Dynamic Pricing for Non-fungible Resources
Public blockchains implement a fee mechanism to allocate scarce computational resources across competing transactions. Most existing fee market designs utilize a joint, fungible unit of account (e.g., gas in Ethereum) to price otherwise non-fungible resources such as bandwidth, computation, and storage, by hardcoding their relative prices. Fixing the relative price of each resource in this way inhibits granular price discovery, limiting scalability and opening up the possibility of denial-of-service attacks.
  • Theo Diamandis,
  • Alex Evans,
  • Tarun Chitra,
  • Guillermo Angeris
  • Basics
 08.16.22
Optimal Routing for Constant Function Market Makers
We consider the problem of optimally executing an order involving multiple cryptoassets, sometimes called tokens, on a network of multiple constant function market makers (CFMMs). When we ignore the fixed cost associated with executing an order on a CFMM, this optimal routing problem can be cast as a convex optimization problem, which is computationally tractable. When we include the fixed costs, the optimal routing problem is a mixed-integer convex problem, which can be solved using (sometimes slow) global optimization methods, or approximately solved using various heuristics based on convex optimization. The optimal routing problem includes as a special case the problem of identifying an arbitrage present in a network of CFMMs, or certifying that none exists.
  • Guillermo Angeris,
  • Tarun Chitra,
  • Alex Evans,
  • Stephen Boyd
  • MEV
 12.01.21
Replicating Monotonic Payoffs Without Oracles
In this paper, we show that any monotonic payoff can be replicated using only liquidity provider shares in constant function market makers (CFMMs), without the need for additional collateral or oracles. Such payoffs include cash-or-nothing calls and capped calls, among many others, and we give an explicit method for finding a trading function matching these payoffs. For example, this method provides an easy way to show that the trading function for maintaining a portfolio where 50% of the portfolio is allocated in one asset and 50% in the other is exactly the constant product market maker (e.g., Uniswap) from first principles. We additionally provide a simple formula for the total earnings of an arbitrageur who is arbitraging against these CFMMs.
  • Guillermo Angeris,
  • Alex Evans,
  • Tarun Chitra
  • DeFi
 09.01.21
Constant Function Market Makers: Multi-Asset Trades via Convex Optimization
The rise of Ethereum and other blockchains that support smart contracts has led to the creation of decentralized exchanges (DEXs), such as Uniswap, Balancer, Curve, mStable, and SushiSwap, which enable agents to trade cryptocurrencies without trusting a centralized authority. While traditional exchanges use order books to match and execute trades, DEXs are typically organized as constant function market makers (CFMMs). CFMMs accept and reject proposed trades based on the evaluation of a function that depends on the proposed trade and the current reserves of the DEX. For trades that involve only two assets, CFMMs are easy to understand, via two functions that give the quantity of one asset that must be tendered to receive a given quantity of the other, and vice versa. When more than two assets are being exchanged, it is harder to understand the landscape of possible trades. We observe that various problems of choosing a multi-asset trade can be formulated as convex optimization problems, and can therefore be reliably and efficiently solved.
  • Guillermo Angeris,
  • Akshay Agrawal,
  • Alex Evans,
  • Tarun Chitra,
  • Stephen Boyd
  • Basics,
  • DeFi
 07.01.21
Replicating Market Makers
