Everstrike features a Trustless Withdrawal operation. Trustless Withdrawal is a 100% permissionless and 100% censorship-resistant withdrawal type, which does not require the cooperation of the operator of Everstrike. Trustless Withdrawal relies on an innovative innocent-until-proven-guilty model. To submit a Trustless Withdrawal, the user is required to present an up-to-date state receipt. The state receipt is a simple data structure that contains the following properties:
- Nonce
- User Signature
- Operator Signature
- User Balance
- User Positions
The user is issued a new state receipt after performing (or being subject to) an operation that modifies the user's balance. These operations include (but are not limited to) the following:
- Order submission
- Order cancellation
- Trade
- Funding Transaction
- Deposit
- Withdrawal
Consider the state receipt a rolling agreement between the user and the operator of Everstrike, on the current balance and positions of the user.
When the user wants to initialize a Trustless Withdrawal, they simply submit their latest state receipt to the Everstrike.sol contract on the blockchain. Also included in the request is their desired withdrawal amount. Now the operator is granted 24 hours to prove that the user is behaving fraudulently. To do so, the operator needs to present a state receipt with a higher nonce than the one provided by the user. If the operator manages to do so, the Trustless Withdrawal is cancelled, and the user is punished with a Dishonesty Fee (100 USDT, or 10% of the withdrawal amount, whichever is higher). If the operator cannot present a state receipt with a higher nonce prior to the deadline, the Trustless Withdrawal is declared a success, and Everstrike.sol processes the withdrawal on behalf of the user.
While Trustless Withdrawal is completely trustless and censorship-resistant, there are some inherent restrictions associated with the operation:
- After submitting the Trustless Withdrawal, the user cannot trade until at least one of the following is true: 1) the operator has approved the withdrawal, or 2) the 24-hour deadline is up. If the user decides to trade prior to this, the operator is granted a chance to declare the Trustless Withdrawal invalid, and claim the Dishonesty Fee from the user.
- Cross Margin cannot be active while a Trustless Withdrawal is processing. If the user has open positions, the user is encouraged to switch to Isolated Margin prior to initializing the Trustless Withdrawal operation.
- The state receipt must have an up-to-date nonce. This prevents the user from re-using expired state receipts.
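The challenge window described above, modelled off-chain as an added example (this is not Everstrike.sol or any code from the project). It assumes HMAC with constructed demo keys as a stand-in for the wallet signatures, integer USDT amounts, and that the requested amount may not exceed the receipt's balance; the names Receipt, issue and TrustlessWithdrawal are hypothetical.

```python
import hashlib, hmac, json
from dataclasses import dataclass

CHALLENGE_WINDOW = 24 * 3600   # seconds the operator has to respond
# Constructed demo keys. HMAC stands in for the wallet signatures (assumption).
USER_KEY, OPERATOR_KEY = b"demo-user-key", b"demo-operator-key"

@dataclass
class Receipt:
    nonce: int
    balance: int        # USDT
    positions: dict
    user_sig: str = ""
    operator_sig: str = ""

def sign(key, r):
    body = json.dumps([r.nonce, r.balance, r.positions], sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue(nonce, balance, positions=None):
    """Build a receipt signed by both parties (hypothetical helper)."""
    r = Receipt(nonce, balance, positions or {})
    r.user_sig, r.operator_sig = sign(USER_KEY, r), sign(OPERATOR_KEY, r)
    return r

def fully_signed(r):
    return (hmac.compare_digest(r.user_sig, sign(USER_KEY, r)) and
            hmac.compare_digest(r.operator_sig, sign(OPERATOR_KEY, r)))

def dishonesty_fee(amount):
    return max(100, amount // 10)   # 100 USDT or 10%, whichever is higher

class TrustlessWithdrawal:
    def __init__(self, receipt, amount, now):
        # Assumption: the amount may not exceed the receipt's balance.
        if not fully_signed(receipt) or amount > receipt.balance:
            raise ValueError("invalid receipt or amount")
        self.receipt, self.amount = receipt, amount
        self.stake = dishonesty_fee(amount)   # staked up front
        self.deadline = now + CHALLENGE_WINDOW
        self.state = "pending"

    def challenge(self, newer, now):
        """Operator presents a receipt with a higher nonce before the deadline."""
        if (self.state == "pending" and now < self.deadline
                and fully_signed(newer) and newer.nonce > self.receipt.nonce):
            self.state = "cancelled"          # stake is claimed by the operator
        return self.state

    def finalize(self, now):
        if self.state == "pending" and now >= self.deadline:
            self.state = "paid"               # withdrawal paid, stake reimbursed
        return self.state
```

A withdrawal opened with a stale receipt is cancelled as soon as a doubly signed receipt with a higher nonce is presented inside the window, while an up-to-date receipt survives every challenge and is paid out at the deadline.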
Order Flow
Prior to submitting a new order, the user must sign a state receipt presented by the operator. The operator must not accept the order prior to the user signing the receipt, or the user could potentially trick the operator.
Once the state receipt has been signed, and the order has been accepted by the operator, the operator will sign the receipt themselves, and deliver a copy of the signed receipt to the user.
The signed receipt will be stored in three places:
- Locally, on the user's device
- With the operator
- Within Everstrike.sol
If the user loses their receipt, they can simply retrieve it from the operator. If the operator refuses to provide the receipt, they can retrieve it from the blockchain, by interacting directly with Everstrike.sol.
Trustless Withdrawal Abuse
To prevent abuse of the Trustless Withdrawal operation (flooding the operator with requests, and making it impossible for the operator to disprove all of the requests in time), each Trustless Withdrawal requires the user to stake a Dishonesty Fee. The Dishonesty Fee remains staked until the Trustless Withdrawal is successfully completed, after which it will be reimbursed to the user. If the Trustless Withdrawal is declared invalid, the Dishonesty Fee is claimed by the operator. The Dishonesty Fee is set to 10% of the withdrawal amount, or 100 USDT, whichever is higher. Trustless Withdrawal is also subject to a non-refundable Withdrawal Fee of 20 USDT.
Why does Trustless Withdrawal work?
The state receipt constitutes a rolling agreement between the user and the operator on the balance and positions of the user. The user is guaranteed to always be able to claim the balance amount specified in the latest state receipt. Simultaneously, the Dishonesty Fee incentivizes the user to act in an honest way, and not to disrespect the Trustless Withdrawal process by claiming more than they are entitled to.
Should the user always use Trustless Withdrawal?
It is important to note that Trustless Withdrawal is an escape hatch. As long as the operator acts in good faith, it is not needed. It is only when the operator acts fraudulently, and censors specific withdrawals, that the user is required to use Trustless Withdrawal.
What are the risks of using Trustless Withdrawal?
From a user POV, the only risk is that you accidentally sign a new state receipt prior to the Trustless Withdrawal completing. The Everstrike frontend will make it impossible for you to do so.
What is the minimum Trustless Withdrawal?
Due to the fees involved (20 USDT non-refundable Withdrawal Fee, and 100 USDT fully-refundable Dishonesty Fee), Trustless Withdrawals are not designed for smaller amounts. It is recommended to use Trustless Withdrawal only for amounts exceeding 100 USDT, and only when you really need it (i.e. when the operator is suspected to be behaving maliciously).
Can Trustless Withdrawal be extended to other operations, such as Unstaking?
Yes. Everstrike V2 will also feature a Trustless Unstaking (Redemption) operation. The operation will work in the same way as Trustless Withdrawal. Any operation that relies on the cooperation of the operator can be made Trustless.
What about UX? Will I need to sign every order?
Optionally, you can grant the operator access to a session key. This is a short-lived and revocable key that will allow the operator to sign orders on your behalf. You can customize the session key with fine-grained permissions and duration, and if you believe the operator is behaving maliciously, you can instantly revoke it. Enabling the session key functionality provides superior UX at a (slight) decrease in security.
The operator won't issue me a state receipt
If the operator refuses to issue you a new state receipt, you should stop trading immediately, and begin a Trustless Withdrawal as soon as possible (using your latest state receipt). It may be a sign that the operator intends to act maliciously.
Can the operator sign a state receipt on my behalf?
No. The operator never has access to your private key. The operator has your public key, which allows them to verify that you signed a specific state receipt. The public key is also stored within Everstrike.sol, on the blockchain. Your private key lives locally within your wallet, and is never disclosed to third parties.
What prevents the operator or the user from faking a state receipt?
The state receipt must be signed by both the user and the operator.
Can someone else start a Trustless Withdrawal on my behalf?
No. Initializing a Trustless Withdrawal requires access to your private key, which only you have access to.