Session 7B: Blockchain III CCS ’19, November 11–15, 2019, London, United Kingdom Tesseract: Real-Time Cryptocurrency Exchange Using Trusted Hardware Iddo Bentov Yan Ji Fan Zhang Cornell Tech Cornell Tech Cornell Tech Lorenz Breidenbach Philip Daian Ari Juels ETH Zürich and Cornell Tech Cornell Tech Cornell Tech ABSTRACT are executed. Such exchanges support real-time trading of various We propose Tesseract, a secure real-time cryptocurrency exchange cryptocurrencies and fat currencies. They are vulnerable, however, service. Existing centralized exchange designs are vulnerable to to theft of traders’ funds (cf. Appendix A.1). In a number of high- theft of funds, while decentralized exchanges cannot ofer real-time profle incidents, funds have been stolen when exchanges were cross-chain trades. All currently deployed exchanges are also vul- breached or other forms of malfeasance took place [21, 46, 67, 76]. nerable to frontrunning attacks. Tesseract overcomes these faws Permissionless blockchains, however, are designed specifcally to and achieves a best-of-both-worlds design by using a trusted exe- eliminate trust assumptions between transacting parties by avoid- cution environment. The task of committing the recent trade data ing centralization. A trust-free cryptocurrency exchange can be to independent cryptocurrency systems presents an all-or-nothing realized for transactions across such blockchains in the form of fairness problem, to which we present ideal theoretical solutions, atomic intra-chain or cross-chain swaps (ACCSs) [31, 59], transac- as well as practical solutions. Tesseract supports not only real-time tions that exchange cryptocurrencies between pairs of users in a cross-chain cryptocurrency trades, but also secure tokenization of fair, all-or-nothing manner. ACCSs, though, require users to wait assets pegged to cryptocurrencies. For instance, Tesseract-tokenized many minutes (in fact, often hours) for a trade to execute. Addition- bitcoins can circulate on the Ethereum blockchain for use in smart ally, atomic swaps in general aren’t sufcient to realize an exchange: contracts. We provide a demo implementation of Tesseract that a mechanism for matching orders or otherwise performing price supports Bitcoin, Ethereum, and similar cryptocurrencies. discovery is also necessary. Since ACCSs serve as a useful reference point, we elaborate on the concept and its limitations in Appendix B. KEYWORDS The systemic risk of theft in centralized exchanges has led to the rising popularity of exchanges such as EtherDelta [92], Cryptocurrency Exchanges; Frontrunning; Trusted Hardware decentralized 0x [107], and Kyber Network [70]. These systems hold traders’ funds ACM Reference Format: and settle transactions in smart contracts, eliminating the risk of Iddo Bentov, Yan Ji, Fan Zhang, Lorenz Breidenbach, Philip Daian, and Ari theft in centralized exchanges. Unfortunately, they have other draw- Juels. 2019. Tesseract: Real-Time Cryptocurrency Exchange Using Trusted backs. Their on-chain settlement means that they cannot support Hardware. In 2019 ACM SIGSAC Conference on Computer and Communi- real-time trading. Moreover, while their use of smart contracts cations Security (CCS ’19), November 11–15, 2019, London, United Kingdom. conveys an appearance of trustworthiness, they are vulnerable to ACM, New York, NY, USA, 19 pages. https://doi:org/10:1145/3319535:3363221 various frontrunning attacks by miners and other users [40]. 1 INTRODUCTION Achieving the best of both worlds has been a standing challenge, but a seemingly elusive one. An ideal cryptocurrency exchange The rise of Bitcoin [81] has spawned many hundreds of other cryp- would be like a centralized exchange, meaning that par- tocurrencies as well as application-specifc units of value known as real-time ticipants can respond to price fuctuations and alter their positions crypto “tokens.” This diverse ecosystem of assets has in turn led to with low latency. It would support even traders that utilize auto- a large and dynamic array of cryptocurrency , platforms exchanges mated programs for high frequency trading and arbitrage (cf. [22]), that allow users to trade diferent cryptocurrencies against one who may wish to modify their positions in fractions of a second. another and/or for fat currencies. At the time of writing, the ag- At the same time, such an exchange would be , protecting gregate daily trading volume of cryptocurrency exchanges exceeds trust-free against theft in the way that decentralized exchanges do, but also $10 billion. eliminating frontrunning attacks that exploit blockchain latencies. Unfortunately, cryptocurrency exchanges sufer from a variety In this work, we present Tesseract, a cryptocurrency exchange of security problems. Currently, the