The Misha Zharov.
TL;DR: Coinbase is a leader in the security of Crypto assets. As part of our proactive approach to security we introduce a new security control that provides guarantees about our transactions..
In Computer Science, an invariant is a property of a system that holds true during some of the operations performed by the system.. Invariants are important for ensuring that a given system is acting the way it was designed to be.
Coinbase has certain invariants that we enforce to provide guarantees about how transactions are processed.. For example, when a client submits a withdrawal request, the system that processes the transaction could have an invariant that says that the destination of the withdrawal cannot change after the client has submitted it.. Such a variable would allow us to securely process the transaction.
But what happens when an invariant is broken? This could lead to a bug that degrades the performance of our platform or perform an action that does not meet the customer intent. For example, if the previously discussed invariant was broken, the customers could be misallocated the funds.
In order to keep invariants, we have a system called ‘IVy’ (Integrity Verification) that enforces these ground truths and notifies the team when they are violated.. Its job is to make sure that transactions are not modified in unexpected ways while other systems are processing them and to act as a central validation framework. This reduced the complexity of existing systems and created an extensible framework for implementing new invariants as needed.
It is critical that we broadcast transactions accurately because if we do not, the funds will not be allocated properly. Additionally, the complexity of dealing with a variety of fields used by different cryptocurrencies greatly increases the number of validation steps required and we want to avoid duplicating this logic everywhere. We designed IVy in a way that allows clients to sign their payloads once and then validate these payloads anywhere.. In general, because different currencies have a lot of differences in what is valid versus what is not (like some currencies have memo fields), we decided to centralize the validation logic for transactions in one place so we can implement invariants once and use them everywhere.
We designed this security control as a standalone service with a simple API.. The endpoints can be used by other services to feed data to our service and query whether a transaction is valid.. The Integrity Verification system would use information provided by other systems to verify that the transaction has not been tampered with and that it is not malicious..
This security control records on the backend the withdrawal request of the customer as soon as it is submitted.. This is shown in figure 1-2. , which describes how immutability of the withdrawal transactions is preserved..
Clients need to be able to interact with the service for it to be useful and effective.. As a result, we have designed a robust API on top of gRPC. gRPC allows us to have flexibility in the future when we want to update the API because the Client Middleware code can be easily regenerated.. As a result we can store a customer intent to later check as follows :.
After a service would like to check if a signed payload matches the user intent, we can use Rosetta to parse the signed transaction and compare it to the user intent.
Before broadcasting, we verify the immutability invariant for transactions by executing signed transactions to IVy. Since we have previously registered the user intent with IVy we are able to compare it with the signed copy. This ensures that transactions have not been modified in undesirable ways..
The way we implemented the comparison/validation logic yields some usability/flexibility benefits.. Each currency has its own validator that enforces the necessary rules for that currency.. There are also some general utilities which can be used by each validator to perform common checks. Also, all the Parsers conform to the same interface, which allows us to generically integrate with them on the backend.. As a result of these ideas, the parsers are light and easy to review.. Since parsers have a very narrow scope, they are easy to write, which gives flexibility in how new currencies will work or to make changes to a specific subset of currencies without affecting others..
As a result of our design, we were able to verify the invariants for our backend systems. This security control eliminates an entire failure mode class and makes our platform more reliable..
As IVy develops, additional transaction properties and policies will be developed and enforced. These properties and policies will become a core component of the integrity and customer intent at Coinbase.
If you are interested in crypto-economy, Coinbase is hiring.