We present a method for constructing Constant Function Market Makers (CFMMs) whose portfolio value functions match a desired payoff. More specifically, we show that the space of concave, nonnegative, nondecreasing, 1-homogeneous payoff functions and the space of convex CFMMs are equivalent; in other words, every CFMM has a concave, nonnegative, nondecreasing, 1-homogeneous payoff function, and every payoff function with these properties has a corresponding convex CFMM. We demonstrate a simple method for recovering a CFMM trading function that produces this desired payoff. This method uses only basic tools from convex analysis and is intimately related to Fenchel conjugacy. We demonstrate our result by constructing trading functions corresponding to basic payoffs, as well as standard financial derivatives such as options and swaps.
  • Guillermo Angeris,
  • Alex Evans,
  • Tarun Chitra
  • DeFi
 03.01.21
A Note on Privacy in Constant Function Market Makers
Constant function market makers (CFMMs) such as Uniswap, Balancer, Curve, and mStable, among many others, make up some of the largest decentralized exchanges on Ethereum and other blockchains. Because all transactions are public in current implementations, a natural next question is if there exist similar decentralized exchanges which are privacy-preserving; i.e., if a transaction’s quantities are hidden from the public view, then an adversary cannot correctly reconstruct the traded quantities from other public information. In this note, we show that privacy is impossible with the usual implementations of CFMMs under most reasonable models of an adversary and provide some mitigating strategies.
  • Guillermo Angeris,
  • Alex Evans,
  • Tarun Chitra
  • Privacy
 02.01.21
Optimal Fees for Geometric Mean Market Makers
Constant Function Market Makers (CFMMs) are a family of automated market makers that enable censorship-resistant decentralized exchange on public blockchains. Arbitrage trades have been shown to align the prices reported by CFMMs with those of external markets. These trades impose costs on Liquidity Providers (LPs) who supply reserves to CFMMs. Trading fees have been proposed as a mechanism for compensating LPs for arbitrage losses. However, large fees reduce the accuracy of the prices reported by CFMMs and can cause reserves to deviate from desirable asset compositions. CFMM designers are therefore faced with the problem of how to optimally select fees to attract liquidity. We develop a framework for determining the value to LPs of supplying liquidity to a CFMM with fees when the underlying process follows a general diffusion. Focusing on a popular class of CFMMs which we call Geometric Mean Market Makers (G3Ms), our approach also allows one to select optimal fees for maximizing LP value. We illustrate our methodology by showing that an LP with mean-variance utility will prefer a G3M over all alternative trading strategies as fees approach zero.
  • Guillermo Angeris,
  • Tarun Chitra,
  • Alex Evans,
  • Stephen Boyd
  • DeFi
 01.04.21
Liquidity Provider Returns in Geometric Mean Markets
Geometric mean market makers (G3Ms), such as Uniswap and Balancer, comprise a popular class of automated market makers (AMMs) defined by the following rule: the reserves of the AMM before and after each trade must have the same (weighted) geometric mean. This paper extends several results known for constant-weight G3Ms to the general case of G3Ms with time-varying and potentially stochastic weights. These results include the returns and no-arbitrage prices of liquidity pool (LP) shares that investors receive for supplying liquidity to G3Ms. Using these expressions, we show how to create G3Ms whose LP shares replicate the payoffs of financial derivatives. The resulting hedges are model-independent and exact for derivative contracts whose payoff functions satisfy an elasticity constraint. These strategies allow LP shares to replicate various trading strategies and financial contracts, including standard options. G3Ms are thus shown to be capable of recreating a variety of active trading strategies through passive positions in LP shares.
  • Alex Evans
  • DeFi
 06.01.20
Back