most popular exchanges are that achieves this ideal set of properties. Tesseract is . , meaning that they hold traders’ assets while trades real time centralized Traders can rapidly observe the alterations in the buy (a.k.a. “bid”) Permission to make digital or hard copies of all or part of this work for personal or and sell (a.k.a. “ask”) orders on the exchange, as well as external classroom use is granted without fee provided that copies are not made or distributed events (e.g., [112]), then modify their trading positions in millisec- for proft or commercial advantage and that copies bear this notice and the full citation on the frst page. Copyrights for components of this work owned by others than ACM onds. By performing fast price discovery, they can drive price con- must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, vergence so that the gap (a.k.a. “spread”) between bids and asks to post on servers or to redistribute to lists, requires prior specifc permission and/or a fee. Request permissions from [email protected]. is small, leading to efcient markets like those in major fnancial CCS ’19, November 11–15, 2019, London, United Kingdom systems. Tesseract also prevents theft of users’ funds by exchange © 2019 Association for Computing Machinery. operators and hackers as well as a variety of frontrunning attacks ACM ISBN 978-1-4503-6747-9/19/11...$15.00 present in centralized and decentralized exchanges. https://doi:org/10:1145/3319535:3363221 1521 Session 7B: Blockchain III CCS ’19, November 11–15, 2019, London, United Kingdom Tesseract supports cross-chain trading in which assets are ex- within-enclave blockchain monitoring to prevent eclipse attacks changed across distinct blockchains. Trades within a single block- and use of a consensus group of TEE-backed nodes that can chain, e.g., exchange of tokens and Ether within Ethereum, can also enforce and/or cancel transactions in the case that the main be important (cf. [36, 37, 88, 93]). While this use case can be achieved (asset-holding) exchange node becomes unavailable. at least in part using smart contracts, a signifcantly simplifed vari- • We implement proof-of-concept of Tesseract, describing our pa- ant of Tesseract can ofer the added beneft of real-time trading, rameter and design choices. which smart contracts cannot support. Tesseract also supports a tokenization scheme that allows pegged tokens to circulate across 2 THE TESSERACT DESIGN blockchains, without relying on a human element for security (see In this section we frst specify our assumptions and then present an Appendix E). overview of the operation of Tesseract, describing how it achieves Tesseract relies on a trusted execution environment (TEE, cf. [87, its security and performance goals. Specifcally, Section 2.3 presents 115]). This technology allows applications to execute within a pro- defense against powerful network adversaries that can eclipse the tected environment called an enclave, that ensures confdentiality host; Section 2.4 gives the mechanism that prevents malicious ad- and software integrity. It enables Tesseract to behave like a trusted ministrators from mounting frontrunning attacks; Section 2.5 gives third party, controlling funds without exposing them to theft while a defense-in-depth mitigation to TEE attestation failures. preventing frontrunning by the exchange operator. Our security and trust assumptions are quite conservative, cf. Section 2.1. Our reference implementation is built using SGX, which provides 2.1 Threat Model a TEE via an instruction-set architecture extension in recent-model The Tesseract exchange achieves its security and performance goals Intel CPUs [14, 60, 61, 75]. While side-channel attackss [110] on SGX by relying on a trusted execution environment (TEE), i.e., a hardware have been demonstrated, prominently Foreshadow [106] (that was architecture that enables code execution in an isolated, tamper-free later patched [39]), TEE technologies evolve as well. In particular, environment. The TEE can also attest [61] that an output represents the Keystone project [62] is developing an open-source TEE. the result of such an execution, and allows remote users to make The main challenge in the design of Tesseract is dealing with sure that the attestation is correct. The remote attestation feature is powerful network adversaries. Such adversaries can perform an essential for Tesseract, for reasons that will soon become clear. We assume a strong network adversary (potentially the exchange eclipse attack in which an exchange is presented with fake block- chain data. We show how to address this problem by checkpointing operator) that can gain complete physical access to the host in trustworthy blocks within the Tesseract application