MtGox, the Bitcoin exchange, is in the news again, this time for collapsing. One leaked report maintains that MtGox may only have 2,000 Bitcoins in reserve over against 744,408 Btc in liabilities – which indicates a reserve of less than 1%. With new revelations coming out daily this paragraph will be out of date by the time this article hits the press. Whatever the final details turn out to be, MtGox melted down, and the digital currency community needs to ask why this happened, and how can we prevent this from happening again.
MtGox originally claimed that their troubles stemmed from a long-term exploit of the malleability bug which tricked exchange providers into spending bitcoins to the attacker’s account. However, the loss of 99.7% of their reserves cannot be attributed to the malleability bug. It is clear that the failure of MtGox is a failure of governance.
MtGox is not alone. Forty-five percent of Bitcoin exchanges to date have failed, in most cases with their customers’ money. The digital currency industry’s track record on fiduciary responsibility is abysmal.
Some people on the sidelines have been jumping up and down calling for government regulation of Bitcoin. However, government regulation is not the solution.
The digital currency community should be self-regulating. This is best achieved by using good governance.
In this article we will show how the Five Parties Model of governance can be applied to Bitcoin exchanges as a way to give better quality oversight than any regulator can impose. Then we will analyze the failure of MtGox and how it could have been prevented by using the Five Parties Model.
Trust Shall Not Live by Tech Alone
Bitcoin is an attempt to solve the problem of governance of a centralised issuer of currency through technology. By using a common protocol to manage a public blockchain, we can make it impossible to issue more Bitcoins than the pre-determined limit.
As MtGox has shown, the issuance problem is not the only trust problem for the digital currency community.
In order to provide useful services, certain businesses must hold the users’ Bitcoins and cash in escrow. These businesses, such as exchanges, brokerages, online wallets, retail payment aggregators, etc. are at risk from insider theft, external hacking and loss through currency volatility risk and poor accounting practices.
How can a user trust a business to protect his or her value held in escrow? Clearly the users of MtGox trusted an entity that was not trustworthy.
This is not a new problem for finance. It is called the “agency problem” in reference to the fact that an agent acts for the user as a trusted intermediary. Financial institutions have been dealing with the issue of trusted intermediaries for millennia.
This field is broadly called “governance” and has many well known methods for achieving accountability and reliability for fiduciary institutions.
The question then is how to bring those practices into a digital accounting and payment system.
To address this weakness of customer escrowed funds, back in the late 1990’s we developed a governance technique for digital currency that we called the “Five Parties Model of Governance.” (This model was built into the digital currency platform that we designed for exchange, called “Ricardo”.)
The five parties model shares the responsibility and roles for protection of value amongst five distinct parties involved in the transactions. Although originally designed to protect an entire digital currency, this technique should be broadly applied to businesses that hold value in escrow for their customers.
The Five Parties Model (5PM)
Every business that holds customer funds in escrow and allows them to trade internally, such as MtGox, is effectively a digital currency issuer.
For a single issuer of digital currency, the Five Parties Model looks like this (Figure 1).
1. Issuer
The Issuer is the institution guaranteeing the contract with the User. This is the person or entity ultimately responsible for the assets and whether the governance succeeds or fails.
Every Bitcoin exchange (ie. MtGox), online wallet, and payment service aggregator (ie. BitPay) who escrows customer funds and represents them as an account is acting as a digital value Issuer. The bigger the institution, the greater the need for a strong governance contract with the users.
2. Trustee
Each holder of value has a signatory who controls creation or deletion of assets on the books – which should mirror the deposit or withdrawal of assets from the reserve asset pool.
This position has an alter ego – a different signatory on the other side, who controls deposit and withdrawal from the asset pool (reserve accounts).
In the Five Parties Model we assign the signatory role to a Trustee, such as an outside law firm or accountant, who is not an employee or shareholder of the Issuer.
The Trustee should operate under two rules:
a. The Trustee may only disburse assets with a transaction receipt from the mirror account of the one he controls.
Ie. if he controls the internal account for Bitcoin, then he can only create new internal value on presentation of a deposit receipt of equal value of Bitcoin for the reserve asset account (ie. the cold wallet).
b. The Trustee can only spend or disburse value to the Manager account. This prevents the Trustee from creating new value and spending to an account that he or an accomplice controls. For a Trustee on the asset reserve account, he can only spend withdrawals to the Manager’s account.
3. Manager
In the Five Parties Model the Manager is the person or entity, usually the trading desk of the Issuer, who asks the Trustee to perform the big controlled operations: create or destroy digital assets, or deposit or withdraw physical ones, in order to reflect the overall pattern of trading activities.
The Manager typically works on a daily trading basis using float accounts (hot wallets).
In an example business day, the trading desk may get 50 BTC deposits and 45 BTC withdrawals, leading to a net position of +5 BTC.
