TL;DR

Utilizing publicly available cryptographic information to confirm identity and enable decentralized administration of financial transactions has numerous benefits - not least of which is the lack of a centralized honey-pot of user login credentials, which are frequently exposed to attackers and nefarious actors, with significant costs to end users. 

Problem statement

Many exchanges and platforms hold onto passwords and similar secrets in databases that have a frustrating tendency of suffering security vulnerabilities; essentially because some private key exists somewhere that gives admin, read or create/update/delete access to the database. 

APIs enable businesses to seamlessly integrate and share data with one another; they also present the risk of a very efficient means of siphoning sensitive data away from it’s rightful owners in the event of the keys becoming publicly visible or otherwise in the hands of those looking out for their own interests as opposed to those of the data owners. 

Towards the end of 2022 crypto trading firm 3Commas suffered a massive API key leak via a hack. Some 100,000 API keys were published online and 3Commas CEO confirmed that these keys were indeed obtained from their service. This hack would cost traders on the platform something of the order of $22 million. Enabling the execution of cryptocurrency transactions via the issuance of API keys, coupled with a centralized repository of such keys, is a recipe for disaster. 

Solution

A trading platform/exchange in which even the marketplace’s frontend never sees the API secret. The Deepwaters exchange API will enable market participants to engage in various transactions on Deepwaters, such as placing an order or canceling a position. When users interact with the Deepwaters exchange API, their browser is used to generate a secret (private) key (which is never sent to the Deepwaters backend!). Anyone so inclined as to inspect Deepwaters’ front-end code can verify this fact, providing there is also some working knowledge of the basics of public key cryptography. 

So although it is very possible to configure the Deepwaters platform such that a user can manually input their own API key, which they manage independently, this is not how the exchange will initially be setup - instead users will benefit from browser generated API keys which are kept secret even from the Deepwaters backend. 

Alternative Forms of Key Generation

While private keys can be generated in any number of ways, a common approach is to use something called a Hierarchical Deterministic (HD) Wallet. An HD wallet essentially works by starting from a seed phrase (often 12) random words which are each mapped to one of ~2047 numbers. Ordered combinations are called permutations in mathematics and the number of possible such outcomes for selecting 12 random words, in a specific order, from 2047 is functionally high enough to provide these wallets with a meaningful degree of security. 

Deepwaters API secrets take the same form as private keys (similar to those mapping to Ethereum or Bitcoin addresses). 

The Deepwaters exchange API can in theory be configured such that the user can bring us an API key for which they have, and keep, the secret. The user proves to Deepwaters that they have the API secret by signing a message, via the following flow:

  • The message that the user (preprocessed and) signed,

  • The signature made using the API secret == secp256k1 private key,

  • The API key == Ethereum-style address associated with the API secret,

The API Key can be registered to the user. 

Keep it Secret, Keep it Safe

Regardless of the exact mechanics used to instantiate the Deepwaters API, the unchanging element of the implementation is going to revolve around provably private keys. Without a centralized honeypot of sensitive, and powerful, user data, the Deepwaters platform stands to prove itself considerably more secure than well-adopted market participants hence. 

Sign up for our newsletter.