Announcing GRVT

We’re excited to announce our partnership with GRVT, a Singapore-based crypto exchange built on the first zkSync hyperchain.

GRVT has raised over $9 million and amassed a community of over 500,000 followers. They aim to combine the efficiency of centralized exchanges (CEXs) with the non-custodial features of decentralized exchanges (DEXs). With over 2.4 million waitlist registrations and support from prominent investors like Matrix Partners, Delphi Digital, Susquehanna Investment Group, CMS Holdings, ABCDE, Hack VC, 500 Startups, Folius Ventures, and Matter Labs (developers of zkSync), GRVT is set to offer significant liquidity on day one and a new trading experience for both professional and retail investors.

To make crypto more accessible and user-friendly, GRVT is launching GRVT Wallets within the exchange using Dfns' embedded wallet infrastructure. These non-custodial wallets are secured by state-of-the-art cryptography and NIST-compliant key management ensuring that no GRVT employee can interfere with sensitive user actions such as creating a wallet, transferring funds, or adding new authentication credentials. This is crucial in preventing the commingling of funds and unauthorized asset movements.

“GRVT is designed to prevent another FTX event from happening by never holding client funds. With an easy-to-use Web2 interface, we serve both sophisticated and retail users. Fully self-custodial, GRVT stores funds on smart contracts and further secure our platform with multi-layered Web2 (passwords, 2FA) and Web3 (private keys) controls.”
– Hong Yea, CEO of GRVT.

‍

Lessons learned from FTX

The billion-dollar collapse of FTX was a shocking event for the entire crypto industry. It raised serious questions about the intentions, capabilities, and trustworthiness of every company dealing with digital assets and blockchain technology. This immediate mistrust was a natural reaction to discovering how deceptive FTX had been. From the outside, people thought, "If FTX is a scam, then every crypto company might be." It was devastating.

For a long time, the crypto world has touted "trustlessness" as the ultimate form of trust, ensured not by humans, but by verifiable code and cryptography. This promise quickly crumbled when FTX faced a liquidity crisis and halted all withdrawals because they couldn't provide the funds people had deposited in good faith. The money had been misused by individuals who shouldn't have been trusted. Hopes and dreams were shattered, and we all suddenly realized a harsh truth: social trust is unavoidable.

Once withdrawals were blocked, users realized that FTX was just a traditional exchange platform, possibly even more centralized than say the NASDAQ itself, as it didn't even adhere to the same regulatory requirements. It had the flaws but not the controls of a regulated exchange, which led many to believe that DeFi was doomed from the start. Despite the high public profile of FTX – they even had Miami’s basketball arena named after them – the management, led by Sam Bankman-Fried, ignored accountability and ownership due to their misguided sense of success. The depth of the mismanagement at FTX’s headquarters in the Bahamas is hard to describe, but tweets from CFA Genevieve Roch-Decter and summaries of their Chapter 11 First Day Affidavit provide insight. In the affidavit, John Jay Ray III, the restructuring CEO who managed Enron's bankruptcy, describes FTX's case as the worst of his career.

Many causes of the FTX collapse were due to human greed and incompetence, but technology, or the lack of it, also played a big role. In this post, we'll ignore human behavior and focus on the technical security flaws that caused this collapse, leading the crypto industry to a period of serious reflection. When comparing centralized exchanges (CEX) and decentralized exchanges (DEX), three key aspects are to be considered:

• Custodial Risk: CEXs require users to trust the exchange to secure their assets. If the exchange is hacked or commits fraud, users can lose their funds. DEXs are non-custodial, meaning users control their private keys and funds. Transactions happen directly between users, reducing the risk of losing assets due to exchange issues.
• Transparency: CEXs may lack transparency about their operations, reserves, and processes, leading to trust issues and potential financial instability. DEXs operate on public blockchains, making all transactions and smart contract codes transparent and auditable, which increases trust and security.
• Liquidity Risks: CEXs can face liquidity problems if they mismanage funds or experience sudden large withdrawals. DEXs use automated market makers (AMMs) and liquidity pools to provide liquidity in a decentralized way, reducing the risk of sudden liquidity crunches.