Sampling for Proximity and Availability

11.08.24

In blockchains, nodes can ensure that the chain is valid without trusting anyone, not even the validators or miners. Early blockchain design can achieve this by having each of these nodes download and re-execute all transactions itself. The inefficiency of this approach motivated the adoption of fraud and validity proofs. While these proofs provide assurances that the underlying state transitions of the blockchain were computed correctly, malicious block producers may still withhold the data required to compute the latest state. (In other words, while a node without this data may ensure that every change performed to the state was valid—since the proofs verify—the node may not be able to know what the underlying state actually is.) Such an attack could prevent users from composing valid transactions (e.g., to withdraw assets from some pool) or could prevent other nodes from constructing proofs of their own. The simplest way to ensure that the data needed to construct the underlying state can be downloaded is, of course, to try and download it. This is the approach most current blockchains take. The downside of this approach is that, as usage increases, every node must download all the data, which, in turn, puts strain on the network and its available bandwidth.

Data availability sampling. In response, [ASB181] introduced data availability sampling (DAS). This technique allows resource-constrained nodes (referred to as light nodes) to probabilistically verify the availability of data without downloading the entire block. That work roughly shows that, under some trust assumptions, if (a) the block data that we wish to make public is encoded via some error correcting code and (b) if enough people are sampling small parts of the encoded data, then the data must be available in that either it can be directly downloaded or, failing that, it can be reconstructed from the samples that have been collected by others in the network. This sampling procedure can ensure the data is available if two basic properties, which we describe next, hold.

Requirements. First, for DAS to work, there must be some way of guaranteeing that the data that was sampled is correctly encoded. Second, there must be ‘enough’ nodes actively sampling. In particular, the number must be chosen to ensure that these nodes, collectively, have enough symbols of the encoding to reconstruct the original data. DAS protocols in production today (such as those of [ASB18]) handle the former either through fraud-proofs or through KZG commitments. Fraud proofs are extremely efficient for the encoder but impose latency as well as an additional trust assumption: each light node is assumed to be connected to at least one honest full node. KZG commitments obviate this trust assumption, but require a trusted setup and are very expensive to compute, at least relative to computing the encoding itself. (Which is roughly the cost of the fraud-proof based encoding.)

Hashing-based proofs. Recent excellent works [HSW232, HSW243] have pointed to a third potential approach: instead of using KZG, it is possible to adapt computationally efficient hashing-based proofs such as those of [AHIV174] and [BBHR5] to establish that the encoding has been correctly computed. While these constructions have a number of desirable properties, including more efficient provers, weaker cryptographic assumptions, and no trusted setup, the constructions do feature large commitment sizes. As this commitment needs to be downloaded by all light nodes, the resulting overhead makes these constructions impractical.

This post. In this post, we’ll discuss a simple way to significantly reduce this overhead. We argue that if enough samples are requested and verified by a light node during DAS, these samples can also be used to ensure correctness of the encoding. We show that merging samples to establish both availability and integrity of the encoding results in more efficient DAS constructions.

Sampling for both proximity and availability

FRIDA construction. In FRIDA, the prover first encodes some data using a Reed–Solomon code and commits to the resulting entries of the vector via a Merkle tree commitment. The prover then uses the proving algorithm of the FRI protocol to produce a non-interactive proof that this vector is indeed within unique decoding of a Reed–Solomon codeword (a ‘proof of proximity’). The proof includes $L$ queries of the original vector on which the FRI verification procedure is run, where $L$ is chosen to achieve a given security level. (For the those less familiar with FRI, the exact details of this procedure are not important, though we will reference $L$ later.) The resulting proof (with the $L$ queries) is shared with light nodes as part of the commitment to the data. Each light node downloads the commitment, verifies the non-interactive proof, and makes $Q$ additional (interactive) random queries which are used as samples in the DAS scheme. An important observation of FRIDA is that running the FRI verification procedure on these additional queries implies that these received symbols correspond exactly to symbols of the closest codeword (which we have just proved exists via the initial $L$ queries). To summarize, the non-interactive proof of proximity (which contains $L$ queries) proves to light nodes that the vector the prover committed to is close to a unique Reed–Solomon codeword. These $L$ queries are the same for all nodes. Running the FRI verification procedure for the $Q$ additional queries proves to nodes that (verified) responses their specific queries, which are sampled independently and randomly across nodes, are symbols of that same (unique) codeword. As a result, one can decode the data by assembling enough queries with proofs, as required for a secure DAS scheme. The sketch below summarizes this protocol for $N=2$ light nodes making $Q=1$ queries each with $L=9$ non-interactive queries appended to the commitment. Each light node has to download $L+Q=10$ samples in total, or $1/3$ of the encoded data. (Note that at most two of these samples can be unique, since the $L$ samples are the same for both nodes.) If we’re using a rate of $1/2$ and a message of size $15$, the nodes need at least $15$ samples to decode the message. In other words, if these nodes put their samples together, they will not ever have enough data to be able to reconstruct the message, unless they request additional samples. (Or, alternatively, assume more nodes are also sampling.)

