The Liquid Federation uses an 11-of-15 multisig wallet to process peg-ins and peg-outs and secure bitcoin held in the federation wallet. Additional timelocks are used to provide an emergency withdrawal procedure.
Peg-Ins
During the peg-in process, a user sends bitcoin to an address secured by the federation’s 11-of-15 multisig. Each of the 15 Liquid functionaries holds one key, stored in its dedicated hardware security module (HSM).
The high key threshold of the federation's multisig wallet provides a high level of Byzantine fault tolerance: disrupting the wallet’s multisig signing would require at least five functionaries (15 keys minus the 11-key threshold, plus one) to stop operating at the same time.
Functionaries are operated by incorporated cryptocurrency companies that are known to each other and distributed around the world. They have economic incentives to operate the functionaries in the network’s best interest, so the likelihood that a large portion of the federation stops operating simultaneously is very low.
Peg-Outs
When a Liquid Federation member performs a peg-out, the federation functionary units verify that the peg-out transaction has been sent to a whitelisted address (PAK list) and that the corresponding amount of L-BTC has been burned by the member performing the peg-out. Then, using 11 of the federation’s 15 multisig keys (held on the functionary HSMs), the federation signs the peg-out transaction.
Emergency Withdrawal Procedure
In addition to multisig, the federation’s wallet implements an Emergency Withdrawal Procedure (EWP) using timelocks. A timelock is a smart-contract feature implemented at the Bitcoin protocol level that prevents bitcoin from being spent under certain conditions until a specified time or block height.
In Liquid, after a timelock expires, a set of emergency backup keys can be used to spend the associated bitcoin (in addition to the regular 11-of-15 multisig keys). This ensures that the funds in the federation wallet cannot be locked up indefinitely in the unlikely event that a third or more of the federation members permanently lose access to their multisig keys and the threshold required for the 11-of-15 multisig can no longer be met.
Timelock Refresh
Upon peg-in, a timelock of 4,032 blocks (28 days) is set for each UTXO. To ensure that the emergency backup keys do not become active while the network is operating correctly, the timelocks are refreshed on a regular basis. There are two ways that timelocks are refreshed:
- Peg-outs: When a member performs a peg-out, any change that comes back to the federation wallet is returned to an address that uses a new 2,016-block timelock (14 days).
- Automatic: For any timelocks that have not been refreshed through the peg-out process within 1,008 blocks (7 days), the system will automatically refresh the timelock by spending the UTXO back to the federation wallet.
This process is a failsafe that gives the Liquid Federation 7 days to react in the event that the network stops operating. After 7 days of network inactivity, the oldest timelocks would start expiring and those UTXOs would become spendable by the emergency backup keys. After 28 days of network inactivity, all timelocks would have expired and the entire federation wallet would be spendable by them.
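The refresh schedule above can be checked with a small block-by-block model. The following is an added example, not Blockstream's or the Liquid project's code: it uses the parameters the page gives (4,032-block peg-in timelock, 2,016-block change timelock, 1,008-block refresh interval, 144 blocks per day) and assumes, because the page does not say, that an automatic refresh re-spends the UTXO with the same 2,016-block timelock that peg-out change receives. The labels, heights and the halt scenario are constructed.

```python
"""Block-by-block model of the Liquid federation wallet's timelock refresh.

Added example (not Blockstream's code). It shows why a network halt leaves the
federation at least 7 and at most 28 days before the emergency backup keys can
spend any given UTXO.
"""
from dataclasses import dataclass

BLOCKS_PER_DAY = 144
PEG_IN_TIMELOCK = 4032          # 28 days (from the page)
PEG_OUT_CHANGE_TIMELOCK = 2016  # 14 days (from the page)
REFRESH_INTERVAL = 1008         # 7 days (from the page)


@dataclass(frozen=True)
class Utxo:
    label: str
    created_height: int  # height of the transaction that created this output
    timelock: int        # relative timelock in blocks

    @property
    def emergency_height(self) -> int:
        """First height at which the emergency backup keys could spend it."""
        return self.created_height + self.timelock

    def emergency_spendable(self, height: int) -> bool:
        return height >= self.emergency_height


def refresh_due(utxo: Utxo, height: int) -> bool:
    """Automatic refresh applies once a UTXO has sat unrefreshed for REFRESH_INTERVAL blocks."""
    return height - utxo.created_height >= REFRESH_INTERVAL


def automatic_refresh(utxos: list[Utxo], height: int) -> list[Utxo]:
    """Re-spend every due UTXO back to the federation wallet.

    Assumption (not stated on the page): the re-spend carries the same
    2,016-block timelock that peg-out change receives.
    """
    return [Utxo(u.label, height, PEG_OUT_CHANGE_TIMELOCK) if refresh_due(u, height) else u
            for u in utxos]


def simulate(peg_ins: dict[int, str], halt_height: int) -> dict[str, int]:
    """Run the wallet block by block.

    peg_ins maps height -> label of a new peg-in UTXO. The functionaries operate
    (and refresh) through height halt_height - 1, then stop. Returns, per UTXO,
    how many blocks after the halt the emergency keys could first spend it.
    """
    utxos: list[Utxo] = []
    for height in range(halt_height + 1):
        if height in peg_ins:
            utxos.append(Utxo(peg_ins[height], height, PEG_IN_TIMELOCK))
        if height < halt_height:
            utxos = automatic_refresh(utxos, height)
    return {u.label: u.emergency_height - halt_height for u in utxos}


def reaction_window(blocks_after_halt: dict[str, int]) -> tuple[float, float]:
    """(days until the first UTXO opens to the emergency keys, days until the last one does)."""
    return (min(blocks_after_halt.values()) / BLOCKS_PER_DAY,
            max(blocks_after_halt.values()) / BLOCKS_PER_DAY)


if __name__ == "__main__":
    # Constructed scenario: three peg-ins, then the functionaries halt at height 2000.
    result = simulate({0: "a", 500: "b", 1999: "c"}, halt_height=2000)
    first, last = reaction_window(result)
    print(result, f"first UTXO opens after {first:.1f} days, last after {last:.1f} days")
    # Worst case for the federation: a halt exactly when a refresh was due
    # leaves only REFRESH_INTERVAL blocks (7 days) on that UTXO.
    print(simulate({0: "a"}, halt_height=2016))
```

The model makes the two bounds in the text visible: a UTXO refreshed to a 2,016-block lock and due for its next refresh at the moment of the halt has exactly 1,008 blocks (7 days) left, while a peg-in made just before the halt keeps its full 4,032-block (28-day) lock, so the wallet opens to the emergency keys gradually between those two points.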
Emergency Backup Keys
The Liquid Network’s emergency backup keys are held by Blockstream. The emergency backup keys also use a multisig model (but no timelocks) and are held offline in deep cold storage, distributed around the world, with limited staff access.
The emergency backup keys are only intended to recover the network’s funds and return the funds to the owners in the event that the network becomes inactive for an extended period.
Upcoming Dynamic Federations Update
To reduce the Liquid Network’s reliance on Blockstream in the future, our engineering team has been working on deploying the Dynamic Federations update (DynaFed) in a phased roll-out.
In addition to a wide range of improvements to the Liquid Network, DynaFed will introduce the following changes to the network’s multisig model:
- Expand the maximum number of multisig keys for the federation wallet (currently limited to 15).
- Enable the Liquid Federation to reassign or disable the emergency keys.
- Enable the Liquid Federation to lengthen the timelock parameters to extend the safety buffer.