Merge pull request #238 from keep-network/gakonst/spec-peer-review

Initial Spec Peer Review

docs/appendix/index.adoc

@@ -6,15 +6,6 @@ ifndef::tbtc[]
 toc::[]
 endif::tbtc[]
 
-== A note on naming
-
-The system, in its entirety, is called "tBTC". In this document and throughout
-the project, the fungible Bitcoin-backed token is called "TBTC" to distinguish
-it from the rest of the project, and strongly suggest an eventual ticker.
-
-Further discussion can be found on
-https://github.com/keep-network/tbtc/issues/17[Github].
-
 include::./states/index.adoc[leveloffset=+1]
 
 include::./spv/index.adoc[leveloffset=+2]

docs/bonding/index.adoc

@@ -30,47 +30,98 @@ native token. For the initial release of tBTC, that means ETH. As the ecosystem
 matures, other bond collateral options might become feasible at the expense of a
 more complex price feed implementation.
 
-=== Measuring security
+== Measuring security
+
+:lot-size: 1 BTC
 
 Clearly, security concerns require signing bonds that are proportional to the
 size of a _Deposit_. To maintain a negative expected value from signers
-colluding, the amount forfeited by a misbehaving signer must be strictly greater
-than the amount they have to gain.
+colluding, the amount forfeited by misbehaving signers must be strictly greater
+than the amount they have to gain. Assuming a lot size of {lot-size}, constant
+exchange rate between BTC and the bonded asset, and a
+M-of-N group of signers backing a _Deposit_, the minimum collateral for each
+signer is `({lot-size})/M`, denominated in the asset being bonded, ETH in the base
+case.
 
-In the case of n-of-n wallets backing each _Deposit_, the minimum collateral
-from each signer is _ethValue(btcDeposit_/n_. In the general case of an m-of-n
-wallet, the minimal set of signers required to collude is _m_, suggesting that
-each signer should bond _ethValue(btcDeposit_/n*(n - m + 1)_.
+Example: Consider a 1 BTC _Deposit_ backed by a 3-of-5 group of Signers. In the
+worse case, 3 of the signers can be malicious and try to steal the Deposit,
+which would net them each 1/3 BTC. As a result, all 5 Signers must bond 0.33 BTC
+each, denominated in ETH.
 
-=== Pricing currency fluctuations
+== Pricing currency fluctuations
 
 The above assumes a constant exchange rate between BTC and ETH, but in truth
 the two currencies fluctuate relative to each other, sometimes wildly.
 
