type of exchange from the left in the figure below completely controls the user's funds, and there is no measure to supervise and prevent it from misappropriating user funds. Before the FTX storm, almost all CEXs were like this. Most CEXs today are Type 2, where exchanges control users' funds but have external human controls to oversee them. Most DEXs belong to category 5, where exchanges do not control users’ funds at all, so they have no ability to do evil.

Vitalik points out that CEX and DEX are not binary opposites. Between complete centralization and complete decentralization there is a middle ground of semi-centralized CEXs. They can inherit the high-efficiency trading systems of traditional centralized exchanges while decentralizing the exchange's powers among, for example, multi-signature key holders and verifiers, thereby reducing the exchange's opportunity to do evil. These are the 3rd and 4th types of exchange in Vitalik's article.
A Type 3 exchange still has custody of users' funds, but it is prevented from operating while insolvent. Such exchanges have not yet appeared; implementing one requires placing some restrictions on the exchange. To speculate a little: the CEX could be required to keep assets in several fixed multi-signature-controlled addresses, or to split its private key into several shares using MPC technology, while the status of the exchange's funds is monitored through real-time or high-frequency solvency testing. Under normal circumstances, only the private key controlled by the CEX itself is needed to complete a signature and transfer funds. If insolvency is detected, or a single transfer is too large a proportion of funds, or there are continuous transfers, and so on, the other key holders can activate an emergency mode and collectively refuse the transaction, which has the effect of freezing the account. This method uses multiple key holders to reduce the degree of centralization of the CEX and hence the ease of doing evil. Such exchanges may be the direction in which CEXs evolve in the future.
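The emergency mode sketched above can be made concrete as a small policy engine. The Python below is an added example, not code from the report or from any exchange, modelling a hypothetical Type 3 hot wallet where the CEX key signs alone in normal operation and the independent co-signers veto and freeze the account as soon as a solvency, single-transfer-size or transfer-frequency rule trips. The thresholds, the time window and the transfer sequences are constructed for the demonstration.

```python
from collections import deque

class CustodyPolicy:
    """Rules the independent co-signers apply before letting a CEX-signed transfer through.
    Hypothetical thresholds: one transfer may move at most 10% of reserves, and at most
    three transfers may occur within any window of 5 time units."""

    def __init__(self, max_single_ratio=0.10, max_transfers_per_window=3, window=5):
        self.max_single_ratio = max_single_ratio
        self.max_transfers_per_window = max_transfers_per_window
        self.window = window
        self.recent = deque()   # timestamps of transfers seen inside the current window
        self.frozen = False     # emergency mode: co-signers refuse everything

    def check(self, reserves, liabilities, amount, t):
        """Return (approved, reason). Any tripped rule enters emergency mode permanently."""
        if self.frozen:
            return False, "account frozen"
        self.recent.append(t)
        while self.recent and t - self.recent[0] > self.window:
            self.recent.popleft()
        # Solvency test: reserves after the transfer must still cover the liabilities
        # (the liabilities figure would come from the Merkle sum tree root of section 1).
        if reserves - amount < liabilities:
            reason = "insolvent after transfer"
        elif amount > self.max_single_ratio * reserves:
            reason = "single transfer too large"
        elif len(self.recent) > self.max_transfers_per_window:
            reason = "too many transfers in window"
        else:
            return True, "ok"
        self.frozen = True
        return False, reason

def run(policy, reserves, liabilities, transfers):
    """Feed (timestamp, amount) transfers through the policy; reserves fall only when approved."""
    log = []
    for t, amount in transfers:
        ok, reason = policy.check(reserves, liabilities, amount, t)
        if ok:
            reserves -= amount
        log.append((t, amount, ok, reason))
    return reserves, log

if __name__ == "__main__":
    # Constructed scenario: 1000 units of reserves against 800 of liabilities.
    final, log = run(CustodyPolicy(), 1000, 800, [(1, 50), (2, 150), (3, 10)])
    for entry in log:
        print(entry)   # the 150-unit transfer trips the size rule; everything after is frozen
```

The freeze is deliberately sticky: once the co-signers refuse, lifting the freeze is an out-of-band decision by the key holders, not something the CEX key can undo on its own, which is the point of putting the veto in independent hands.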
If this type of exchange is to continue to develop, it needs to take the audit work to a higher level. The reliability, speed and automation of future audits need to be improved to meet the needs of these exchanges.
3. Learn from traditional finance
As Wilson, an analyst at X Research DAO, wrote, centralized cryptocurrency exchanges at this stage suffer from excessive internal authority, opaque asset custody, reckless amplification of income, and a lack of external constraints. To solve these problems, relying on technological progress is only one route; the other is to establish a reasonable set of institutional arrangements that split and limit the authority of the CEX.
The current crypto market is a lot like the mixed operations phase of the early financial industry. CEX is a comprehensive institution integrating various financial functions. On the one hand, it provides on-site transaction entrustment and matching, and also has full authority to manage various token assets (including stable currency assets) recharged by customers, and also provides various financial management services. Multiple businesses also mean multiple jurisdictions, and when an institution has too much power, it is only a matter of thought whether it will use it for personal gain.
In the next phase of the crypto market, there will inevitably be a need to build a more secure trading model. Learning from the securities industry system, which has been verified and improved through decades of practice, is a shortcut. The securities industry has formed a standardized trading system, including:
● A third-party depository institution (a commercial bank) holds the client's transaction settlement funds.
● Registration, custody and settlement of securities are provided centrally by securities registration and settlement institutions.
● Securities brokers accept clients' orders and buy and sell securities on their behalf, and provide financing and securities lending services.
● On-site matching of orders is completed by the stock exchange.
Through such a system of multi-party coordination and checks and balances, the securities industry has avoided the systemic risk caused by a single institution doing evil. The above four functions are all completed by CEX, which greatly increases the danger of single point failure. Therefore, it is necessary to combine the characteristics of encrypted asset transactions, learn from the traditional financial business model, and let multiple independent institutions undertake the various functions of the current cryptocurrency exchange, so as to achieve decentralization and checks and balances.
Borrowing this model is by no means easy, and it faces the following difficulties:
● Separation of operations means that the CEX hands over a great deal of authority, which may reduce its profitability, so the CEX itself is not willing to do so.
● This requires regulatory intervention, but how to formulate the rules still needs to be explored, and introducing laws and regulations is time-consuming.
● The regulatory rules of different countries may be inconsistent, and it is not clear whether this will lead to fragmentation of the crypto market.
● More institutional constraints also mean potentially higher management costs, and these costs will be passed on to users.
References
1. https://www.odaily.news/post/5183267
2. https://vitalik.ca/general/2022/11/19/proof_of_solvency.html
3. https://www.kraken.com/zh-cn/proof-of-reserves
4. https://www.odaily.news/newsflash/304869
5. https://www.okx.com/proof-of-reserves
7. https://blog.bitmex.com/bitmex-pol-system-now-live/
8. https://twitter.com/XResearchDAO/status/1592058023715147779
9. https://www.odaily.news/post/5183328
10. https://m.jinse.com/blockchain/2667533.html
About Huobi Research Institute
Huobi Blockchain Application Research Institute (referred to as "Huobi Research Institute") was established in April 2016. Since March 2018, it has been committed to comprehensively expanding research and exploration in all fields of blockchain, taking the broader blockchain space as its research object, with the goals of accelerating the research and development of blockchain technology, promoting the application of the blockchain industry, and promoting the optimization of the blockchain ecosystem. Its main research areas include industry trends, technical paths, application innovation, and business model exploration. In line with the principles of public welfare, rigor, and innovation, Huobi Research Institute carries out extensive and in-depth cooperation with governments, enterprises, universities and other institutions in various forms, and builds a research platform covering the complete blockchain industry chain, providing industry professionals with a solid theoretical foundation and trend judgments to promote the healthy and sustainable development of the entire blockchain industry.
contact us:
Consulting email: research@huobi.com
Official website:https://research.huobi.com/
Twitter: Huobi_Research
https://twitter.com/Huobi_Research
Medium: Huobi Research
https://medium.com/huobi-research
Telegram: Huobi Research
https://t.me/HuobiResearchOfficial
disclaimer
1. Huobi Blockchain Research Institute does not have any relationship with the projects or other third parties involved in this report that affect the objectivity, independence, and impartiality of the report.
2. The materials and data cited in this report are all from compliant channels. The sources of the materials and data are considered reliable by Huobi Blockchain Research Institute, and necessary verifications have been carried out for their authenticity, accuracy and completeness , but Huobi Blockchain Research Institute does not make any guarantees about its authenticity, accuracy or completeness.
3. The content of the report is for reference only, and the conclusions and opinions in the report do not constitute any investment advice on relevant digital assets. Huobi Blockchain Research Institute is not responsible for any losses caused by the use of the content of this report, unless it is clearly stipulated by laws and regulations. Readers should not make investment decisions solely based on this report, nor should they lose the ability to make independent judgments based on this report.
4. The information, opinions and speculations contained in this report only reflect the judgment of the researchers on the date of finalizing this report. In the future, based on industry changes and updates of data information, there is a possibility of updating opinions and judgments.
5. The copyright of this report is only owned by Huobi Blockchain Research Institute. If you want to quote the content of this report, please indicate the source. Please let me know in advance if you need to quote a lot, and use it within the scope of permission. Under no circumstances shall any quotation, abridgement and modification contrary to the original intention be made to this report.