►
Description
Thesis Founder Matt Luongo (https://twitter.com/thesis_co) and NEAR Co-Founder & CTO, Alex Skidanov (https://twitter.com/AlexSkidanov) discuss the design behind tBTC.
------- About Whiteboard Series ---------
The Whiteboard Series with NEAR is a set of video interviews with Founders who are building scalable solutions for Blockchain. We deep dive into their story, what they're developing and how it is helping the ecosystem.
Follow the latest from NEAR Protocol on,
Website: https://near.org/
Discord: https://near.chat
Twitter: https://twitter.com/NEARProtocol
GitHub: https://near.ai/github
#WhiteboardSeries #Blockchain #FutureIsNEAR
B
A
Will
talk
today
about
the
design
behind
tbtc,
which
is
extremely
exciting,
so
so
matt?
Would
you
like
to
introduce
yourself
and
give
us
the
high
level
overview
yeah.
B
Yeah,
of
course,
so
yeah,
I'm
I'm
matt,
I'm
the
founder
and
ceo
of
thesis
we're
a
cryptocurrency
production
studio.
So,
if
you're
familiar
with
fold,
they
spun
out
recently
they're
shipping,
a
bitcoin
rewards
back
card
keep
network
is
a
big
product
of
ours
and
on
top
of
keith
and
on
top
of
ethereum,
we
built
tbtc,
which
is
a
bridge
to
safely
bring
your
bitcoin
on
and
off
of
ethereum.
B
So
you
can
do
things
like
earn
yield,
take
out
usd
loans
and
really
participate
and
defy
widely
with
confidence
that
you
can
get
back
to
your
exact
bitcoin.
B
Yeah
so
high
level
I
mean
yeah,
there's
a
let's
see
where
to
start
where
to
start.
So
you
think
people
are
probably
already
familiar
with
different
bridge
designs.
A
B
Yeah,
so,
let's
just
really
quickly
go
through
some
bridge
designs,
so
you
know
at
the
end
of
the
day,
what
you're
trying
to
do-
and
I'm
just
gonna,
draw
myself
a
little
blockchain
here,
because
I'm
probably
gonna
need
it
a
lot
that,
at
the
end
of
the
day,
what
you're
trying
to
do
is
you're
trying
to
take
this
one
consensus
mechanism
here.
B
That
is
a
chain
note
that
when
people
draw
the
arrows
going
forward,
they
do
not
understand
linked
lists
or
time.
So
you
have
this
little
block
chain
here.
Obviously
this
is
not
not
my
best
drawing
and
I'll
I'll,
pretty
it
up
a
little
bit.
But
what
you're
trying
to
do?
Let's
say
this
is
bitcoin-
is
you're
trying
to
with
some
confidence,
take
take
some
value
from
this
chain.
B
So
I'm
not
gonna
talk
about
like
more
general
data
transfer
mechanisms
and
merge,
consensus
and
stuff
like
that,
because
this
conversation
will
get
totally
out
of
control
and
I'm
not
a
pro
at
it.
But
what
you're
trying
to
do
is
you're
trying
to
take
data
from
this
chain,
which,
let's
say,
is
the
btc
chain.
B
And
and
you're
trying
to
see
if
this
arrow
will
move
there,
we
go
and
you're
trying
to
then
bring
it
to
another
chain.
So
now
I
do
not
want
to
clear
page.
I
would
love
to
copy,
though
say
copy
paste
beautifully.
B
So
so
the
reason
that
we
want
to
do
this
is
obviously
to
bring
in,
in
my
particular
case,
bitcoin,
but
really
any
value,
that's
been
locked
on
one
chain
onto
another,
so
bitcoin
is
a
little
bit
different
than
a
chain
that
you
might
build
from
scratch
today.
B
If
you
build
a
chain
from
scratch
today,
you
know
that
there
are
a
few
things
that
you're
going
to
need,
but
if
you
care
about
interoperability-
and
I'm
just
going
to
use
ethereum
here
for
our
example
since
it's
where
our
system
runs
today,
but
if
you
care
about
interoperability
today
and
you're,
building
a
new
l1,
what
you're
going
to
do
is
you're
going
to
think
about
how
can
the
state
of
my
chain
or
a
summary
of
the
state
of
my
chain
be
provable
to
people
off
chain?
B
So
it's
very
important
that
you
be
able
to
be
able
to
say
whether
or
not
you're
running
a
fully
validating
node
that
when
someone
gives
you
the
latest
chain
tip
that
you
can
have
some
amount
of
confidence
and
either
you
know
that
could
be.
That
could
be
confidence,
because
you
are
confident
in
a
particular
validator
set
and
that
they've
they've
signed
it.
That
could
be
confidence
because
of
the
weight
of
work
that
goes
along
with
that
data.
B
So
a
lot
of
different
ways
to
do
it,
but
in
the
case
of
bitcoin
a
lot
of
the
fancy
tools
that
we
would
typically
pull
out
when
we're
talking
about
interoperable
blockchain
design,
just
don't
apply
bitcoin
will
not
likely
have
a
soft
fork
that
has
any
focus
on
interoperability,
at
least
for
the
next
two
three
years,
possibly
longer,
maybe
forever,
and
and
that's
just
kind
of
something
that,
when
you
are
trying
to
do
work
with
bitcoin,
you
have
to
be
really
upfront
about.
