Don’t Get Goxed – Use The Five Parties Model
Trust Shall Not Live by Tech Alone

Bitcoin is an attempt to solve the problem of governance of a centralised issuer of currency through technology. By using a common protocol to manage a public blockchain, we can make it impossible to issue more Bitcoins than the pre-determined limit.

As MtGox has shown, the issuance problem is not the only trust problem for the digital currency community.

In order to provide useful services, certain businesses must hold the users’ Bitcoins and cash in escrow. These businesses, such as exchanges, brokerages, online wallets, retail payment aggregators, etc. are at risk from insider theft, external hacking and loss through currency volatility risk and poor accounting practices.

How can a user trust a business to protect his or her value held in escrow? Clearly the users of MtGox trusted an entity that was not trustworthy.

This is not a new problem for finance. It is called the “agency problem” in reference to the fact that an agent acts for the user as a trusted intermediary. Financial institutions have been dealing with the issue of trusted intermediaries for millennia.

This field is broadly called “governance” and has many well known methods for achieving accountability and reliability for fiduciary institutions.

The question then is how to bring those practices into a digital accounting and payment system.

To address this weakness of customer escrowed funds, back in the late 1990’s we developed a governance technique for digital currency that we called the “Five Parties Model of Governance.” (This model was built into the digital currency platform that we designed for exchange, called “Ricardo”.)

The five parties model shares the responsibility and roles for protection of value amongst five distinct parties involved in the transactions. Although originally designed to protect an entire digital currency, this technique should be broadly applied to businesses that hold value in escrow for their customers.
The Five Parties Model (5PM)

Every business that holds customer funds in escrow and allows them to trade internally, such as MtGox, is effectively a digital currency issuer.

For a single issuer of digital currency, the Five Parties Model looks like this (Figure 1).

[Figure 1. Five Parties Model of Governance]
1. Issuer

The Issuer is the institution guaranteeing the contract with the User. This is the person or entity ultimately responsible for the assets and whether the governance succeeds or fails.

Every Bitcoin exchange (e.g. MtGox), online wallet, and payment service aggregator (e.g. BitPay) who escrows customer funds and represents them as an account is acting as a digital value Issuer. The bigger the institution, the greater the need for a strong governance contract with the users.

2. Trustee

Each holder of value has a signatory who controls creation or deletion of assets on the books - which should mirror the deposit or withdrawal of assets from the reserve asset pool.

This position has an alter ego - a different signatory on the other side, who controls deposit and withdrawal from the asset pool (reserve accounts).

In the Five Parties Model we assign the signatory role to a Trustee, such as an outside law firm or accountant, who is not an employee or shareholder of the Issuer.

The Trustee should operate under two rules:

a. The Trustee may only disburse assets with a transaction receipt from the mirror account of the one he controls. E.g., if he controls the internal account for Bitcoin, then he can only create new internal value on presentation of a deposit receipt of equal value of Bitcoin for the reserve asset account (i.e. the cold wallet).

b. The Trustee can only spend or disburse value to the Manager account. This prevents the Trustee from creating new value and spending to an account that he or an accomplice controls. For a Trustee on the asset reserve account, he can only spend withdrawals to the Manager’s account.
3. Manager

In the Five Parties Model the Manager is the person or entity, usually the trading desk of the Issuer, who asks the Trustee to perform the big controlled operations: create or destroy digital assets, or deposit or withdraw physical ones, in order to reflect the overall pattern of trading activities.

The Manager typically works on a daily trading basis using float accounts (hot wallets).

In an example business day, the trading desk may get 50 BTC deposits and 45 BTC withdrawals, leading to a net position of +5 BTC.

As trading balances build up or draw down, the Manager asks the Trustee to authorise the conversion of daily trading assets against the long-term reserves backing the internal value on the exchange books.

For the above example, if the exchange has net deposits of +5 BTC at the end of the day, the Manager should transfer 5 BTC from the hot wallet trading account to the cold wallet reserve account. Then he places a request to create 5 BTC of new value on the internal books, and gives the Trustee a copy of the deposit receipt to the cold storage account.

After verifying the receipt is valid, the Trustee then uses his signing key to create the new value on the internal books, and then spends that value to the Manager’s internal float account. In this way the Manager converts 5 actual Bitcoins in his hot wallet into 5 internal Bitcoins on his float account.

That is how value should be moved in and out of a Bitcoin exchange in a controlled and firewalled fashion without putting the reserve funds at risk in a “hot wallet”.

[Figure: Manager Bails in 5 BTC to the Cold Wallet]
4. Operator / Escrow / Vault

Most Bitcoin Exchanges to date have created their own software and operate their own servers. (This is a big part of the reason that 45% of Bitcoin exchanges have failed - 70% of the failures are due to security breaches.)

Another disadvantage of rolling your own Bitcoin exchange software is that someone inside the company may have enough information to alter the software to conduct illicit transactions and then cover their tracks by deleting the logs.

In the Five Parties Model, it is preferable to outsource the software and server maintenance to a third party that specializes in this service. In the Bitcoin world, Bex.io is an example of this model. They have created a standardized Bitcoin exchange software, and lease that software out to local exchanges, while controlling the operation of the software itself. (Disclosure: the authors’ company, Dinero Limited, also provides and operates this type of software.)

If the role of Operator cannot be outsourced, then we put in place controls to make sure that the IT department does not have access to the signing keys of the Trustee and the Manager. Preferably these parties should not work in close contact with each other, or even work in the same location. The goal is to prevent collusion between the Trustee, the Manager and the department operating the servers.

For the Bitcoin reserve assets in cold storage, the Bitcoin Network is the Operator for the accounting and ledger system. There is already an excellent separation of roles in place there.
5. The Fifth Party - The Public as Auditor

The final and most important element of the Five Parties Model is the role of the Public as auditor.

Typically, the role of auditor is to examine the books to validate that the other parties are indeed doing their job. As is covered elsewhere (Audit), paid auditors have a long-term conflict of interest, which has been at the root of several notable disasters in the last decade - the failure of Enron, the wholesale bankruptcy of banking in the 2007 financial crisis, the collapse of AIG, none of which auditors rang the bell for.

Auditors, as well as being conflicted, are also expensive. If governments come in and regulate Bitcoin they will require exchanges to pay for quarterly or annual external audits, which will dramatically increase costs without much benefit.

We should be able to find a more effective and less costly alternative.

Let me introduce YOU, the user, also known as “The Public.”

You, the Public, do not have a conflict of interest, in that it is your value at risk, and you have a strong interest in seeing that the other four parties are doing their jobs properly.

Yet, how can the public audit anything when audit almost by definition means seeing that which cannot be seen?

The answer is to make that which was previously unseen, seen. Make the net balances of the internal books and the reserve assets visible to the public. (We are not suggesting that customer accounts be exposed.) The public only needs to see the total net liabilities of the internal accounts, to compare them to the assets in the reserve accounts.

Some examples of digital currencies that have supported public audit include:
- e-gold published a real time balance sheet of their digital issuance.
- GoldMoney publishes monthly reports and regular audits.
- Bitcoin publishes the blockchain.
- Ricardo publishes the balances of the Trustee and Manager accounts.
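
The Trustee's two rules, the Manager's bail-in and the public audit described above can be modelled as a small ledger. This is an added example, not code from Ricardo or from any exchange; the class, the account name and the receipt format are assumptions, amounts are whole BTC, and refusing a reused receipt is an assumption of the example.

```python
from dataclasses import dataclass, field

MANAGER = "manager-float"   # assumed name for the Manager's internal float account

class ControlViolation(Exception):
    """A request that breaks one of the Trustee's two rules."""

@dataclass
class Exchange:
    hot_wallet: int = 0                            # real BTC on the trading desk
    reserve: int = 0                               # real BTC in the cold wallet
    internal: dict = field(default_factory=dict)   # internal books: account -> balance
    receipts: dict = field(default_factory=dict)   # receipt id -> deposited amount
    spent: set = field(default_factory=set)        # receipts already honoured

    def bail_in(self, amount):
        """Manager moves real BTC from the hot wallet to the reserve; returns a receipt id."""
        if not 0 < amount <= self.hot_wallet:
            raise ControlViolation("hot wallet cannot cover the deposit")
        self.hot_wallet -= amount
        self.reserve += amount
        rid = f"deposit-{len(self.receipts) + 1}"   # constructed receipt format
        self.receipts[rid] = amount
        return rid

    def trustee_create(self, rid, amount, payee):
        """Trustee creates internal value, enforcing rules (a) and (b)."""
        # Rule (a): only against a deposit receipt of equal value. Refusing a
        # receipt that was already honoured is this example's assumption.
        if self.receipts.get(rid) != amount or rid in self.spent:
            raise ControlViolation("no unused deposit receipt of equal value")
        # Rule (b): newly created value may only be paid to the Manager account.
        if payee != MANAGER:
            raise ControlViolation("Trustee may only disburse to the Manager")
        self.spent.add(rid)
        self.internal[payee] = self.internal.get(payee, 0) + amount

    def public_audit(self):
        """What the Public sees: total internal liabilities against reserve assets."""
        liabilities = sum(self.internal.values())
        return {"liabilities": liabilities, "reserve": self.reserve,
                "shortfall": max(0, liabilities - self.reserve)}

def try_create(ex, rid, amount, payee):
    """Return True if the Trustee accepts the request, False if it is refused."""
    try:
        ex.trustee_create(rid, amount, payee)
        return True
    except ControlViolation:
        return False
```

A reserve withdrawal that is not matched by destroying internal value appears in public_audit() as a non-zero shortfall, which is the discrepancy the Public is meant to catch.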
The Five Parties Model Applied to Bitcoin Exchange

The Five Parties Model is just and exactly that - a model. This means there are variations, and a business must modify it to suit. For example, many businesses in the space have not one but two bases of value to control: an underlying asset and a digital issuance. Bitcoin exchanges fall into this category.

When an Issuer is backing the digital currency with a reserve asset, both of these assets need to be protected. To do this, we utilise two instances of the Five Parties Model in a mirrored pair. In each, the Issuer and the Public act as parties on both sides, whereas the Trustee, the Operator and the Manager may be duplicated (or not). Figure 2 shows an application of the Five Parties Model to a Bitcoin Exchange.

[Figure 2. 5 Party Model for Bitcoin Exchange]

An exchange supporting many currency pairs requires a somewhat more complicated regime. For every one of their assets - BTC, Altcoins, USD, EUR, JPY, etc., they must delegate operators, trustees and managers.

However, this model can still be managed for multiple currency types with only two trustees - one for the internal book value, and one for the external reserve assets.
Where MtGox Went Wrong

Now that we have explained the Five Parties Model and why it is important, let’s look at where MtGox failed.

[Figure 3. MtGox Custodial Contract]

As an Issuer MtGox failed to implement internal controls to ensure that their contract conditions were honored at all times.

Furthermore, recent revelations (by a former MtGox insider who is now a competitor) allege that MtGox management may have knowingly operated the exchange on a fractional reserve basis since a major Bitcoin theft in 2011. If that proves to be true, then sadly, the management may have compounded the initial crime committed against them by secretly operating in breach of contract instead of simply reporting the theft and filing for bankruptcy. That, followed by the rise in the value of Bitcoin since 2011, has multiplied the impact of the original theft one-hundred fold.
MtGox Failed to Separate the Roles

[Figure: MtGox Failed to Separate Roles to Keep The Wrong Hands Out of the Cookie Jar]

MtGox appears to have had the same trading desk or Manager controlling both the creation of value on the internal books and the release of assets in the reserve accounts.

By merging two roles that should have been separated (Manager and Trustee), MtGox allowed the Manager to transfer out the reserve assets without first destroying an equivalent amount of internal value on their books.

If MtGox had been following the Five Parties Model from the beginning, it would have been impossible for a security breach or malleability attack to have stolen any more than the Manager’s hot wallet balance. The customers' funds would not have been jeopardized and the discrepancy would have become immediately apparent.

The failure of MtGox to separate the asset reserve from the Manager’s trading accounts precipitated an epic disaster.

blockchain.info and bitcoincharts.com that can easily support realtime charts using the information from the APIs of participating Bitcoin exchanges. Instead of merely providing price data, these websites can play an integral part in the governance of the Bitcoin community by collecting and displaying data concerning the reserve assets and total liabilities of exchanges and escrow services.

The media also play a very important part in the governance equation. Publications that cover the digital currency sector like Bitcoin Magazine, DGC Magazine, and CoinDesk should be asking hard questions of new and old exchanges about their governance procedures.

The Bitcoin Foundation and other industry associations would be well advised to encourage the development of an industry standard for governance of exchanges and escrow services using the Five Parties Model.

You, the public, should demand it.

To voice your support for the Five Parties Model, please use the hashtag #5PModel.
Update - As this article was going to press, BitQuick became the first Bitcoin exchange to move towards implementing the Five Parties Model by making its internal balance and Bitcoin reserve addresses public through their API. (Perhaps that’s why they are called Bit QUICK.)
Ian Grigg and Ken Griffith are the co-founders at Dinero Limited, which provides a secure multi-instrument platform for digital currency exchange. Since 1995 we have built real-time trading exchanges for precious metals, securities and digital currencies. Dinero’s trading platform is a complete solution ideal for hosting crypto-currency exchanges.

This article is a modified version of the paper “HOW MTGOX FAILED THE FIVE PARTIES GOVERNANCE TEST” first published at FinancialCryptography.com on 2014-02-26.