-If the value of ETH drops precipitously relative to BTC, a group of malicious
-signers will realize that the expected value of theft of the BTC collateral
-they protect outweights the cost of loss to their bonds. For this reason, the
-value bonded by each signer requires a multiple on the minimum. If the value
-of ETH crosses a security threshold, open _Deposit_ s will enter
-<<Undercollateralization>>.
-
-// TODO insert a little historical analysis for a decent starting number
-
-If the value of BTC drops precipitously, signers won't make the return on their
-bonded capital that they'd hoped-- as <<Custodial Fees>> are denominated in TBTC.
-This doesn't pose a problem for tBTC reserves, but is expensive to signers,
-lessening their value proposition.
-
-At a certain threshold, a _Deposit_ whose BTC collateral has devalued will move
-into a variant of the <<preliq, pre-liquidation>> phase that allows bond
-rebalancing without the fallback of signer bond forfeiture.
-
+=== ETH Price Drop relative to BTC
+
+:extracollateral: 50%
+:totalcollateral: 150%
+
+If the value of ETH drops precipitously relative to BTC, then the dollar value
+of the ETH bonded by the signers can be less than the dollar value of the BTC
+Deposit they have backed, meaning they have positive expected value if they try
+to steal the BTC. 
+
+In order to avoid that, we require that the bonds are overcollateralized. For
+each ETH they collateralize, they must put up an additional {extracollateral}, for a total of
+{totalcollateral} collateralization rate.
+
+**Without overcollateralization:** Let 1 BTC be worth $10000, and 1 ETH be worth $200. Signers have to put up 50 ETH
+to back a deposit. Due to market conditions, ETH drops 25% to $150, while
+BTC maintains its value. The 50 ETH is worth $7500, meaning the Signers can make
+a $2500 profit by stealing the Deposit.
+
+**With overcollateralization:** Let 1 BTC be worth $10,000, and 1 ETH be worth
+$200. Signers have to put up 75 ETH (150% of 50) to back a deposit. Due to market conditions,
+ETH drops 25% to $150, while
+BTC maintains its value. The 75 ETH is worth $11250, which is above the dollar
+value of BTC meaning the Signers will maintain honest behavior since they have
+more to lose.
+
+In general, total overcollateralization of {totalcollateral} (`3/2 * 100%`) keeps Signer
+incentives aligned with the well-being of the system up to a 33% drop (`(1 -
+2/3) * 100%`) in price of the bonded asset against the Deposit's asset.
+Increasing this percentage can increase the robustness of the system, at
+the expense of opportunity cost to the Signers which should be compensated via fees.
+
+If the value of ETH crosses a security threshold, open _Deposit_ s will enter
+<<preliq, pre-liquidation>>, followed by <<liq, liquidation>> if they do not top
+up their collateral.
+
 // TODO insert a little historical analysis for a decent starting number
+
+=== BTC Price Drop relative to ETH
+
+Since <<Custodial Fees>> are denominated per BTC in custody (with
+overcollateralization factored in), a BTC value drop against the
+bonded asset translates in lower fees for Signers. Note that this does not
+create any issue for tBTC reserves, but it makes the system less attractive to
+signers looking to earn interest via fees on their assets.
+
+Signers SHOULD buy TBTC from the markets in anticipation of such overly 
+overcollateralized Deposits and they SHOULD use it to redeem these positions,
+thus reclaiming their ETH liquidity which can be used to back other Deposits. An
+alternative would be to provide Signers with the ability to safely rebalance their
+bonds back to {totalcollateral}, however that introduces implementation
+complexities and as a result is not the preferred solution for the initial
+deployment of the mechanism.
+
+Example:
+Let 1 BTC be worth $10,000, and 1 ETH be worth $200. Signers have to put up 75
+ETH to back a deposit. Signers are expected to make a custodial fee of 5 basis
+points for $15,000 (150% of $10,000): $7.5. Due to market conditions, ETH soars
+25% to $250, while BTC maintains its value. The Signers still get $7.5 per BTC
+under custody, however the 75 ETH is worth $18750 (hence 187.5%
+overcollateralized), meaning 5 basis points for its custody would be $9.375. A
+signer redeems the Deposit by paying 1 TBTC, reclaiming 1 BTC and unlocking the
+75 ETH which was locked by all Signers. All significantly overcollateralized Signers now
+have liquid ETH which they can use to back another deposit to mint new TBTC.
 
 == A resilient price oracle
 
 Unlike popular synthetic stablecoin schemes, the tBTC system design makes no
-effort to stabilize the value of TBTC relative to BTC-- TBTC will be priced by
+effort to stabilize the value of TBTC relative to BTC -- TBTC will be priced by
 the market. Instead, the goal is to ensure that the TBTC supply is strictly
 less than its backing BTC reserves.
 
@@ -84,28 +135,32 @@ prices for a single pair of assets, tBTC will initially use a simple
 == Undercollateralization
 
 // TODO explain the undercollateralization curve
-
-
 === Pre-liquidation: a courtesy call
 [[preliq]]
 
 :preliquidation-period: 6 hours
-:second-threshold: 125%
+:first-threshold: 125%
+:second-threshold: 110%
 
-At the first threshold, a _Deposit_ enters pre-liquidation. Pre-liquidation
-indicates that the signers should be close the _Deposit__ or face forced
-liquidation. If the _Deposit_ is not closed within {preliquidation-period}, or
+At the first threshold of  {first-threshold}, a _Deposit_ enters
+pre-liquidation.
+Pre-liquidation indicates that the signers should close the _Deposit__ or face forced
+liquidation after a pre-liquidation period. If the _Deposit_ is not closed within {preliquidation-period}, or
 if the _Deposit_ collateral falls below {second-threshold} collateralization,
 liquidation will follow. This gives each signer an incentive to close the
-position before it becomes severely undercollateralized, as all signers risk
-losing funds in the liquidation process.
+position before it becomes severely undercollateralized. Alternatively, if the
+ETHBTC ratio recovers such that the deposit becomes at least {first-threshold}
+collateralized during the {preliquidation-period} the Deposit is safe and is
+moved away from the pre-liquidation state. 
 