A
B
A
B
Exactly
what
we
do
yeah,
so
so
so
in
that
direction,
it's
quite
easy
right!
So
so
you
can
use
spv
proofs,
and
these
were
like
you
know
the
original
spv
proofs,
where
you
have
a
person
in
the
middle
and
oh
man.
I.
B
Have
just
like
made
some
people
too.
Let
me
just
make
some
people
real
quick,
so
you
have
a
person
in
the
middle
and
who's
some
off-chain
actor,
and
this
off-chain
actor
is
able
to
read
the
state
of
the
bitcoin
chain
and
they're
able
to
submit
that
state
using
an
spv
proof
to
the
ethereum
chain.
Now
ethereum
is,
I
don't
want
to
call
it
legacy
yet
right,
but
obviously
there's
a
lot.
B
That's
wrong
with
the
evm
that
anyone
who's
familiar
with
kind
of
like
engineering
outside
of
ethereum
knows,
but
it
can.
It
can
verify
spv
proofs.
The
problem
quickly
becomes
the
state
that
you
have
to
track
so
btc
relay,
I
believe,
which
was
a
very
one
of
the
first
really
pegs
to
a
chain
like
ethereum,
actually
tracked,
all
of
bitcoin
state
on
ethereum
and
that
launched
in
2015,
and
it
had
to
be
paused
in
2017,
because
the
expense
was
just
too
high.
B
So
so
there
are
a
number
of
ways
to
go
after
this.
So
if
you're
looking
at
a
chain,
that's
kind
of
like
bitcoin,
but
not
quite
bitcoin,
so
zcash,
for
example,
you
can
use
techniques
like
merkel,
mountain
ranges
and
and
just
kind
of
this
fly
client
idea
and
basically,
what
you're
doing
is
for
each
block
instead
of
needing
to
catch
up
the
chain
on
the
right
to
the
chain.
On
the
left
linearly,
you
can
use
logarithmic
techniques,
so
you
can
actually
like
get
pretty
cheap
validation
on
the
ethereum
side.
B
But
again,
bitcoin
is
not
going
to
make
a
change
like
that
anytime
soon,
so
so
we're
stuck
with
linear.
So
originally
our
approach
building
tbtc
here
was
to
use
something
called
a.
What
we're
calling
a
light
relay
and
the
idea
with
the
light
relay
was
instead
of
tracking
each
head
and
instead
of
constantly
tracking
the
chain
tip
every
10
minutes.
Instead,
what
you
do
is
you
check
difficulty,
retargeting
periods,
so
you
get
this
period
that
is
difficult
to
know
in
advance.
It's
really
hard
to
know.
B
So
that
was
the
original
plan
and
we
got
pretty
far
with
it.
In
fact,
we
have
a
full
implementation,
but
what
we
realized-
and
this
is
100
james
prestwich
at
suma-
who
came
up
with
this-
is
that
you
could
actually
take
an
idea
like
btc
relay
and
dehydrate
it
to
the
barest
minimum
possible
rules,
discarding
almost
all
data
around
spv
proofs
and
then
and
then
it
basically
boils
down
to
code
on
the
ethereum
chain.
B
That's
about
fork,
choice
and
heaviness
of
work,
and
that's
it
so
we
really
dove
in,
but
so
the
way
that
we
keep
track
of
bitcoin
state
on
the
ethereum
side
is
using
this
this
relay.
So
if
you're
interested,
you
can
actually
go
on
mainnet
right
now.
Currently
we
are.
We
are
running
the
relay
as
a
public
good
for
ethereum
users,
which
is
funny
because
it's
gone
down
at
least
once
and
actually
the
community
saw
and
they
stepped
in
and
started
running
it.
B
B
The
second
question,
though,
is
how
does
data
from
ethereum
get
back
to
bitcoin,
so,
unlike
ethereum
being
able
to
validate
spd
proofs
for
bitcoin,
there
are
two
issues
with
going
the
other
direction.
First,
because
ethereum
was
not
designed
with
interoperability
in
mind.
Eath
hash
is
a
very
annoying
proof
of
work.
B
It's
difficult
to
summarize
it's
and
it's
difficult
to
validate
from
other
chains,
it's
much
more
expensive
than
it
should
be,
and
it
sort
of
violates
some
core
design
principles
that
we
would
follow
if
we
were
designing
a
proof-of-work
smart
contract
chain
today,
but
even
more
difficult
than
that
is
the
fact
that
bitcoin
has
no
way
to
actually
verify
the
proof
so
bitcoin's
execution
environment
is
you
know
people?
Actually
it
doesn't
even
have
a
name.
People
refer
to
it
as
script,
but
it's
not
even
technically
a
name.
B
It's
it's!
A
fourth
based
like
stack
based
little
mini
language,
it's
incredibly
restrictive
and
then
the
data
model
is
a
utxo
model,
and
so
that
leads
to
some
great
scalability
opportunities
if
bitcoin
wanted
to
take
them.
B
But
it
also
means
that
you
can't
make
assertions
about
the
entire
chain
state,
necessarily
the
way
that
you
could
in
something
like
ethereum.
So
what
I'm
basically
saying
is
there
is
no
way
for
ethereum
to
to
prove
something
to
bitcoin.
So
this
is
where
what
currently
looks
like
a
pretty
simple
system.
It's
gets
quite
a
bit
less
simple.