As trading balances build up or draw down, the Manager asks the Trustee to authorise the conversion of daily trading assets against the long-term reserves backing the internal value on the exchange books.
For the above example, if the exchange has net of +5 BTC deposits at the end of the day, the Manager should transfer 5 BTC from the hot wallet trading account to the cold wallet reserve account. Then he places a request to create 5 BTC new value on the internal books, and gives the Trustee a copy of the deposit receipt to the cold storage account.
After verifying the receipt is valid, the Trustee then uses his signing key to create the new value on the internal books, and then spends that value to the Manager’s internal float account. In this way the Manager converted 5 actual Bitcoins in his hot wallet into 5 internal Bitcoins on his float account.
That is how value should be moved in and out of a Bitcoin exchange in a controlled and firewalled fashion without putting the reserve funds at risk in a “hot wallet”.
4. Operator / Escrow / Vault
Most Bitcoin Exchanges to date have created their own software and operate their own servers. (This is a big part of the reason that 45% of Bitcoin exchanges have failed – 70% of the failures are due to security breaches.)
Another disadvantage of rolling your own Bitcoin exchange software is that someone inside the company may have enough information to alter the software to conduct illicit transactions and then cover their tracks by deleting the logs.
In the Five Parties Model, it is preferable to outsource the software and server maintenance to a third party that specializes in this service. In the Bitcoin world, Bex.io is an example of this model. They have created a standardized Bitcoin exchange software, and lease that software out to local exchanges, while controlling the operation of the software itself. (Disclosure: the authors’ company, Dinero Limited, also provides and operates this type of software.)
If the role of Operator cannot be outsourced, then we put in place controls to make sure that the IT department does not have access to the signing keys of the Trustee and the Manager. Preferably these parties should not work in close contact with each other, or even work in the same location. The goal is to prevent collusion between the Trustee, the Manager and the department operating the servers.
For the Bitcoin reserve assets in cold storage, the Bitcoin Network is the Operator for the accounting and ledger system. There is already an excellent separation of roles in place there.
5. The Fifth Party – The Public as Auditor
The final and most important element of the Five Parties Model is the role of the Public as auditor.
Typically, the role of auditor is to examine the books to validate that the other parties are indeed doing their job. As is covered elsewhere (Audit), paid auditors have a long-term conflict of interest, which has been at the root of several notable disasters in the last decade – the failure of Enron, the wholesale bankruptcy of banking in 2007 financial crisis, the collapse of AIG, none of which auditors rang the bell for.
Auditors, as well as being conflicted, are also expensive. If governments come in and regulate Bitcoin they will require exchanges to pay for quarterly or annual external audits, which will dramatically increase costs without much benefit.
We should be able to find a more effective and less costly alternative.
Let me introduce YOU, the user, also know as “The Public.”
You, the Public, do not have a conflict of interest, in that it is your value at risk, and you have a strong interest in seeing that the other four parties are doing their jobs properly.
Yet, how can the public audit anything when audit almost by definition means seeing that which cannot be seen?
The answer is to make that which was previously unseen, seen. Make the net balances of the internal books and the reserve assets visible to the public. (We are not suggesting that customer accounts be exposed.) The public only needs to see the total net liabilities of the internal accounts, to compare them to the assets in the reserve accounts.
Some examples of digital currencies that have supported public audit include:
- e-gold published a real time balance sheet of their digital issuance.
- GoldMoney publishes monthly reports and regular audits.
- Bitcoin publishes the blockchain.
- Ricardo publishes the balances of the Trustee and Manager accounts.
Most Bitcoin exchanges already have public API’s used for automated trading. It should be trivial to add a query to their API that allows the public to ascertain the net balance on the internal books in real time.
The addresses of the Bitcoin cold storage accounts should also be made public. This allows the public to compare the asset reserve to the internal book value that has been issued. If the internal book balance is higher than the asset reserve, there has been a breach of contract.
The Five Parties Model Applied to Bitcoin Exchange
The Five Parties Model is just and exactly that – a model. This means there are variations, and a business must modify it to suit. For example, many businesses in the space have not one but two bases of value to control: an underlying asset and a digital issuance. Bitcoin exchanges fall into this category.
When an Issuer is backing the digital currency with a reserve asset, both of these assets need to be protected. To do this, we utilise two instances of the Five Parties Model in a mirrored pair. In each, the Issuer and the Public act as parties on both sides, whereas the Trustee, the Operator and the Manager may be duplicated (or not). Figure 2 shows an application of the Five Parties Model to a Bitcoin Exchange.
An exchange supporting many currency pairs requires a somewhat more complicated regime. For every one of their assets – BTC, Altcoins, USD, EUR, JPY, etc, they must delegate operators, trustees and managers.
However, this model can still be managed for multiple currency types with only two trustees – one for the internal book value, and one for the external reserve assets.
Where MtGox Went Wrong
Now that we have explained the Five Parties Model and why it is important, let’s look at where MtGox failed.
