RenVM, the burgeoning cross-chain value transfer protocol, is apparently a lot less decentralized than its users thought.
Security analysts and renBTC users started asking questions yesterday in response to an August 26 Medium post by Wanchain editor Ni Li outlining alleged contradictions between the RenVM documentation and the actual operations of the protocol.
The upshot? Although RenVM says it is “powered by decentralized virtual machines,” all of the user funds for the project—more than 9,000 Bitcoin—sit in a single wallet controlled by the RenVM team. Moreover, the company currently controls all the nodes in its network, as it is still transitioning away from a centralized system.
But as of today, can you acknowledge that $100m+ of BTC is being entrusted to you personally and the other humans of Ren?
You could, **theoretically**, collude tonight to take the 9000 BTC and disappear into the night? We are just trusting you not to?
— Chris Blec (@ChrisBlec) August 26, 2020
Some users allege that level of access increases risks from hacking or malicious activity by the Ren team, allowing them to make off with the funds in question. Since the company currently controls all of the nodes in the project, it also makes an enticing target for hackers looking for a quick buck.
The Wanchain post revealed that while Ren documentation suggested that cross-chain asset accounts are periodically changed to enhance security, the renBTC locking account has never been changed, and even the Ren team admits they have full control over the funds.
The Ren team responded today with a Medium post of their own, outlining the path laid out for achieving decentralization while navigating the risks and challenges of setting up brand-new technology responsible for hundreds of millions in crypto value. Ren says it is strongly incentivized to operate in good faith until it can transition to the more decentralized structure it’s planned all along.
In the Ren response, CTO Loong Wang concedes that the Ren team does in fact run all of the nodes in the protocol’s “Greycore,” a network built to distribute digital asset holdings to reduce the risk of theft or exploitation. The post states that five or more nodes in the network of 13 distributed around the globe would need to be compromised for malicious actors to gain access to any funds.
That part actually is not new. A company blog post from March indicated that it planned to run its own nodes for two epochs so that it could respond quickly to any security failures. Ren has plans to distribute nodes in the Greycore network to industry players including Polychain Capital, Infinite Capital, and Curve Finance at an undetermined point in the future.
More broadly, the Ren post argues that the centralized nature of the protocol has generated better outcomes for developers and users getting to know the relatively new system. Moreover, it says that full decentralization does not automatically equal greater security.
In an email to Decrypt, a Ren team member noted that, with regard to the Wanchain report, “There are a few very important technical nuances regarding sMPC and how a network (of nodes) can control one private key via sMPC.”
He explained, “The important part about sMPC tech is that no one node knows the private key, the info is hidden from everyone, including the nodes themselves.”
Furthermore, in terms of the node operation, he said, “We’ve had our phase documentation published and started conveying this to our users in Sept. 2019…The fact that Wanchain was not aware of our key rotation mechanism or how sMPC works (with one private key address), could be seen as negligence.”
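The two claims above (no single node knows the key, and five of the 13 nodes must be compromised) can be illustrated with a 5-of-13 Shamir secret-sharing split; this is an added example, not Ren's code, and Shamir sharing is used here as a simple stand-in for RenVM's sMPC, which the article does not detail. The names `split`, `reconstruct` and `demo` are hypothetical, the key is a constructed sample, and a production sMPC signing protocol would not reassemble the key on one machine as `reconstruct()` does.

```python
import secrets

# Prime field: the secp256k1 group order, the range Bitcoin private keys live in.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
N_NODES, THRESHOLD = 13, 5  # figures quoted in the article


def split(secret, n=N_NODES, t=THRESHOLD):
    """Return n shares (x, y) of a random degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange-interpolate f(0) from the given shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo():
    """Split a constructed sample key, then try to recover it from 5 and from 4 shares."""
    rng = secrets.SystemRandom()
    key = secrets.randbelow(P - 1) + 1  # constructed sample key, not a real one
    shares = split(key)
    five = reconstruct(rng.sample(shares, THRESHOLD))
    four = reconstruct(rng.sample(shares, THRESHOLD - 1))
    return key, five, four


if __name__ == "__main__":
    key, five, four = demo()
    print("any 5 shares recover the key:", five == key)
    print("any 4 shares recover the key:", four == key)
```

The threshold only protects funds if the shares sit with independent parties; when one operator runs all 13 nodes, as the article describes, that operator holds enough shares by definition.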
Problems coordinating responses to protocol design flaws can lead to user losses, as with Yam Finance and tBTC earlier in 2020. Ren argues that projects like Compound, which was built and tested with a centralized team and only later distributed governance to its users, have a better chance of surviving long-term.
Ren has grown rapidly in popularity in the world of DeFi through its renBTC cross-chain bridge, which uses smart contracts and (eventually) decentralized custody to secure cross-chain transfers. RenBTC supply (the amount of Bitcoin locked in the Ren system) grew more than 200% in August, and the protocol recently scored an integration with web-based MyEtherWallet alongside current DeFi king Aave.
Editor’s note: This article has been updated to include comments from Ren.