Kyle Samani says zero-knowledge proofs have their place, just not in DeFi. “I’m fairly confident ZK is not the correct answer for privacy on-chain.”
Proving to someone that an individual is old enough to buy alcohol without revealing personal details like an address? “That maps to ZK extraordinarily well,” he says.
“That’s literally what a zero-knowledge proof does,” he says. “If the goal is to preserve privacy, proving something about yourself, that works very well.” But that’s not the case if the goal is privacy in the context of DeFi, Samani explains.
On the Lightspeed podcast (Spotify/Apple), Multicoin Capital’s Kyle Samani explains why ZK rollups are not practical solutions for privacy in DeFi.
DeFi requires the notion of a “shared state,” Samani explains. “There’s an LP pool and a limit order… and you have people crossing the spread and you have people doing interactions and there’s now math happening between people.”
“In the world in which people are submitting ZK things to a blockchain to do these kinds of financial transactions, there is no notion of global state,” he says. “Therefore, if there is no notion of global state, you cannot reason about global state.”
Reasoning from the top-down
Samani suggests thinking about the basic premise of ZCash (ZEC), the privacy-based cryptocurrency, to illustrate the problem. In ZCash, he explains, the proof of any transaction states that a series of UTXOs (unspent transaction outputs) have been sent to a series of private addresses in an “encrypted blob.”
In the example Samani gives, he says, “the total number of UTXOs I have received is less than the number of UTXOs I have sent out, including the current transaction.”
“Basically, you’re just saying my balance is larger than zero,” he says.
Theoretically, ZCash should never exceed a circulation of 21 million since it is a fork of Bitcoin built with the same supply limit, but there’s no way to audit the supply due to its privacy-based design, according to Samani.
It’s been a fundamental property of ZCash since “day one,” Samani says. He points to what could have been a catastrophic bug, reported and remediated by the ZCash team in 2019, whereby someone might have been able to mint an unlimited number of ZCash in the encrypted pool.
“No one believes that it was taken advantage of, but it was discovered, it was patched and then disclosed afterwards by the Electric Coin Company, which further highlights the fact that there was no way to audit the system from the top-down.” In other words, it’s impossible to know with certainty that the supply of ZCash is still fixed at 21 million.
Samani relates the incident to attempts to implement zero-knowledge solutions in DeFi. “If you can’t reason about the system from the top-down, then DeFi, at least DeFi as we know it right now, doesn’t work.”
“There is no XYK. You don’t know what K is, and therefore you don’t know what X and Y are.”
“Collateral management, and are you solvent, and your health factor and all this stuff — those concepts don’t work when everyone is submitting a bunch of private proofs to the chain.” DeFi requires a top-down view to function, Samani says, “And that fundamentally doesn’t map to a bunch of encrypted ZK transactions.”
A number of teams are working at enabling zero-knowledge SDKs, Samani says, “but they’re all dealing with this very basic logic problem.”
Samani suggests the right way to get to privacy in DeFi is via FHE, or fully homomorphic encryption. Contracts would be encrypted end-to-end, with state transitions applied by validators. “The validators don’t need to actually know what any of the balances are to apply the transitions and run the comparative ‘if statements’ and such.”
“The beauty of that system is that the core logic of the system is preserved,” he says. “That strikes me as the right way to solve the problem.”