Welcome to the 3-2-1 Q&A blog, Episode 8. In this episode we have a very special guest, Stephane Reverre from SUN ZU Lab, who will talk to us about the importance of best execution regulations and transparency in liquidity for institutions to mass adopt crypto. Then we will cover two important Twitter threads that our users need to be aware of, one on how a Twitter user helped prevent a $200 billion BitBTC exploit and the other on JP Morgan executing its first on-chain DeFi trade. Finally, we analyze the Deribit exchange hot wallet hack. In summary, here is what you will be learning about:
Question 1. What is SUN ZU Lab, and how does your service cater to specific clients (which types of institutions, and which services/products)?
Question 2. As SUN ZU Lab works with institutions and exchanges, does lack of clarity/transparency on crypto liquidity prevent their adoption?
Question 3. What are the requirements or challenges that the institutions you work with are facing and potential solutions?
Twitter Thread #1: How a Twitter user helped prevent a $200 billion BitBTC exploit
Twitter Thread #2: JP Morgan executing its first on-chain DeFi trade
DeFi Exploit Analyzed: Deribit Exchange Hot Wallet Hack
Transcript from the interview with Stephane Reverre from SUN ZU Lab
Jerome: Thanks for joining us, Stephane. First, could you give us an explanation of what SUN ZU does and how your service is catering to different clients, maybe focusing on the type of clients that you have?
Stephane: Absolutely. Hello Jerome. Hello Pratik. Thank you very much for having me here.
So what is SUN ZU about? SUN ZU was born two years ago as the right initiative to answer a number of questions about liquidity. So basically, when we looked at the market for crypto assets with the eye of an institutional trader, we were wondering: are those things liquid, and, in a more general dimension, how are those markets organized?
How is it structured, with the intent of determining whether investors would find their way to the right liquidity at the right price? And back then, in 2019, we could not find any adequate answer. We couldn't find the institutional-grade answer to the question of how those assets trade and where I can find liquidity if I'm an institutional investor. And so we decided to start SUN ZU to answer that question. So that's really the origin.
How do we do that? What do we provide in practice, and who do we provide it to? Well, basically, we deal with data. Transparency is a matter of data: the data you get from past transactions, the data you get from order books, venues, whether centralized or decentralized. You collect the data and look at it and try to extract information from that data. So we have a data business, except we go beyond the data and we provide solutions in the form of recommendations, answers, and augmented data feeds. So practically we provide data with a lot of added value, so that investors or clients can find answers to their questions and problems.
And the other aspect of the question is, who do we provide it to? Well, everyone, really. We don't do any transactions. We are not providing execution services. We're not providing investment advice. We are very agnostic to anything that has to do with token recommendations, ecosystem recommendations, or blockchain recommendations. We consider it's not our job to decide what investors should gain exposure to or when they should get the exposure. So that said, it enables us to speak to a lot of people, because we can essentially engage in a conversation with everybody in the ecosystem, whether it's a venue, centralized or decentralized, whether it's a blockchain system, and we have a client that is a very significant blockchain ecosystem. Whether you are an investor, a high-net-worth individual, an institutional hedge fund on crypto, or a larger hedge fund trying to diversify into crypto. We can talk to everybody and anybody. If you are in the crypto space, chances are you're transacting, you're trading. So you need us to better transact, and I'll come back in a second as to why it matters.
Transparency matters in general, but we help you with transaction costs. So we help you save money. So that's if you're in the industry. If you're not in the industry, chances are you really don't know where to get started. If you're a regulated entity, then liquidity is not an option for you, because regulators in traditional markets have a very demanding corpus, which is called best execution, for liquidity analysis, pre-trade and post-trade. So if you're regulated and you fall under best execution guidelines, then you expect to find the same thing in crypto. And so far nobody's providing that. Except for us, of course. And so you would come to us very naturally and say, "Okay, I'm used to best exec in the world of traditional finance. I need the best exec in crypto. Where do I find it?" And that's where we come into play. So because we are very neutral in terms of transactions, we are free of conflict of interest. So we can associate and engage with anybody. And because we know what happens in the traditional space of best execution with traditional finance, we have very strong expectations about what will happen in crypto.
Best exec is just around the corner, it's already in fact mentioned explicitly in MiCA. And we think it's gonna hit the radar of a number of participants very soon.
Pratik: What is stopping these institutions from mass adoption? Is it the lack of clarity and transparency on the liquidity? What exactly is stopping this mass adoption?
Stephane: There are a number of things that are preventing institutions from entering the space, but first of all we should start by making the distinction between what is a traditional institution and what is a crypto institution. If you're a small hedge fund and you have $5M-$15M AUM in crypto, you are an institutional investor, yet you are a small one. I mean, in the world of traditional finance, when we're talking about institutional investors, people have CalPERS in mind. They have the likes of retirement funds, pension funds, and so on. This is very, very big money. Those guys are still not investing in crypto, and the reason is they can't, for regulatory purposes. And by regulatory reasons, I mean there are a number of chapters, but custody is one of them. KYC/AML is another one. And transparency is also another one. So mass adoption from smaller funds is really on its way, and there are some collective investment schemes in place. People have started funds already dealing with crypto. By the way, the information we have points to the fact that it's those types of institutions that dominate the volume in trading. Okay, so they're already there. It doesn't mean that they have all the tools they need, but they're already trading and they're doing whatever they can to get the best liquidity.
Now, as far as the big investors are concerned, the answer to the question "why don't they come?" is: there's a very strong regulatory aspect, KYC/AML, custody, and so on. But beyond that, liquidity is a big deal. We've looked at a number of surveys that have been released recently. There was one from State Street: the digital asset team from State Street went to its traditional institutional clients and asked the question, "What is the major obstacle for you to join?" And "transparency" was number two. The first one was "cybersecurity", which you can understand with all the news that you have almost daily about hacks and fraud and so on. So that's a fair share of worry for the traditional institution. But the second thing is transparency. Now, transparency means different things to different people, but in general it means: am I going to get the right information to trade without paying too much in execution costs? And that brings me to what I was saying before, which is why SUN ZU is important. Why is our mission important? Because transparency is a question of execution costs. In an opaque market, you are going to pay more for the Bitcoins you buy and you are going to get less for the Bitcoins you sell.
Intermediaries and a lot of participants will take a lot of money from your transactions and won't even say it; they won't even disclose that they are collecting a lot of fees, whether those fees are in the form of commission or hidden costs such as impact. Those fees exist, and this is money that is going out of your pocket. Transparency is directly linked to the efficiency of the market, which means you're paying more and you're paying too much for the services you get. So why our mission is important and why we take it very seriously is because transparency in the end translates into lower transaction costs and a more efficient market. And by the way, that is the mission of the regulator. Regulators consider that part of the mandate is to bring efficiency and transparency to the market, because in the end investors benefit in the form of lower transaction fees and more money invested and more money saved.
Once the custody problem is being addressed, the KYC/AML problem is being addressed. I mean, the regulators are on top of it. Everybody knows that it's an issue. Everybody's providing solutions. They are more or less adequate depending on the jurisdiction, depending on the regulatory pressure, and certain regulators defer, and so on. But custody and KYC/AML are being addressed. And rightly so. We believe the next one is transparency. And so if you take a traditional institutional investor, and those guys have big pockets, those guys will immediately want billions of exposure. If you take all the small guys' savings for their retirement and they want a 5% allocation to crypto, which is not much by the way, then this is gonna translate to billions and billions of investment money, for that money to find its way to a transparent market so that institutional investors know their way around, know that they're not paying too much. And then the regulator knows that the small guy is not being unduly taxed or unduly charged for the services he's getting as part of his retirement pension fund. And so that layer of transparency, we believe, is coming. It's a good thing, by the way, for investors. It's also a good thing for the industry, because what best exec did in traditional finance, it organized competition. So with the best exec framework in place, suddenly, as an investor, I'm able to compare my different providers and see when and how I can get the best price.
By the way, if I'm an execution provider, or if I'm a venue, or if I'm anybody providing liquidity, and there is the best exec framework in place, I can also compare myself to the next guy. Okay, so it helps me compete. Okay. So I can objectively go to a prospect, an investor, and tell them: Look, this is what I do. This is what liquidity you will find. This is the transparency that I offer on my order book or on my DeFi platform. So this is all the data you can access, and come to me, because you would find the liquidity you need, and we know that you get the best price and the smallest commission or the smallest even prices such as impact and slippage.
And if I can do that, compare myself to the next venue, then it's for my benefit if I'm better. The best marketplace, the best venue, the one that has the most liquidity, will attract the most customers and most trading clients. And that's the way it should be.
Okay? So opacity is an impediment to trust, obviously in end clients, but also in the industry. And so if you bring transparency, suddenly you organize a much better competition mentality, and you enable participants to benchmark themselves, investors to benchmark their service providers, and that's how the industry is gonna grow.
It's not going to grow very much under the belief that I should keep my practice opaque, I should keep my prices opaque, I'm gonna give this price to the guy on my left because I like him and I'm gonna charge that much to the guy on my right because I don't know him and he's not trading enough for me. Those practices, which are still in play in some places, should disappear. The market is to grow and mature significantly and attract more and more small guys, because that's what we're talking about when we're talking about the money that small people, small investors, would want to invest, and that they will not invest directly, but that they will invest in fund managers, self-aggregating a lot of the money and, as I said, probably ready to invest billions and billions when the proper setup is in place.
Jerome: Interesting. So definitely a net benefit for everyone in the space, whether for the big guys or for the small trading people. We do cover some of those requirements in the institutional report that we co-author with SUN ZU, which people can read on our website at coinchange.io. I wanted to go back to liquidity, and specifically the big money of pension funds that you mentioned. So would you say that best execution could be a way for those to enter the space, via a best execution provider together with your analysis? An example that I'm thinking of would be those pension funds that might be allocating, let's say, 1%, but 1% of their AUM might be worth billions, which might move the market a lot because we might have a lack of liquidity. So would best execution be the solution for them to enter, with a staged entry or something of the sort?
Stephane: Absolutely. I mean, put yourself in their shoes. You are a pension fund, you have hundreds of billions under management. You are invested in international equities, bonds and so on, and you have a lot of assets: credit, private equity, venture capital, and so on. And suddenly you realize that you need a pocket for crypto, you need 3-5% allocation to crypto, because your clients expect it and because it's wise diversification. Okay, what do you do? Then you turn to the crypto market and you turn to a prime broker that you know, or research companies that you know, and you ask the question: how should I go about it? And you realize that there are 10-20 DeFi protocols in place, and you have 50, 60, 70 centralized venues, and you have liquidity providers that can do OTC trading or that can do on-exchange trading and then trade with one another, and so on.
How do you trade? I mean, it's a very, very simple question. I have 1 billion. Should I go with one intermediary? Because that's a lot of money to give to one single broker. Should I go to two? Which ones should I use? Okay. And the guy comes to me and says, Look, I know I'm gonna do commission-free trading, but here is your price. So if it's commission-free, then maybe the price incorporates some sort of margin. How much margin? Okay, so broker A is giving me a price with no commission and a margin. Broker B says, Okay, I'm not gonna give you a price with margin, but I'm gonna charge you commission. So I get 5% commission and a different price; how do I make sense of it? How do I know that in case A or B I got the best price? How do I know that those guys did a fair job at getting liquidity? And they gave me my billion execution over a period of five hours. How do I know that if I had chosen a different mix of brokers, I wouldn't have been able to do it in three hours? How would I know that I should trade on 5, 10, or 15 exchanges as opposed to 20? Which means all sorts of questions. Okay. Now, why do I need to answer those questions? Because of the regulator: I'm a pension fund, so I'm already under heavy regulation, and the regulator asks me to justify every single order that I place with an intermediary. So I go to a broker. When I buy a $5 million chunk of General Motors, I have to justify every single dollar of it. And the broker gives me a best execution report saying that, you know, your final million were executed with such and such strategy, and the price is this. And by the way, we can demonstrate with data that we couldn't do better.
So that's the way I'm being treated in the traditional space. How am I going to be able to trade in the crypto space if I don't get the same treatment, if I don't get the same information, if I cannot justify to my regulator and to my clients? Because in the US, but it's also true elsewhere, you have the notion of fiduciary duty. Fiduciary duty means you have to properly manage the client that you're being entrusted with and the money from the client. How am I going to document the fact that I did a good job at allocating the money and paying commissions? Okay. This is a very, very old problem. It's been addressed by regulators worldwide in different ways. Best exec is one of them, but it's a very practical problem. And so the answer to your question is, if you don't have anything like best exec, how would you go about it? You simply can't; you simply cannot justify. So of course, you're gonna give a chunk of your trading to one firm and another chunk to another firm. You're gonna get prices and you hope for the best. While hoping for the best is usually not a fantastic sustainable strategy if you really want to compete. And competition in the crypto space is gonna be like the traditional space for execution. It's gonna be very fierce, very soon.
To compete you need a little bit more than hoping for the best. So the answer is: it's absolutely necessary, and it's absolutely necessary now, because if you don't have it, you are absolutely behind. Well, and so that's what we believe, and we believe that the industry should consider adopting it faster than the regulator will impose it, because if you do it yourself, chances are you might gain some negotiating power with the regulator and you might gain some benefits in policing yourself before the regulator comes in with heavy-handed regulation. And we've seen that in other chapters, but heavy-handed regulation is certainly on the horizon if the industry doesn't stand up to the task. So yes, it's a very practical and very common question that needs to be answered according to certain standards.
Pratik: So, Stephane, I have a follow-up question on that. So there's best execution requirements in traditional finance versus best execution requirements in crypto. On one hand, I feel like crypto is on public blockchains, so the data is more available. So it might make it easier to have the liquidity metrics for the institutions to give them the best execution price. But on the other hand, because there's a lot of anonymity and lack of regulation, a lot of the volumes on these venues are inflated artificially by wash trading or some kind of high-frequency trading, and not knowing who the participants are. So is it easier or harder, compared to traditional finance, to offer best execution services in crypto?
Stephane: Today it's definitely harder, because of what you said, because the data that is being produced by the system, whether it's centralized venues or decentralized venues, is inflated, manipulated, and outright false in some cases. Okay? So because of those circumstances, the job is just much more difficult. You will never get ax to publish inflated volume, or ICE or the New York Stock Exchange or anybody publish inflated prices, and as far as I know, they never did it. But then very early they were taken by very strict regulations, so they were never in a position to do it anyway. In crypto, everybody is in a position to do it. Okay. Now, on centralized exchanges, it's even easier. Really, you have no way of knowing what the matching engine does. On decentralized platforms, it's probably much harder, because you can reconstitute every transaction from a smart contract.
And there is an algorithmic aspect, which certainly makes for a level of transparency that you don't have in centralized finance. Which, by the way, is very interesting, because it's decentralized and something that is very new, and it has built-in transparency in it; that has other problems, but it does build in transparency, which is very interesting. So yes, it's a much more difficult job than in traditional finance, but it doesn't mean that it's impossible. Okay. If you are a trading venue, first of all, we're trying our best to do that. We're collecting the data; we have a PhD candidate working on making sense of that data, trying to identify manipulation, or at least manipulation patterns, because it's very difficult to say this particular order is meant to manipulate the market. What you can say is this particular order is very strange, and chances are it's not a genuine order and it's here to bias the order book.
There are limits to what you can do, but let me share a few ideas. Number one, we can do a few things. So we are building expertise on that. Number two, the industry itself should think about those issues. How do I, as an exchange, promote the idea that I'm not open to fake volume? If you're an exchange, it's your responsibility. Nobody can assume that responsibility for you. So what is an exchange doing, what are these authorized platforms doing, what is the industry doing to eliminate fake volume? And by the way, it's a tricky question, because if you eliminate fake volume and suddenly you realize that 50% of the volume is fake, then volumes will decrease by 50%, which is not good.
Coming from a world where there was no regulation and you can put out the data you want, migrating to a world where you are going to be held to a different standard. And if you really want to go in the right direction, you're gonna have to police your clients, your order book, yourself, so that you get rid of fake volume. This is not an easy transition. Okay. But as I said earlier, we strongly believe it's a transition for the best. Number one, because traditional institutional investors will not accept to trade and transact in a market so opaque and so manipulated; they just won't. The regulator won't either. No way, because it's been working very, very hard over the past 25, 30 years to make sure manipulation doesn't happen in the traditional market, and I could give you tons of examples where there were legal actions and class actions and so on about those issues and manipulations. And the regulator has been working very hard to eliminate manipulation. So it's not gonna stop them. And by the way, it has the tools. We know what the regulator did because it did it in traditional finance, so we know what's gonna happen in crypto if nothing changes. Institutions won't come, the regulator won't open the door for the small guy, and so if crypto wants to be much more than a marginal tech on the side of TradFi, it needs to take a few steps forward in that direction. And yes, it's gonna be hard, and it's a transition towards maturity. We think it's necessary. I mean, it's unavoidable, really, in fact. Okay. So we'll see how long it takes to happen. And if it doesn't happen, then, well, it will remain a marginal asset class.
Jerome: Very insightful. So I guess that SUN ZU, as the pioneer, is really doing its part with the adoption by those institutions. Pratik, do you have any other questions?
Pratik: No. That was very insightful.
Stephane: Thank you very much guys and we look forward to watching the podcast.
Jerome: Thanks, Stephane. Thank you for joining us.
Two Twitter Threads You Need To Be Aware Of
Twitter Thread #1 (intro and text by Jerome, take by Pratik)
How a Twitter user helped prevent a $200 billion BitBTC exploit.
A Twitter user, @PlasmaPower0, publicly flagged a vulnerability in BitBTC's Optimism bridge, helping avert an exploit. After BitBTC rejected his messages, Lee Bousfield, a tech lead at the Ethereum scaling solution Arbitrum, published the critical exploit in a tweet.
What was the issue?
The BitBTC bridge to and from Optimism's chain enables withdrawals of any token from L2 to the corresponding layer-1 (L1) address. However, the bridge code does not verify which token on L2 is being bridged, and mints an arbitrary L1 token to match it. This means an attacker could deploy their own token on Optimism, give themselves the entire supply, and set its corresponding L1 token address to the real BitBTC L1 address. When the attacker withdraws that malicious token through the BitBTC bridge, they receive real BitBTC tokens on L1.
Interestingly, the following day an attacker, claiming to be testing the code, tried to withdraw 200 billion BitBTC from Optimism. However, the attack was stopped because the bridge is based on the optimistic rollup mechanism, meaning the withdrawal would have taken seven days to complete, and the BitBTC team patched the vulnerability through a software update in the meantime.
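To make the missing check concrete, here is an added example (not BitBTC's or Optimism's code) modelling the L1 side of such a bridge in Python: a bridge that trusts the L2 token's self-declared L1 counterpart, beside one that only honours the L2 token it registered itself and never releases more than it holds for that L1 token. All addresses, balances and the escrow accounting are constructed assumptions.

```python
"""Model of the L1 side of an L2 -> L1 token bridge finalizing withdrawals.
Added example, not BitBTC's or Optimism's code; every address and amount
below is a constructed placeholder."""
from dataclasses import dataclass, field

REAL_BITBTC_L1 = "0xL1-BITBTC-placeholder"        # constructed
CANONICAL_BITBTC_L2 = "0xL2-BITBTC-placeholder"   # constructed


@dataclass
class L2Token:
    """An L2 token contract. `l1_token` is whatever its deployer set it to."""
    address: str
    l1_token: str
    balances: dict = field(default_factory=dict)


@dataclass
class L1Token:
    address: str
    balances: dict = field(default_factory=dict)

    def credit(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableBridge:
    """Trusts the L2 token's self-reported L1 counterpart and mints it."""

    def __init__(self, l1_tokens: dict):
        self.l1_tokens = l1_tokens

    def finalize_withdrawal(self, l2_token: L2Token, to: str, amount: int) -> None:
        # Missing check: nothing ties l2_token to the bridge's own registry,
        # so any L2 contract that names the real L1 address gets it minted.
        self.l1_tokens[l2_token.l1_token].credit(to, amount)


class HardenedBridge:
    """Accepts only the L2 token the bridge registered for each L1 token and
    never releases more than the bridge has locked for that L1 token."""

    def __init__(self, l1_tokens: dict):
        self.l1_tokens = l1_tokens
        self.pairs: dict = {}    # l1 address -> registered l2 address
        self.escrow: dict = {}   # l1 address -> amount locked on L1

    def register_pair(self, l1_addr: str, l2_addr: str) -> None:
        self.pairs[l1_addr] = l2_addr

    def deposit(self, l1_addr: str, amount: int) -> None:
        # L1 -> L2 direction: lock on L1 (the L2 mint is out of scope here).
        self.escrow[l1_addr] = self.escrow.get(l1_addr, 0) + amount

    def finalize_withdrawal(self, l2_token: L2Token, to: str, amount: int) -> None:
        l1_addr = l2_token.l1_token
        if self.pairs.get(l1_addr) != l2_token.address:
            raise ValueError("L2 token is not the registered counterpart of the claimed L1 token")
        if amount > self.escrow.get(l1_addr, 0):
            raise ValueError("withdrawal exceeds amount locked on L1")
        self.escrow[l1_addr] -= amount
        self.l1_tokens[l1_addr].credit(to, amount)


def run_scenario() -> dict:
    """Replays the pattern from the thread against both bridges."""
    attacker = "0xattacker-placeholder"
    fake = L2Token(address="0xL2-FAKE-placeholder", l1_token=REAL_BITBTC_L1)
    fake.balances[attacker] = 200_000_000_000   # the 200 billion from the thread
    results = {}

    bitbtc = L1Token(REAL_BITBTC_L1)
    VulnerableBridge({REAL_BITBTC_L1: bitbtc}).finalize_withdrawal(
        fake, attacker, fake.balances[attacker])
    results["vulnerable_attacker_l1_balance"] = bitbtc.balances.get(attacker, 0)

    bitbtc = L1Token(REAL_BITBTC_L1)
    bridge = HardenedBridge({REAL_BITBTC_L1: bitbtc})
    bridge.register_pair(REAL_BITBTC_L1, CANONICAL_BITBTC_L2)
    bridge.deposit(REAL_BITBTC_L1, 1_000)   # an honest user locked 1,000 earlier
    try:
        bridge.finalize_withdrawal(fake, attacker, fake.balances[attacker])
        results["hardened_rejected"] = False
    except ValueError as exc:
        results["hardened_rejected"] = True
        results["hardened_reason"] = str(exc)
    results["hardened_attacker_l1_balance"] = bitbtc.balances.get(attacker, 0)

    # An honest withdrawal through the registered pair still goes through.
    honest = "0xhonest-placeholder"
    canonical = L2Token(address=CANONICAL_BITBTC_L2, l1_token=REAL_BITBTC_L1)
    bridge.finalize_withdrawal(canonical, honest, 400)
    results["honest_l1_balance"] = bitbtc.balances.get(honest, 0)
    results["escrow_left"] = bridge.escrow[REAL_BITBTC_L1]
    return results


if __name__ == "__main__":
    print(run_scenario())
```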
Coinchange Take: We have seen time and again that bridges are the easiest target for attackers, and teams must take security seriously. In this case the team was lucky, as optimistic bridges have a 7-day challenge period by design, which allows a node to stop any malicious transactions within those 7 days. However, there are other bridges where the challenge window is quite short, as small as 30 minutes, and in such cases prompt action is of the essence. As a user, it is very important to understand the risks involved in each type of bridge design, be it a centralized bridge, a multisig bridge, or a decentralized bridge. We talk about the various bridge designs and the security assumptions in each of them in our next long-form research report, titled "Interoperability of Blockchains", which will be published in December.
Twitter Thread #2 (text by Pratik, take by Jerome)
On Nov 2nd, 2022, JP Morgan, along with DBS Bank and SBI Digital Asset Holdings, executed a currency trade involving tokenized Japanese Yen (JPY) and Singapore Dollar (SGD) deposits.
The trade was carried out on @0xPolygon (the Polygon blockchain) utilizing a modified fork of @AaveAave Arc (the permissioned/institutional version of the Aave protocol) so that the interest rates and FX rates could be manually set.
So why is this important?
There are three major points that the thread lays out:
- Banks are joining DeFi
Rather than building solutions on a private, permissioned blockchain hosted on JPM servers, they are choosing to explicitly build products for permissionless blockchains.
- Ethereum Preference
Ty Lobban of JPM, who works on the permissioned blockchain ONYX by JPM, explicitly expressed the desire to use Ethereum in a tweet.
While the trade was carried out on Polygon, a sidechain for Ethereum, this was done because gas costs on the Ethereum L1 would have been too large. Secondly, they used @AaveAave so that they could leverage its permissioned pools concept. They deployed a modified version of Aave Arc so that they could set certain parameters such as interest rates and FX rates.
- Verifiable Credentials
One mechanism used in this transaction is Verifiable Credentials (VCs), which allow users to present necessary compliance information to third-party verifiers, which can then let issuers know of compliance without revealing any sensitive data. They used @w3c (World Wide Web Consortium) VCs to provide compliant access to @AaveAave (or any other DeFi protocol). VCs give much more fine-grained control than just white-listing addresses: risk limits, asset limits, etc. are all possible. What's even more interesting is that they built *on-chain* verification of VCs! This is huge. It brings composability to identity, where you could have small verifiers that know how to verify certain things and use them across dApps, bringing further standardization and portability to identity. Ty Lobban said that they designed this in a way that ensures VC-based compliance checks can be used with any DeFi protocol without those protocols needing to know anything about VCs, freeing DeFi front ends from needing to do "KYC checks". Although he does acknowledge that their design isn't perfect, and in the future they want to use ZKPs (zero-knowledge proofs).
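The following is an added example, not Onyx, JPM or Aave Arc code, modelling in Python the separation the thread describes: a verifier module checks a credential's issuer, proof, expiry and claims, and the permissioned pool only asks it whether an address may supply a given amount of a given asset. The HMAC tag stands in for a real W3C VC's signature proof, and the issuer DID, key, addresses and limits are constructed placeholders.

```python
"""Model of VC-gated access to a permissioned pool. Added example, not
Onyx/JPM or Aave Arc code. The HMAC tag is a stand-in for the
digital-signature proof a real W3C Verifiable Credential carries."""
import hashlib
import hmac
import json

# Constructed: keys of the issuers this verifier trusts (e.g. a KYC provider).
TRUSTED_ISSUER_KEYS = {"did:example:kyc-provider": b"constructed-issuer-key"}


def _canonical(vc: dict) -> bytes:
    """Deterministic serialization of the credential minus its proof."""
    body = {k: v for k, v in vc.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer: str, subject: str, claims: dict,
                     expires: int, key: bytes) -> dict:
    """Issuer side: build the credential and attach a proof over its body."""
    vc = {
        "issuer": issuer,
        "credentialSubject": {"id": subject, **claims},
        "expirationDate": expires,
    }
    vc["proof"] = hmac.new(key, _canonical(vc), hashlib.sha256).hexdigest()
    return vc


def verify_credential(vc: dict, now: int) -> tuple:
    """Verifier side: trusted issuer, intact proof, not expired."""
    key = TRUSTED_ISSUER_KEYS.get(vc.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(vc), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(vc.get("proof", ""))):
        return False, "invalid proof"
    if vc.get("expirationDate", 0) <= now:
        return False, "expired"
    return True, "ok"


class ComplianceGate:
    """Holds credentials presented by addresses and answers allowed()."""

    def __init__(self, now: int):
        self.now = now
        self.presented = {}

    def present(self, address: str, vc: dict) -> bool:
        ok, _ = verify_credential(vc, self.now)
        if not ok or vc["credentialSubject"].get("id") != address:
            return False
        self.presented[address] = vc
        return True

    def allowed(self, address: str, asset: str, amount: int) -> bool:
        vc = self.presented.get(address)
        if vc is None:
            return False
        ok, _ = verify_credential(vc, self.now)   # re-check expiry at use time
        if not ok:
            return False
        subject = vc["credentialSubject"]
        return (asset in subject.get("permittedAssets", [])
                and amount <= subject.get("assetLimit", 0))


class PermissionedPool:
    """A pool that knows nothing about VCs; it only consults the gate."""

    def __init__(self, gate: ComplianceGate):
        self.gate = gate
        self.supplied = {}

    def supply(self, who: str, asset: str, amount: int) -> bool:
        if not self.gate.allowed(who, asset, amount):
            return False
        self.supplied[(who, asset)] = self.supplied.get((who, asset), 0) + amount
        return True


def run_scenario() -> dict:
    """Constructed walk-through: one credentialed bank, several requests."""
    now = 1_700_000_000
    gate = ComplianceGate(now)
    pool = PermissionedPool(gate)
    bank = "0xbank-placeholder"
    vc = issue_credential("did:example:kyc-provider", bank,
                          {"permittedAssets": ["tSGD", "tJPY"], "assetLimit": 1_000_000},
                          now + 86_400, TRUSTED_ISSUER_KEYS["did:example:kyc-provider"])
    # Same credential with the limit edited after issuance: proof no longer matches.
    tampered = dict(vc, credentialSubject=dict(vc["credentialSubject"], assetLimit=10**9))
    return {
        "presented": gate.present(bank, vc),
        "within_limit": pool.supply(bank, "tSGD", 500_000),
        "over_limit": pool.supply(bank, "tSGD", 2_000_000),
        "wrong_asset": pool.supply(bank, "tUSD", 100),
        "tampered_accepted": gate.present(bank, tampered),
        "unknown_address": pool.supply("0xother-placeholder", "tSGD", 1),
    }
```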
They co-authored a report that goes into further details of why Institutional DeFi could enable the next generation of finance, as well as further details on Project Guardian.
Coinchange Take: This is a huge step towards making institutional DeFi a reality. Currently there are multiple reasons why big institutions are holding back from participating in DeFi. We highlight several of them in our recent 3-2-1 Q&A sessions, which you can watch on our YouTube channel at www.youtube.com/@coinchange.
What is interesting here is that it shows institutional adoption can come from two sides: one is DeFi protocols attracting institutional capital with new products; the other is institutions themselves adapting decentralized finance protocols to fit specific needs, with the objective of creating a less burdensome and more efficient version of traditional financial instruments, be it impact finance, bond issuance, operational financing, etc.
DeFi Exploit Analyzed (intro and take by Jerome, text by Pratik)
Deribit hot wallet compromised
Deribit, launched in 2016, is a leading cryptocurrency futures and options exchange that enables crypto traders to execute derivatives trading strategies. Its hot wallet was hacked for $28m on 1st November 2022. But in their tweet they said that client funds are safe and the loss is covered by company reserves, which was a bit confusing: how can client funds be safe if you just lost $28m? They clarified this by saying that it's their company procedure to keep 99% of user funds in cold storage to limit the impact of these types of events, and that they have enough company reserves to cover these losses, meaning effectively no user lost any funds.
Also, the hack applied only to the BTC, ETH and USDC hot wallets, which were drained completely within minutes. They halted withdrawals until they were sure it was safe to open them back up.
How did this happen?
The attacker was able to get access to their hot wallet server, which enabled him/her to withdraw the funds from those hot wallets. They withdrew BTC, ETH and USDC and later converted all the USDC to ETH. So currently the stolen BTC and ETH sit in an externally owned attacker's wallet, which is outside of Deribit's control. How the attacker got access to the server is still not clear. Was it a regular phishing attack, like in the case of the Ronin hack, that gave the attacker access to the server? Or was it an insider who already had access to the server? We don't know as of this recording.
How will they make up for the lost money?
Well, they have two ways: insurance funds and protocol reserves. In this case, they mentioned that the insurance fund will not be affected and the protocol reserves are sufficient to cover the loss. They do not openly communicate how much they have in reserves, but they do have around $40M in the insurance fund.
How did they fix the issue?
- They re-generated the deposit wallet addresses on the front end and removed the old deposit addresses.
- They migrated all hot wallets to Fireblocks, which resulted in all Deribit deposit addresses being renewed.
- All on-chain withdrawals require manual (human) approval for the time being by a Deribit admin on the 3rd party Fireblocks application.
- And they have appointed an on-chain forensics company to assist with tracking and recovery of assets or liaising with global law enforcement.
With the limited information that we have at the moment, this is clearly not a Web3 attack vector but a Web2 security breach. One of the issues in Web3 is that we tend to overemphasize smart contract audits and coding best practices, which are essential but not sufficient. We simply cannot ignore the traditional cybersecurity best practices of Web2, such as keeping your servers secure so that hot wallet keys are not lost. It is very surprising that an exchange that has been in operation since 2016 (7 years) gets compromised through traditional cybersecurity issues. We talk about this in much more detail in our next long-form research report on the "Interoperability of Blockchains", which will be released in December. The bottom line is that we should make sure the Web2 infrastructure that enables Web3 applications is secured by the best cybersecurity practices.
This concludes our 3-2-1 Q&A Blog. We’ll see you in the next one, two weeks from now. Meanwhile, kick back and earn passive income using Coinchange. Sign up today!