Let
me
see
if
I
can
successfully
move
this
screen
here,
and
here
we
go
okay.
B
So
so
now
our
job
designing
tbtc
is
to
build
a
system
that
will
allow
people
to
move
quote
unquote
their
bitcoin
onto
ethereum,
move
it
back
to
the
bitcoin
l1
and
be
confident
that
that
they'll
always
have
access
to
their
l1
bitcoin.
So
it's
very
important
to
me
as
a
bitcoiner
to
make
sure
that
that
I
that
at
no
point
will
there
be
more
bitcoin
printed
on
ethereum.
So
we
don't
want
this
to
become
a
full
synthetic.
B
It's
very
important
to
me
that
I
can
be
confident
that
there's
always
physical
settlement
and
then
lastly,
it's
it's
important
that
I
have
no
trusted
intermediaries,
so
I
don't
want
to
be
relying
on
people's
reputation
for
access
to
my
bitcoin.
I
can
already
do
that
with
centralized
exchanges.
B
B
So
all
that's
actually
a
really
tall
order
without
any
soft
forks
on
bitcoin,
but
I
will
see
if
I
can
draw
out
the
way
that
we've
got
this
working
here.
B
It's
just
I'm
just
going
to
go
back
to
boxes
and
squares,
it's
too
complicated,
otherwise,
let's
say
duplicate
okay,
so
the
system
that
we
use
and
that
tbtc
is
built
on
we're,
calling
a
bonded,
multi-federated
peg.
Let's
see
if
it
lets
me
collect
any
of
these.
So
what
that
means
is,
if,
if
you
follow
the
history
of
side
chains,
which
why
not
right
like
what
else
you're
gonna
do
on
a
saturday,
then
then
you
know
that
this
original
idea
of
a
side
chain
is
like
okay,
you
want.
B
You
want
one
chain
to
have
data
from
another
chain
and
ideally
those
two
chains
stay
synced,
but
what
you
really
care
about
more,
even
with
a
lot
of
these
early
folks
than
you
care
about
consensus.
Is
you
care
about?
B
What's
called
a
two-way
peg,
and
so
the
idea
of
a
two-way
peg
is
that
you
can
just
be
confident
that
when
one
asset
moves
from
one
chain
to
another,
it
stays
locked
on
chain
one
and
unlocked
on
chain
two
and
then,
when
you
lock
it
on
chain,
two,
it
becomes
unlocked
on
chain
one,
that's
a
subset
of
bigger
consensus
things
we
talked
about
today
on
smart
contract
chains,
which
is
convenient
because
you
can
use
different
tools
to
enforce
it
than
you
would,
if
you're
trying
to
do
this
more
generally.
B
So
what
we've
done
to
solve
this
problem,
because
bitcoin
has
no
way
to
to
actually
verify
ethereum's
ethereum
state?
Is
that
we've
taken
this
idea
of
a
federation
and
we've
said
okay?
Clearly,
we
need
someone,
who's,
custodying,
bitcoin
and
I'll
choose
three
here,
because
we've
started
with
pretty
small
wallet
setups.
Clearly
we
need
someone
who's
costing
bitcoin
the
problem.
It's
it's
not
like
we're.
Okay
with
other
people
like
we
like
to
say
not
your
keys,
not
your
coins,
but
it's
actually.
Okay.
For
me,
at
least,
if
someone
else
holds
my
coins.
B
What's
not,
okay
is
I
I
can't
get
them
back
right,
so
I
don't
think
it's
like
inherently
wrong
that
someone
else
is
holding
your
coins,
so
so
what
we've
done
is
is
we've
got
this
federation
here
and
I've
just
chosen
a
three
of
three
that
I'm
about
to
start
doing
some
doodles
on,
but
what
this
federation
does?
Is
it
actually
locks
up
cash
on
the
ethereum
chain?
So
let's
move
some
of
these
around
here.
B
Artistic
excellent,
so
we
call
these
federations
in
our
particular
system
a
signing
group
rather
than
just
a
general
federation,
and
the
reason
that
we
call
them
that
is
instead
of
acting
as
federated
validators,
which
is
typical
in
a
bridge
design
where
you
have
a
few
people
who
come
together
and
they
vote
on
the
state
of
the
ethereum
chain.
B
B
B
You
have
them
custody
the
bitcoin,
but
then
you
also
have
them.
Let's
get
really
fancy
lock
eth
and
you
have
them
lock
e
so
that
if
they
do
disobey
the
system
and
and
the
parameters
that
and
rules
that
have
been
set
aside
here,
you
can
slash
them.
B
So
what's
nice
about
that
is
normally
if
they're
holding
your
bitcoin,
they
could
abscond
with
it
and
then
your
only
recourse
as
a
user
is,
you
know
a
judge
it's
to
try
to
find
the
jurisdiction
that
these
signers
are
in
and
go
after
them
and
try
to
find
their
identities.
But
in
our
system,
signers
are
chosen.
B
Randomly
many
of
them
have
been
kyc'd,
incidentally,
but
you
can
buy
into
the
system
on
the
free
market
at
any
time,
and
so
it's
not
really
reasonable
to
try
to
look
these
people
up
and
send
them
a
nasty
gram
and
try
to
get
your
bitcoin
back
instead.
