Fleshing out Vitalik's vision for crypto, post-FTX
And why it's worth getting your head around validiums
TL;DR
FTX happened and CEXs are scrambling to fortify investor confidence. Humans have historically relied on social promises to ensure good governance in the financial system, but cryptographic guarantees are an alternative design strategy that depends on maths, not trust. Two attempts in this direction (“proof of reserves” and self-custody) are unworkable for most investors. We introduce a third alternative, “Liquidium” - an exchange-specific validium that can solve for fund assurance.
In case you missed it - FTX happened. This cataclysmic event destroyed an alleged $8bn in value and now investors are fleeing crypto for steadier assets. According to the FT there were $1.5bn net outflows from centralised exchanges in November alone.
This all raises a few questions:
What happened?
Why?
How can we stop it from happening again?
Web3 moves really fast so there’s no need to rehash familiar ground - we are focussed squarely on that last question. We’ll point to some promising innovations that can propel us to a more trustworthy crypto ecosystem, where fund safety comes first.
Timely as ever, Vitalik published some practical suggestions on November 19th. He covered a lot of ground and in particular, points to a “validium” as the answer.
…we want to prevent the exchange from stealing users' funds completely…In a validium, the operator has no way to steal funds…
So what does this mean, why does it matter and how does it work in practice? To skip ahead - at Aperture Labs we think that a validium is a great solution for a post-FTX world. A validium-based solution would enjoy particular security benefits over DEXs and is far more robust than the recently-popular “proof of reserves” solution. Read on:
ZK-SNARKS: Or, how I learned to stop worrying and love validiums
At Aperture Labs we’re big fans of validiums (and grateful to Starkware for introducing them) because they combine the privacy, compliance and speed of traditional databases, with the security, interoperability and open auditability of blockchains. The Ethereum Foundation has written a fantastic introduction but in short - a validium is very similar to a ZK-rollup, except that the state of the rollup is not stored on-chain. Instead, the state can be stored elsewhere - such as a private database.
Whenever the state changes, a zk-SNARK is produced, proving that the state changed in line with the rules of the game. For example - in any major blockchain, two rules are that (i) you can’t double-spend and (ii) to send a token you have to own it. Traditionally, a node would publish transactions to a public chain, so that other nodes can verify that, for each transaction, the rules are followed.
However, with a validium, no transactions are submitted to a public chain. Instead, a zk-SNARK is created, showing that all transactions honoured those rules, and this proof is then submitted to the public chain. At no point does the validium need to reveal the underlying transactions, which can stay safe and hidden in a private database somewhere.
As long as proofs keep getting submitted, you can be cryptographically certain that the game is being played correctly. Extend this metaphor of “the game” to more and more complex rules, each represented by smart contract code, and you could feasibly:
Run an EVM,
Store state off-chain,
And submit validity proofs to an underlying security layer.
This is just like a zk-EVM except the state could, in theory, be completely private. We’re glossing over the detail but this design is fundamentally similar to how Mina works, and one of the reasons why Mina can claim to weigh less than 22kb. Impressive!
So why does this underlying cryptographic innovation matter? We believe that validiums will play a key role in restoring trust to web3, and in particular, to fortifying investor confidence in the wake of FTX. But first, we have to take a quick look at what went wrong in the first place:
Social trust is an ancient and imperfect tool
When a customer deposits funds into a centralised exchange, that exchange can pretty much do whatever with those funds - including using the deposits as collateral on debt, which in turn generates yield. This is the basic and ancient model of banking and there’s nothing remarkably mysterious or unethical about it per se.
It goes wrong when the central party (FTX, Lehman Brothers, Northern Rock) gambles funds away and eventually - due to ignorance, incompetence or plain bad luck - can no longer honour customer withdrawals. To combat this risk of insolvency, strong systems of social trust have been set up in the traditional banking system, including:
Central banks that have the capacity to bail out investment banks,
Government regulation to limit risk,
Regular auditing requirements to ensure that banks are acting in a transparent and responsible manner,
Professional services bodies to ensure that bankers and accountants are well-trained and held to the highest standards,
And cultural norms of honesty, humility and wisdom in the banking profession.
However, social trust is unreliable. Humans are fallible and suffer from greed, imperfect access to information and skewed incentives. We’re not ruling out the possibility that social trust, good governance and oversight can increase trust in crypto, but we want to point to alternative solutions where safety is based on maths and cryptography, rather than relationships and reputation.
Enter the holy grail: “proof-of-solvency”
Cryptographers dream of a world in which exchanges prove their solvency in real time, thanks to the fact that blockchains are open and auditable. The basic idea is really simple - to take a CEX’s publicly-observable on-chain account balance, compare it (in some specified way) to the sum of individual depositors’ account balances, and ensure that at any given moment, the CEX can pay back their depositors. It’s called “proof of reserves” and it’s a way to provide “proof of solvency”.
Many high-profile exchanges are implementing proof of reserves to shore up confidence in the wake of FTX, by arranging trusted third-party auditors to periodically verify the exchange’s on-chain assets.
Aside from introducing dependency on another trusted third party (and after some debate on Twitter), proof of reserves doesn’t work. An exchange’s on-chain account balance does not take into account all their assets and liabilities, many of which occur off-chain.
For example, an exchange may owe $100m in fiat to J.P. Morgan, in a traditional, private debt arrangement. It doesn’t matter if the exchange can prove that they can honour 50m USDC in client deposits because they own 50m USDC in on-chain assets - there’s still a $100m burning hole, completely off-chain. This is in part what happened to FTX when they covertly lent money to Alameda. An exchange will typically have a long list of debts and debtors, ranked according to who is paid first in case of insolvency - and crucially, who is paid last, or, once the funds have run out, not paid at all. Retail investors often fall very far down this list, as reflected in FTX’s periodic and illegitimate freezing of customer accounts.
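A worked version of the argument above, added here and not part of the original article: on the constructed figures the proof-of-reserves check passes, while a seniority waterfall shows what retail depositors would actually recover once the off-chain loan is counted. The creditor names, seniority ranks and the split of the 50m into two retail balances are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Liability:
    creditor: str
    amount: float
    seniority: int   # lower is paid first in an insolvency
    on_chain: bool   # visible to a proof-of-reserves check?

def proof_of_reserves(on_chain_assets: float, customer_balances: dict) -> bool:
    """The check the article describes: on-chain balance against the sum of
    depositor balances. Anything that lives off-chain is invisible to it."""
    return on_chain_assets >= sum(customer_balances.values())

def insolvency_waterfall(total_assets: float, liabilities: list) -> dict:
    """Pays creditors in seniority order until the assets run out and returns
    the fraction of its claim each creditor actually recovers."""
    remaining = total_assets
    recovered = {}
    for liab in sorted(liabilities, key=lambda l: l.seniority):
        paid = min(liab.amount, remaining)
        remaining -= paid
        recovered[liab.creditor] = paid / liab.amount if liab.amount else 1.0
    return recovered

# Constructed figures following the article's example (USD millions).
ON_CHAIN_USDC = 50.0
CUSTOMER_DEPOSITS = {"retail_a": 20.0, "retail_b": 30.0}   # 50m USDC of client deposits
BANK_LOAN = Liability("J.P. Morgan (private fiat loan)", 100.0, seniority=0, on_chain=False)

def assess(bank_loan_amount: float = BANK_LOAN.amount) -> dict:
    """Both views of the same balance sheet: what proof of reserves reports, and
    what each creditor would recover if the exchange failed today. Retail depositors
    rank behind the private loan, as the article describes."""
    liabilities = [Liability(name, amt, seniority=1, on_chain=True)
                   for name, amt in CUSTOMER_DEPOSITS.items()]
    liabilities.append(Liability(BANK_LOAN.creditor, bank_loan_amount, 0, False))
    return {
        "por_passes": proof_of_reserves(ON_CHAIN_USDC, CUSTOMER_DEPOSITS),
        "hidden_from_por": sum(l.amount for l in liabilities if not l.on_chain),
        "recovery": insolvency_waterfall(ON_CHAIN_USDC, liabilities),
    }
```

Calling assess(bank_loan_amount=0.0) shows the same depositors made whole, which is exactly the case proof of reserves cannot distinguish from the first.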
In a sense, this also reflects a failure of cryptographic guarantees to erode the need for all social trust. Can cryptography do one better?
“Not your keys, not your crypto” - but not very safe either
The next obvious answer is to always self-custody your wallet, so that a centralised exchange can never steal your funds. Traders can ensure that a central third party will never lose their deposit, by using DEXs rather than CEXs, and self-hosted wallets rather than custodied wallets.
Defi maxis look away! There are many reasons that, in practice, this may still not be the right option for many traders:
Traders need to interact with a legally-identifiable third party for them to hold accountable in case anything goes wrong. Traders can sue FTX for fraud but can’t sue a fully decentralised protocol with no legally-identifiable actors.
Traders need to insure their funds, and insurers are unlikely to offer policies unless the trader agrees to only interact with legally-identifiable parties.
Traders want the speed, UX, customer support, liquidity and yield available from centralised exchanges. Crucially, DEXs like Uniswap are just a simple frontend for a decentralised protocol, and don’t support sophisticated consumer experiences.
Recognising this demand shift, some CEXs let customers use a self-hosted wallet to gain additional security on funds. This is a worthy direction but still suboptimal for at least two important reasons. First, when investors self-custody their funds, they cannot take advantage of the speed benefits of CEXs. Second, CEXs are put in the legally risky position of potentially facilitating money laundering. For a CEX, there is no way to freeze funds in accordance with AML policies, if the funds are held on a self-custodied wallet.
Above, we said that we don’t want to write off traditional systems of governance and social trust as a fund assurance mechanism. Similarly, we don’t want to write off self-custody and DEXs, which are innovating all the time. Instead, we want to suggest a novel alternative approach that avoids some of the pitfalls to which pure self-custody and DEXs are prone. We call it Liquidium.
Introducing Liquidium
Liquidium is a validium for exchange-specific transactions. For example, Binance could have their own validium, containing customer deposits and transactions, that periodically proves to some underlying security layer that all funds are moving around legitimately.
Importantly, each depositor mints their own validium-specific account, and self-custodies their keys such that funds cannot be moved around without the depositor’s approval. This has a few obvious and non-obvious benefits.
Since validiums are a scaling solution, this would be really fast - like the best CEXs of today. They could also be private.
The bespoke nature of each validium would make it relatively easy to build sophisticated UX and wallet functionality, such as smooth key recovery and on-ramping.
Customer support, legal recourse and fund insurance would also be simplified because the validium would be operated by a single party - it’s not a decentralised protocol.
The exchange cannot seize your funds, because you have self-custody.
However, in case of suspected money laundering, the validium can simply stop producing proofs for a given wallet’s activity. This effectively freezes the wallet, thereby fulfilling vital AML requirements, but also does not grant the exchange the ability to withdraw the deposit for themselves. This treads an elegant middle line between empowering investors with self-custody, yet staying within the constraints of regulation.
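An added simulation, not code from the original article or from Aperture Labs, tying together the validium description earlier on (rules checked off-chain, only a commitment reaching the chain) and the freeze mechanism just described: the private ledger and the rules of the game stay with the operator, the chain receives only a pair of state commitments and a batch size, and a frozen account's transfers are simply left out of the proven batch. The zk-SNARK is stood in for by the rule check itself (no real proof is built); the account names, balances and the nonce-based double-spend rule are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount: int
    nonce: int  # must equal the sender's current nonce and is consumed once: no replay

def commit(state: dict) -> str:
    """Commitment to the private state (a hash here; a Merkle root in a real validium)."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()

def valid(state: dict, tx: Transfer, frozen_accounts: set) -> bool:
    """The 'rules of the game' a validity proof attests to, plus the Liquidium freeze:
    a frozen account's transfers are never included in a proven batch."""
    acct = state.get(tx.sender)
    return (
        tx.sender not in frozen_accounts
        and acct is not None
        and tx.nonce == acct["nonce"]            # rule (i): no double-spend
        and 0 < tx.amount <= acct["balance"]     # rule (ii): you must own what you send
    )

def apply_batch(state: dict, batch: list, frozen_accounts: set = frozenset()) -> tuple:
    """Operator side. Returns (new_private_state, on_chain_record, skipped). Only the
    record is published. Placeholder: the zk-SNARK proving each applied transfer
    passed valid() is stood in for by running valid() here; no real proof is built."""
    new = {k: dict(v) for k, v in state.items()}
    skipped, n_applied = [], 0
    for tx in batch:
        if not valid(new, tx, frozen_accounts):
            skipped.append(tx)
            continue
        new[tx.sender]["balance"] -= tx.amount
        new[tx.sender]["nonce"] += 1
        new.setdefault(tx.receiver, {"balance": 0, "nonce": 0})["balance"] += tx.amount
        n_applied += 1
    return new, {"prev": commit(state), "next": commit(new), "n_tx": n_applied}, skipped

# Constructed sample: the exchange's private ledger and one batch of customer transfers.
PRIVATE_STATE = {"alice": {"balance": 100, "nonce": 0}, "bob": {"balance": 20, "nonce": 0}}
SAMPLE_BATCH = [
    Transfer("alice", "bob", 30, 0),    # valid
    Transfer("alice", "carol", 30, 0),  # reuses alice's nonce 0: double-spend, skipped
    Transfer("bob", "alice", 500, 0),   # bob does not own 500: skipped
    Transfer("bob", "carol", 5, 0),     # valid, unless bob is frozen
]
```

Run apply_batch(PRIVATE_STATE, SAMPLE_BATCH) and then again with frozen_accounts={"bob"}: the published record changes only in its commitments and count, and nothing that reaches the chain names an account or a balance.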
It’s not perfect, and there are many open questions we’re seeking to answer, such as:
The extent to which self-custody or partial custody is compatible with sophisticated financial products (such as derivatives) that tend to produce a higher yield, at the cost of centralised control.
The possibility of supporting different cryptocurrencies within a single validium, and the security risks of relying on wrapped tokens and bridges.
The extent to which exchanges using Liquidium can front-run transactions.
Nevertheless, in a world where maths beats trust, cryptographic guarantees will play a key role in organising and facilitating economic relationships between human beings. Liquidium relies on cryptography rather than social reputation to fortify investor confidence in the wake of a rocky 2022, and prioritises security and self-custody within the constraints of institutional needs and regulation.
If you, or someone you know, would be interested to know more or challenge our thinking, we’d love to hear from you. We’re passionate about the potential of zero-knowledge cryptography to build a better internet, for collaborative enterprise and self-sovereignty.
Great article and promising suggestion. Thanks for sharing.