 In future versions of the system, more complex pre-liquidation mechanisms could
 be introduced. For the initial version it seems prudent to choose a simple
-mechanism with large penalties for ongoing undercollateralization.
-
+mechanism with large penalties for ongoing undercollateralization. In addition,
+by incentivizing redemption of undercollateralized or significantly overcollateralized
+positions, Signers are protected from being long ETH for long periods of time.
 
 === Liquidation
+[[liq]]
 
 :auction-start-percent: 80%
 
@@ -114,17 +169,19 @@ before liquidation becomes necessary. However, the possibility of extreme
 punishment via liquidation is necessary to prevent dishonest behavior from
 signers. Liquidation may occur because because signers didn't produce a valid
 signature  in response a redemption request, because the value of the signing
-bond dropped below the collateralization threshold, or because the signers
-produced an unauthorized signature.
+bond dropped below the liquidation threshold, because they did not respond to the
+courtesy call, or because the signers produced a fraudulent signature. 
+// comment(Georgios): What does unauthorized signature mean here?
 
 The primary goal of the liquidation process is to bring the TBTC supply in line
 with the BTC custodied by _Deposits_. The most valuable asset held by the
 system is the signers' bonds. Therefore, the liquidation process seizes the
 signers bonds and attempts to use the bonded value to purchase and burn TBTC.
 
-// TODO: cite uniswap
 First, the contract attempts to use on-chain liquidity sources, such as
-Uniswap. If the bond is sufficient to cover the outstanding TBTC value on these
+[Uniswap](https://hackmd.io/@477aQ9OrQTCbVR3fq1Qzxg/HJ9jLsfTz). 
+
+If the bond is sufficient to cover the outstanding TBTC value on these
 markets, it is immediately exchanged for TBTC.
 
 Second, the contract starts a falling-price auction. It offers
@@ -135,10 +192,37 @@ remain open until a buyer is found.
 
 TBTC received during this process is burned to maintain the supply peg. If any
 bond value is left after liquidation, a small fee is distributed to the account
-which trigger liquidation. After that, any remaining value is either
+which triggered the liquidation. After that, any remaining value is either
 distributed to the signers (in case of liquidation due to
 undercollateralization) or burned (in case of liquidation due to fraud).
 
 What the unresponsive signers do with the BTC outside the tBTC system design is
 for them to decide-- it might be split up, stolen by a signing majority, or
 lost permanently.
+
+Example: 
+1. Signers guard a deposit of 1 BTC, backed by 75 ETH at 0.02 BTC/ETH (1.5 BTC
+in ETH, 150% collateralization ratio).
+
+1. ETH price drops to 0.01333 BTC/ETH. 75 ETH now only collateralizes 100% of
+the Deposit (1 BTC / 75 ETH)
+
+1. Liquidation is triggered and the 75 ETH is seized to buy back TBTC.
+
+1. Assuming Uniswap has only 0.8 TBTC available in its reserves, that amount is
+bought, at market price, for 60 ETH (`0.8 BTC / (1/75) = 60`) and is
+subsequently burned. Note that there may be slippage here so the contract SHOULD
+check that it does not purchase TBTC at non-favorable rates
+
+1. The Deposit is left with 15 ETH which must be used to purchase 0.2 TBTC. In
+an attempt to get a discount, it auctions {auction-start-percent} of its ETH
+reserves.
+
+1. An arbitrageur burns 0.2 TBTC at 90% of the auction and obtains 13.5 ETH. The
+liquidation of the Deposit is now over.
+
+1. The remaining 1.4 ETH is distributed to the signers (if they had committed
+fraud it'd be burned), and 0.1 ETH is given to the account which called the
+liquidation function on the Ethereum smart contract.
+
+1. The N signers coordinate and agree on how they will distribute the 1 BTC deposit.

docs/custodial-fees/index.adoc

@@ -17,26 +17,46 @@ that a centralized custodian protects a bitcoin deposit, that's as much as
 0.75% lost to the costs of custody.
 