Figure 1: Samples of a codeword in vanilla FRIDA. Grey squares denote noninteractive samples that are in common between the nodes (i.e., $L=9$ samples). Red squares denote the $Q=1$ sample from the first light node, while blue denotes the $Q=1$ sample from the second one.

Leveraging interaction. In a simple amendment to this construction, we can have each light node interactively request and run FRI verification on an independent set of $L$ samples, instead of sending the same non-interactive proof of size $L$ to each node. (The parameter $Q$ is ignored in this setting.) This fully interactive procedure corresponds to running the query phase of FRI with interactive randomness, which is no less secure for the light node. In this case, the two nodes will, with high probability ($>99\%$, by choice of $L$) sample enough data ($\ge 15$ unique squares) to decode. In this second sketch, purple squares correspond to unlucky entries that both nodes redundantly sampled. The ‘bad’ case where they sample at least nine such redundant squares occurs with tiny probability, roughly $2^{-28}$, as opposed to probability $1$ when using non-interactive randomness. In other words, the grey (non-interactive) samples are ‘pure overhead’ in that they do not provide additional information to the network (i.e., information that can help reconstruct the original message) after the first node downloads them.

Figure 2: Samples of a codeword in interactive FRIDA. Red squares denote samples which only the first light node has, while blue denotes samples that only the second light node has. Purple squares denote samples that are in common between the nodes.

Efficiency. This simple change can make the resulting DAS scheme much more efficient. If we use $80$ bits of security, as in the original FRIDA paper, we require $L=128$. For the same level of security, a scheme that makes $128+1$ queries interactively requires two orders of magnitude fewer light nodes than one where each node issues one sample in addition to downloading a non-interactive proof with $L=128$. In short, sampling for proximity and availability in the same protocol significantly improves efficiency.

Comparisons. There is one tradeoff. In the interactive case, nodes must sample without replacement to match standard FRI security analyses. In seeking to define simple, modular primitives for DAS, the constructions in [HSW23, HSW24] allow for more flexibility in the sampling strategy of nodes. However, for practical protocols, we suspect the efficiency gained is worth the restriction.

Future work. While we’ve shown that interactive queries increase DAS efficiency when using FRIDA, significant overheads remains. Standard FRI verification utilizes correlated queries across rounds. Since queries to a given FRI oracle perfectly correlate with queries in the original oracle, they seem to yield no useful information to the network. A question in this case, remains: is it possible to have a protocol whose proofs all yield information that can be used to both prove a correct encoding and whose contents can be used to decode the original data?

Stay tuned for the next post.

Acknowledgements

We’d like to thank Kobi Gurkan, John Adler, Nashqueue, and Sanaz Taheri for useful discussions regarding data availability, its requirements, and possible constructions. (On the other hand, any mistakes or silliness in this post are completely ours.)

Citations

  1. [ASB18] Mustafa Al-Bassam, Alberto Sonnino, and Vitalik Buterin. Fraud proofs: Maximising light client security and scaling blockchains with dishonest majorities. CoRR, abs/1809.09044, 2018. ↩︎
  2. [HSW23] Mathias Hall-Andersen, Mark Simkin, and Benedikt Wagner. Foundations of data availability sampling. Cryptology ePrint Archive, Paper 2023/1079, 2023. ↩︎
  3. [HSW24] Mathias Hall-Andersen, Mark Simkin, and Benedikt Wagner. FRIDA: Data availability sampling from FRI. Cryptology ePrint Archive, Paper 2024/248, 2024. ↩︎
  4. [AHIV17] Scott Ames, Carmit Hazay, Yuval Ishai, and Muthuramakrishnan Venkitasubramaniam. Ligero: Lightweight sublinear arguments without a trusted setup. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2087–2104, Dallas Texas USA, October 2017. ACM. ↩︎
  5. [BBHR18] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. Fast Reed–Solomon Interactive Oracle Proofs of Proximity. pages 1–17, 2018. ↩︎
Share
Contents