Design space for cross-chain pegs
In this article, we use tBTC as an example to explore the design of cross-chain pegs in general. Desirable properties of such a peg could be:
- Censorship-resistance: Anyone can create, redeem, and use the token, no matter their identity or jurisdiction.
- Confiscation-resistance: Neither the custodian nor other third parties can seize the coins in deposit.
- Price-stability against Bitcoin: The proxy token closely tracks the price of Bitcoin and thereby inherits its monetary properties.
- Acceptable operating cost: The system can offer its service at a price that attracts both users and custodians.
If someone could replicate all of these properties on another chain, the trust model would be close (although not equal) to the properties of using Bitcoin on the main chain. In reality, all cross-chain pegs have to make conscious trade offs against BTC by prioritizing some features at the expense of others. Whether these tradeoffs are acceptable, or even preferable in some cases, depends on what users demand the proxy token for in the first place.
Redeemable vs. Irredeemable
The goal of every Bitcoin peg is to imbue a proxy token (like WBTC or LBTC) with the attributes of real Bitcoin, but on another chain. To retain the monetary properties of Bitcoin, the proxy should trade as close as possible to the original. This can be achieved in two ways:
1. Wrapped approach
In the first approach, that is pursued by WBTC, Liquid, and tBTC, a custodian accepts customer deposits in BTC and „wraps“ it by issuing one proxy token on the sidechain for every BTC token in custody. The depositor can then use the proxy token on the sidechain, e.g., by selling it at a premium or lending it out in DeFi markets. Anyone who buys the proxy token can also redeem it for the corresponding BTC token in custody.
As long as the system can ensure that one BTC always creates one proxy token, and one proxy token can always be redeemed for one BTC, it can rely on rational market participants to maintain price parity between them. If the proxy token ever trades below the price of BTC, market participants will buy the discounted proxy tokens and redeem them for BTC deposits, making instant profits. This reduces the token supply until the market reaches a new equilibrium and the price returns to parity. If the proxy token ever trades above the price of BTC, arbitrageurs are incentivized to increase the supply by creating more proxy tokens and then selling them on the market, again making instant profit.
2. Synthetic approach
Instead of wrapping BTC collateral, depositors can also generate synthetic BTC (“sBTC”) from non-BTC collateral. To see how a system like that could work, we will look at MakerDAO. Even though their token, Dai, is a dollar synthetic, the system could just as easily issue a synthetic of any other asset, including Bitcoin.
Dai is created when users deposit collateral into a collateralized debt position (CDP.) While anyone can own and trade Dai, only CDP owners can redeem it for the corresponding collateral. Because this arbitrage loop is much longer, synthetic assets need additional mechanisms to maintain price parity. For that reason MakerDAO employs a Stability Fee (which regulates the cost of CDPs) and the Dai Savings Rate (which regulates the cost of Dai.) Combined, they help to stabilize market supply and demand to reach an equilibrium price of one dollar.
Bonded vs. Trusted
As previously established, for every proxy token on another chain, someone has to control an equivalent amount of collateral to guarantee continuous price parity. When using non-native collateral on another chain, e.g., Bitcoin collateral in a system living on Ethereum, this creates an additional problem: Someone has to control the Bitcoin private keys. Until smart contracts can hold private keys (and it’s not clear if this will ever be possible), the person controlling the private keys also controls the system.
For the system to last, these custodians must be incentivized to not exploit their position. We either trust that theft will not happen (e.g. because it would destroy the custodian’s reputation), or we demand guaranteed remedy in the case of failure. In any case, if the system is to survive long-term, the incentives for custodians must be so that “not stealing the deposits” must be more attractive than “stealing the deposits.”
In WBTC and Blockstream’s Liquid, one custodian (for WBTC), or a federation of several custodians (for Liquid), hold the collateral, and users trust them not to steal it. This is a reasonable assumption under most circumstances, as the custodians are “indirectly bonded”. As major Bitcoin businesses, they put their identity on the line and are subject to recourse via the traditional legal system. However, any system which is a subject of legal regulation cannot be fully permissionless or censorship-resistant.
The alternative is to use a bond that is only accessible to other system actors but no external parties. This was not possible until the invention of public blockchains like Bitcoin and Ethereum, and represents an important invention. Due to permissionless tokens we can now build systems where every step of the process is collateralized (“insured”.) In a custody system, this can give users the guarantee that the custodian either follows the rules or loses his collateral.
The downside of this approach is that production becomes more capital-intensive. Naturally, these additional costs have to be passed on to the user, making the service overall more expensive. Therefore, this tradeoff is best suited for services that require a large amount of trust, and users are not price-sensitive. In some cases, stolen assets are hard to monetize, however, this is not the case with BTC, as if a custodian seize user funds, this theft is final and the market is highly liquid.
tBTC’s approach: Bonded and Redeemable
To recap, we showed that MakerDAO’s synthetic approach is bonded and irredeemable, while the approach by WBTC and Liquid is trusted and redeemable for compliant users, and trusted and irredeemable for non-compliant users. tBTC takes the yet-unexplored design approach of redeemable and bonded.
tBTC is a decentralized, insured custody system for Bitcoin that issues a token called TBTC (capital T). Users don’t have to trust custodians (called signers), because these signers deposit a bond higher than the value of BTC they hold in custody. If they were to move funds unauthorized, leaving more TBTC outstanding than BTC in custody, the system would confiscate their bond to buy and burn an equivalent of TBTC from the market, bringing the amount of TBTC and BTC in custody in equilibrium.
