Tesseract: Real-Time Cryptocurrency Exchange Using Trusted Hardware


Iddo Bentov (Cornell University), Yan Ji (Cornell University), Fan Zhang (Cornell University), Yunqi Li (SJTU), Xueyuan Zhao (SJTU), Lorenz Breidenbach (ETH Zürich and Cornell Tech), Philip Daian (Cornell Tech), Ari Juels (Cornell Tech)

Abstract

We propose Tesseract, a secure real-time cryptocurrency exchange service. Existing centralized exchange designs are vulnerable to theft of funds, while decentralized exchanges cannot offer real-time cross-chain trades. All currently deployed exchanges are also vulnerable to frontrunning attacks. Tesseract overcomes these flaws and achieves a best-of-both-worlds design by using Intel SGX as a trusted execution environment. Furthermore, by running a consensus protocol among SGX-enabled servers, Tesseract mitigates denial-of-service attacks. Tesseract supports not only real-time cross-chain cryptocurrency trades, but also secure tokenization of assets pegged to cryptocurrencies. For instance, Tesseract-tokenized bitcoins can circulate on the Ethereum blockchain for use in smart contracts. We provide a reference implementation of Tesseract that supports Bitcoin, Ethereum, and similar cryptocurrencies.

1 Introduction

The rise of Bitcoin [54] has spawned many hundreds of other cryptocurrencies as well as application-specific units of value known as crypto “tokens.” This diverse ecosystem of assets has in turn led to a large and dynamic array of cryptocurrency exchanges, platforms that allow users to trade different cryptocurrencies against one another and/or for fiat currencies. At the time of writing, the aggregate daily trading volume of cryptocurrency exchanges exceeds $25 billion.

Unfortunately, cryptocurrency exchanges suffer from a variety of security problems. Currently, the most popular exchanges are centralized, meaning that they hold traders’ assets while trades are executed. Such exchanges support real-time trading and often automatically match buy and sell orders. They are vulnerable, however, to theft of traders’ funds (cf. Section 3.1). In a number of high-profile incidents, funds have been stolen when exchanges were breached or other forms of malfeasance took place, e.g., [25, 6, 38, 52].

Permissionless blockchains, however, are designed specifically to eliminate trust assumptions between transacting parties by avoiding centralization. A trust-free cryptocurrency exchange can be realized for transactions across such blockchains in the form of atomic intra-chain or cross-chain swaps (ACCSs) [16], transactions that exchange cryptocurrencies between pairs (or among sets) of users in a fair, all-or-nothing manner. ACCSs, though, require users to wait many minutes (in fact, often hours) for a trade to execute. Additionally, atomic swaps in general aren’t sufficient to realize an exchange: A mechanism for matching orders or otherwise performing price discovery is also necessary. (Since ACCSs serve as a useful reference point, we elaborate on the concept and its limitations in Section 2.)

The systemic risk of theft in centralized exchanges has led to the rising popularity of decentralized exchanges such as EtherDelta [64] and the soon-to-be-implemented 0x [81], AirSwap [57], and Kyber Network [46]. These systems hold traders’ funds and settle transactions in smart contracts, eliminating the risk of theft in centralized exchanges. Unfortunately, they have other drawbacks. Their on-chain settlement means that they cannot support real-time trading. Additionally, while their use of smart contracts conveys an appearance of trustworthiness, they are vulnerable to various frontrunning attacks by exchanges and other users.

Achieving the best of both worlds has been a standing challenge, but a seemingly elusive one. An ideal cryptocurrency exchange would be real-time like a centralized exchange, meaning that participants can respond to price fluctuations and alter their positions with low latency. It would support even traders that choose to utilize automated programs for high frequency trading and arbitrage (cf. [7]), who may wish to modify their positions in milliseconds. At the same time, such an exchange would be trust-free, protecting against theft in the way that decentralized exchanges do, but also eliminating frontrunning attacks that exploit blockchain latencies.

In this work, we present Tesseract, a cryptocurrency exchange that achieves this ideal set of properties. Tesseract is real time. Traders can rapidly observe the alterations in the buy (a.k.a. “bid”) and sell (a.k.a. “ask”) orders on the exchange, as well as external events (e.g., [85]), then modify their trading positions in milliseconds. By performing fast price discovery, they can drive price convergence so that the gap (a.k.a. “spread”) between the bids and asks is small, leading to efficient markets like those in major financial systems. Tesseract also prevents theft of users’ funds by exchange operators and hackers as well as a variety of frontrunning attacks present in existing cryptocurrency exchanges.

Tesseract relies on SGX, a trusted execution environment supported by an instruction-set architecture extension in recent-model Intel CPUs [1, 34, 51]. SGX allows applications to execute within a protected environment called an enclave that ensures confidentiality and software integrity. It enables Tesseract to behave like a trusted third party, controlling funds without exposing them to theft while preventing frontrunning by the exchange operator. Additionally, Tesseract provides mitigation against denial-of-service (DoS) attacks via a consensus protocol among SGX-enabled nodes.

Tesseract supports cross-chain trading in which assets are exchanged across distinct blockchains. Trades within a single blockchain, e.g., exchange of tokens and Ether within Ethereum, can also be important (cf. [67, 18, 60, 19, 15]). While this use case can be achieved at least in part using smart contracts, a significantly simplified variant of Tesseract can offer the added benefit of real-time trading, which smart contracts cannot support. Tesseract also supports a tokenization scheme that allows pegged tokens to circulate across blockchains, without relying on a human element for security (see Section 7).

The main challenge in the design of Tesseract is dealing with powerful network adversaries. Such adversaries can perform an eclipse attack in which an exchange is presented with fake blockchain data. We show how to address this problem by checkpointing trustworthy blocks within the Tesseract application and having it monitor the cumulative difficulty of newly furnished blocks. A network adversary can also suppress messages / transactions issued by the exchange in an attempt to interfere in on-chain settlement of trades, e.g., permitting partial settlement in which cryptocurrency flows to the adversary from a counterparty but not from the adversary, resulting in the adversary stealing funds. We express a theoretical solution to these network attacks in terms of an ideal functionality called a refundable multi-input transaction (RMIT). RMIT provides a conceptual springboard for securely architecting a secure cross-chain exchange. We present a highly efficient realization of RMIT in Tesseract, in a protocol involving a network of multiple SGX-backed nodes running Paxos. While only one node handles assets directly, others can execute or cancel transactions should the main node fail. This protocol enforces a key fairness property we define called all-or-nothing settlement.

Our security assumptions around Tesseract are quite conservative. We assume that an adversary (potentially the exchange operator) can gain complete physical access to the host in which the funds are stored and complete control of its network connections. We do assume that the code that we run inside the SGX enclave is secure against side-channel attacks [84], but this code is constant-time and constant-memory. In a sense, the Tesseract exchange still relies on a trusted party in the form of the hardware manufacturer, because the private key that resides inside the CPU (and generates signatures for remote attestation) is provisioned by the manufacturer. It can be argued that a weaker yet similar form of trust is required in a practical instantiation of any cryptographic protocol, since the manufacturer may be able to attack the protocol by embedding malicious logic into the hardware. We also, however, incorporate a scheme of double attestation (Section 4.3) that provides an extra layer of defense against a corrupt manufacturer. Thus, Tesseract still requires trust, but to a significantly lesser degree than centralized exchanges and other possible real-time exchange schemes (cf. Section 3).

In summary, our contributions in this paper are as follows:

  • We introduce Tesseract, an SGX-backed cryptocurrency exchange that can support a wide variety of transaction types, with cross-chain trading as its primary application.

  • We consider attacks by powerful network adversaries that may seek to mount eclipse attacks or suppress transactions to achieve unfair settlement and thus theft of funds. We define a key fairness property called all-or-nothing settlement and show how to realize an exchange that achieves this property using as a conceptual building block an ideal functionality called RMIT.

  • We present practical techniques to achieve all-or-nothing settlement in Tesseract. These techniques include within-enclave blockchain monitoring to prevent eclipse attacks and use of a consensus group of SGX-backed nodes that can enforce and/or cancel
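
The eclipse-attack defense sketched in the introduction (a checkpoint held inside the application plus monitoring of the cumulative difficulty of newly furnished blocks) can be modelled as follows. This is an added example, not code from the Tesseract authors; the toy header layout, the `max_target` floor and the `is_final` threshold are assumptions, and the model follows a single chain without reorganisations.

```python
import hashlib
from dataclasses import dataclass

# Simplified model: toy header layout and integer targets, not Bitcoin's wire format.
@dataclass(frozen=True)
class Header:
    prev: bytes    # hash of the parent header
    body: bytes    # stands in for merkle root, timestamp, etc.
    target: int    # header hash must be <= target
    nonce: int

    def hash(self) -> bytes:
        raw = (self.prev + self.body + self.target.to_bytes(32, "big")
               + self.nonce.to_bytes(8, "big"))
        return hashlib.sha256(hashlib.sha256(raw).digest()).digest()

def work(target: int) -> int:
    """Expected number of hash attempts needed to meet `target`."""
    return (1 << 256) // (target + 1)

def mine(prev: bytes, body: bytes, target: int) -> Header:
    """Brute-force a nonce; only used to construct sample data."""
    nonce = 0
    while int.from_bytes(Header(prev, body, target, nonce).hash(), "big") > target:
        nonce += 1
    return Header(prev, body, target, nonce)

class CheckpointedChain:
    """Accepts only headers that extend a hardcoded checkpoint with real work."""
    def __init__(self, checkpoint: bytes, max_target: int):
        self.tip = checkpoint
        self.max_target = max_target        # assumed policy: easiest target allowed
        self.cum_work = 0
        self.work_at = {checkpoint: 0}      # cumulative work up to each known block

    def add(self, h: Header) -> None:
        if h.prev != self.tip:
            raise ValueError("does not extend the verified tip")
        if h.target > self.max_target:
            raise ValueError("difficulty below accepted floor")
        if int.from_bytes(h.hash(), "big") > h.target:
            raise ValueError("invalid proof of work")
        self.cum_work += work(h.target)
        self.tip = h.hash()
        self.work_at[self.tip] = self.cum_work

    def is_final(self, block: bytes, required_work: int) -> bool:
        """True once `required_work` has been mined on top of a known block."""
        return block in self.work_at and self.cum_work - self.work_at[block] >= required_work
```

A header that is cheap to forge fails the target floor, and a block containing a deposit is treated as settled only after enough work has accumulated on top of it, so feeding the verifier fake chain data costs the adversary real mining effort.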
