Are the popular Bitcoin/Altcoin exchanges really decentralized and safe?
Decentralization is the basis for blockchain technologies. It ensures the security, transparency and integrity of all transactions in the network. But are the popular cryptocurrency exchanges really decentralized and safe? Fact: More than one million bitcoins were stolen after a few cryptocurrency exchanges had been hacked. The team of the Swap.online project analyzed the current problems of deсentralised cryptocurrency exchanges (DEX)
What are the types of DEX?
Pseudo-decentralized (using an unreliable gateway between two blockchains)
Earlier, it was of a common knowledge that a crypto exchange that did not store user keys was decentralized (and therefore safe). However, most of such exchanges are built on a single blockchain, which makes them distrustful. In order to get funds from the bitcoin to such crypto exchange, one needs to trust a gateway: it takes bitcoins and produces a kind of “bitcoins” in another network in return. A similar principle lies in Ethereum-based exchanges, for example, EtherDelta.
The advantage of this approach is the ease of implementation, but it does not outbalance the disadvantages: the gateway may not withdraw the funds back. Fast and free transactions are supported with a cheap infrastructure or by a certain group of people. The price of an attack on such an infrastructure is cheaper than an attack on the bitcoin or ethereum blockchain, which is provided by the capacities of miners around the world.
Crypto exchanges calling themselves decentralized, but functioning only in the Ethereum network, should be distinguished. For example, the 0x project which has many followers.
Their advantages are: Such exchanges are compatible with the most of the tokens issued during ICOs in 2017. In the Ethereum network it is easy to make up complex contracts (Margin Call and the like). But such exchanges do not support other leaders in the terms of the trading volume: Bitcoin, Tether, EOS.
Projects that link blockchains to each other using their own tokens
The most striking instances of such projects are: Polkadot, Kosmos, TON.
Polkadot allows transferring tokens from one network to another by blocking them in one blockchain and issuing them in the other. This exchange involves its own token.
Really decentralized exchanges that use Hashed Timelock Contracts
The community of blockchain developers has already for a long time created technologies that allow you to safely exchange cryptocurrency directly in the browser, without the involvement of a third party.
Devotees of centralization believe that storing private keys on a secure server is safer than storing encrypted keys in the user’s browser. However, if a central server is hacked, everything will be stolen (as it was with a million of bitcoins), and paranoids can remove signing of transactions from the browser into the application on the computer and encrypt it.
In fact, we are talking about the ordinary Atomic Swap (technical description of the algorithm). To understand how this works, watch the video of the system operation below, or try to make an exchange yourself at https://alpha.swap.online.
By using Bitcoin.js, web3.js, and the libp2p library in IPFS, we created a cross-blockchain swap system directly in the browser.
Features of the system:
The solution operates on average from 2 to 10+ times faster than the existing exchanges (taking into account the time to deposit and withdraw funds). On average, the exchange takes 2–3 minutes. Based on the data from our monitor (updated once a day). Source of the script.
Swap Online does not store secret user keys. Moreover, even messages between users do not pass through our servers (we use IPFS).
The exchange works right in the browser. Users do not need to download or install anything.
It already works between the bitcoin and ethereum blockchains. Exchange between Tether, Lightning Network is planned.
Theoretically, it is able to work with most cryptocurrencies, except for those where there is no scripting language. But even for such currencies (including Monero) solutions will be created over time (MultiSig for Monero).
Most frequently asked question about the security of the solution
— How will you deal with the intrusion of malicious scripts into the user’s browser?
Since all code is executed in the user’s browser, the greatest risk is the intrusion of extraneous scripts into the code. It is likely to be made by the extensions the user installed in the browser, or by a hosting provider. To prevent such attacks we will use cloudflare.com together with Workers, a solution that, in response to any request to the domain, sends a “Content Security Policy” header with the hash of the JS code allowed for execution in the user’s browser. Thus, server hacking and most attacks based on the intrusion of malicious code will be cancelled out, while hacking a server for a centralized service can be fatal.
For the B2B market (b2b.swap.online): Widget in the form of html code, which allows accepting any cryptocurrencies directly in the wallet of the site owner by sending tokens in return. The solution has a confirmed demand both from projects in the crowdfunding stage and from those who are already making a real product.
For large holders of cryptocurrencies: Ability to safely exchange cryptocurrency without bringing it to centralized exchanges (by replenishing the account only during the exchange).
As part of research, the possibility of using the solution as a bridge for the sidechains is being studied.