FairTraDEX: Chopping Down the Dark Forest
FairTraDEX is a decentralised exchange (DEX) protocol based on Frequent Batch Auctions (FBAs) which addresses the existing Dark Forest of value extraction in blockchain-based token-exchange protocols. FairTraDEX is based on a recent paper by myself, Vanesa Daza and Matthias Fitzi, and an ongoing collaboration with Padraic O'Donoghue.
As the number of registered users in FairTraDEX increases, all of the information that can be used to extract value from users in a DEX is effectively hidden. This translates to a DEX protocol where trading at the market fair price plus or minus upfront fees is the optimal strategy for everyone. In other words, FairTraDEX stands as the first protocol, to the best of our knowledge*, to implement a DEX in which value-extraction from users becomes practically impossible.
This is achieved through a combination of a commit-reveal protocol, the proving of set membership in zero-knowledge (ZK) (proving you are a member of a set without revealing any other information), relayers (players who post messages to a blockchain on behalf of certain clients in exchange for a fee which is paid out by a smart contract after the message is committed to the blockchain), and escrows (used to enforce players to follow the FairTraDEX protocol). FairTraDEX is built using tried and tested techniques from existing privacy tokens such as ZCash and Tornado Cash, and provides a detailed road-map to to its deployment on any smart-contract enabled blockchain.
The phenomenon of extractable-value has been well-publicised by the team at Flashbots following the seminal work on miner-extractable value (MEV) by Daian et al.. MEV has since been generalised to expected extractable value (EEV) to incorporate value extraction from any blockchain player, not just the miners. With upwards of $500 million taken directly out of the pockets of helpless DEX users since January, 2021, the problem is a big one.
Retail users in previous DEXs, referred to as clients in the paper, are forced to submit order information publicly, or engage in an off-chain handshake protocol (known in the biz as a Σ-protocol) with a liquidity provider, or market-maker (MM), before the order gets confirmed.
This information is enough to extract a tonne of money from clients. If a professional MM knows an incoming order is Goldman Sachs instead of Barclays, Elon Musk instead of Joe Soap, a buyer instead of a seller, the market prices, width, and desire to trade all change drastically. In centralised markets, strict legal procedures exist to prevent MMs from using any of this information to extract value from a client. On a blockchain like Ethereum however, none of these laws exist. A MM, or even observant blockchain participants can use all of this information to extract their pound of flesh, and then some, from clients. Front-running, back-running, sandwiching, transaction reordering, transaction injection, and optional participation (to name but a few) are all tools at the disposal of MMs and/or blockchain participants in general to unequivocally tear the percentages off any and all DEX users.
No longer.
FairTraDEX: The Nuts and Bolts
FairTraDEX consists of three consecutive phases, Commit, Reveal and Resolution. In the Commit phase, you guessed it, players commit to trade. In the Reveal phase, you guessed it again, players reveal the orders and markets committed to in the previous phase. The orders are then settled in the Resolution phase at a single clearing price which maximises the notional to be traded.
MMs commit to a market by hashing the market information, producing a value that is used to ensure the MMs stick to the same markets in the Reveal phase. This is enforced by the use of an escrow, which is returned to the MM upon a valid Reveal. The escrow is independent of the market, so reveals no information to other participants during the Commit phase.
Clients have a few extra hoops to jump through due to the directional nature of a client order. To qualify to submit a client order, a prospective client must first register. Registration can happen at any time, and plays a key role in the guarantees of FairTraDEX. To register, clients generate some secrets and commit to them (using Pedersen commitments), posting the commitment, or registration ID as it is called in the protocol, to the blockchain. When a client wants to submit an order to trade, the client generates a proof-of-knowledge that she knows the secrets corresponding to a registration ID in the set of registration IDs without revealing which ID. This is a process known as proving set-membership in ZK (for more details on these protocols, go here).
In smart-contract enabled blockchains, players must pay to submit a transaction. This payment effectively reveals your identity, associated account balances and trading patterns. In FairTraDEX, we cartwheel around this obstacle through transaction relayers, such as those in Ox or the Open Gas Station Network. Relayers allow clients who have previously deposited money into certain smart-contracts to pay the relayer for submitting a transaction to the blockchain on behalf of the client. In FairTraDEX, producing a valid proof-of-membership to the set of registration IDs unlocks a relayer fee deposited during registration. Moreover, in FairTraDEX the proof is specific to the order being committed by the client, so no relayer can tamper with the commitment. Composing these tools allows a client to commit to orders without revealing any information to other players in the blockchain ecosystem other than the fact the the player who produced the proof must previously have registered to the protocol. As the number of registrations increases, the probability that a proof can be linked to a specific order diminishes, effectively hiding any meta-information about what the order could be.
Another key feature of FairTraDEX is the fact that two proofs corresponding to the same registration ID reveal a common piece of information, as is the case in ZCash and Tornado Cash. If a client commits to an order and for some reason decides not to correctly reveal that order, the proof information is recorded, preventing a client from committing to another order using that same registration ID, effectively burning the escrow.
In the Reveal phase, markets and orders are revealed, and are then settled in the Resolution phase. FairTraDEX provides a bounty for the correct submission of a clearing price, which maximises the notional to be traded. The verification of the clearing price happens on-chain by checking the price directly above and below the proposed clearing price. If either of those prices clear higher volume, or result in a smaller absolute imbalance (|buy_volume - sell_volume|), the proposed price is rejected. This is discussed in more detail in the paper.
Putting all of this together, FairTraDEX stands as a protocol in which all rational players follow the protocol (a property known as strong incentive compatible in expectation). More than this, we prove that when enough clients register, there is a strict Nash equilibrium in which trades occur at the market-implied fair price plus or minus at most the fees clients are willing to pay to trade. In the presence of two or more non-cooperative MMs, the fees paid by clients approaches 0. This is unprecedented in a decentralised setting, and flies in the face of the 100s of millions being extracted from MMs and clients alike in mainstream DEXs.
Next Steps
FairTraDEX was always intended to be built on strong formal foundations. Now that the formalisation of the protocol and its properties is complete, the development stage begins, and is already underway. Watch this space.