As an additional line of defense, every Bitcoin is not held by a single signer but is co-custodied by a different randomly selected federation of signers using n-of-n threshold signatures.
Unlike WBTC, the process of creating and redeeming TBTC for BTC is not subject to KYC/AML or jurisdictional regulations. Anyone can deposit BTC and receive TBTC, or redeem a TBTC and receive BTC on the Bitcoin main chain.
The primary job of the tBTC system is to guarantee that there is one BTC in custody for every TBTC in circulation. Maintaining this balance is the main task of signers, who are expected to monitor their bonds, and top it up if the price of BTC increases. Signers are initially asked to deposit collateral worth 150% of the deposit value. The system notifies them when their bond drops below 140%, and initiates liquidation when it drops below 110%. It should be noted that while liquidation should never happen, it is needed as a possibility of severe punishment for signer misconduct.
There are two major challenges for every system that requires actors to bond collateral: First, locking up capital is very costly, increasing the overall cost of the system. Second, the bond must be monitored, which requires the system to know a blockchain-external factor: the price of the collateral against the asset in custody.
Challenge 1: Importing the price of BTC
In tBTC’s case, the system needs to know the price of the bond token against TBTC at two critical times: First, it must know the amount of collateral required for a new deposit. Second, it must know when a deposit becomes undercollateralized, and by how much, to issue a courtesy call or move straight to liquidation.
In neither of the two cases, it matters if the real collateral value against BTC is higher than the reported value. The system is only at risk if the real collateral value is lower than the reported value,and missing an auto-liquidation that should be happening at that moment. If the value of their collateral was ever allowed to fall below the value of the BTC in custody, we must expect signers to walk away with the BTC.
Instead of employing a price oracle, tBTC is looking to use a new market-based approach where that lower bound of the Bitcoin price is imported from an actual cross-chain order book. If a sufficiently liquid ETH/BTC market exists, we can expect that market participants will not let the Bitcoin clear at a discount to the global spot price. By looking at the highest bid that has not been cleared for a period of time, e.g., 24 hours, we can say with confidence that the quoted price is indeed the lower bound for the global spot price.
If an attacker tried to manipulate the system into registering the collateral value that is higher than its actual value, he would have to bid up the price of BTC beyond the global spot price. Meanwhile, rational market participants would take note of this buy-wall and start selling BTC into it, effectively frontrunning the attacker. This mechanism sets the buying power of the manipulator against the selling power of the entire market, making the system robust to manipulation.
If there is no sufficiently liquid order book the system could still use a trusted oracle as a backup.
Challenge 2: Lowering capital requirements
The second challenge for any bonded system is lowering the operating costs to a level where both rational custodians and users can participate. At launch, every TBTC in existence will be 250% collateralized: 100% from the BTC in custody, and another 150% in ETH from signers to secure the original BTC deposit.
Since there is no known way to make these costs market-discoverable, the tBTC team is responsible for setting the fees. At launch, signers will earn a custody fee of 50 bps (or 0.5%) every 6 months, resulting in 1% revenue per year. Given that deposits have to be 150% overcollateralized, signers would break even when their cost of capital for the bond is <0.66% p.a.
Even if we ignore the costs of redundancy (signers have to be online at all times or risk getting slashed), demand to be a signer may be very limited, considering the low returns. At much higher rates, there might be high demand to be a signer, but low demand to be a user. Whether the system can afford higher custody fees and still attract users will depend primarily on the lending rates of TBTC on Ethereum, which are themselves a function of how much utility TBTC users gain from accessing applications like Compound or MakerDAO.
To lower the costs of capital for signers, the tBTC system could automatically lend their bonds on Compound, or other capital markets that are fully collateralized. If someone was going to lend ETH (or TBTC) on Compound, they might as well become a tBTC signer and receive the signer fees at no extra cost (other than the cost of redundancy). On the other hand, adding another layer of smart-contract-risk could further diminish the “hard money” properties of the TBTC token.
Instead of using non-native collateral like ETH, tBTC could also introduce a work token that generates cash-flow from custody fees. The system would then be collateralized primarily by its own future cash-flows. If this work token were less volatile relative to the BTC in custody than ETH, the total bonding requirement could be reduced further.
Whether these changes will lower the cost of TBTC to a point where both users and custodians are satisfied with the system remains to be seen. For now, we can see how TBTC compares with the various other cross-chain pegs:
Looking at the desirable properties relative to operating cost, we showed that a system like tBTC can achieve higher security by insuring every step with bonds, which can be slashed or confiscated for misconduct. Whether this additional security is worth the costs to users is easily the central question in crypto today.