Torus v1.0: The Path to Decentralized Custody
Launching Out of Beta
Today, we are excited to announce our successful migration to a new node-set, with operators who are both foundational to the blockchain ecosystem and have the mission to see it grow. Operators in the network include Binance, ENS, Etherscan, Matic Network, Ontology, Skale, Tendermint Core, and Zilliqa. We’re delighted to have them on board and contributing to the security of the network.
At Torus, we strongly believe that blockchains have the power to democratise many aspects of the society that we live in, levelling the playing field for all — be it accessing financial services, controlling your own data, or breaking out of societal circumstances. And it is Torus’ mission to see that realised by ensuring that every individual has access to the blockchain.
Where We’re at Today
For the uninitiated, the Torus Network uses an MPC style key management system that does the hard work of generating a user’s key with respective shares and securely distributing them to independent node operators. It also maps these keys to “verifier” accounts (e.g. Google, Reddit), allowing users to authenticate with these accounts. After a predefined period, it will migrate these keys across nodes, allowing for a dynamic node-set.
Since the launch of our beta last year, the team has worked tirelessly towards the main goal of security and robustness of the system. In order to secure the front-end, we have implemented integrity checks for all released versions of our wallets and open-sourced the wallet code, ensuring that no malicious code is ever injected into DApps that are integrated with us.
On the back-end, we have optimised the performance of our network, allowing us to generate more than 500,000 new keys a day, with key retrievals reaching native database read speeds. We have also improved our continuous integration process to run network simulations that simulate scenarios such as malicious behaviour for nodes, node failures, node restarts, and even key migrations across different releases.
We have had to overcome several hurdles while building decentralized infrastructure on top of Web2.0 standards to ensure that Torus (or anyone) never have custody of user’s keys. For example, the OAuth2.0 standard typically requires a redirect of the authentication token to a server, allowing this server to impersonate the user. The Torus client circumvents it through service worker redirects, ensuring that the authentication tokens never reach this server. Another example is that we have also deliberately avoided “auto-updates” of our front-end wallet, even though this is a norm in the software industry, in order to ensure that malicious over-the-air updates cannot be injected into existing wallets. We also don’t compromise by choosing to use popups instead of modals for user confirmations, since modals are insecure against clickjacking. Although some users may be comfortable with weaker security assumptions, at Torus, we take security seriously.
And as a decentralized system necessitates, every part of the system is open-source, from the front-end client that users load up, to the code run by operators on the backend. Each of the operators in the node-set shares the same mission to see growth in the blockchain ecosystem and have been audited for their DevOps procedures. The nodes are incentivised financially through a portion of revenue that comes in through logins and reputationally which arguably is a larger factor. Naturally, the node-list is public — so users also know exactly what and who they’re trusting.
If you’d like to contribute to the security of the Torus Network through node operation do reach out here, the next selection of node operators would be done via a voting process.
The Torus team strongly believes in decentralization and the launch of Torus v1.0 marks our next step in our journey towards full decentralized custody.
Trust as a Threshold
So what’s next for the network?
While some subset of devs still run their own SMTP servers, the large majority of users in the world use user-facing clients like Gmail. There is a reason why we all don’t just keep gold in our sock drawer but instead storing our assets in banks and other institutions. For most users, it’s safer, more secure and relatively convenient. Similarly in the blockchain space, the numbers show that most users keep their funds on custodial solutions, and centralized exchanges. It’s clear to us that custody is here to stay. But then isn’t custody contrary to decentralization?
We believe in Trust as a Threshold. We all have our own internal barometers of whom or what we trust, and we are all swayed by a mix of different factors. These factors can be social; many trust in Binance’s custody solution because of CZ’s honest and straightforward leadership, and I’m sure many Ethereum supporters were sold by Vitalik’s principles and intellect even before they understood the intricacies of Ethereum. On a more personal level, we would always trust loved ones to act in our best interests, more so than any entity. These factors can also be circumstantial; some trust in their governments’ systems, or academia and the value it outputs, or the economics surrounding every blockchain.
Wherever it is derived from, this trust has value. And what we aim to do moving forward, is to build a comprehensive system for decentralised key management that leverages this network of trust. Beyond storing keys across nodes in the Torus Network, in the future, any exchange, foundation, bank, or even individuals themselves, will be able to run a node, stake and/or charge a fee for their services. Fees will be determined by each node individually and users of the network would be able to choose whom to park their shares with, depending on how much they trust each node. A user could pick just two entities or n-many to hold their keys for the desired level of security they require, migrating their private keys to different node sets as they see fit. The future of custody may well be social via individuals and their relationships, with a mix of institutions.
We’re excited to be taking this next step in our journey. Join our community for updates on its progression and drop us a line on any of our social channels if you’d be keen on joining us to see this materialize
Twitter, Telegram, Facebook, LinkedIn, Instagram, YouTube, Reddit
What is Torus?
Torus provides one-click logins for DApps through the user’s Google, Facebook, Reddit, Discord or Twitch accounts in a single step, with no additional installations. With Torus, users can interact with Google emails, Reddit usernames and Discord IDs on the blockchain, regardless of whether the recipient has logged into Torus before.
Try it out at https://app.tor.us