What
you
do
is
you
can
submit
more
of
these
proofs
so
once
you've
trusted
bitcoin
to
to
one
of
these
federator
wallets
and
they
have
bonded
their
eth
at
any
point.
If
they
move
that
eth,
you
can
submit
a
fraud.
B
B
So
in
this
case
the
proof
of
fraud
is,
is
it
could
be
an
spb
proof,
but
actually
you
don't
even
need
that
all
you
need
is
any
ecdsa
signature
that
this
key
pair
has
has
generated.
That
has
not
been
authorized
already
on
the
ethereum
chain,
so
anytime
they
do
that
this
same
actor
can
submit
that
and
can
actually
seize
the
eth
from
these
guys.
B
So
that's
the
core
insight
that
you're
going
to
see
in
this
bridge
design
is
rather
than
you
know,
kind
of
like
falling
back
to
something
that
looks
a
little
bit
more
like
liquid,
where
you
really
basically
have
to
have
trusted
parties,
and
rather
than
falling
back
on
something
where,
where
you
talk
about
like
implicit
staking.
This
is
my
favorite
argument
that
oh
these
people
must
have
skin
in
the
game,
because
they're
involved
in
the
system.
So
why
would
they
possibly
be
dishonest?
B
You
actually
fall
back
to
hard
currency,
so
in
our
particular
instantiation
of
tbtc
on
ethereum.
What
we've
done
is
we
require
150
of
anything
that,
oh,
that
didn't
work.
We
require
150
bond
from
any
of
these
guys
who
want
to
act
as
a
signer,
and
so
you
might
ask
like
why
would
they
act
as
a
signer
and,
of
course,
the
answer
to
that?
Is
that
they're
able
to
earn
fees
every
time
they
bridge
bitcoin.
A
B
And
then,
when
there's
a
redemption
every
time
they
send
bitcoin
back
so
high
level.
These
are
some
of
the
components
of
the
system.
I've
gone
about
this
in
a
different
order
than
I
usually
do
some
others
that
are
really
relevant.
So
so
now
you've
got
something
that
looks
like
a
lot
of
bridge
designs
in
tbtc's
specific
case.
We've
added
this
over
collateralization
factor,
we've
added
this
ef
that's
locked
up
and
then
what
we've
also
done
is
every
single
deposit
gets
a
new
federation
and
that
these
are
chosen
from
a
large
group
of
potential
custodians.
B
B
You
can
be
confident
that,
with
a
large
set
of
operators,
large
set
of
signers
and
a
random
beacon
that
that
is
not
going
to
be
possible,
so
that's
that's
roughly
our
design
for
tbtc.
It
really
doesn't
look
complete
now
that
I'm
looking
at
this
whiteboard
but
would
love
to
answer
questions
and
go
into
detail.
A
Yes,
so
so
couple
questions
is
the
first
one
is
so
let
me
first
make
sure
that
I
understand
correctly
right.
So,
let's.
A
So
so
my
if
that
is
put
in
there,
it
just
allows
people
to
send
up
to
some
limit
of
bitcoin
right.
That's
right!
I
see
so
what
happens
is
if,
at
some
point
I
did
have
100
collateral
yeah,
but
I
don't
anymore
because
of
the
fluctuations.
B
Yeah
yeah,
so
there
are
a
lot
of
different
ways
to
handle
this
in
our
particular
again,
first
instantiation
on
ethereum.
What
we've
done
is
we've
said:
okay,
if
this
drops
to
135
percent
collateral,
then
there's
a
courtesy
call.
If
it
drops
to,
I
want
to
say
it's
120,
then
there
is
liquidation.
B
It's
that
you
actually
want
bitcoin
backed
tokens,
and
so
what
happens
in
this
case
is
the
job
of
the
system
is
to
preserve
the
supply
pack.
So
what
you
do
to
preserve
the
supply
peg
is
first,
you
give
your
signers
a
heads
up,
hey
guys,
this
is
going
to
happen.
If
you
don't
respond
soon,
if
they
don't
respond
soon,
you
put
their
collateral
up
for
a
falling
price
auction
and
you
put
that
collateral
up
against
tbtc.
B
B
Eventually,
someone
fills
it
and
the
tbtc
that
fills
that
auction
is
burned
and
then
the
signers
are
left
with
the
bitcoin
and
they
can
sort
of
sort
it
out
on
their
own.
So
at
that
point
they
have.
There
are
a
lot
of
different
ways
to
look
at
this.
There's
a
financial
angle
and
there's
just
the
mechanical
angle,
but
mechanically
they
can
all
chat
and
recover
their
bitcoin
and
and
now
they're
stuck
with
bitcoin.
B
B
They
just
close
it
yeah.
So
if
you,
if
you
look
at
how,
if
you
think
about
this,
like
a
margin
account,
if
you
think
about
a
margin
account
where
you
have
many
many
people
who
are
like
equally
responsible
for
it,
no
one's
gonna
top
up
right.
So
what
you
do
instead
is
you
just
say?
Okay,
guys,
any
of
you
can
take
this
now,
you'll
get
a
slightly
better
price
than
your
peers.
B
A
A
B
Cool
yeah,
so
definitely
it
like.
It
really
benefits
folks
who
are
running
this
bridge
to
have
inventory
in
both
assets.
You
can't
just
hold
eth
and
run
this
bridge
you're
going
to
need
to
hold
tbtc
just
as
an
operational
matter
now
that
said,
we've
been
up
for
four
or
five
weeks.