MtGox as the Issuer of Internal Book Value
In the present case, MtGox was the contractual party that guaranteed to deliver an exchange of value, and in the mean time keep escrowed funds and/or BTC secure.
As can be seen from the following screen capture (Figure 3) taken from the Internet Archive, MtGox did in fact have a contract with the users to fully reserve their internal Bitcoin and currency accounts:
As an Issuer MtGox failed to implement internal controls to ensure that their contract conditions were honored at all times.
Furthermore, recent revelations (by a former MtGox insider who is now a competitor) allege that MtGox management may have knowingly operated the exchange on a fractional reserve basis since a major Bitcoin theft in 2011. If that proves to be true, then sadly, the management may have compounded the initial crime committed against them by secretly operating in breach of contract instead of simply reporting the theft and filing for bankruptcy. That followed by rise in the value of Bitcoin since 2011 has multiplied the impact of the original theft by one-hundred fold.
MtGox Failed to Separate the Roles
MtGox appears to have had the same trading desk or Manager controlling both the creation of value on the internal books and the release of assets in the reserve accounts.
By merging two roles that should have been separated — Manager and Trustee — MtGox allowed the Manager to transfer out the reserve assets without first destroying an equivalent amount of internal value on their books.
If MtGox had been following the Five Parties Model from the beginning, it would have been impossible for a security breach or malleability attack to have stolen any more than the Manager’s hot wallet balance. The customers’ funds would not have been jeopardized and the discrepancy would have become immediately apparent.
The failure of MtGox to separate the asset reserve from the Manager’s trading accounts precipitated an epic disaster.
MtGox Failed to Arrange for Audit
MtGox did not make their internal Bitcoin balances public, and did not have a quarterly third party audit in place, either. Consequently they operated as the largest Bitcoin exchange for three years with no one checking their books. That is like driving while blindfolded.
Ideally, MtGox would have displayed a balance sheet with references to cold wallets on one side, and their internal Bitcoin/Altcoin balances on the other side. The former is verifiable via the blockchain, while the latter could be made available by the operator via the API, and periodically audited by a third party to ensure the code providing the balance query was accurate.
MtGox Failed Because Nobody Was Watching Them
With the information above, you the Public as individuals or as media or other observers could have verified that things were as they should be, and if not, sound the alarm! That’s what Twitter and media sites such as CoinDesk and Bitcoin Magazine are for.
As MtGox did not have a sufficient governance model in place, the public was startled to learn that more than $300 million worth of Bitcoin managed to disappear.
However, we the account holders may ultimately blame our own failure to insist on good governance for any losses we suffered from the failure of MtGox.
How To Prevent MtGox From Happening Again
If the digital currency community does not self-regulate, we will find ourselves placed under government regulations. (Which may well happen anyway.) Government regulations drive up operation costs, but ultimately do not provide additional safety or security. Consider how government regulation utterly failed to prevent the 2007 banking crisis.
Instead of regulation, the digital currency community should demand and apply the Five Parties Model of governance.
Public transparency is consistent with the ideals of Bitcoin’s public blockchain, and can be expected to greatly improve the stability and reliability of the digital currency community.
Applying the Five Parties Model to Bitcoin exchanges need not be expensive. All it takes is for any exchange to appoint two trustees to control the reserve assets and the internal book value, limit the accounts the Trustees can transfer value to, and publish an API allowing public query of the total balance of their internal books.
We have websites such as blockchain.info and bitcoincharts.com that can easily support realtime charts using the information from the APIs of participating Bitcoin exchanges. Instead of merely providing price data, these websites can play an integral part of the governance of the Bitcoin community by collecting and displaying data concerning the reserve assets and total liabilities of exchanges and escrow services.
The media also play a very important part of the governance equation. Publications that cover the digital currency sector like Bitcoin Magazine, DGC Magazine, and CoinDesk should be asking hard questions of new and old exchanges about their governance procedures.
The Bitcoin Foundation and other industry associations would be well advised to encourage the development of an industry standard for governance of exchanges and escrow services using the Five Parties Model.
You, the public, should demand it.
To voice your support for the Five Parties Model, please use the hashtag #5PModel.
Update – As this article was going to press, BitQuick became the first Bitcoin exchange to move towards implementing the Five Parties Model by making its internal balance and Bitcoin reserve addresses public through their API. (Perhaps that’s why they are called Bit QUICK.)
Ian Grigg and Ken Griffith are the co-founders at Dinero Limited, which provides a secure multi-instrument platform for digital currency exchange. Since 1995 we have built real-time trading exchanges for precious metals, securities and digital currencies. Dinero’s trading platform is a complete solution ideal for hosting crypto-currency exchanges.
This article is a modified version of the paper “HOW MTGOX FAILED THE FIVE PARTIES GOVERNANCE TEST” first published at FinancialCryptography.com on 2014-02-26.
