Paxos Gold (PAXG) — A crypto-based option for physical gold ownership

For many years, my non-crypto portfolio has been the Golden Butterfly, which holds a 20% allocation to gold.

Why so much? It’s a slight modification of the Harry Browne “Permanent Portfolio”, which is based on the forward-thinking idea that the economy can be in one of four states, that a sound portfolio should hold equal amounts of the asset class that reacts most dramatically in each of those states, and that it then captures gains through both appreciation and rebalancing.

As mentioned, the Golden Butterfly is a slight modification, tilting the allocation ever so slightly towards stocks:

  1. Prosperity → Stocks (40%)
  2. Deflation → Long-term US bonds (20%)
  3. Inflation → Gold (20%)
  4. Recession → Cash (20%)

When people look at this portfolio, they almost universally respond in horror. With low interest rates, long-term bonds are surely going to get crushed! Gold and cash earn no yield! Only 40% stocks?

What they’re missing is that the magic is in the uncorrelated relationship between the classes. It’s the package that matters, and for as long as we have data, this allocation has proven to be one of the most stable in times of both growth and drawdown of any mainstream portfolio.

So that’s why I hold gold. Now let’s talk about how I own it.

In the early years, I had accounts with BullionVault and GoldMoney, where you purchase title to physical, redeemable gold. Working with these firms, however, felt archaic. BitGold emerged and brought the user experience of owning gold into the 21st century, but then dropped much of that fantastic user experience when they merged with GoldMoney. Eventually, I moved away from GoldMoney to purchasing the iShares Gold Trust ETF, IAU.

Owning an ETF is convenient for rebalancing, but it’s still a paper form of ownership, and so I’ve been keeping my eye open for alternatives. One did appear a few years ago, Vaultoro, a Berlin-based physical gold provider. My main hangup there, however, was that it’s bitcoin-based, i.e. you can’t deposit and withdraw fiat, making rebalancing within a larger portfolio a bit inconvenient.

A new solution to gold ownership has recently emerged that looks to have all the characteristics I’ve been looking for—and more! And that solution is Paxos Gold.

Paxos is the New York regulated company that issues the PAX USD stablecoin, whose market cap recently passed TrustToken’s TUSD. Pax Gold, or PAXG, is their new stablecoin product, in which each token is backed by one ounce of physical gold in a Brink’s vault in London.

Here’s what I find attractive about PAXG:

  • Trust. — Paxos is a New York regulated Qualified Custodian and financial services company, with a solid track record. (Binance, for example, chose Paxos to custody and issue their new USD stablecoin, BUSD.)

  • Physical ownership. — Each token is backed by physical gold, and is redeemable. At the Paxos website, you can even trace each token to the serial number of the London-vaulted 400 oz gold bar to which it corresponds.

  • Accessibility. — As an ERC-20 token on the Ethereum network, PAXG can be freely moved and traded as a bearer-instrument 24/7. You can choose to custody it at the Paxos website, where you can redeem it for cash or gold, or you could custody it yourself, say in a hardware wallet, and sell it on a public exchange.

  • Low fees. — Depending on volume, purchase fees range between 0.03% and 1.00%, and Paxos additionally makes money on Ethereum network transfers of the token (0.02%). During the launch sale, however, there are no purchase fees, and even a 2% rebate, on the first 7,000 tokens sold.

But perhaps most exciting about PAXG, is that it opens the door, for the first time, to earn yield on your held gold. For example, Nexo have already announced plans to add PAXG to the list of deposited stablecoins on which they pay 8% per year in-kind interest.

Of course, lending your gold, like lending anything, introduces third-party risks which one would need to take into consideration, but it’s very exciting to know that options to earn yield on held gold are being enabled through technological innovations like PAXG.

At the time of this writing, during its launch week, roughly $2.4M of PAXG has already been minted. With the benefits listed above, I’m excited to keep an eye on PAXG as a fascinating option for my gold holdings. (And if I end up going with PAXG, I guess I’ll have to stop referring to it as my “non-crypto” portfolio!)

The one in which BitPico makes an arrogant fool of himself, and tries to erase his tracks

There’s a twitter user named @BitPico, who claims to be a “developer, miner and investor”. At some point I must have respected BitPico, given the fact I follow them. This morning, however, I lost all respect for this person.

You see, BitPico got a little confused about how the Ledger Live app and the Nano S & X hardware devices work together. In the course of the conversation below, he actually makes the claim that the password you enter in the Ledger Live app is the 25th seed word on the hardware device.

There’s no fault in being ignorant. There is something wrong with being arrogant and condescending in the context of ignorance. But worst of all, and the reason I’m taking the time to post this, is that when BitPico realized he was wrong, he didn’t have the balls to own his mistake (and certainly wouldn’t ever apologize) — No, instead, he went and deleted all his tweets!

The importance of plausible deniability in crypto products

One of the most important, yet overlooked, features of any crypto currency product is support for plausible deniability. This feature is best understood by example.

The Ledger and Trezor hardware wallets, like nearly all crypto wallets, are secured with a 24-word seed phrase (the BIP39 mnemonic from which every key in the wallet is derived). Access to the device is then gated by a short numeric PIN code (four to eight digits on a Ledger). Most of us are familiar with this model by now.

What many people don’t realize is that these devices don’t just support one single wallet behind one single PIN, but rather any number of wallets, each derived from the same 24 words plus a different passphrase, and on a Ledger each of them can be secured behind its own PIN code.

This feature, known as the “25th word feature” (formally, the BIP39 passphrase), mixes an arbitrary extra secret into the seed derivation, so that each distinct passphrase yields a completely different wallet with its own keys and addresses. There is no such thing as a wrong passphrase: any passphrase opens a valid (if empty) wallet, which is exactly what makes it impossible to prove that a hidden wallet exists. (It also means a mistyped passphrase silently opens an empty wallet, so keep the first deposit into a passphrase wallet small until you’ve confirmed you can reopen it.) On a Ledger, a passphrase can be attached to a second PIN, so that entering that PIN unlocks the device directly into the hidden wallet; on a Trezor it is entered at unlock time. And since there can be any number of 25th words, these devices support any number of wallets! Take a moment to think about the implications of that.

This feature provides both convenience and plausible deniability:

  • Convenience, in that you can have a default wallet, containing a small amount of currency that you use for day to day transactions, without having to expose your larger holdings.

  • Plausible deniability, in that if you were forced to open the wallet, you can open your default wallet containing a small amount of funds, and it would be impossible to know whether you have additional wallets, where you’d maintain your larger cold storage funds, secured behind additional PIN codes.
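As an added illustration of why the 25th word gives deniability (example code written for this page, not Ledger’s or Trezor’s firmware): the BIP39 standard these devices follow derives the wallet seed by stretching the mnemonic with PBKDF2-HMAC-SHA512, with the passphrase forming part of the salt, so every passphrase yields an unrelated seed and master key, and nothing about the decoy wallet’s seed reveals whether another passphrase was ever used. The mnemonic below is the published BIP39 reference test vector; the passphrase “cold storage” is made up for the example.

```python
import hashlib
import hmac
import unicodedata

# BIP39 seed derivation: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
# salt "mnemonic" + passphrase, 2048 iterations, 64-byte output.
# The passphrase is the "25th word": change it and the whole seed changes.
def bip39_seed(mnemonic, passphrase=""):
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# BIP32 master key: HMAC-SHA512 keyed with "Bitcoin seed"; the left half is the
# master private key, the right half the chain code. Every address descends from these.
def bip32_master(seed):
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_wallet(mnemonic, passphrase=""):
    """Root secrets of the wallet that (mnemonic, passphrase) opens.
    Any passphrase 'works'; a never-used one simply opens an empty wallet."""
    seed = bip39_seed(mnemonic, passphrase)
    key, chain = bip32_master(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain.hex()}


def differing_bits(a, b):
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Published BIP39 test vector (entropy 0x00..00, passphrase "TREZOR").
REFERENCE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                      "abandon abandon abandon abandon abandon about")
REFERENCE_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                      "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def reference_vector_ok():
    return bip39_seed(REFERENCE_MNEMONIC, "TREZOR").hex() == REFERENCE_SEED_HEX


if __name__ == "__main__":
    decoy = derive_wallet(REFERENCE_MNEMONIC)                   # default wallet, no passphrase
    hidden = derive_wallet(REFERENCE_MNEMONIC, "cold storage")  # passphrase made up for this example
    print("reference vector matches:", reference_vector_ok())
    print("decoy master key :", decoy["master_key"])
    print("hidden master key:", hidden["master_key"])
    # Roughly half of the 512 seed bits differ, as for two unrelated random seeds.
    print("seed bits differing:",
          differing_bits(bytes.fromhex(decoy["seed"]), bytes.fromhex(hidden["seed"])))
```

The point to take from running it is that the decoy and hidden seeds share nothing computable: an adversary holding the 24 words and the decoy PIN learns the decoy wallet, and no amount of analysis of that wallet tells them whether a second passphrase exists, since every candidate passphrase produces an equally valid key.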

In my view, plausible deniability should be a core feature of crypto products, presented and promoted front and center. Unfortunately, it’s often considered too complex by some products, and poorly implemented by those that do support it. Let’s look at a few more examples.

Mobile Wallets

The Secure Enclave makes iOS devices surprisingly good platforms for secure wallets. But I would never use my iOS device to store significant amounts of crypto currency because nearly none of the current wallets support plausible deniability, and the one that does, doesn’t support it well from a UX perspective.

TrustWallet, BRD and Edge are all high-quality mobile wallets, and all of them support the interaction of launching with a prompt for a PIN code. None of them, however, support multiple wallets, secured behind multiple PIN codes.

I once spoke with BRD about this, and their view was that plausible deniability was too advanced for their users. At the same time, however, they argued for using BRD as one’s primary crypto storage, due to the security of the Secure Enclave. That would be a terrible recommendation, for a product that supports only a single wallet.

(Note that all of these products claim to technically support multiple wallets, by the fact that you can restore any number of wallets from different 24-word seeds. That’s terribly impractical, however, from a UX perspective.)

Ledger Nano X

Since the recently-launched Nano X, which does support multiple wallets secured by multiple PINs, is accompanied by an iOS app, Ledger Live, I was hopeful that plausible deniability would finally be supported in a useful way on a mobile device. Unfortunately, the implementation is such that it’s nearly as unwieldy as restoring a 24-word seed in the other wallets.

The Ledger Live mobile app supports “accounts”, which are individual currencies within a given wallet. If you had two sets of wallets behind two PINs on your Nano X, each of which held BTC and ETH, you would either have to have all four “accounts” always visible in Ledger Live—say, “BTC”, “BTC Cold”, “ETH” and “ETH Cold”—which, of course, defeats the whole purpose of plausible deniability, or you would need to add your cold storage accounts only when needed, and then have to remember to delete them from the app when done. (Deleting them in the app doesn’t affect their presence on the hardware device.)

So, unfortunately, the Nano X, combined with the Ledger Live mobile app, doesn’t move us forward in terms of usable plausible deniability on mobile devices.

Portfolio Tracking Apps

It would be great to track my full crypto portfolio in an app like Blockfolio.

Again here though, Blockfolio doesn’t support plausible deniability. As with mobile crypto wallets, Blockfolio could launch with the presentation of a PIN interface, behind which multiple portfolios are managed—i.e. my real portfolio, and then a shadow portfolio I’d open if forced. But since this isn’t supported by Blockfolio, or any of its competitors, I’m left to track my crypto holdings in a spreadsheet, locked away inside a hidden encrypted disk image.


My hope in publishing this article is to bring more awareness to the need for supporting plausible deniability as a core feature of crypto products, and for those that do support it, surface it in the user interface as a primary function of the product, rather than hiding it away behind the “Advanced” settings.

For further reading, and a great example of how beneficial plausible deniability can be in general, be sure to see my article about the Espionage product for Mac OS X.

How to use MakerDAO and DAI to create a leveraged long investment in ETH

In mid-2018, having learned how futures trading works on Bitmex, I opened a 2X leveraged perpetual ETH contract. The idea was to generate a boosted return on ETH, at a leverage level I felt was “acceptably” safe. Unfortunately, later in the year, the price of ETH moved downward so dramatically that my position ended up getting liquidated, and I lost my entire collateral.

Recently, I’ve discovered an alternative way to implement a leveraged long position in ETH, involving the MakerDAO system to borrow DAI—a stablecoin that should maintain a value of $1 USD—through the creation of a “Collateralized Debt Position” (CDP). (For a good general introduction to the MakerDAO system, see this article.)

The basic idea is—we can deposit ETH collateral with MakerDAO, borrow some DAI, and then use that DAI to buy more ETH. If our ETH increases in USD value in the future, our gains are leveraged, since we get to keep some of the ETH we purchased after selling enough to repay the DAI.

The best way to understand this, is to walk through a hypothetical example (which isn’t that hypothetical, since I did it myself this morning to figure out how everything works!)

MakerDAO network

To understand our hypothetical investment, we’ll need some data from the MakerDAO network, which we can get from the Maker System Overview page.


  • CurrentPrice — is the current value of ETH in USD.
  • LiquidationRatio — is set by Maker, and establishes the collateralization level at which your CDP would be closed and enough collateral removed to repay the DAI loan.
  • StabilityFee — This is an annualized fee charged by MakerDAO for the loan. It’s a running fee computed continually, so that a correct pro-rata charge can be made whenever you close the position.
  • LiquidationPenalty — This is an additional fee charged by MakerDAO, based on your DAI loan amount, if your CDP has to be liquidated.
  • PET — This is calculated by MakerDAO, and is the ratio of “Pooled ETH” to “Wrapped ETH” in the network. (I’m not sure what that means, but it doesn’t seem to matter for what we’re doing here.)

Loan, Fees & Investment

In this section we’re going to look at securing a DAI loan, which starts by connecting a hardware wallet, like the Ledger Nano S, to the Maker Collateralized Debt Position Portal. (It seems like they’ll also let you create a web wallet, if you prefer.) Once connected, you deposit some ETH, generate some DAI, which you can then transfer away, and then later repay the DAI to close the CDP.

  • CollateralETH — This is the amount of ETH I deposited as collateral.
  • CollateralUSD — This is the USD value of that collateral at the time of CDP creation.
  • DAI — The amount of DAI I created (borrowed).
  • CollateralizationRatio — The USD value of my collateral relative to the DAI I’ve drawn. The current minimum ratio is 150% (and the website warns you that if you go that low, you can get liquidated immediately with even a small drop in the price of ETH). In my case, I’m using 300% collateralization.
  • PurchasedETH — With my 20 DAI, I was able to purchase 0.166 ETH. This is done elsewhere, of course, at an exchange supporting DAI and ETH. I did it within the Edge Wallet, which is useful, because I can create an ETH wallet just for this investment, which makes it easy to compare its current value with the amount of DAI used for the purchase.

Here is what the MakerDAO CDP Portal shows me after I’ve created my loan:

  • Since ETH has slightly increased since this morning, my CollateralizationRatio is slightly higher.
  • As you can see, I can still withdraw ETH from my collateral or generate additional DAI given that my CollateralizationRatio is still above the minimum of 150%. If I were to actually try to generate another 20 DAI, however, the platform warns me that I’m at risk of immediately losing my collateral.

So at this point, I’ve deposited 0.5 ETH, to borrow $20 in DAI, which I used to buy 0.166 ETH, meaning for each 1% increase in the price of ETH, I’ll be earning 1.33%.

The liquidation case

Let’s now look at what happens should the price of ETH drop to around the liquidation level.

  • PETH — This is a term used in the MakerDAO ecosystem that refers to the amount of ETH I’ve “staked” in this loan. It’s simply the amount I deposited, minus the fee I’m charged, and is what I’ll get back after repaying the loan.
  • LiquidationPrice — This is the market price of ETH at which the CDP would be closed, and enough collateral removed to cover the outstanding DAI debt, plus the liquidation fee. (As you can see from the screenshot earlier, there’s a slight inaccuracy of a few dollars in my model for determining the liquidation price. The MakerDAO liquidation formula says it’s an “estimate”, so I suppose the actual liquidation price must be more complex.)
  • CoverETH — This is how much ETH I’d need to sell (or have set aside) to buy enough DAI to repay the loan and avoid the liquidation fee. (I could also add ETH to the CDP to push the CollateralizationRatio back up.)
  • RecoveredETH — This is PETH returned to me in paying off the loan, minus the ETH I had to spend to purchase enough DAI to repay it.
  • RemainingETH — This is my net ETH left over, which is the above RecoveredETH plus the ETH I bought with my DAI loan.

An important point to note here is that liquidation doesn’t consume all my collateral, as it does at Bitmex. There, as you approach liquidation, it’s hardly worthwhile to close the position. As the price of ETH is dropping, due to the settlement process between longs and shorts, liquidation is simply the point at which your position is worthless.

Liquidation stats

Let’s look at a few numbers of general interest, related to the liquidation case.

  • Allocation — If this were a serious investment I were making, this is the total amount I’d allocate to it. It’s the amount of collateral (0.5 ETH), plus the ETH I’d need to sell for enough DAI to avoid liquidation (i.e. CoverETH, or 0.33 ETH).
  • LiquidationPriceDrop — This is the percentage by which the ETH price would need to drop to trigger liquidation. (50% might seem “safe”, but as I learned in my Bitmex experiment, that’s not safe in crypto.)
  • MaxLoss — This is the percent I’d lose on my investment (my collateral), in the case of repaying the loan just prior to liquidation.
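The calculation model behind the figures above, as an added example written for this page (it is not Maker’s own code, and the stability fee and liquidation penalty below are assumed inputs standing in for whatever the Maker System Overview page shows at the time): it reproduces the 0.5 ETH / 20 DAI position at an opening price of $120, which is what 300% collateralization implies, and derives the liquidation price, the leverage factor, CoverETH, the ETH left after an early repayment and, for comparison with the Bitmex remark, what a forced liquidation would leave.

```python
import math
from dataclasses import dataclass


@dataclass
class CdpModel:
    collateral_eth: float              # CollateralETH deposited into the CDP
    dai_drawn: float                   # DAI generated against it
    open_price: float                  # ETH/USD at CDP creation
    liquidation_ratio: float = 1.50    # Maker's LiquidationRatio (150%)
    liquidation_penalty: float = 0.13  # assumed LiquidationPenalty, charged on the debt
    stability_fee_apr: float = 0.005   # assumed annualized StabilityFee

    def collateralization_ratio(self, price):
        """Collateral value relative to the debt (3.0 means 300%)."""
        return self.collateral_eth * price / self.dai_drawn

    def liquidation_price(self):
        """ETH price at which the ratio falls to LiquidationRatio."""
        return self.dai_drawn * self.liquidation_ratio / self.collateral_eth

    def liquidation_price_drop(self):
        """LiquidationPriceDrop: fall from the opening price that triggers liquidation."""
        return 1.0 - self.liquidation_price() / self.open_price

    def purchased_eth(self):
        """PurchasedETH: what the borrowed DAI bought at the opening price."""
        return self.dai_drawn / self.open_price

    def leverage(self):
        """Total ETH exposure per ETH of own capital (1.33 -> +1.33% per +1% in ETH)."""
        return 1.0 + self.purchased_eth() / self.collateral_eth

    def max_additional_dai(self, price):
        """DAI that could still be generated before touching the liquidation ratio."""
        return self.collateral_eth * price / self.liquidation_ratio - self.dai_drawn

    def debt(self, days=0):
        """Outstanding DAI including the continuously accruing stability fee."""
        return self.dai_drawn * math.exp(self.stability_fee_apr * days / 365.0)

    def cover_eth(self, price, days=0):
        """CoverETH: ETH to sell for DAI to repay the debt at this price."""
        return self.debt(days) / price

    def remaining_eth_if_repaid(self, price, days=0):
        """RemainingETH: collateral returned + ETH bought with the loan - CoverETH."""
        return self.collateral_eth + self.purchased_eth() - self.cover_eth(price, days)

    def remaining_eth_if_liquidated(self, price, days=0):
        """Liquidation seizes debt plus penalty from the collateral; the rest comes back."""
        seized = self.debt(days) * (1.0 + self.liquidation_penalty) / price
        return self.collateral_eth - seized + self.purchased_eth()

    def max_loss_fraction(self, days=0):
        """MaxLoss: share of the original collateral (in ETH) lost by repaying
        just before liquidation."""
        left = self.remaining_eth_if_repaid(self.liquidation_price(), days)
        return 1.0 - left / self.collateral_eth


if __name__ == "__main__":
    cdp = CdpModel(collateral_eth=0.5, dai_drawn=20.0, open_price=120.0)
    liq = cdp.liquidation_price()
    print(f"collateralization at open: {cdp.collateralization_ratio(120.0):.0%}")
    print(f"liquidation price: ${liq:.2f} ({cdp.liquidation_price_drop():.0%} drop)")
    print(f"leverage: {cdp.leverage():.3f}x")
    print(f"extra DAI available now: {cdp.max_additional_dai(120.0):.2f}")
    print(f"CoverETH at liquidation: {cdp.cover_eth(liq):.4f}")
    print(f"ETH left, repaid early:  {cdp.remaining_eth_if_repaid(liq):.4f}")
    print(f"ETH left, liquidated:    {cdp.remaining_eth_if_liquidated(liq):.4f}")
    print(f"max loss on collateral:  {cdp.max_loss_fraction():.1%}")
```

Two things the numbers make visible: generating another 20 DAI at $120 is exactly what `max_additional_dai` allows, which is why the portal warns that doing so leaves no margin at all; and at the $60 liquidation price, repaying early keeps about 0.33 ETH while a forced liquidation keeps less (the penalty is taken from the collateral) but still returns something, which is the contrast with Bitmex drawn above.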

Concluding thoughts

I hope you’ve enjoyed this walkthrough of using MakerDAO to borrow some DAI, which you can use to leverage your ETH position. I don’t pretend to be an expert in the Maker system by any means, but I wanted to publish this guide, since I didn’t find anything similar (including a calculation model), when I was trying to understand it.

The Bitmex experience reinforced a saying that in the investment world has proven its wisdom time and time again:

Don’t just do something; stand there!

So I don’t know whether I’ll actually create a significant leveraged position in ETH using MakerDAO, even though I have a long-term conviction around ETH. But it’s good to finally understand how the system works!

If you’ve enjoyed the article, or find any corrections that need to be made, please drop me a note in the comments. Thanks for reading!

Comparison of cryptocurrency exchange service rates

For those interested in trading cryptocurrencies, and wishing to avoid complex interactions with an exchange like Binance, a number of easy-to-use online cryptocurrency changer services exist, as well as in-wallet changers.

In this post, dated January 11, 2019, and which I hope to periodically update, I present a comparison of the ones I know about. For each, I’m comparing the BTC→ETH rate, and using CoinMarketCap as a reference.

Changer                      1 BTC → ETH    Percent Loss
CoinMarketCap (Reference)    28.7883        0.00%
Edge Wallet (Changelly)      28.4513        (1.17%)
Exodus Wallet                27.6682        (3.89%)

Of course, some exchanges require accounts, while others are anonymous, and so other factors may be involved in one’s choice than rate alone.

(PS: If you know of other services I should add to the list, please mention them in the comments, and I’ll add them to future updates.)

Usability issue in the Edge wallet

Despite being my favorite multi-currency mobile wallet, Edge has a terribly frustrating UI/UX issue, that I’ve been unable to communicate to the team through text on Twitter. So here it is, documented visually.

When launching the app, it will periodically prompt the user to double-check that they still know the app password. (I hate this feature. Once I demonstrate I have the password in my password manager, I don’t need or want periodic checks that I still have it. I’m a responsible adult.)

Anyway, here’s the UX problem:

If you have the password on the clipboard, which will be the case for probably 99% of the users, the iOS touch action to initiate a paste is a double tap into the password field. However, the instant you tap once, the iOS keyboard appears, which shifts the screen upward so that the second tap registers in the “I forgot, change password” field.

Why does this happen? Because when the screen shifts upward, the “Change password” button ends up in the same vertical position previously occupied by the password field. You can see this visually:

And even knowing this happens, it’s still very difficult to avoid. In fact, it’s happened the last three times I’ve faced this unwanted password verification workflow.

Anyway, that second tap into the change-password button takes the user to this screen:

After a bit of confusion about how you ended up here, the user will naturally want to go back to the password check screen, and so he taps the back link in the upper left. Unfortunately, instead of being returned to the password-check screen, he’s taken to the settings screen!

This means that the next time he launches the wallet app, he’s going to be once again prevented from using the wallet due to the annoying password-check workflow, and will probably run into this same issue again. (It has happened to me four times in a row now.)

So, here is a summary of the problems:

  1. Tapping into the password field on the first screen frequently ends up registering a tap into the “Change password” button because of the instant shift upwards as the keyboard appears.

  2. From the next screen, it’s impossible to get back to the previous!

Hope this explanation helps the team at Edge.

Understanding Zerocoin

This article was first published on the Veil blog.

In this article, we’ll describe the Zerocoin protocol—one of the beautiful technologies underlying the strong anonymity you’ll find in the Veil currency.

History of Zerocoin

The Zerocoin protocol was conceived in 2013 by Johns Hopkins researchers Ian Miers, Christina Garman, Matthew D. Green and Aviel Rubin [1], as an extension of Bitcoin, providing for optional anonymity in the Bitcoin network. We say “optional” anonymity since the Zerocoin model involves converting public bitcoins to anonymous zerocoins, and back.

So the first concept to understand is that in Zerocoin networks, there are two types of tokens (coins)—public tokens, known as basecoins, and anonymous tokens, known as zerocoins. (Misunderstanding of this concept is a common source of confusion in networks such as PIVX, where one finds “PIV” and “zPIV” coins.)

In Veil, the on-chain coins are called Basecoin Veil, and the anonymous coins are called Zerocoin Veil. Since the Veil wallet automatically converts basecoins to zerocoins, however, the general use of “Veil” is meant to imply the anonymous coin.

(You’ll notice that for Basecoin Veil, we used the term “on-chain”, rather than “public”, since in the Veil network, Basecoin transactions are also anonymized using “RingCT” technology, but explanation of that will be saved for another post.)

The logic behind Zerocoin

Imagine we’re considering how to design an extension to the bitcoin network that would allow us to convert bitcoins to zerocoins, and then be able to spend them later anonymously.

In order that the bitcoin monetary supply remains auditable, the creation of zerocoins can’t be anonymous, i.e. when we bring a zerocoin into existence, through a process known as minting, we necessarily have to take a bitcoin out of circulation, in a process known as burning, and since bitcoin is a public token, its removal (burning) also has to be public.

Therefore, if I minted 1.73458 zerocoins—something we’ll later see isn’t technically possible, but for the moment we’ll ignore that—by burning 1.73458 bitcoins, and if the world can know, since bitcoin is public, that I owned those 1.73458 bitcoins, then the world will also know that I now control 1.73458 zerocoins.

So the challenge in a network like this is:

If my creation of zerocoins is public, how can I later spend those zerocoins anonymously?

Fixed denominations

The above example already presents the very first challenge. If I created such a precise amount of zerocoins in the past, like 1.73458, then when that precise amount of zerocoins gets spent in the future, it wouldn’t be very hard to assume that the spend came from me. Why? Because there simply won’t be very many other zerocoin address “outputs” out there holding precisely 1.73458 coins.

Considering this problem, Green may have thought, “What if zerocoins only existed in fixed denominations, like cash bills or casino chips? If there only existed denominations of, say, 1 zerocoin, 10 zerocoin, 100 zerocoin, and 1,000 zerocoin, then maybe I could design a system in which, if you spend a 10 zerocoin, the network won’t know which of all the 10 zerocoins you spent.”

This idea of fixed denominations was ultimately implemented in the Zerocoin protocol, and made to work through the concepts of accumulators and zero-knowledge proofs.


In Zerocoin networks, an “accumulator” exists for each denomination supported by the network. So if the Bitcoin network supported denominations of, say, 10, 100 and 1,000 zerocoin, it would have three accumulators.

Conceptually, most people think of accumulators as “buckets”, holding all the coins of a particular denomination. But in reality, as we’ll see later, an accumulator is actually a single number, that cryptographically embeds knowledge of the existence of each outstanding zerocoin in that particular denomination.

As you might imagine, the particular choice of denominations in a Zerocoin network has to be carefully considered, and the trade-off is between convenience and anonymity.

To understand this, consider that when I spend a 10 zerocoin token, its traceability back to me—i.e. back to my minting of a 10 zerocoin token—is a function of the total number of 10 zerocoins that exist. If there’s only five 10 zerocoins in existence, and I spend one of them, it might not take much sleuthing to figure out it was me. On the other hand, if there are five million 10 zerocoins in circulation, the problem becomes much more difficult, if not impossible.

For this reason, a network that only has six denominations would likely provide greater anonymity than one that has a hundred different denominations (all other things being equal). For the Veil network, there will exist four denominations, and hence four “accumulators”: 10, 100, 1000 and 10000 Zerocoin Veil.

Zero-knowledge proofs

Zero-knowledge proofs [2], to most mortals, are akin to black magic. We won’t get close to the math behind them, but here’s what a zero-knowledge proof is in practice:

A ZK proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.

Mind blowing, I know. Don’t get scared!

How the Zerocoin protocol works

With all that as background, we can now proceed to explain how the Zerocoin protocol works in practice.

Let’s start by walking through the process of what happens when you mint zerocoin by burning basecoin—something that happens automatically in the Veil wallet.

Burning & Minting

Say you received an incoming payment of 10.73458 Basecoin Veil. Looking at that number, your wallet would know that it can convert 10 of those to a single 10 Zerocoin Veil token. (The remaining 0.73458 Basecoin Veil would stay as Basecoin Veil in your wallet.)

To create your new 10 Zerocoin Veil token, your wallet creates a unique serial number, that we’ll call “S”, and a random number, that we’ll call “V”. Your wallet then performs a cryptographic calculation known as a Pedersen commitment, that takes S and V and computes a number called “C”:

C = comm(S,V)

This formula simply means that “comm” is a mathematical function, the Pedersen commitment, that takes S and V as inputs and produces the number C as an output. It’s “one-way” in the sense that S and V can’t be back-calculated from C. More precisely, a Pedersen commitment is hiding (C reveals nothing about S, because the random V masks it) and binding (whoever created C can’t later open it to a different serial number). Both properties matter below: hiding keeps S secret until the spend, and binding is what lets a revealed S be tied to exactly one minted coin.

Having computed C, our wallet now “burns” 10 Basecoin Veil—taking them out of circulation—in a blockchain-recorded transaction in which the value “C” is publicly recorded.

The “10 Zerocoin Veil” network accumulator number is then updated cryptographically to embed knowledge of the newly introduced “C” value.

By burning 10 Basecoin Veil in this way, we have also “minted” a brand new 10 Zerocoin Veil token, that is associated with the recorded number “C”, which is linked to me, and to the unique serial number, S, which at this point is only known to my wallet!

Before moving on, let’s review where we are:

  • We have burned 10 Basecoin Veil in a blockchain transaction that minted the creation of a 10 Zerocoin Veil token, recorded with the number, C.

  • Since the burned Basecoin Veil is public (or for Veil, more precisely “on-chain”), the number C is publicly visible.

  • Only our wallet knows the random number, V, used along with S, in the calculation of C.

  • Only our wallet knows the serial number, S, which is the unique identifier of our particular 10 Zerocoin Veil token, among all the tokens.

Spending anonymously

Now comes the interesting part: How do we later spend those 10 Zerocoin Veil anonymously? To do that requires that the spend can’t be linked back to the mint. Let’s look at how that’s done.

When I’m ready to spend my 10 Zerocoin Veil, my wallet calculates two zero-knowledge proofs, the first of which can be used independently, and the second which can only be used in tandem with the first.

In the first ZK proof, I mathematically prove that the coin I want to spend (the 10 Zerocoin Veil) exists in the 10 Zerocoin Veil accumulator, without revealing which coin that is. Mathematically, I have to prove that the value “C” I wrote to the blockchain during my mint exists in the accumulator, without revealing the particular value of “C” I’m proving—since that would point directly back to me!

To do this, I compute the Pedersen Commitment function using C and another random value, R, that I choose and is only known to me, to produce the output Y.

Y = comm(C,R)

(The inclusion of a random number R is critical, because if I just computed comm(C) to produce Y, then by computing comm(C) on all the recorded C’s in the blockchain, you could easily figure out which C I’m proving!)

When I provide the value Y to the network, the network can validate my proof using Y and the current accumulator number to confirm that, yes, I do control a particular coin in the accumulator, but without knowing which one, i.e. the network doesn’t know which “C” I used in the computation of Y.

Then, I publicly reveal the unique serial number, S, corresponding to my particular 10 Zerocoin Veil, and provide a second ZK proof demonstrating that I know some random value V, that, in turn, proves I control the still-unrevealed “C” used in the first proof.

That’s a mouthful, but is why the second proof is only meaningful in tandem with the first.

So in summary:

  • Proof 1 proves that I control one of the coins in the accumulator, corresponding to the minting recorded with C on the blockchain, but without revealing which C that is.

  • Proof 2 allows me to reveal the unique serial number, S, corresponding to my particular coin, without revealing which burn and mint transaction, C, it corresponds to.

Or said another way:

Zero-knowledge proofs have allowed me to prove that I control a specific token among all the 10 Zerocoin Veil tokens, without any connection to the specific blockchain transaction that created that coin.

At this point, my spend transaction will be recorded on the blockchain:

  • The transaction will publicly record my unique serial value, S, so that the coin can’t be double spent in the future.

  • 10 fresh Basecoin Veil will be put into circulation and delivered to the destination address of my transaction, and my 10 Zerocoin Veil can not be re-spent due to the public recording of its unique serial number, S.

And so, through the use of zero-knowledge proofs, I have spent my 10 Zerocoin Veil anonymously!
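The mint and spend just described, reduced to a runnable toy written for this page (it is not Veil’s or the Zerocoin authors’ code, and the tiny moduli are chosen so it runs instantly, not for security): the Pedersen commitment C = comm(S, V) is re-randomized until C is prime, because the per-denomination accumulator is an RSA accumulator that can only absorb primes; the accumulator really is a single number, u raised to the product of every minted C, modulo N; a coin’s membership witness is the same product with its own C left out, checked by w^C = A; and a spend publishes S so the coin can’t be spent twice. What is deliberately not reproduced is the zero-knowledge layer: here the verifier is handed V (and therefore C) directly, which is exactly what the real protocol’s two proofs avoid, so this shows the bookkeeping, not the anonymity.

```python
import secrets

# Toy parameters. Real Zerocoin uses parameters of a thousand bits or more;
# these are small so the example runs instantly and are NOT secure.
P = 1019            # prime with P = 2*Q + 1
Q = 509             # prime order of the quadratic-residue subgroup mod P
G, H = 4, 9         # squares mod P, hence of order Q; log_G(H) is assumed unknown
N = 1009 * 1013     # toy RSA modulus; its factorization must be unknown to everyone
U = 3               # accumulator base, coprime to N


def is_prime(n):
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def commit(s, v):
    """Pedersen commitment C = comm(S, V) = G^S * H^V mod P."""
    return (pow(G, s, P) * pow(H, v, P)) % P


def mint_coin():
    """Choose serial S and randomness V; retry V until C is prime so the
    RSA accumulator can absorb the coin. The wallet keeps S and V secret."""
    s = secrets.randbelow(Q)
    while True:
        v = secrets.randbelow(Q)
        c = commit(s, v)
        if is_prime(c):
            return s, v, c


class Accumulator:
    """One per denomination. `value` is a single number U^(C1*C2*...) mod N;
    `coins` is the public list of C values recorded in mint transactions."""

    def __init__(self):
        self.value = U
        self.coins = []

    def add(self, c):
        self.coins.append(c)
        self.value = pow(self.value, c, N)

    def witness(self, c):
        """U raised to the product of every other coin; w^c recovers `value`."""
        w, skipped = U, False
        for other in self.coins:
            if other == c and not skipped:
                skipped = True
                continue
            w = pow(w, other, N)
        return w

    def verify(self, c, w):
        return pow(w, c, N) == self.value


class ZerocoinLedger:
    def __init__(self, denominations=(10, 100, 1000, 10000)):
        self.accumulators = {d: Accumulator() for d in denominations}
        self.spent_serials = set()

    def mint(self, denomination):
        """Burn `denomination` basecoin and publish C; S and V stay in the wallet."""
        s, v, c = mint_coin()
        self.accumulators[denomination].add(c)
        return {"denomination": denomination, "S": s, "V": v, "C": c}

    def spend(self, denomination, s, v, witness):
        """Verifier side. The real protocol receives ZK proofs of these two facts
        instead of V (and thus C); revealing them here is what breaks anonymity."""
        acc = self.accumulators[denomination]
        c = commit(s, v)
        if not acc.verify(c, witness):    # proof 1's claim: C is in this accumulator
            return False
        if s in self.spent_serials:        # serial already published on-chain
            return False
        self.spent_serials.add(s)          # proof 2's payload: S becomes public
        return True


if __name__ == "__main__":
    ledger = ZerocoinLedger()
    mine = ledger.mint(10)
    for _ in range(5):
        ledger.mint(10)                    # other users' 10-denomination coins
    acc = ledger.accumulators[10]
    w = acc.witness(mine["C"])             # witness must be recomputed after later mints
    print("accumulator value:", acc.value, "embeds", len(acc.coins), "coins")
    print("first spend :", ledger.spend(10, mine["S"], mine["V"], w))
    print("second spend:", ledger.spend(10, mine["S"], mine["V"], w))
```

Note that the witness depends on every coin minted so far, so a wallet has to refresh it from the public list of C values before spending; and that because `verify` only accepts primes that were folded into `value`, a C that was never minted has no witness, which is the accumulator doing the job the text describes of embedding knowledge of each outstanding coin in one number.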


In this article, we’ve described the Zerocoin protocol—one of the beautiful technologies underlying the strong anonymity you’ll find in the Veil currency [3].


  1. See 
  2. See 
  3. Thanks to Veil developer Random.zebra for helping me wrap my head around the concepts like zero-knowledge proofs described in this document, and to Veil team members for editing feedback. 

The morality of Proof-of-Work

Previously, my German cloud-hosting provider disallowed cryptocurrency mining, given that mining is a process that consumes 100% of a computer’s CPU capacity, and their virtual servers (VCPUs) share a common pool of computing resources.

Recently, however, they announced the availability of virtual servers with dedicated resources (dVCPUs), and so I emailed them asking whether, on those servers, mining is acceptable. I expected a positive response, since mining is acceptable at other dVCPU providers, but they responded that their policies on crypto mining would remain unchanged, given that:

We do actually care about our environment.

I had three immediate reactions to this, which I sent them by email:

  1. You, as an organization, are making a judgement that one use of energy is morally acceptable, while another is not. I lived in Germany for many years, and that seems contrary to the cultural value I understood, that moral judgements should be left to the individual.

  2. There is a valid argument to be made that the benefits to humanity of a censorship-proof form of money justify the energy required to provide for that censorship resistance. More energy efficient mechanisms have been proposed (PoS, etc.), but nobody can say with absolute certainty whether they will ultimately prove to be equally secure. The global market, however, continually casts its vote, and for the moment, it trusts Proof-of-Work.

  3. You are a private organization, and I respect your right to implement any policy you want. So don’t interpret the above as any kind of insistence that you change.

I’d like to ask you, the reader, for your opinion. Should hosting providers disallow crypto mining, on the moral arguments around justified use of energy?

Introduction to Bitcoin futures markets and the purpose of daily settlement

I’ve recently been learning about crypto currency futures trading, and am finally grasping some of the core concepts. In this article, I’m going to explain how futures markets work, and in particular the logic of why contracts are settled daily, by building on a simple farmer and baker example I read about at Investopedia.

Imagine it’s January, and a wheat farmer and a baker both need some predictability about the price of wheat on May 1. The baker needs 5,000 bushels of wheat, which is what the farmer needs to sell. They can come to an agreement today to exchange that wheat in May at today’s price of $4 per bushel, and the formalization of that agreement would be called a futures contract.

The baker would be said to be on the long side of the agreement (he has the obligation to buy the wheat) and the farmer would be said to be on the short side of the agreement (she has the obligation to sell the wheat.) The contract price would be $4, and the settlement date would be May 1.

Now let’s imagine that on May 1 the market price—usually referred to as the spot price—of wheat is $5 per bushel. Rather than physically delivering 5,000 bushels of wheat, the farmer and baker simply agree to settle the contract in cash. The baker owes the farmer the $20,000 agreed in January (i.e. $4 per bushel for 5,000 bushels), and the farmer owes the baker $25,000 so that he can purchase 5,000 bushels of wheat in the current market (since it now costs $5 per bushel). As a net result, the farmer gives the baker the difference of $5,000.

By doing a cash settlement, instead of physical delivery, both parties retain the outcome of the original contract.

  • The baker gets 5,000 bushels of wheat for his originally planned $20,000, i.e. his original $20,000 plus the additional $5,000 given to him by the farmer to buy the wheat in the market today.

  • The farmer gets $20,000 for 5,000 bushels of wheat, i.e. $25,000 received from selling her wheat in the market at today’s price of $5, minus the $5,000 she gave to the baker.

Now, rather than arranging this contract directly, let’s imagine there’s a business that runs a futures marketplace—called an exchange—where the May 1 wheat contract is bought and sold by farmers and bakers (or others who need wheat) who don’t know each other. And to avoid dealing with the contractual physical delivery of commodities, let’s imagine the exchange implements cash settlement.

How could this work?

For starters, the exchange needs to address the risk that buyers or sellers default on their agreements, regardless of what happens to the price of the commodity over time. The exchange operator could do this by requiring that buyers and sellers deposit some cash that the exchange holds as collateral. Let’s imagine that in the case of our particular farmer and baker, who want to enter into a contract that today is worth $20,000, the exchange requires each to deposit $10,000. In modern futures exchanges, this collateral is called margin.

We’ve seen in the previous example that the price of wheat in May was $5, which resulted in the farmer transferring $5,000 to the baker to cash settle their contract. In this case, the farmer’s $10,000 of margin in her exchange account would have been sufficient for the exchange to settle this contract.

But what would happen if the May 1 market price of wheat was $7, in which case the farmer owed the baker $15,000? The exchange could ask the farmer to deposit an additional $5,000, but what if she didn’t?

How can the exchange address this kind of risk? Through the mechanism of daily settlement.

Rather than wait until May 1 to settle the contract, what if the exchange did a settlement of the contract every day, until May 1? Let’s see how the farmer’s account would look over a contract of, say, five days (just to make the following table shorter), and settled daily:

  Day   Market Price   1-Day Change   Settlement   Account Balance
    0          $4.00          $0.00        $0.00           $10,000
    1          $3.80        ($0.20)       $1,000           $11,000
    2          $3.60        ($0.20)       $1,000           $12,000
    3          $4.20          $0.60     ($3,000)            $9,000
    4          $4.50          $0.30     ($1,500)            $7,500
    5          $5.00          $0.50     ($2,500)            $5,000

For a 5,000-bushel contract entered at $4, with the market at $5 on the final day and settled daily, we see the same net effect for the farmer—i.e. a total transfer of $5,000—as if the contract had settled only at the end.

With daily settlement, if the price goes against the farmer for a while, such that her margin (collateral) drops to a dangerous level, the exchange can request that she add additional margin to her account. This is known as a margin call. If she doesn’t, and her margin reaches zero, the exchange can simply close out her position, an event called liquidation, and let another farmer in the marketplace pick up and carry on with the contract.
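The table above, recomputed as an added example (not from the original article): `settle_daily` marks a short position to market once per day using exact Decimal arithmetic, stops as soon as the balance reaches the maintenance level (zero here, matching the text), and the demo compares the daily path with settling once at expiry, then shows the $7 case exhausting the $10,000 margin in a single step. Prices, quantities and the function names are constructed for the example.

```python
from decimal import Decimal as D

def settle_daily(prices, bushels, initial_margin, side="short", maintenance=D("0")):
    """Mark a futures position to market once per day.

    prices[0] is the contract (entry) price, prices[1:] the daily closes.
    Returns (rows, liquidated): rows are (day, price, change, settlement, balance)
    and liquidated is True if the balance fell to the maintenance level, the point
    at which the exchange would close out the position.
    """
    sign = D(-1) if side == "short" else D(1)  # a short gains when the price falls
    balance = D(initial_margin)
    rows = [(0, prices[0], D("0"), D("0"), balance)]
    for day in range(1, len(prices)):
        change = prices[day] - prices[day - 1]
        settlement = sign * change * bushels
        balance += settlement
        rows.append((day, prices[day], change, settlement, balance))
        if balance <= maintenance:
            return rows, True
    return rows, False

def settle_at_expiry(prices, bushels, side="short"):
    """The one-shot alternative: a single cash settlement on the last day."""
    sign = D(-1) if side == "short" else D(1)
    return sign * (prices[-1] - prices[0]) * bushels

def demo():
    # Constructed price path: the contract at $4.00 followed by five daily closes.
    prices = [D(p) for p in ("4.00", "3.80", "3.60", "4.20", "4.50", "5.00")]
    rows, liquidated = settle_daily(prices, 5000, D("10000"))
    daily_total = sum(r[3] for r in rows)
    one_shot = settle_at_expiry(prices, 5000)
    # Same net transfer either way; daily settlement merely exposes the path.
    # A jump straight to $7.00 on one day would wipe out the $10,000 margin:
    _, wiped = settle_daily([D("4.00"), D("7.00")], 5000, D("10000"))
    return rows, liquidated, daily_total, one_shot, wiped

if __name__ == "__main__":
    rows, liquidated, total, one_shot, wiped = demo()
    for day, price, change, settlement, balance in rows:
        print(f"{day:>3} {price:>7} {change:>7} {settlement:>10} {balance:>11}")
    print("daily total:", total, "| one-shot:", one_shot,
          "| liquidated:", liquidated, "| $7 jump liquidates:", wiped)
```

Passing a positive `maintenance` value models a margin call threshold rather than the zero-balance liquidation the text describes; the rest of the logic is unchanged.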

Since this market model for the trading of commodities doesn’t actually involve the physical delivery of commodities, financial investors began participating simply for the opportunity to speculate on the future price change of the underlying commodity. And naturally, today we have platforms like Bitmex and Deribit that let crypto currency investors speculate on the future prices of currencies like Bitcoin.1

This article has explained the fundamentals of futures markets. Here are some additional comments and issues I’ll address in future articles:

  • In crypto currency futures markets, contracts are cash settled in bitcoin. This is unique in that the contract is settled in a different currency from that in which it is priced.

  • Some crypto currency futures markets allow you to enter long and short positions up to 100 times the amount of collateral you’ve deposited, thereby allowing you to amplify both your potential gains and losses. This is called leverage. The risk associated with using leverage, however, is that a small movement of price against you can result in a liquidation and loss of collateral.

  • Some futures exchanges now offer “perpetual” futures contracts that settle daily, and have no future expiration date. In order to incentivize these contracts to track the spot price, these exchanges have implemented a mechanism by which a small amount of funds are transferred daily between long and short participants depending on the daily movement of the contract and spot prices.

  • In the case of contango, there’s a particular strategy in which a participant goes short, and buys the physical commodity, that results in earning the current premium that exists between the contract and spot prices. I posted another article detailing how this works.

  • To provide for their services, exchanges charge a fee to participate in a futures transaction, for example 0.05% on entering and leaving a position.

  1. Those links contain my referral code, so I’ll receive some benefit if you signup through those. 

An example of earning contango premium with bitcoin futures

This is the first in a series of articles I’ll be posting as I learn about trading crypto currency futures, available on platforms like Bitmex and Deribit.1

On this page of the Bitmex documentation, in which they discuss market conditions known as contango and backwardation, the following is stated:

A trader can use this as a trading strategy: a futures contract trading at a large premium can be sold and the underlying asset bought so that the trader is market neutral and will thus earn the basis if they hold till settlement.

In this post, I want to walk through a numerical example to clarify how the above actually works. But first, we need to define some terms.

What is a bitcoin futures contract?

When you buy a bitcoin futures contract, you own the right to buy bitcoin, on a particular date known as the settlement date, at a particular price. This is known as taking a long position.

Conversely, when you sell a bitcoin futures contract, you own the right to sell bitcoin on the settlement date, at a particular price. This is known as taking a short position.

On platforms like Bitmex and Deribit, when the settlement date arrives and the contract is settled, the price difference is transferred by the platform, and paid in bitcoin. If I own the right to buy 1 BTC at $10,000 on the settlement date, and you are the counter-party, with the right to sell 1 BTC for $10,000 on the settlement date, and the spot price of bitcoin is $11,000, then Bitmex, on that date, will transfer $1,000 worth of bitcoin from your account to mine.

As you can imagine, a futures contract that settles tomorrow will probably trade today pretty close to the spot price, but a contract that settles three months from now will trade today at the price the market believes the spot price will be in three months.

If the 3-month contract price is higher than the current spot price, then the market is said to be in contango, and the price difference, referred to as the “basis” or “premium”, is positive. If the 3-month contract price is less than the current spot price, then the market is said to be in backwardation, and the premium is negative.

Now let’s look at that strategy…

With all that as background, let’s return to the trading strategy mentioned at Bitmex, and walk through a numerical example to see if this actually works.

Given this point, a trader can use this as a trading strategy: a futures contract trading at a large premium can be sold and the underlying asset bought so that the trader is market neutral and will thus earn the basis if they hold till settlement.

Imagine the Dec 28 contract is trading at $7,000, with spot BTC trading at $6,500. We’re in contango, and the premium is $500. So in this strategy, I sell 1 BTC of futures contracts, giving me the right to sell 1 BTC on Dec 28 for $7,000. And then I go buy 1 physical BTC at the spot price of $6,500. I’ve paid a total of $13,500.

Dec 28 arrives, and BTC spot is trading at $10,000. I lose $3,000 on my BTC short contract, but I make $3,500 on my physical BTC, netting me $500, which is exactly the premium in play three months earlier.2

What about the case in which the spot price of BTC is lower on Dec 28, for example if BTC spot is trading at $5,000? In that case, I make $2,000 on my contract, and I lose $1,500 on my BTC, again netting myself exactly the premium of $500.

And we see that, yes, this strategy does work (and in the process, we beginners now understand futures a little better.)

What about using leverage?

When you deposit 1 BTC at Bitmex or Deribit, you’re not limited to buying or selling futures contracts limited to 1 BTC. Depending on the platform, you can actually buy or sell contracts of up to 100 BTC or 50 BTC, respectively! This is called leverage.

Leverage allows you to amplify both your potential gains and losses. Say with your 1 BTC of collateral, you buy 2 BTC of futures at $6,500. And let’s say the spot price drops such that at settlement date BTC is trading at $5,000. In that case, you’d lose $3,000 (corresponding to 2 BTC) rather than $1,500, had you not used leverage. Vice-versa if the price of BTC goes up.

In addition to loss amplification, leverage also carries the risk of liquidation. The platform, at all times, has to ensure your 1 BTC is sufficient to cover your losses, meaning that if, in the above example, at any time between purchase and the settlement date, the market price of BTC drops to a level at which your 1 BTC collateral couldn’t cover further losses, the platform will immediately settle your contracts, and you’ll lose your collateral.

With that disclaimer, let’s look at a contango example with leverage.

The Dec 28 contract is trading at $7,000 and spot at $6,500. We use our 1 BTC deposited at Bitmex to sell 2 BTC of bitcoin short futures, meaning the right to sell 2 BTC on Dec 28 at $7,000. Then we buy 2 physical BTC at $6,500. Our total cost is $20,000.

Dec 28 arrives, and the BTC spot is $8,000. We lose $2,000 on our futures contracts, and gain $3,000 on our physical BTC, netting a total of $1,000, or twice the $500 premium existing at purchase time.

The liquidation risk is that at some point prior to settlement date, the spot price of BTC goes to $14,000, such that the contract position loss on a 2 BTC position is $14,000 or 1 BTC. In that case, your short position would be liquidated, and you would lose your 1 BTC collateral (worth $14,000). However, you’d have the 2 physical BTC you purchased for $13,000, now worth $28,000. If you immediately sold those, your net would be $28,000 – $13,000 – $14,000 = $1,000.

In this way, it would seem to me that when the market is in contango, it would be sensible to use as much leverage as you can support purchasing of the physical commodity (bitcoin), to maximize the multiple of premium you can earn.
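An added worked example (not from this article or from Bitmex) that generalizes the arithmetic of both the unleveraged and the leveraged walkthroughs above: `hedged_pnl` computes the futures leg and the spot leg of the short-futures/long-spot position for any contract price, entry spot, settlement spot and position size, with an optional fee rate so the fee caveat from footnote 2 can be quantified (the 0.05% rate is the one quoted earlier in this post; charging it on the futures notional at entry and at settlement is this example’s assumption), and `liquidation_spot` solves for the spot price at which the short leg’s loss equals the USD value of the bitcoin collateral. All function names and inputs are constructed for the example.

```python
def hedged_pnl(contract_price, spot_entry, spot_settle, size=1.0, fee_rate=0.0):
    """Short `size` BTC of futures at contract_price, buy `size` BTC spot at
    spot_entry, hold to settlement at spot_settle.
    Returns (futures_pnl, spot_pnl, fees, net), all in USD.
    fee_rate is applied to the futures notional when entering and when leaving
    (an assumption for this example; 0.0005 is the 0.05% quoted in the text)."""
    futures_pnl = size * (contract_price - spot_settle)  # short: gains if spot falls
    spot_pnl = size * (spot_settle - spot_entry)
    fees = fee_rate * size * (contract_price + spot_settle)
    return futures_pnl, spot_pnl, fees, futures_pnl + spot_pnl - fees

def liquidation_spot(contract_price, size, collateral_btc):
    """Spot price at which the short leg's loss, size * (spot - contract), equals
    the USD value of the collateral, collateral_btc * spot.
    Returns None when size <= collateral_btc: the loss can then never exceed
    the collateral's value, so no liquidation price exists."""
    if size <= collateral_btc:
        return None
    return size * contract_price / (size - collateral_btc)

def pnl_if_liquidated(contract_price, spot_entry, size, collateral_btc):
    """The scenario from the text: spot reaches the liquidation price, the whole
    collateral is lost, and the spot BTC is sold immediately at that price."""
    liq = liquidation_spot(contract_price, size, collateral_btc)
    if liq is None:
        return None
    return size * liq - size * spot_entry - collateral_btc * liq

if __name__ == "__main__":
    # Constructed inputs matching the walkthrough: Dec 28 contract $7,000, spot $6,500.
    for settle in (10000, 5000):
        print("1 BTC, settle at", settle, "->", hedged_pnl(7000, 6500, settle))
    print("2 BTC, settle at 8000 ->", hedged_pnl(7000, 6500, 8000, size=2))
    print("with 0.05% fees ->", hedged_pnl(7000, 6500, 10000, fee_rate=0.0005))
    print("liquidation spot for 2 BTC on 1 BTC collateral:", liquidation_spot(7000, 2, 1))
    print("net if liquidated there:", pnl_if_liquidated(7000, 6500, 2, 1))
```

Running the liquidation case symbolically shows why the text’s $1,000 comes out to exactly twice the premium: at the liquidation price the collateral lost equals the futures loss, so the net collapses to `size * (contract_price - spot_entry)` regardless of where liquidation happens. What that algebra does not capture is the fee drag and the decoupling between futures and spot that the comments below raise.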

What the experts say…

I asked a couple of my favorite Twitter friends for feedback on the above, and wanted to include their essential insight:

From @notsofast:

So you have basically described hedged futures trading, or time arbitrage. It’s worth noting that a lot of traders don’t want to tie up that much capital for that long, just to capture that premium, even though it’s low-risk. They would rather base trades on TA on either futures or spot, and have them unhedged or naked.

There’s also the inherent assumption that the premium, or your profit window, will stay fairly constant right up until settlement or your stop is triggered; in practicality, well-capitalized entities go stop hunting when market short or long interest is unbalanced (as we recently saw with the massive percentage of shorts vs. longs at bitmex). That is, they will push the spot market up higher to force these shorters to cover at their stop losses, then let the market trickle back (or in the recent case, violently return) back to where it was.

Sometimes the futures do not move correspondingly. So your conclusion about it being risk-free to leverage the maximum possible in order to capture that guaranteed premium, may be correct in theory but doesn’t account for manipulative decoupling in short term stop hunting tactics or periods of imperfect correlation between futures and spot (for instance intervening pivot dates like ETF approvals).

The implication is that the manipulators – or it could be, just better capitalized traders monitoring the market and pushing it in the directions they want – know that it will cost them less to buy up the market to trigger the cascade of forced buys covering shorts, than they’ll lose when the market falls back down again. So they buy the market up, provide the liquidity for the forced buys to either cover their longs in profit and/or enter shorts at even better pricing, and then let the market return to equilibrium. And when I say “manipulators” it’s not so much a tinfoil hat accusation as it is, a better capitalized player exercising advantage. It’s like a card game where a player with a hand full of trump suit can force wins out of every other player.

And from @paul_btc:

You can buy the spot btc and use it as collateral in bitmex to short futures, which makes the initial quantity needed less than $13.5k. Also, it could be that you in theory should earn money with the trade, but fees take away the profit or actually make you negative, if the price differential is not big enough. Always, always, always take into account the fees.

  1. Those links contain my referral code, so I’ll receive some benefit if you signup through those. 
  2. You won’t get exactly this premium, given that you’ll pay trading fees.