WBTC Changes and Risk Mitigation - 10 August 2024

Background

Yesterday on 9 August, Bitgo announced it is planning to transfer control of the WBTC product to a joint venture with BiT Global. This will result in custody being split across multiple jurisdictions including Hong Kong and Singapore, compared with current US based custody. Bitgo has disclosed that this change implements a partnership with Justin Sun and the Tron ecosystem; as such we can infer that Justin Sun will have significant influence or control over the joint venture managing WBTC. This change in control is expected to take place in 60 days.

This bears some similarity to the previous situation concerning control of the TUSD stablecoin, which was discussed in the Maker forum here. Since TUSD was placed into Justin Sun’s control, it has seen marked deterioration in operational processes and transparency, including the resignation of the previous management team, suspension of real time proof of reserves, and several significant depegs caused by interruptions in redemption service. We have also seen other Sun affiliated projects show worrying signs of possible misappropriation, such as the substitution of Huobi’s USDT reserves with stUSDT, a Sun controlled RWA project that purports to hold a reserve of US treasury bills but has not provided clear audits or evidence that the backing exists. On the whole, we find that Sun’s involvement as a controlling interest in the new WBTC joint venture presents an unacceptable level of risk.

We also note that Bitgo itself seems to have had some negative developments recently, including a failed acquisition by Galaxy Digital where Galaxy backed out for undisclosed reasons. This, along with the unexpected decision to divest from the WBTC product, may be indications of financial distress within Bitgo, and reflects negatively on Bitgo’s counterparty risk. While some of the risk factors are somewhat speculative, it makes sense to err on the side of caution given the critical role WBTC collateral plays within defi.

Recommended Actions

Given the upcoming change in control, BA Labs believes WBTC collateral integrations on Maker and SparkLend present an elevated level of risk. BA Labs recommends that the Stability Facilitator propose the following immediate actions to limit growth of WBTC exposure, to be included in the next upcoming executive vote on Monday 12 August:

  • Core vaults:
    • WBTC-A DC-IAM line (max DC): Decrease by 500M from 500M to 0
    • WBTC-B DC-IAM line (max DC): Decrease by 250M from 250M to 0
    • WBTC-C DC-IAM line (max DC): Decrease by 500M from 500M to 0
  • SparkLend:
    • Disable WBTC borrowing
    • Reduce WBTC LTV from 74% to 0%

If Bitgo or other responsible persons cannot convincingly demonstrate that maintaining current collateral integrations is safe, we will consider further recommendations for parameter changes to protect the protocol and mitigate counterparty risks, up to and including potential full offboarding of all Maker and Spark WBTC collateral integrations.

11 Likes

The Ecosystem Team, acting as the Stability Facilitator, approves the proposed parameter changes to be included in the next available Executive vote.

4 Likes

This seems to be more a reaction to the Justin Sun name than to facts. We too were concerned that some would react this way to his name, which is why we made sure to announce his involvement up front, even though he won’t actually have the ability to move any funds arbitrarily. We also wanted to ensure the community have ample time (60 days) to discuss and do diligence before anything happens.

I’d encourage you to meet with the BiTGlobal team to hear how the custody will be secured along with BitGo. The underlying security is the same as what you have today, with https://wbtc.network continuing to provide near-real-time proof of reserves. If that ever changes, you’ll know in real time. Further, BitGo is still co-signing all transactions using the same technology it always had; BitGo simply will not sign a transaction that does not have the corresponding mint (BTC deposit) or burn (token ownership). Merchants also still exist. This leaves the remaining risk of the underlying treasury itself, with keys now being separated across parties in a way they never were before. It is true that if BiTGlobal is fully compromised (just like if BitGo had ever been compromised) the treasury could be at risk; however this is being safeguarded by a regulated entity and again the same cold-storage technology with keys offline.

With regard to BitGo and Galaxy, the split was because Galaxy was unable to list as a public company in the US, and payment to BitGo was required to be with Galaxy US-listed shares. To this day (over 2 years now), Galaxy still is unable to list its stock in the US markets and its applications remain pending. BitGo’s balance sheet is strong and we’d be happy to prove this with appropriate attorneys if that is really an issue.

4 Likes

This seems like a rather extreme action.

If the entire debt backed by WBTC on Maker was dumped in a single txn, it doesn’t look like a problem given the LTV of the three WBTC ilks. While this secondary liquidity exists, the underwriting of the vault risk parameters is supposed to be based on that, isn’t it?

Based on market conditions, BA Labs just two days ago recommended a rate cut for all WBTC vaults.

This doesn’t seem consistent with how other assets with centralized issuers are treated, where the primary market is what the vaults are underwritten against.

That’s not to say change of control shouldn’t be monitored and Bitgo provide as much information as possible, but preventing any new debt + threatening “full offboarding” seems a bit extreme when looking at the facts.

I believe MakerDAO should seriously consider transitioning to ckBTC. It represents a comprehensive full-stack solution for Bitcoin, addressing not only scalability but also offering robust end-to-end on-chain integration.

This solution is designed to be tamper-proof and devoid of backdoors, providing a secure and reliable framework.
Adopting ckBTC could significantly enhance MakerDAO’s infrastructure, ensuring both increased efficiency and security.

So the vote will be held on the 12th, and a few days later WBTC becomes unusable as collateral?
This seems like a huge overreaction and unfairly punishing to your users who have active loans against WBTC.

Bitgo has stated that there will be 60 days before any changes are made. Regardless of your opinions on this issue, this executive vote timeframe is completely unreasonable when there is still plenty of time before the change takes effect.

To clarify, this initial set of parameter changes will prevent new borrowing against wbtc collateral, but will not have any immediate impact on existing users. There are no changes to borrowing costs or liquidation ratio / liquidation threshold.

5 Likes

Mike -

I appreciate you jumping into this thread and trying to explain the thinking behind this decision. I think we can all say that direct communication with the ecosystem is very helpful to work through changes like this.

Here’s the issue though -

The community is right to be skeptical. I’ve been doing chain forensics since before it was ever a mainstream thing. I’ve spoken to two other high level, indie researchers who share the same conclusion. In very layman’s terms, just read Ergo’s thread on the issue - x.com

Ergo, in a later tweet, brings up the crux of the issue - “Absence of evidence is not evidence of absence, but none of this would be necessary if the TRC20 BTC custodian was transparent.” As far as many of us are concerned, until any evidence is presented that the TRC20 BTC actually exist, I don’t know why any of us should take any statement regarding his involvement at face value.

Without actual proof that these reserves exist, reserves that many of us have actively looked for and could not find easily (which in and of itself is an issue), I don’t see why any statement of trust should be accepted. The reason why you were able to anticipate the reaction to the announcement including his name is not anything malicious towards Justin. It’s the simple fact we want to know where the 60k BTC are.

Until then, I don’t know why anyone should, when they have a choice, invite the wolf into the hen house.

  • CHC
2 Likes

Thanks for your response.

I agree everyone should get comfortable with this transition on their own terms and some may opt out. We’re here to describe what is happening so you can make that call.

With regard to the TRC-20 BTC link you provided, I have no idea what that is, but it’s not related to WBTC in any way. You should talk to the people that own that.

I am happy to tell you all about WBTC, how it works, have you scrutinize the technology, the regulatory structure, the backing, etc.

About the only thing I can’t help you with is justifying the validity of random other projects…

Mike

2 Likes

Just so people are aware, there are two collateralization parameters for the Aave V3 codebase which SparkLend uses. LTV which is used when a loan is generated and Liquidation Threshold for triggering a liquidation. With these parameter changes the LTV will be lowered to 0 to prevent any new loans being issued against WBTC, but existing positions are unaffected as the Liquidation Threshold is unchanged.

4 Likes
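The distinction drawn in the two clarifying posts above (new borrowing blocked, existing positions untouched), as an added example that is not part of the thread or of SparkLend's code: a simplified Python model of the two collateral parameters. Only the 74% to 0% LTV change comes from the proposal; the 75% liquidation threshold, the sample position and all function names are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Reserve:
    ltv: float                    # checked only when debt is opened or increased
    liquidation_threshold: float  # checked only when deciding liquidation

@dataclass(frozen=True)
class Position:
    collateral_usd: dict  # asset symbol -> collateral value in USD
    debt_usd: float

def borrow_capacity(pos, reserves):
    """Maximum total debt the position may carry at borrow time."""
    return sum(v * reserves[a].ltv for a, v in pos.collateral_usd.items())

def can_borrow(pos, reserves, extra_usd):
    """A new borrow passes only if total debt stays within LTV capacity."""
    return extra_usd > 0 and pos.debt_usd + extra_usd <= borrow_capacity(pos, reserves)

def health_factor(pos, reserves):
    """Threshold-weighted collateral over debt; below 1 is liquidatable."""
    if pos.debt_usd == 0:
        return float("inf")
    weighted = sum(v * reserves[a].liquidation_threshold
                   for a, v in pos.collateral_usd.items())
    return weighted / pos.debt_usd

def price_drop_to_liquidation(pos, reserves):
    """Uniform collateral price drop (fraction) that brings HF to 1."""
    return max(0.0, 1 - 1 / health_factor(pos, reserves))

# Constructed sample data. Only the 74% -> 0% LTV change is from the proposal;
# the 75% liquidation threshold and the position are assumptions.
BEFORE = {"WBTC": Reserve(ltv=0.74, liquidation_threshold=0.75)}
AFTER = {"WBTC": replace(BEFORE["WBTC"], ltv=0.0)}
EXISTING = Position(collateral_usd={"WBTC": 100_000}, debt_usd=60_000)

def compare(pos=EXISTING, extra_usd=10_000):
    """Summarise the same position under both parameter sets."""
    return {
        name: {
            "can_borrow_more": can_borrow(pos, params, extra_usd),
            "health_factor": health_factor(pos, params),
            "drop_to_liquidation": price_drop_to_liquidation(pos, params),
        }
        for name, params in (("before", BEFORE), ("after", AFTER))
    }

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

The model ignores interest accrual and any protocol rules beyond these two parameters; it only shows that the borrow-time check and the liquidation check read different values.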

Hey all, it’s been a while!

I’m one of the founders of tBTC, a decentralized BTC bridge to Ethereum, Arbitrum, Base, Optimism, and Solana operated by the Threshold network.

tBTC has been around for nearly 5 years now without major incident. Over the years, we’ve upgraded the network to scale, providing what I believe is the best balance of security and flexibility across the space.

tBTC has been onboarded as collateral for crvUSD, and is in the process of onboarding with Aave. We’d love to offer the MakerDAO community an alternative BTC collateral, and would be happy to donate developer time and audits for integration and anything else users need to migrate.

I have a ton of respect for @mikebelshe and the team at BitGo. I don’t know the details around this move, and expect there will be more clarity in the coming weeks. I’m hoping for a positive outcome for WBTC holders and DAI borrowers.

In the meantime, we have a credible alternative and we’re eager to get to work. If anyone has the bandwidth to help champion tBTC as a collateral asset on MakerDAO, I’d love to connect.

3 Likes

Your announcement was quite sparse on details, which makes it difficult to assess risk of the new arrangement. If you or new owner representatives could provide the following details I think it would help the Maker community determine if WBTC will remain suitable to use as collateral:

  • BiT Global company details, including domicile and company number, registrations, etc
  • BiT Global directors and officers
  • BiT Global ownership structure, including ultimate beneficial owners (natural persons)
  • Details on key management, including how officers/directors/owners control key materials
  • Strategic reasoning for acquisition/joint venture and Justin Sun’s involvement
  • Any other details that substantiate the safety and soundness of the new ownership/management structure

Looking forward to your response.

5 Likes

Maker community,

My name is Aki and I co-founded dlcBTC, a safer wrapped Bitcoin. Unlike custodied wBTC or bridged tBTC, dlcBTC is minted by merchants from self-custody.

We are not a Bitcoin L2 and thus do not require any changes to Bitcoin. Instead, we implement Discreet Log Contracts (DLCs), which were invented at MIT 6 years ago by the creator of the Lightning Network (read whitepaper). Similar to an if-then statement, DLCs use pre-funding transactions to conditionally move Bitcoin using input from an off-chain oracle.

We’ve taken this general concept and have implemented what we call “self-wrapping:” our merchants lock Bitcoin with themselves. They move their BTC into a multisig that can only pay out to them. When they deposit, they pre-sign their wallet address as the only possible outcome. Thus, the protocol is theft-proof, as the BTC cannot be redirected to a third-party. And, the DLC is secured by the full hashrate of the Bitcoin network.

A network of relay nodes that we call “DLC Attestors” pass mint/burn messages between the two chains. However, unlike custody nodes at bridges (tBTC, ckBTC, sBTC, BTC.B, etc.), dlcBTC’s relay nodes cannot receive Bitcoin. The security assumptions around attestors are described on our blog, but the advantage is clear: keeping the BTC with the original depositor, and instead relaying messages which are verifiable by any third-party (including Chainlink Proof of Reserve), is preferable to adding a chain, bridge or any other intermediary layer.

Our view is that bridges are too dangerous. When users send their BTC to a set of nodes, they’ve abandoned BTC security and fully rely on the design of the bridge. As they say: not your keys, not your Bitcoin. A single erroneous commit could put the BTC at risk.

We’ve only launched a few weeks ago (to Arbitrum, to start) but have been seeing great initial results. We are in process of listing on AAVE (see completed TEMP_CHECK and our work-in-progress ARFC report) and are in process of listing on Curve Lend/crvUSD and elsewhere.

At some point in the near future, we will also be submitting an application for dlcBTC to be onboarded as collateral on MakerDAO. In the meantime, we’d love to hear from you and answer your questions. Please visit our website, join our Discord or DM me.

1 Like

Mike,

Yes, doing diligence is a must. Can you please answer two questions:

  • There are around 10k TCSP licence holders in Hong Kong. Why did BitGo choose BiTGlobal?

  • Is Justin Sun or his related company your investor in BitGo’s latest fundraising round in 2023 Aug?

It’s totally legitimate to ask these questions. It feels less legitimate to ask these questions when you didn’t ask them about weETH (4 of 7 msig) or (s)USDe (company controlled).

Just to assure everyone this isn’t shooting from the hip based on vibes rather than professional analysis, can you please confirm that these questions are important enough that you asked EtherFi and Ethena, where secondary market liquidity is considerably less developed than WBTC, but BA Labs recommended hardcoding oracles 1:1 with the advertised exchange rate (while WBTC takes live market pricing)?

This feels like a rush to judgement that isn’t treating WBTC on the same basis it treats other centralized asset issuers.

2 Likes

Hey Monet-Supply -

I do want to answer all of your questions. But these questions require precise security, legal and regulatory details and confidential information which is not pragmatically answerable in a public forum.

I’m not trying to dodge your questions. If you’ve done professional, legal due diligence before, I know you understand.

To get more answers, I would propose MakerDAO appoint an attorney to conduct diligence under NDA with BiTGlobal. That attorney can then summarize findings back to the community here. I don’t know who you are or if you’re even related to the DAO, but I assume the DAO has a way to engage legal resources to help with this sort of thing.

But some questions I can answer easily.

Again, I sense that your meta-question is simply “is Justin Sun involved.” Look, he is not in the management team of BiTGlobal nor does he have any key material access. But he is materially involved, which is why we stated that in the very first announcement. We can confirm details with your attorney. If his involvement alone is enough for you to not want to use WBTC, then you should not use WBTC 🙂

Additionally, you should have your attorney confirm that BiTGlobal is a licensed TCSP in Hong Kong and in good standing. This is easy to do. You should have your attorney describe for you what it means to be a custodian under that license. In general, as a custodian, it means the client’s assets (in this case the WBTC treasury) are not the property of BiTGlobal, they are not on the balance sheet of BiTGlobal, and that BiTGlobal is not allowed to lend, use, rehypothecate the assets, or send them out to others like JS or anyone else. They also must keep the assets separate from the assets of other clients. Failure to properly safeguard could have legal and criminal consequences for the individuals at BiTGlobal. The community here should think long and hard about the value of this legal & regulatory structure, as it is one of the key strengths of WBTC and none of the would-be WBTC competitors have it at all. With every one of the competing products, they could lend out your assets or decide to “generate a yield” and you’d have no recourse. That is not possible with WBTC under BitGo or BiTGlobal.

Finally, with regard to the technology, the smart contract is the same smart contract for WBTC that exists today, which you can fully review. The key setup will be the same as it is today except that BiTGlobal operates in HK and Singapore, whereas BitGo operates in South Dakota. You should review that setup, and then if you have further questions, have your attorney confirm them with BiTGlobal too.

Here are some threads where WBTC was discussed previously here:

This was not an answer to questions, but just an attempt to divert the dialogue. Do you have no answers or are these answers so bad that they will turn users away from WBTC?

1 Like

WBTC is good, but the technical solution should be upgraded.

https://x.com/0xkevinhe/status/1822702151589933159