How Crypto Exchanges Can Be Free of Risk

If Web3 is going to rely on centralized markets, then it needs to find ways to manage counterparty risk.

AccessTimeIconDec 21, 2022 at 4:02 p.m. UTC
Updated Sep 28, 2023 at 2:22 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

We have recently been reminded that markets, as heavily as we rely on them, are far from ideal in practice. For one thing, settlement risk of major equities markets is increasingly capable of taking down the global economy. This is because of the growing number of traders occasionally using social media to in effect collude, such as with GameStop.

For another, cryptocurrency marketplaces such as FTX have caused huge losses to users because of the lack of full custody coverage. These issues stem from the way current electronic markets were simply designed as copies of open outcry and paper-based markets – and, also, ironically, from the fact that all the major crypto markets were built in an unprecedentedly centralized manner.

Even a commitment to full coverage is, of course, not enough to address custody risk – those running an exchange can easily abscond with its assets. And even if both settlement and custody risk are solved, information asymmetry remains a problem. Access to tremendously valuable information about trades and traders is available exclusively to those who operate all types of markets today. Somewhat akin to consumer data in Web2 versus Web3, this data has huge potential for a variety of clandestine market manipulations. There is currently no way to prove the negative, that such information is not being exploited to the detriment of traders and markets overall.

David Chaum, a pioneer in cryptography and in privacy preserving and secure voting technologies, is the creator and founder of the xx network. In 1995 his company, DigiCash, created and deployed eCash, the first digital currency, which used Chaum's breakthrough blind-signature protocol. This essay is part of CoinDesk's Crypto 2023 series.

A market mechanism I’ll introduce below solves these problems. It has no custody risk or settlement risk, and trader information is available only to the respective traders themselves.

The underlying type of market here is generally referred to as a “call market.” Such periodic auction markets are, for instance, used today in Nasdaq’s opening and closing periods. Traders place what should be sealed transaction requests during these trading periods. Only after the period ends are the requests, in effect, unsealed, a single price calculated from the requests and the trades that should clear at that price consummated.

To keep trader information from the exchange operator in the solution here, the market clearing price is calculated by a so-called multiparty computation (MPC). This term was coined by me to describe what are now increasingly often-deployed cryptographic techniques. These allow multiple encrypted inputs to be converted to a cleartext output by an agreed algorithm. The “computation” is in effect performed by the cryptographic protocol itself such that no party can decrypt the encrypted inputs posted, but all parties can be certain that the cleartext output was computed correctly from exactly those inputs.

Although most equities and traditional commodities today are not primarily represented on blockchains, a few are, such as by the Swiss exchange Sixth. In this system, however, to address settlement and custody risk all assets traded are held on blockchains. For instance, when the pair being traded is bitcoin against dollars, bitcoin is, of course, already on a blockchain and dollars would be on a dollar stablecoin blockchain. As part of the process of submitting a bid or ask, the asset is transferred to a wallet on the native blockchain of that asset. But such wallets are created to be under joint custody of the exchange and the trader – so-called “multisig” wallets. Their value can only be transferred out by cooperation of those two entities.

Once the multiparty computation reveals the market clearing price as mentioned above, some of the multisig wallets will trade and the rest will be refunded. Bids above the clearing price, as well as asks below the clearing price, trade at the clearing price in a typical call market; non-traded bids and asks result in the assets in the associated multisig wallet being refunded to the trader who placed them there. Such refunds are easy to achieve: The exchange operator simply reveals its keys for all multisigs for which a zero-knowledge proof, provided by a given trader, shows that the particular price that was cryptographically committed to by that trader does not make the cutoff. (To ensure that the numbers of buyers and sellers that will trade are equal, different cutoffs can be provided for buy- and sell-side.) The keys issued by the exchange are useless to anyone except the trader in question, who then uses them to regain control of the asset they committed.

A simple way to accomplish the swap of those assets remaining locked in the multisig wallets is based on fixed lots on one side of the asset pair: for instance, one bitcoin against a variable number of dollars. (Larger trades could be made more efficient by multiple parallel markets, each for fixed lots such as two, four, eight and 16 bitcoin, but using the same clearing price; however, I’ll ignore this elaboration in what follows.) An amount of value initially moved to the multisig wallets on the variable-amount side by traders functions as a minimum “commitment fee.” Once the clearing price is established by MPC, traders on the variable-amount side transfer additional value to their respective multisig wallets so as to fund the exact amount required by the swap.

Finally, the MPC randomly pairs off all remaining counterparties, each pair comprising one trader on the bid side and one on the ask side. This then allows each pair to bilaterally complete an “atomic swap” protocol, in which settlement occurs directly as part of the trade. Such a swap is the only way the parties can unlock the value they placed in the multisig wallet. As I noted earlier, it results in the party on one side of the trade taking custody of what was the multisig wallet of their counterparty on the other side of the trade. What I’ve called “Liquifinity” is an atomic-swap technology that cryptographically secures against either party walking away before they give their counterparty the keys for the multisig to be transferred and thereby complete the swap. So parties that placed a bid for a price above the clearing price consummate a trade with randomly-selected counterparties that committed to an ask below the clearing price. No third party ever has custody, meaning no custody risk. And the trade is “atomic” – settlement coincident with the trade – meaning no settlement risk.

If, however, those operating the exchange could learn who is associated with specific bids or asks, this information could allow them to manipulate the market, such as by learning the approximate positions and trading patterns of participants. To solve this, what I’ve called “mixing” is used for all communication between traders and the exchange. Mixing conceals who is sending or receiving which message. Moreover, trader identities should not be associated with wallet IDs of the underlying assets being traded. Unlinking, in this way, any persistent user identity from trades hides who is behind transactions, which can be a useful source of information to anyone aiming to manipulate a market.

Collusion between an exchange and traders, or even potential extortion of traders by an exchange, however unthinkable in many settings, can be ensured against by a bond posted by the exchange. The bond need only be sufficient for the exposure of a single round of a call market, because such abuse would come to light before a next round. This makes the maximum backing of such exchanges extremely practical. It is in sharp contrast to what would be impractical bonding requirements for typical settlement or even for exchange arrangements with extended periods over which risks can accumulate.

This is a fully generalizable way to realize a market for pairs of assets. It includes a solution to both custody and settlement risk. And it obviates manipulation through information asymmetry by ensuring that all details remain private to traders. It is immediately applicable to crypto markets, where the need is most urgent and acutely felt. Once deployed, it will demonstrate that traditional markets can benefit significantly from adopting such best practices from crypto.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

David  Chaum

David Chaum, a pioneer in cryptography and in privacy-preserving and secure voting technologies, is the creator and founder of the xx network.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.

Read more about