 A decentralized model should eventually allow a lower effective fee on custody
-by introducing more competition to the space. There's a caveat, however-- a
+by introducing more competition to the space. There's a caveat, however -- a
 decentralized approach to custodianship makes legal recourse more difficult,
 requiring additional bonded collateral to ensure recompense in case of failure.
 
-Applying this pricing model to tBTC's bonding, it's clear that a signer would
-like to make a similar return on the total capital it's responsible for-- its
-portion of `Deposit` security. In the full threshold case, that's
-`1 / min(m, n)` in deposit security, or `1 / m` as `m` is less than `n`, with
-`m` signers are required to move funds. Those `m` signers would each require
-`1 / m * OverCollateralizationFactor` in  bonds, assuming for a moment a shared
-value currency.
-
-For a few conservative values,
-`n = 20, m = 15, OverCollateralizationFactor = 150%, LotSize = 1 BTC`, a single
-signer can make .0005 TBTC a year per deposit. For depositors, that costs 1.5% a
-year. Lowering single-signer returns from 0.75% to 0.25% across the security
-value they provide means total signing revenue is 0.5% of the market cap of TBTC
-each year, with a return a year of their locked up capital, denominated in TBTC.
-
-While these returns are reasonable relative to their risk in the cryptocurrency
-space, we can save both sides money through a more efficient use of capital. As
-the network matures, these costs can be lowered through the introduction of
-leveraged bonds.
+Applying this pricing model to tBTC's bonding, it's clear that a Signer would
+like to make a similar return on the total capital it is locking up.
+
+## Fee parameterization
+
+### Terminology
+
+- `Deposit`: A non-fungible smart contarct construct to which a signing group is
+assigned. It coordinates the creation and redemption of `LotSize * 1 TBTC`.
+- `LotSize`: The exact value of a `Deposit` denominated in `BTC`.
+- `OvercollateralizationFactor`: The additional amount which must be deposited as
+collateral by the Signer 
+- `BondValue`: The amount a `Signer` must lock in a smart contract as
+collateral to mint `TBTC`. Initially this will be denominated in `ETH`. `Deposit
+= OverCollateralizationFactor * LotSize * (ETHBTC conversion rate)`. In the
+future, `TBTC` may be used to collateralize a deposit. As a result, assuming a
+1:1 ratio between `BTC` and `TBTC`, the price conversion can be skipped.
+- `N`: The number of Signers authorized to sign on a `Deposit`'s withdrawal request.
+- `M`: The minimum number of Signers required to sign the authorization of a `Deposit`'s withdrawal request.
+
+### Description
+
+:initial-signers: 15
+
+It is assumed that each `Signer` contributes equally to the collateralization of
+a `Deposit`.
+
+The capital cost per `Signer` is `BondValue / N`. Using `LotSize = 1
+BTC` and `OverCollateralizationFactor = 150%`, that is `1.5 BTC / N`.
+
+An initial parameterization of the system will use `{initial-signers}` Signers per lot. In
+addition, due to the lack of attributability in the link:../signing/index.adoc[aggregate
+signature mechanism] used, we pick `M = N`. This requires a `0.1` BTC value in capital
+cost for **each** Signer per `1.0 TBTC` minted.
+
+Taking into account the fees from centralized custodians (`0.0025-0.0075 BTC`),
+we choose to reward signers with a flat `0.005 TBTC` per `1.0 TBTC` minted,
+meaning the total signing revenue is `0.5%` of the market cap of the minted amount
+of `TBTC` each year.