James Lavish

@jameslavish

33 Tweets Mar 10, 2023
Can Merkle Trees prove that your #Bitcoin is safe on an exchange?
Are they fool (or crook, in recent cases) proof as a method to verify your balances?
Excellent questions that need answers ASAP.
Time for a collateral 🧵👇
#️⃣ What is a Hash?
I’m no coder, and I don’t expect you are either
So, let’s walk through this nice and easy today
Get you a bit smarter on the collateral side of the decentralized world, shall we?
To start, a secure hash algorithm, or SHA, is just a mathematical function
It takes a string of data of any size and produces a fixed-size output that looks completely different from the original data
The most common place we see hashes used is in protecting stored passwords.
This way, the server that’s checking the password only has to store the *hash* of a user’s password, rather than the actual password itself
So, if a company’s database is hacked, it will only reveal the hashes and not the actual passwords.
Hashes can be extremely effective because of what we call the avalanche effect
i.e., altering just a few characters of the input can produce a huge change in the hashed output
Notice how the output values below are all the same size, but *completely different*:
(image: example hash outputs, via Wikipedia)
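To put a number on the avalanche effect, here is an added Python example (not code from the thread) that hashes a constructed message, then a copy with one character changed and a copy with a single bit flipped, and counts how many of the 256 output bits differ:

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions at which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(msg1: bytes, msg2: bytes) -> int:
    """SHA-256 both messages and return how many of the 256 output bits differ."""
    return differing_bits(hashlib.sha256(msg1).digest(), hashlib.sha256(msg2).digest())

def flip_one_bit(msg: bytes) -> bytes:
    """Return msg with the lowest bit of its last byte flipped (a one-bit input change)."""
    return msg[:-1] + bytes([msg[-1] ^ 0x01])

# Constructed inputs: one differs by a single character, one by a single bit.
ORIGINAL = b"Send 1.0 BTC to Alice"
ONE_CHAR = b"Send 1.1 BTC to Alice"
ONE_BIT = flip_one_bit(ORIGINAL)

if __name__ == "__main__":
    for label, variant in (("one character", ONE_CHAR), ("one bit", ONE_BIT)):
        print(f"{label:>13} changed -> {avalanche(ORIGINAL, variant)} of 256 output bits differ")
    print(sha256_hex(ORIGINAL))
    print(sha256_hex(ONE_BIT))
```

For a good hash function the count lands around 128 either way: a one-bit input change scrambles the output just as thoroughly as rewriting the whole message.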
Bitcoin uses SHA-256, a hash function within the SHA-2 (Secure Hash Algorithm 2) family
SHA-256 was developed by the NSA in 2001 to solve problems with SHA-1
SHA-256 has never been compromised and is an extremely secure cryptographic hash function.
Hash functions and SHA-256 are a one-way street of information, making it impossible to recreate a hash’s input from the output
SHA-256, as used by the Bitcoin network, is widely considered the most secure hash algorithm in the world
Which brings us to the hash tree or *Merkle Tree*
🌳 What is a Merkle Tree?
First, a Merkle Tree is simply a hash tree, a concept patented by Ralph Merkle in 1979
See, in decentralized, peer-to-peer transactions, data verification is imperative.
In decentralized systems, if data is changed in one place, it must be changed everywhere
These changes must be verified as consistent everywhere
Yet it can quickly become overwhelming to check the entirety of every single file across an entire system when checking for consistency.
But we can use hashing to minimize the amount of data that needs to be checked, right?
Turn data into hashes and list those instead (just like passwords)
Exactly
And this is where the Merkle or hash tree comes into play.
Hash trees ensure blocks sent between peers are unaltered and undamaged, allowing us to verify data stored in or transferred between computers in a peer-to-peer network
A hash tree is a tree of hashes, where the leaves (the bottom nodes) are hashes of blocks of data in a file.
Nodes toward the top of the tree are hashes of their respective *children*
See below: Hash 1 is the hash of the concatenation (fancy programming word for combination) of the two hashes below it on the tree
Hash 1 = Hash(Hash 1-0 + Hash 1-1)
(image: hash tree diagram, via Wikipedia)
The top hash (aka root) sits at the top of the tree
Any received branch, etc. can be checked against the trusted top hash for verification
Instead of transmitting entire files, we can just send a hash of the file, and check it against the root to see if it’s been compromised.
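Here is the tree-building and verification described above, as an added Python example (not code from the thread or from any exchange). It assumes SHA-256 for every node, the common rule of pairing an unpaired hash with itself at odd levels, and uses constructed account records as the data blocks; the proof for one record is just the sibling hashes on its path to the root.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(leaves):
    """Hash every block, then hash concatenated pairs upward; leaf hashes first, root last."""
    level = [sha256(leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                 # odd count: pair the last hash with itself
            level = level + [level[-1]]
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(leaves):
    return build_levels(leaves)[-1][0]

def inclusion_proof(leaves, index):
    """Sibling hashes from leaf `index` up to the root, tagged with the side the sibling sits on."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]     # same padding rule as build_levels
        side = "right" if index % 2 == 0 else "left"
        proof.append((side, level[index ^ 1]))
        index //= 2
    return proof

def verify(leaf, proof, root):
    """Recompute the path from one data block to the trusted root using only the proof."""
    h = sha256(leaf)
    for side, sibling in proof:
        h = sha256(h + sibling) if side == "right" else sha256(sibling + h)
    return h == root

# Constructed sample: five account records an exchange might commit to in a proof of reserves
RECORDS = [b"acct:1001 balance:0.50 BTC", b"acct:1002 balance:2.00 BTC",
           b"acct:1003 balance:0.10 BTC", b"acct:1004 balance:1.25 BTC",
           b"acct:1005 balance:3.00 BTC"]

if __name__ == "__main__":
    root = merkle_root(RECORDS)
    proof = inclusion_proof(RECORDS, 2)     # three sibling hashes, not all five records
    print("root:", root.hex())
    print("record 3 included:", verify(RECORDS[2], proof, root))
    print("tampered record:", verify(b"acct:1003 balance:9.10 BTC", proof, root))
```

Note what the check proves and what it does not: a valid proof shows your record is in the tree behind the published root, but the root alone says nothing about whether the exchange actually holds the coins those balances add up to.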
✅ Merkle Tree Proof of Reserves
In traditional financial accounting, we use books and records and balance sheets
A balance sheet is a summary of what a company owns and owes, the books and records show all the transactions that add up to the balance sheet.
Books and records and balance sheets are reviewed and verified by a third party
The auditor
And if an auditor finds something that doesn’t add up, they’ll flag it and refuse to vouch for the books’ validity until the discrepancy is resolved.
So, if you deposit money at JP Morgan, there’s a clear record of you sending money from your bank to JP Morgan, and it is put on their books
JPM’s account managers, accountants, comptrollers, CFO, & auditors all agree your deposit is there and is now a JPM liability to you.
What about decentralized exchanges without the same human monitored chain of custody and account oversight?
i.e., if you sent BTC to Binance, how can you tell your deposit is still there a few hours, days, or months later?
That it wasn’t lent out or moved by a bad actor?
It would seem absurd for Binance to publish a list of every single balance of every account for individuals to check their balance against, right?
Small privacy problem there. So, what’s the solution?
You got it. The Merkle Tree.
And so Binance just announced they will be using a Merkle Tree to verify assets are 1:1 and “allow people to verify their assets within the platform”
Here’s a photo of the Merkle Tree that Binance now has on the Proof of Reserves page of their website:
Awesome
So you can check that your balances are indeed still there, and that they have not been moved or misappropriated
All good. The verification of reserves problem is solved, end of story, right?
Right?
🔍 What’s Missing?
One small issue
In order for the Merkle Tree proof of reserves to be a valid way to check your balances, the company must also include any liabilities to demonstrate solvency
And it must be verified by a trustworthy third-party auditor.
In other words, proof of reserves (through Merkle Tree or any other trusted method) is simply a proof of *assets*
And proof of assets + audited liabilities = proof of solvency
(h/t @jespow)
Because solvency (and verification of asset to liabilities ratio above 1:1), as many seem to be learning the hard way these days, is all that really matters when verifying that your assets are safe on an exchange or other decentralized platform.
But then we're back to trusting human sources of information. I mean, look at how many people were complicit in the FTX fraud this month
They all said FTX was solvent and safe. People trusted them. People got hurt.
Some people lost their life’s savings.
Of course, there's a much more trustworthy method of ensuring your balances are safe and secure
Many of you reading this already preach it continuously
But for those who do not and have not done it yet, it’s a simple solution.
Take your coins off the exchanges, and put them in a wallet secured by you
Take possession of your own assets. That’s the point of Bitcoin’s peer-to-peer trustless protocol, after all
Self sovereignty.
That, my friends, is the only way you can truly be certain that your balances are secure
If you’re seeking extra yield by pledging your Bitcoin (or other) holdings on an exchange, please recognize the risk you are taking
Make sure you understand this now, before it's too late.
You are trusting someone else to hold and secure your money
Period
There’s no other way to put it.
And so, if you’re just too scared to self custody, try to do it in steps (easy as 1, 2, 3):
1. Buy a @Ledger or @Trezor or @COLDCARDwallet, always directly from the manufacturer and never from Amazon or eBay or another reseller
2. Watch YouTube videos on the steps to move your coins from exchange to the wallet
• My good friend Ben (@BTCSessions) has some phenomenal and easy to follow videos on how to do this (it is exactly how I learned),
3. Then just move a tiny bit the first time to see how it works and to get comfortable with the process
You will soon feel confident, trust yourself, and move it all.
And this is truly the only way to be sure your balances are safe and secure from bad actors, fraud, or worse…
Total theft.
This thread is a summary of a recent 🧠Informationist Newsletter. If you enjoyed it, make sure to:
1. Follow @jameslavish to see more investment related content
2. Subscribe to The Informationist to learn one simplified concept weekly: jameslavish.substack.com