Risk Manager for tBTCv2

When tBTCv2 launches and starts creating wallets, users will be able to deposit bitcoin into these wallets. This underlying bitcoin secured by the operators represents risk - all of the deposits that users are making to mint TBTC.

In order for the system to properly function, we need to maintain a supply peg, which means that we need the amount of underlying bitcoin to always be equal to the amount of TBTC [1].

There are a few main things that can go wrong here, to represent this risk:

  • The operators running the clients can disconnect, leaving the wallet without enough signers to perform redemptions. This can happen intentionally, through negligence, or through disaster (whether local or global).

  • The operators running the clients can unintentionally sign a bad transaction that sends funds to the wrong place, and loses some or all of a wallet’s funds. This can happen because the client software that the core devs puts out is faulty or buggy (we’ll endeavor extremely hard to make sure this isn’t the case and we have auditors checking).

  • The operators running the clients can intentionally sign a bad transaction that sends funds to the wrong place, and loses some or all of a wallet’s funds. This can happen because the adversary has managed to claim a dishonest majority of the wallet with enough modified clients to steal funds.

When one of these “loss events” happens, the system will de-peg. There will no longer be an equal amount of underlying bitcoin as outstanding TBTC. In order to re-peg, we have two options:

  • Buy+Burn TBTC

  • Buy+Donate BTC

This is the purpose of the Risk Manager! It is the Risk Manager’s job to analyze a loss event and market conditions and decide whether or not to cover the loss (hopefully it is covered), how much of the loss to cover (hopefully all of it), and how to cover it.

The “who” of the Risk Manager is completely up to the community: whether that’s a token vote, the treasury council, etc. Likewise, the “how” is also up to the Risk Manager, though I’m happy to talk shop about ideas!

To provide an initial seed for covering loss events, we have a coverage pool coming soon, though the size of an average v2 wallet will quickly pass the size of the coverage pool unless the coverage pool grows.

[1] At the beginning there will just be TBTC, but eventually the plan is to have the bridged BTC create a balance, and TBTC would just be one of the products you could use your balance for. We’re launching with the balance concept, but it’ll be behind-the-scenes.

1 Like

Thanks for that explanation of what the Risk Manager is and what functions it will be responsible for. I recall a community call a while back where you discussed the Risk Manager, however, it wasn’t clear to me that it could be a person or group of people. In theory, I like the idea of the treasury guild taking on this role, however, I think an adverse event leading to a depeg would be an emergency and high priority event, requiring swift action to reestablish the peg. The geographic dispersion of the current members may be a hinderance, but nothing that cannot be overcome.
What are your thoughts regarding the size of the group that should shoulder this responsibility?

If you go back about a year in AllTheKeeps (page 6), you start seeing Liquidated deposits, like 0x1d and 0x6a. Both represent a loss event (the v1 operators were unable/unwilling to transfer the underlying bitcoin), and so a depeg happened. The v1 system used an automated buy+burn strategy by selling the operator’s bonded eth collateral in a falling-price auction.

Here’s when the 0x1d auction starts at 02:32:29, and then wraps up at 03:15:35pm, so the system was depegged for ~45 minutes.

Similarly, the 0x6a auction starts at 03:23:09 and then wraps up at 09:52:42, so the system was depegged for 6h37m.

Most of the v1 loss events (if you look through) are a lot faster, but I think it should be okay for v2 Risk Manager to respond not-instantly. A big advantage here relative to v1 is that the v1 auction either had to be extremely sophisticated or ended up having to sell ETH at disadvantageous times, or during high gas spikes, etc.

With regards to the size of the group, I also would prefer a smaller, skilled task force. Some examples would be the 6-of-9 treasury council, a subset of that, or a new similarly sized group with some overlap. Since responding relatively swiftly is important, I would also prefer that these folks be sleep-interruptible in these cases (like on-call system admins), and know what they’re getting into.

One of the things that @jakelynch also mentioned on the treasury guild call where I initially brought this up is whether or not this group wants to be legally isolated somehow. This is well out of my area of expertise; just wanted to flag it!

1 Like

What sort of timeframe does the risk manager need to reach a decision / take action in the event of a loss to be effective?

It’s tricky to give concrete numbers here, so instead hopefully I can give some general ideas.

Say that v2 is in steady state, and the system has been up for ~6 months. We’re currently configuring wallets to gracefully close themselves and split their funds to other wallets after 6 months (this is governable), so if we’re making a wallet every week, the system will see at max ~25 wallets. The steady state number will probably be slightly less - say ~22.

There’s currently 237,193 wBTC. Say that at the time of a loss event we have a 1% market share of that (hopefully more eventually, but let’s use 1% for now), so 2.4k TBTC. At steady state, each of those 22 wallets would be holding 2400/22 = 109 BTC each.

Then, we lose one of those wallets, and either need to buy+burn 109 TBTC or buy+donate 109 BTC.


What I would think happens in this case is that there is some degree of loss-of-faith in TBTC and some folks move to exit the system. This can be done in three main ways: swapping TBTC for other wrapped BTC like wBTC, selling it for some other token entirely (ETH, USDC, etc), or redeeming it.

Either way, I would expect the immediate effect is for the price of TBTC to fall to below a bitcoin somewhere. For example, if lots of folks are swapping TBTC for wBTC and both of them were originally priced exactly at BTC, then now TBTC is below the price of BTC and wBTC is above the price of BTC.

Once this sufficiently happens, there’s an arbitrage opportunity.


Say that BTC is $16k, TBTC is now $15k, and now WBTC is $17k. An arbitrageur with $15k in USDC can buy TBTC, redeem it for BTC, mint WBTC, and sell that for $17k. They’d be up $2k before gas, exchange fees, and bridge fees. The result of the arb is that there would be 1 more wBTC and 1 less TBTC floating around, but the price of TBTC and WBTC both get a little closer to BTC.

The ability to perform this arbitrage in general is necessary. It’s why we have a supply peg instead of a price peg. The existence of arbitrage is the only thing making TBTC track the price of BTC. When we have a loss event, the arbitrage keeps working unless, the system runs out of redeemable BTC before the price has rebalanced.

In that context, we can talk about variables!


If we expect there to be a high loss of faith after a loss event (big TBTC price decrease), then arbing TBTC becomes very profitable. This essentially creates a bank run on the redemption system because if the Risk Manager doesn’t react quickly enough, then when the arbitrageurs go to redeem, there won’t be anything left to redeem and chaos will ensue. I expect that there will be real-time dashboards that folks will be watching to see how much reserve the wallets have that influence the loss of faith and system flight velocity.

If we expect trading liquidity to be low, then arbing TBTC would quickly fix the problem. As in, the more liquidity there is, the less of a price impact arbitrage has. The sooner TBTC equals BTC, the sooner the crisis is over. If we equalize before we run out of redeemable funds in the other 21 wallets, then there’s a good chance that the Risk Manager has days to weeks before it has to act. Though, failing to act might be seen as bad faith, and re-trigger loss of faith and causing a new cycle.


Predicting markets is hard. You have more time the less the price of TBTC moves (which is influenced by community faith and how much TBTC is lost), and how much trading liquidity there is.

1 Like