So
far,
it's
not
very
long,
but
we
have
not
had
a
single
deposit
go
below.
I
think
142
collateral
and
the
reason
is
that
ethan
btc
are
so
tightly
correlated.
B
B
Lately,
I'm
I'm
a
I'm
a
bitcoin
bull
and
I
don't
always
necessarily
hold
a
lot
of
eth,
but
you
know
you're
just
looking
at
like
historically
so
because
the
two
are
correlated,
you
can
be
fairly
confident
now,
obviously,
in
an
ideal
world,
maybe
you're
using
multiple
kinds
of
collateral
here,
but
I
think
what
we
kind
of
decided
is
we're
not
maker,
and
we
don't
want
our
job
to
be
this
kind
of
like
collateral
and
risk
assessment
constantly.
B
A
Fairly
highly
correlated
right,
then
the
second
question
is
well
obvious.
Question
is
how
large
is
the
committee
right?
So
if
I'm
moving
my
tb,
you
see
how
many
people
are
chosen
from
the
it's
tiny.
B
Only
three,
only
three,
so
the
reason
that
we
do
that
is
is
for
forward
compatibility
for
something
much
bigger
and
grander
that
we're
that
we're
trying
to
ship
so
right
now,
instead
of
using
bitcoin's
multi-sig
we're
using
threshold
ecdsa
threshold
bcdsa
is
really
freaking
cool.
We
can.
We
can
talk
a
lot
about
this
particular
mpc
application,
but
at
the
time
of
building
tbtc
actually
and
actually
until
today,
this
is
still
true.
B
It's
going
to
stop
being
true
next
month,
but
there
was
not
a
way
to
properly
attribute
malice
in
these
setups,
and
so,
if
you
let's
say,
for
example,
we
had
a
two
of
three
you're:
ensuring
that
two
could
always
steal
from
the
third.
B
Exactly
exactly
so,
what
we
did
to
solve
this
problem
economically.
Is
we
decided
to
start
with
n
of
n
and
then
you
say:
okay?
Well,
it's
n
of
n.
You
don't
have
liveness,
so
drop
the
wallets
as
small
as
possible
and
have
as
many
wallets
as
possible.
So
you
have
robust
liveness
across
the
system,
though
particular
deposits
liveness
might
not
be
as
good
for
the
next
version.
B
The
plan
is
we're
working
with
an
outside
team
that
will
shortly
be
delivering
an
attributable
ecbsa
scheme
which
I'm
really
really
stoked
about,
and
that's
going
to
allow
us
to
explode
these
committees
so
think,
50
to
100
and
think
n
over
two
thresholds.
So
then
it's
just
going
to
look
much
more
robust.
A
Right
so
so
now,
let's
say
that
the
threshold
is
actually
n
over
two
right
yeah
sure,
but
the
collateral
is
only
one
hundred
fifty
percent.
B
That's
exactly
right,
that's
exactly
right!
So
right
here
we
have
done
this.
Is
I'm
not
gonna
call
it
the
most
naive
because
it's
not,
but
this
is
like
a
really
straightforward,
clear,
over
collateralization
situation.
Now,
if
you
look
at
let's
zoom
out
here
for
a
second
and
see
if
I
can
properly
do
this,
so
if
you
start
actually
looking
at
the
real
world
here,
keep
hitting
ctrl
c
thinking,
it's
going
to
copy
and
it
doesn't.
B
You
know
what
actually
happens
is
today
on
mainnet
we
have
a
140
stakers,
we're
targeting
500
by
the
end
of
the
year,
so
very
quickly.
You
know
this
starts
getting
larger
and
then
each
time
you
sample
from
them
as
long
as
you
have
a
fairly
decent
beacon,
each
time
you
sample
from
them,
you
have
some
strength
of
collusion
resistance
right.
B
So
the
idea
is
that
eventually
you
hope
that
you
can
lower
this
150
effectively
and
if
there
are
issues
past
that
150
percent,
that
you
can
socialize-
or
this
is
the
alternative
design
or
you
can-
you
can
basically
treat
people's
membership
in
this
group
is
having
value.
So
what
we've
done
on
ethereum
is.
We
have
a
work,
token
called
keep
and
for
you
to
actually
stake
in
the
system.
You
have
to
buy
this
work
token
and
you
have
to
put
it
at
risk
to
even
be
chosen
in
the
first
place.
B
B
So
if
you
balance
things
right
and
if
you
use
your
beacon
properly
and
you
don't,
let
people
basically
be
in
many
many
shared
setups
with
the
same
group
of
people,
you
can
actually
have
a
piece
of
collateral
that
can
be
leveraged
across
multiple
wallets,
so
that
lets
you
start
to
play
and
get
this
number
lower.
So
you
don't
suddenly
have
to
do
300
collateral
to
get
in
over
to
safety.
B
Ultimately,
though,
like
what
we're
going
to
be
doing
is
finding
all
these
numbers
in
production
right
so
we'll
start
high
and
then
we'll
slowly
slowly
through
governance,
inch
them
down
and
figure
out.
What
is
the
value
of
capital
efficiency,
and
is
there
an
honesty
assumption
here
at
all
this?
