[feature] Cold Vaults
# Overview
Cold Vaults are wallets (which could be a Ledger or Trust Wallet) that secure exogenous capital for THORChain. These wallets contribute to network security (bond) and allow a higher value of TVL by reducing the amount of capital a sybil attack can steal (as funds are moved from Asgard aka "hot wallets" to "cold wallets"). In fact, it's possible that the value of the exogenous capital can exceed the value of the validator bond and still remain economically secure. Cold vaults can only interact with active Asgard vaults (to and from), and any gas spent to send/receive funds is paid for by the cold vault bond.
90% of the funds of liquidity pools are not needed day-to-day (10% required for +/- 20% price changes). This system simply offshores some ratio (50%) of pool capital to remotely-secured cold vaults, using interest rates to claw back funds when required to top up hot vaults. All vaults are secured 2:1 or greater via a bond; if required, the bond can be liquidated back to the L1 asset, skipping the cold vault's participation.
In other words, cold vaults allow RUNE holders to earn RUNE on their RUNE with no technical requirement and a low capital requirement.
Participation
Individuals bond with RUNE, and the network sends at most 50% of that bond value back to the user in L1 asset. The user can opt for a higher ratio, i.e. 3:1, if desired.
e.g. the memo
cold:BTC.BTC:bc1xxxx:5000
sent with MsgDeposit/THOR.RUNE means they are bonding RUNE, with L1 BTC sent back to their BTC address, and would be 200% secured.
The more L1 asset they are securing, the more rewards they earn. There is a liquidation risk if the bond:vault value drops to 110% (mimir limit). Operators can bond more or send back some of their L1 asset to an active Asgard vault (no memo is required, as the network will identify the address as a cold vault and infer intent; Savers are not permitted from Cold Vaults).
Cold Vault Operators have near-zero technical requirements (you don't have to run any hardware/software at all) and a low min bond size (10k RUNE? TBD). (Don't want the number of cold storage wallets to be so large that it becomes a drain on the network to track that many addresses.)
Security
This concept makes Asgard(s) the "hot wallet", and this new system the isolated "cold wallet" of the network. The protocol itself cannot instruct Cold Vaults to send funds back (thus cannot attack Cold Vaults, like Asgards can attack Asgards/Yggdrasils). The Cold Vaults are 100% offline. Vault Operators only manage interest rates and liquidation risk passively, deciding when and how to send funds back to Asgards, or to top up.
The balance between hot vs cold is controlled by rewards (incentive pendulum). The less of an asset that hot storage has, the less the rewards to store it in cold storage. Operators can even have negative interest rates if cold storage > hot storage.
Rewards
Bond rewards would be split into two buckets (hot and cold vault rewards). The first bucket, hot rewards, goes to validators (functions the same as it does today). This bucket always starts with 50% of the bond rewards. The second half is divided between the first and second buckets. This division is based on how much exogenous capital is in hot vs cold storage.
- 100% hot, 100% rewards for cold storage, 0% for validators
- 50% hot, 0% rewards for cold storage, 100% validators
- 0% hot, -100% rewards for cold, 100% validators, 100% reserve
This math is calculated on a per-gas asset basis.
Yield Math
Positive Yield
```
# T   = total bond reward
# R   = total pooled rune
# r   = total rune in a specific pool
# H   = asset in hot wallets (asgard) (in asset)
# C   = asset in cold wallets (in asset)
# bal = balance of cold assets (in basis points)
# b1  = validator rewards
# b2  = cold node rewards

# calculate the amount of bond rewards applied for this asset
reward = (T / (10_000 / bal)) / (R / r)
b2 = max(reward - (reward / (((H + C) / (10_000 / bal)) / H)), 0)
b1 = T - b2

# calculate specific cold node rewards
# o = amount of asset specific cold node has
# O = amount of total asset in all cold nodes
cold_node_reward = b2 / (O / o)
```
Negative Yield
TODO
Interest Rates
In addition to the Cold/Hot Pendulum of rewards, each individual vault is charged an interest rate when its collateralization ratio is 200% or below. The sum of Interest Rate + Rewards is the total reward received.
- 200%: 0% interest Rate (so rewards are full)
- 110%: -100% interest Rate.
Their bond is decremented every evaluation cycle. This pushes every Cold Vault to be maintained at 2:1, with an increasing urgency to top up as it approaches the liquidation point of 110%.
Liquidation
If the value of the bond is 110% or lower than the value of the vault asset, the network liquidates the bond into the reserve, then sends the value of the asset into the pool (as RUNE). This causes the L1 asset to be overvalued in the pool, causing an inflow of new L1 assets into Asgard from Arb Bots, topping up the missing value:
- Cold Vault: L1 value 0'd
- Bond: Sold into RUNE, 0'd
- Reserve: +RUNE from bond value
- Reserve: -RUNE from vault value
- Pool: +RUNE from vault value (L1 now overvalued)
- Asgard: +L1 into Hot Vaults (from arbs)
For highly performant, fast, single-block liquidations, cold storage vaults maintain a record in the kvstore where the ratio between asset and bond is the key value (which is always 18 characters long, so that iterating alphabetically is the same as iterating numerically):
vn/BTC.BTC/0019485757
The network would iterate over this "directory" per asset, and break when it reaches a cold storage vault that doesn't need to be liquidated. This means the network is only doing one lookup per pool + number of liquidations (which is very efficient).
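The ordered-key scan described above, sketched in Go as an added example (it is not THORChain's own code). The ten-digit width follows the sample key; the basis-point unit, the `entry` type, the vault addresses and the 11000 (110%) threshold are assumptions or constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const ratioWidth = 10 // assumption: digit count taken from the sample key

type entry struct{ key, vault string } // one kvstore record (hypothetical layout)

// ratioKey zero-pads the bond:vault ratio so byte order equals numeric order.
func ratioKey(asset string, ratioBps uint64) string {
	if ratioBps > 9_999_999_999 { // clamp so the key width never grows
		ratioBps = 9_999_999_999
	}
	return fmt.Sprintf("vn/%s/%0*d", asset, ratioWidth, ratioBps)
}

// liquidatable returns the vaults at or below the threshold and the records read.
func liquidatable(store []entry, asset string, thresholdBps uint64) ([]string, int) {
	// A real kvstore iterator is already key-ordered; the slice is sorted here.
	sort.Slice(store, func(i, j int) bool { return store[i].key < store[j].key })
	prefix, limit := "vn/"+asset+"/", ratioKey(asset, thresholdBps)
	start := sort.Search(len(store), func(i int) bool { return store[i].key >= prefix })
	var out []string
	reads := 0
	for i := start; i < len(store) && strings.HasPrefix(store[i].key, prefix); i++ {
		reads++
		if store[i].key > limit {
			break // every later key in this asset has a higher ratio
		}
		out = append(out, store[i].vault)
	}
	return out, reads
}

// sampleStore is constructed data: ratios in basis points, placeholder addresses.
func sampleStore() []entry {
	return []entry{
		{ratioKey("BTC.BTC", 20000), "bc1-vault-a"},
		{ratioKey("BTC.BTC", 9000), "bc1-vault-b"},
		{ratioKey("BTC.BTC", 11000), "bc1-vault-c"},
		{ratioKey("BTC.BTC", 15000), "bc1-vault-d"},
		{ratioKey("ETH.ETH", 10500), "0x-vault-e"},
	}
}

func main() { fmt.Println(liquidatable(sampleStore(), "BTC.BTC", 11000)) }
```

Without the padding, the key for 9000 would sort after the key for 11000 and the early break would skip an under-collateralized vault.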
Infrastructure
Optionally, an individual can run their own infrastructure to manage their cold vault position, if desired. This would auto-send back asset when getting close to liquidation risk, in addition to withdrawing (closing the storage) when the yield gets too low.
Infrastructure requirements would be quite low, even running on a Raspberry Pi. There would be a provided daemon that a person could run, which would query a public (or private) THORChain full node for current data.
TVL Hard Cap
When calculating whether or not the network has hit the TVL hard cap, we look at the effective security compared against the value in the Asgard vaults.
Is this just lending?
Since the operator sends in collateral, then receives an L1, it could be seen as a lending tool. I.e., a large RUNE holder could send in a large amount of RUNE collateral, receive 50% L1 BTC, then never pay it back, getting liquidated in the future. This can be mitigated by:
- mandating that funds do not leave cold vaults, unless back to Asgard
- mandating that Bond is not returned until after a cooldown (3-7 days)
- charging negative interest rates below 200% CR
Failures and Risks
- L1 assets in the cold wallet are worth more than the bond
- The protocol is unable to liquidate when needed due to the pool price being far from the market price. This can be caused by arbs not being willing or able to arb (ie trading paused)
- The network allows a bond provider to unbond in an amount that makes the L1 valued less than the total cold node bond
- During a FUD event, cold nodes prefer to hold on to the L1 asset instead of returning it to the hot wallets at times when they need it.
- A malicious cold node operator can "rug" his/her bond providers, because the L1 in his/her wallet is more than their personal bond
- A malicious actor price manipulates the L1 pool triggering a waterfall of liquidations
- A malicious actor price manipulates the L1 pool right before bonding, causing more L1 asset to be sent to malicious actor than should be sent
Invariants
- cold nodes + asgard vaults == pooled assets
- bond > L1 assets
- rune in cold module >= total cold bond
Mimirs
- ColdBondInRuneMin - minimum rune needed to bond
- ColdCollateralizationRatioMin - target ratio between bond and L1 asset
- ColdMinOutboundThreshold - when sending L1 to a cold node, we don't want dust amounts; this sets a min size relative to max gas
- ColdBondMaturity - minimum number of blocks before a bond can be unbonded since its last bond
- ColdLiquidation - when a cold position should get liquidated (in basis points), (example 1100)
- ColdMinDepth - cold nodes should only be available with pools that have a minimum depth (no need to have cold storage for shallow pools)
Further Features
- Can bond with THOR.BTC instead (won't get liquidated)
- Means can earn BTC on BTC yield when Savers yields are low (Since would be earning on the Node side of pendulum)