However, while DEXs have many benefits, they also face challenges like scalability issues, higher transaction fees during network congestion, smart contract security risks, limited liquidity, higher user error rates, and other complexities compared to centralized exchanges. The GRVT team asked, "Can we combine the best of both worlds?" That's what they aimed to achieve.

‍

Hybrid exchanges, the new solution?

We now have the chance to learn from our mistakes and improve. Some might say that decentralized exchanges are the solution, as they survived the collapse of the crypto industry caused by FTX. In fact, many DeFi supporters pointed out on X that funds could still be withdrawn from DEXs, proving that DeFi wasn't affected by the FTX failure.

There's no denying: DEXs have emerged as an alternative, allowing users to maintain full control of their funds and (partially) removing the need for intermediaries. However, they have their own challenges. DEXs often struggle with large transactions and complex trades, and they can be confusing and user-unfriendly. They also bring new issues like smart contract vulnerabilities, trade manipulations, and front-running because of the transparent nature of onchain trading data. While DEXs are praised for self-custody and eliminating single points of failure, they also suffer from a poor user experience. Managing private keys, bridging, and depositing funds from external sources are significant barriers to wider adoption by both individual users and institutions.

GRVT wanted to retain the best aspects of centralized exchanges while addressing their shortcomings. This led to the creation of "hybrid exchanges." GRVT is at the forefront of this transformation, challenging the dominance of centralized exchanges with their hybrid exchange model, which combines blockchain security with the efficiency of centralized exchanges. It starts with the launch of Central Limit Orderbook (CLOB) trading for crypto options and perpetuals, and the introduction of Request For Quote (RFQ) trading for derivative combination blocks.

Think of GRVT as a decentralized version of Robinhood, where users have self-custodial funds and wallets like Uniswap. This is achieved through a mix of offchain order matching and onchain settlements. Orders are matched offchain using GRVT's central limit order book with sub-second latency, and trades are finalized onchain for transparency and accuracy, facilitated by smart contracts on zkSync Era, a high-performance Layer-2 blockchain leveraging open-source code. GRVT operates as an appchain using the ZK Stack, connecting to all decentralized applications in the zkSync ecosystem, including other hyperchains via hyperbridge.

The ZK Stack is a gateway for enterprises, platforms and institutions to enter the crypto ecosystem. Its customizable and modular design fosters innovation, with each chain powered by shared provers and fractal scaling. GRVT chose Hyperchains for their high throughput, low latency, and user experience similar to centralized finance while allowing users to self-custody.

GRVT can also scale its infrastructure horizontally by using different orderbooks as dedicated appchains, potentially reaching up to 600,000 trades per second. This addresses a key issue with traditional AMM-style DEXs, where market makers struggle to provide liquidity as they would on a centralized exchange. Additionally, sensitive information like margin balances and liquidations can be hidden using Validiums on a private Hyperchain, storing trading data offchain and encrypting it to prevent front-running and market manipulation.

This setup enables GRVT to compete with Binance in trading speed, liquidity, capital efficiency, fees, and regulatory compliance. Note that GRVT holds a VASP license in Lithuania, a Bermuda license, and is pursuing additional licenses in Europe and the Middle East.

‍

Decentralized finance at the tip of your fingers

GRVT is a small revolution in decentralized finance as they are making it more accessible and user-friendly. Financial freedom and capital efficiency should be easy to achieve in our times. In the 1990s, Apple masterfully showed the world that computers didn’t have to be complicated or unattractive, which sparked a tremendous focus on user experience (UX) for mass adoption. In the same vein, for crypto to grow beyond its current base of ~20,000 engineers and 560 million users (6.8% of the global population), crypto apps must become easier to use.

That's why GRVT is launching GRVT Wallets using Dfns' infrastructure. Now, when you visit grvt.io, you can either connect your existing wallet or create a new one within GRVT without needing to download additional apps.

The difference is huge when you take a moment to pause. New users have to go through several steps: (1) reading about what a wallet is online, (2) choosing from hundreds of options, and (3) setting it up by downloading, securely storing the key and backup, and creating rules to protect their funds. This process might seem like something a Chief Information Security Officer at a bank would do, but it's too complicated for the average user or even a savvy financial expert.