This
initial
tbtc
design
assumes
100
malice
from
all
players,
which
is
you
know
way
beyond
what
most
literature
outside
of
the
cryptocurrency
space
considers
and
in
v2
will
start
to
will
start
to
relax
its
assumptions.
A
Cool
okay
now
another
question:
well,
one
simple
question
is:
what
is
the
random
beacon
today?
Is
it
just
the
hash
of
the
block?
Oh.
B
How
hell
no
man
I
spent
I've
spent
an
incredible
amount
of
time
on
this,
so
the
random
beacon
today
is
a
bls
threshold
based
on
dfinity's
original
work
in
2017.
B
That's
been
anchored
onto
the
ethereum
chain,
and
so
what
that
does
is
it
means
that,
on
the
one
hand,
it's
anchored
to
the
ethereum
chain
for
better
or
worse.
So
there
are
some
things
that
we
can't
use
this,
for
it's
not
suitable
for
a
consensus
mechanism
period,
any
anything
that
people
want
to
build
where
they
say
well,
the
beacon
is
the
first
piece
that
you're
seeing
in
new
chain
designs.
This
is
not
the
beacon
for
that.
B
Instead,
though,
what
this
beacon
gives
you,
it
gives
you
resistance
to
minor
attacks
and
to
long-range
attacks
so
because
and
and
I
could
almost
start
a
whole
new
diagram
but
I'll
spare
you
who
is
participating
so
all
of
these
same
signers.
So
all.
B
Exactly
so,
all
of
these
stakers
also
participate
in
a
random
beacon
and
our
particular
bls
based
random
beacon.
It's
a
64-member
group
with,
I
believe
it's
a
31-member
honesty
threshold
and
then
the
way
that
it
works
is
what
you're
really
looking
for
is
because
it's
bls
based
people
can't
give
you
malicious
answers,
because
the
ethereum
chain
can
validate
that
the
signature
is
correct.
Instead
you're
fighting
aborts,
and
so
in
the
case
of
our
chain.
Let's
see
the
men's
stake
right
now
is
80k
keep
60
cents
32,
so
we're
talking.
A
So,
in
the
meantime,
what
is
the
curve
on
which
you're
doing
it
is
it.
A
Right
the
ethereum
curve
that
no.
A
B
A
Because,
technically
you
don't
really
need
anything
from
bls,
so
you're
really
only
using
pairing
when
you
validate
the
the
the
output
of
the
randomness
beacon,
but
instead
of
letting
around
output
of
the
randomness
become,
you
can
verify
each
each
reveal
from
every
participant
for
which
you
do
not
need.
You
can
use
just
schnorr.
A
My
cryptography
is
very
rusty
right
but
yeah,
but
you
can
validate
each
of
the
of
their
reveals
and
you
can
re-interpolate
the
polynomial
and
confirm
that
you
know
the
the
point.
A
You
expect
right
so
yeah.
This
is
the
only
place
where
you
use
pairings
and
then,
if
you
use
threat
well
well,
technically
tayden
doesn't
have
restrictors.
It
doesn't
help
much,
but.
B
Yeah
yeah,
so
so
I
was
gonna
say
like
obviously
we're
super
restricted
by
the
evm
right
now
and
I've
already
we've
already
pushed
for
a
couple
eips.
We
got
a
pre
pre-compile
in
for
blake
2b,
for
example,
for
zcash
interop,
but
the
like
greater
curve
work
that
ethereum
needs
done
is
just
like.
I'm
it'll
happen
eventually,
but
we
would
be
years
behind
schedule
if
we'd
waited
on
it.
So.
A
B
Yeah
it's
expensive,
but
yeah
it
works.
You
can
do
it
ev
every
every
tbtc
deposit
uses
it
right
now.
A
But
but
another
question
so
so
let's
say
you
have
200.
Let's
say
you
have
200
of
those
participants
right
and
you
sample.
Let's
say
five
of
them:
yep
right.
A
If
you
only
have
like
one
or
two
bits
of
influence
that
doesn't
really
allow
you
to
to
sample
the
committee
that
that
is
bad
right,
like
if
you
control
50
of
them.
So
so
why
not
use
block
hash
as
a
as
a
randomness.
B
Oh
yeah,
that's
a
good
question,
so
there
are
a
couple
yeah.
Let
me
see
if
I
can
unpack
this
so
first
I'll
be
frank:
we
built
the
beacon
for
much
greater
things,
yeah
yeah,
so
so
we
had
already
built
this
beacon
that,
like
a
committee,
this
small
does
not
need
this
beacon,
but
when
we
start
getting
to
large
samples
and
larger
number
of
stakers,
I
think
it's
going
to
be
quite
relevant
and
then
the
other
thing
that
we've
had
to
do.
B
This
is
an
implementation
detail,
but
it's
an
important
one
is
just
getting
to
the
beacon
there's
actually
a
lot.
You
have
to
do
after
that.
So
on
ethereum,
a
gas
efficient,
sortition
pool
implementation
is
not
trivial,
so
I'm
happy
to
say
that
we've
shipped
that
as
well.
So
what
we
actually
have
is
the
ability
to
sample
from
a
list.
That's
thousands
and
that
well
I
mean
obviously
it's
not
actually
a
list,
but
a
collection,
that's
thousands
and
thousands
of
members
long
and
that's
weighted
arbitrarily,
and
so
that's
really
what
we
brought
to
the
chain.
