Following the collapse of Terra in May of 2022, cryptocurrency markets experienced a period of extreme fear. The talk was ‘contagion’ as institution after institution appeared to have been exposed to Terra in ways that left them underwater. One of the largest such institutions was Celsius. Besides participating heavily in Terra, they also took part in a wide array of other DeFi applications, including on-chain lending markets on Ethereum. Their lending positions and liquidation levels were publicly viewable and publicized. This is not unique to Celsius: all liquidation levels on Ethereum and other blockchains are out in the open. While this level of transparency can be a boon to markets in turmoil, it can also create unfavorable adversarial dynamics. It influences market participants in hard-to-predict ways and gives a clear target to liquidation hunters to attempt to push the price towards in order to profit off liquidations.
Using Configurable Asset Privacy (CAP), we can design a new type of lending market that shields users’ collateral, allowing them to protect their liquidation threshold from the public, trading off some transparency so the system might more resilient to manipulation. This lets us retain the advantages of having over-collateralized protocols that are safe from going under-water while reducing the surface area of attack for would-be market manipulators.
An overview of a CAP-enabled lending
A lending protocol called CAP2Lend (C2L) opens a lending market using CAP with private participants and collateral with shielded value, with the option of configuring viewing capabilities for select users. C2L has two markets, one for USD tokens and one for Ethereum tokens. Lenders can supply liquidity to C2L by depositing either shielded or unshielded tokens, which other users can borrow from. Borrowers can deposit shielded tokens as collateral into C2L in order to take out a loan. As in most DeFi lending markets such as Aave or Compound, loans must abide by a loan-to-value ratio (LTV) when being opened and risk liquidation when their collateral reaches a certain threshold set by the protocol. Because collateral is shielded, this liquidation threshold is private within C2L.
To enable C2L to function without defaulting on loans a couple more steps are added to the lending protocol. First, a user provides a zero-knowledge proof (ZKP) that they have enough collateral to satisfy the LTV ratio during their loan origination process. The user also provides a range proof showing that their liquidation threshold is below a certain price point. This process is illustrated in the flowchart below.
The protocol now knows a users’ loan is safe up to some level provided by the range proof. If this level is reached, a user has two options. They can either provide a new range proof with a level closer to their actual liquidation threshold or they can repay their loan. Failure to do either of these will result in the users’ collateral being programmatically frozen and the application minting a minimum amount of tokens back to the protocol to make lenders whole. To achieve the best privacy, a user would always increment their range proof by 1 right before their level is reached, however for better usability they may want to increment by a larger amount to reduce the frequency with which they need to provide new range proofs.
For example, in the diagram below, if a user fails to provide a new range proof once the Eth price hits $900, their collateral will be frozen. We can then know they had at least enough collateral to not be liquidated until Eth hit $900. In this scenario, the application would mint around 0.061 Eth, or about $55 worth, to repay the lenders and pay out a small bonus to whomever reported the position. The remaining 0.039 Eth remains frozen but can be unlocked if the borrower chooses to reveal their exact position.
To summarize, this was a high-level overview of a lending market that can support shielded collateral and protected liquidation levels. With some extra steps it is possible to allow re-hypothecation of a fraction of collateral which is known via range proofs published by borrowers in C2L, thereby increasing capital efficiency to be more competitive with other lending markets in terms of borrowing costs.
Espresso Systems, which launched a product called CAPE (Configurable Asset Privacy for Ethereum) earlier this year, is creating an ecosystem for blockchain applications with flexible privacy. Whether you are a developer, VASP, regulatory agency, analytics service, or general user of blockchain privacy tools, please get in touch if you are interested in learning more about how we can meet the needs of both privacy and risk management or exploring collaboration. Follow us on Twitter or join us on Discord for more.