Instead, GRVT simplifies everything. Users just need to enter their email address, scan their face, and bingo, a secure wallet is created. Transferring funds is just as easy: scan your fingerprint, and the money is sent and received in seconds. Adding new beneficiaries, changing settings, or any other sensitive action is straightforward—enter your PIN code, password, or use other two-factor authentication, and you're the only one accessing your crypto funds.

We’re excited to introduce the new GRVT wallet iframe, a groundbreaking development in DeFi. This is the first WebAuthn-based wallet iframe in the industry, created by Dfns with world class engineers and cryptographers over the past two years. It's the most secure, fully PKI-based wallet iframe available, perfect for decentralized applications that want to remain non-custodial and protect user funds. GRVT chose Dfns for our expertise in creating robust key management services, built through extensive testing and experience. The GRVT Wallets have been uniquely designed to safeguard against both external hackers and personal mistakes.

Dfns was founded on the idea that blockchains come with a significant risk of losing digital assets without a way to recover them. Our security approach acknowledges that human errors are inevitable, and both individuals and businesses will frequently lose keys. To encourage blockchain adoption and enjoy their benefits, blockchains should not harshly penalize human mistakes. Therefore, Dfns makes it easier for GRVT developers and users to manage digital assets with confidence. We act as a safety net, providing a margin for error and protection against irreversible mistakes.

Security is complex, so we believe people shouldn't carry keys on devices like phones. Private keys are sensitive and need to be stored in specialized, secure environments per NIST recommendations. This approach makes us rethink traditional digital asset ownership, differing from the original cypherpunk ideas of crypto. Our view on key management opposes the "not your keys, not your coins" belief. We think asset owners should approve asset movements but shouldn't have to safeguard private keys themselves. However, to avoid issues like those that led to the FTX collapse, there are several challenges that need to be properly addressed.

To solve this problem, Dfns has separated key security from governance. For security, we distribute the management of private keys, so no single entity controls them. A network of carefully vetted, secure, and compliant participants is responsible for protecting private keys and authorizing transactions upon asset owners' requests. These participants cannot compromise the network or defy asset owner requests on their own. We use Multi-Party Computation (MPC) to create five partial keys stored in isolated instances within Tier 3+/4 data centers across different regions. The Threshold Signature Scheme (TSS) requires three out of five partial keys to perform operations like creating wallets and signing transactions. To enhance robustness, neutrality, and availability, we regularly integrate independent third-party partners, including private cloud providers, electric utilities, insurance companies, and telcos, into our infrastructure. This careful design prevents Dfns from falling victim to incidents like the  $74 million hack that Fireblocks experienced in 2021, as they prefer letting clients secure keys on their own. 

From a governance perspective, we decided to give clients a unique signing authority through the API instead of directly exposing the private key. To access the private keys, clients must use Dfns' API with passkey authentication. This system maintains control over the key management network, which protects these private keys. We have implemented passwordless login using advanced WebAuthn (W3C/FIDO2) technology, offering options like facial scans, PIN codes, TouchID, and Yubikey, to cater to both individual and institutional needs. This approach not only enhances user experience but also improves security, making wallets easier for users and employees. By using authentication credentials as signing keys, abstracting the private key, we ensure clients retain ownership of their assets in a foolproof way. This dual-layered security model protects against key loss and enhances digital asset management. In simple terms, with GRVT Wallets, you won't lose your private keys if you lose your passkey credentials. The Dfns key management service includes built-in recovery and continuity, providing total peace of mind.

References

• Click-through demo of GRVT (Dfns)
• Matter-labs/zksync-era on GitHub
• Introduction to Hyperchains (Matter Labs)
• Introduction to Validium (Ethereum Foundation)
• Stakehound Accuses Fireblocks of Losing $74M of ETH (The Defiant)
• Fireblocks CEO Denies Negligence In $75 Million Ether Loss (Forbes)
• Recommendation for Key Management: Part 1 (NIST)

‍