B
So,
while
we're
initially
using
it
for
these
small
committees,
the
idea
is
that
we'll
start
using
it
for
50
to
100
plus
deposits,
we'll
also
right
now
we're
set
so
that
these
deposits
are
using
fixed
sizes.
B
So
one
btc
5,
btc,
10
btc
and
we've
done
that
because
there
are,
we
have
aims
to
build
privacy
solutions
on
top
of
bitcoin
and
ethereum,
and
you
need
fixed
note
sizes
for
good
privacy
solutions.
But
in
the
future,
when
we're
doing
these
larger
committees,
we
will
be
removing
those
balance,
and
so
suddenly
it's
really
important
that
you're
confident
in
the
group
that
you've
chosen.
A
I
have
a
couple
of
questions
in
in
a
completely
different
space,
so
please
so
so
I'm
here
I'm
on
bitcoin
right
and
I
have
my
my
one
btc.
I
want
to
move
it
to
the
to
ethereum
yep
right.
So
so
what
is
the
order
here
right?
I
need
to.
I
need
to
know
who
to
send
it
to
right,
yeah,
bigger,
ethereum,
smart
contract
to
get
my
committee.
B
Yes,
yeah,
so
so
this
is
not
the
smoothest,
ux
minting
process
right
now,
but
the
way
that
it
works
today
is
when
you
say
look,
I
I
have
one
bitcoin.
I
want
to
deposit
one
bitcoin,
you
send
a
single
transaction
to
ethereum
and
then
that
emits
an
event
where
off
chain.
These
guys
are
able
to
figure
out
who
should
be
in
the
committee.
B
B
Once
that
happens,
you
can
send
your
bitcoin
to
that
address
and
then
wait
six
confirmations
and
submit
your
spv
proof
when
you
do
that
you're
originally,
given
an
nft
and
what's
cool.
This
is
like
such
a
low
level
detail.
Most
people
don't
care,
but
it's
really
cool
for
like
tax
nerds
and
bitcoin
nerds
is
that
nft
actually
represents
your
deposited
utxo.
B
If
you
don't-
and
you
just
want
to
like
you
know-
go
farm
on
d5
or
whatever
you
can
then
turn
that
into
what
we
call
the
vending
machine
and
it
just
holds
all
the
utxos
and
mints
new
tbtc
on
ethereum,
and
then
you
can
walk
with
your
fungible
token.
So
it
takes
a
few
steps.
I
think,
if
you
skip
approvals,
it
maybe
takes
three
transactions,
which
is
not.
A
A
Cool,
so
so
the
next
thing
is
so
you're
saying
I
can
I
can
hold
to
this
utxo
for
six
months,
right,
yep,
so
as
a
participant
in
the
in
the
network
of
people
who
you
know
who
put
collateral
and
participate
right
yeah.
So
what
happens
if
three
months
in
I
realized
that
I
cannot
be
participating
anymore.
So
I
need
to
exit
right,
but
there's
a
lot
of
there's
a
lot
of
of
tbtc
that
I
happen
to
have.
You
know
I'm
part
of
their
multisigs
right.
So
I
cannot
just
walk
away.
B
Yeah,
oh
no!
So
so,
if
you
are
a
signer
you're
stuck
for
up
to
six
months
in
that
position,
and
so
now,
luckily
most
people
meant
fungible
tbtc
like
they
want
the
erc20,
and
so
what
you
can
do
is
you
can
just
go
through
and
you
can
use
the
same
piece
of
collateral
to
close,
close,
close,
close,
close
and
just
kind
of
like
zipper
and
which
is
great.
But
in
the
case
where
someone
is
obstinate
and
they
really
want
to
hold
on
to
their
particular
utxo.
B
A
But
so
so,
let's
say
all
of
the
key
btcs
went
to
the
vending
machine.
Sorry,
all
of
the
nfts
went
to
the
vending
machine
right.
B
A
So
none
of
them
is
blocking
me
so
for
me
to
exit.
I
will
just
have
to
close
every
single,
that's
right,
every
single
committee,
so
I
will
have.
B
Yeah,
so
you
just
get
some
tbtc
and
you
can
just
go
down
the
vending
machine
and
close
both
clothes.
That's
right!
Okay
and
we've
already
seen
that
so
this
sounds
kind
of
abstract,
but
this
is
actually
something
you
can
see
on
mainnet
happening
today.
B
That
we've
incentivized
early
bridge
operation
is
for
the
first
interval,
we've
said
for
every
for
every
deposit
that
is
opened
on
your
operator,
and
that
is
then
closed
on
your
operator.
You
get
one
point
and
at
the
end,
all
the
points
are
added
up
and
that's
how
rewards
are
distributed
and.
A
B
And
so
so
we
just
saw
this
like
master
class
and
kind
of
like
incentives
happen
where
we
were
giving
away
a
bunch
of
tokens
for
people
to
do
this,
and
that
was
exactly
what
you
saw
where
we
had.
We
currently
have
a
thousand
btc
cap,
we're
doing
a
guarded
release
and
it's
slowly
growing,
but
every
time
the
cap
goes
up,
the
supply
starts
to
increase
and
then
the
stakers
start
decreasing
it
and
the
supply
increases
and
the
stickers
decrease
it.
B
So
we've
actually
got
a
velocity
of
something
like
7x,
where
bitcoin
goes
into
the
system
and
goes
out
very
very
quickly,
because
these,
because
these
stakers
want
to
get
it
off
the
books
and
make
sure
they
get
their
rewards.
So
it's.
B
A
And
so
now
let's
say
someone
wants
to
exit
right.
So
so
I
have
my
tbtc
and
I
want
to
get
actual
bitcoin
right.
So
I
go
to
ethereum.
Do
I
need
to
convert
it
to
nft
first,
or
do
I
just
say.
B
You
can
do
it
in
one
call,
so
you
can
just
say
give
me
a
random
nft.
That's
the
size
and
and
then
pay
to
this
address,
but.
B
Of
this
size,
oh
so
you
do
have
to
choose
something:
that's
of
a
particular
lot
size,
so
that
is,
that
is
a
key
part
of
the
system
as
it
works
today,
and
even
even
if
we
remove
lot
sizes.
The
way
that
the
system
works
is
that
each
committee
has
a
single
amount
of
bitcoin
that
they're
custodying
and
you
need
to
choose
from
those
amounts
to
exit.
When
you
start
allowing
partial
exits
from
a
particular
bitcoin
utxo,
the
complexity
of
managing
bitcoin,
transaction
fees
and
and
change
and
wallets
is,
is
very
high.
B
A
And
so
so,
okay,
so
I'm
exiting
right,
I
chose
let's
say
I
chose
myself
a
lot
right,
so
I
went
there.
I
said,
give
me
this
nft.
So
now
I
have
this
nft.
I
want
that
energy
to
become
a
bitcoin
on
my
account
right,
so
so
transaction
needs
to
happen.
Yeah.
So
so
is
it
the
case.
The
transaction
is
just
constructed
on
ethereum
and
the
the
committee
signs
it
and
then
it's
up
to
me
to
submit
it.
B
B
Then
the
notes
get
it
and
at
that
point
they
have
six
hours
if
they
do
not
physically
deliver,
not
only
that
transaction
signed,
but
also
in
a
block.
Importantly,
then
you
can
seize
their
collateral.
B
Like
you
know
the
okay,
here's
a
transaction,
and
now
you
need
to
get
it
in
and
give
that
to
your
user,
but
very
quickly.
What
you
run
into
is:
okay
who's
paying
when
the
transaction
fees
need
to
go
up
at
what
point
are
these
guys
not
delivering?
Can
you
prove
that
they're
not
delivering?
B
It
becomes
quite
quite
hairy,
and
so
what
we
found
for
this
first
version
that
was
a
little
bit
better
was
the
user,
and
actually
they
do
this
most
of
the
time
can
optimistically
kindly
altruistically
deliver
the
proof
that
the
transaction's
been
submitted,
but
ultimately
it
falls
to
the
nodes
to
actually
do
it.
B
That
we
have
a
transaction
fee,
bumping
algorithm
where
basically,
the
timeout
slowly
gets
increased
if
things
aren't
arriving
in
a
block-
and
you
can
continue
doubling
the
fee
until
it
makes
it
in,
but
it's
not
the
user's
expense.
So
if
the
user
decides
I'm
going
to
withdraw
a
whole
bunch
of
bitcoin
in
the
middle
of
a
bitcoin
fee
event,
they
should
be
the
ones
who
pay
the
signers,
don't
control
when
the
user
decides
to
withdraw
right.
B
So
each
fee
bump
increases
the
timeout
yeah.
I.
A
B
Yeah,
so
they
don't
get
slashed
until
the
user
says
I
haven't
gotten
my
bitcoin
and
so
at
the
end
of
that
six
hours,
if
no
one
has
said
we
need
a
fee
bump.
A
B
A
See
I
see
but
well.
Well
maybe
I
don't
understand
the
whole
state
mission
but
but
seems
like
sure
so
so
the
way
the
way
I
hear
it
right
is
that
so
so
request
is
submitted
right
and
user
says.
I
want
to
pay
zero
fee
right.
B
B
A
B
A
B
A
A
B
B
Whoo
I
mean
that
was
a
pretty
good
amount.
I
guess
a
couple
things
that
are
kind
of
cool
and
that
maybe
aren't
obvious.
B
One
of
them
is,
if
you
take
all
of
those
nfts,
and
you
put
them
in
and
you
put
them
in
something
like
tornado
cache.
You
now
have
the
most
robust
mixer
that
bitcoiners
have
ever
seen
very
very
quickly,
because
you've
already
got
fixed
slot
sizes
and
everything
else
that
you
need
fixed,
node
sizes
that
you
need
for
privacy.
So
I
think
that's
one,
that's
interesting!
B
Another
is
that
if
you
really
care
about
your
taxes-
and
you
want
to
avoid
disposal
of
bitcoin,
you
need
to
use
a
system
like
this
for
this
to
not
look
like
a
cell.
So
I'm
not
an
accountant
and
I'm
definitely
not
a
lawyer.
Definitely
not
yours,
but
that's.
That's!
A
pretty
key
design
that
we
found
when
we're
dealing
with
bigger
depositors
is
they're
like
look,
I'm
not
sure
of
the
treatment
here.
I
don't
want
this
to
trigger
capital
gains.
B
A
Cool
okay:
that
was
very
exciting
thanks
a
lot
for
sharing
yeah,
of
course,
and
let's
see,
let's
see
how
it
evolves.
Great
thanks.