November 13, 2023
The Booming BTC Ecosystem: Exploring Opportunities and Risks in Derivative Protocols
In the first half of this year, the Ordinals protocol and BRC20 gained significant traction, injecting fresh vitality into the Bitcoin ecosystem. In May, Beosin and SUSS NiFT collaborated on a research report titled “In-Depth Analysis: Bitcoin’s New Era — Opportunities and Risks of BRC-20,” providing a detailed examination of the origins, development, value, and risks associated with the Ordinals protocol and BRC20.
Starting from October, with the momentum of Bitcoin ETF news driving the resurgence of Bitcoin value, various derivative protocols have rapidly evolved within its ecosystem. UniSat launched BRC20-swap, Atomicals protocol and ARC20 went live, Taproot Assets integrated with the Lightning Network released v0.3 alpha version, and Tether’s issuer, Tether Limited, plans to issue USDT on the RGB protocol. In this article, Beosin will introduce common Bitcoin derivative protocols, helping readers understand their potential value and hidden risks.
1. The Resurgence of Ordinals and BRC20
The Ordinals protocol, introduced by Bitcoin core contributor Casey Rodarmor, allows the creation of Bitcoin NFTs by assigning different “attributes” to each Satoshi. Similarly, it enables the creation of homogeneous Bitcoin tokens by providing a uniform “format” and “attributes.” Inspired by the Ordinals protocol, Twitter user @domodata created the BRC20 token standard on March 8, 2023, utilizing ordinal inscriptions of JSON data to deploy token contracts, mint tokens, and transfer tokens.
After a year of bursts, lulls, and resurgence, major exchanges have announced support for the BRC20 protocol. Many BRC20 tokens have reached new highs in prices, with Ordi’s market capitalization exceeding $400 million and daily trading volume reaching $800 million. UniSat’s BRC20-swap has provided decentralized trading with enhanced liquidity for leading BRC20 tokens.
Amidst the bustling trading activities, the following security risks associated with the BRC20 protocol should not be overlooked:
(1) Fake Recharge/Double Spending Attacks
On the evening of April 23, a BTC address starting with bc1pw executed a double spending attack on UniSat’s BRC20 Marketplace. It forged transfers of Ordinals NFT, attempting to transfer 5000 Ordi and 35000 Ordi successively to its own address while trying to trade the fictitiously forged Ordi inscriptions on the market. Subsequently, UniSat suspended BRC20 inscriptions services for investigation, and Beosin promptly used Beosin KYT to analyze and trace the address:
UniSat later retrieved the inscriptions, recovering 70 affected transactions and preventing potential losses of millions of dollars.
(2) Centralization Risks
The BRC20 protocol treats inscriptions as a ledger, recording the deployment, minting, and transfer of BRC20 tokens. As smart contracts cannot run on Bitcoin, BRC20 tokens cannot query the current token-related information through program execution. Consequently, BRC20 utilizes centralized servers to retrieve Bitcoin blocks, recording all deployment, minting, and transfer operations of BRC20 tokens.
This centralized settlement process may lead to different platforms providing different results for querying the token balance of a specific account. Despite recording all operations on-chain, the verification of these operations is the responsibility of a particular client. The entire BRC20 ecosystem needs to implement decentralized indexing services.
2. Atomicals and ARC20
The Atomicals protocol uses the smallest unit of Bitcoin, satoshis’ UTXO (Unspent Transaction Outputs), to represent tokens. UTXO, or Unspent Transaction Outputs, constitutes the fundamental unit of Bitcoin transactions. When verifying Atomicals transactions, it is only necessary to query the corresponding satoshis’ UTXO on the Bitcoin network. This way, the transactions of ARC20 tokens are entirely processed by the Bitcoin network, minimizing issues associated with centralized retrieval services.
Currently, there are only 11 types of ARC20 tokens, with a total transaction volume significantly lower than BRC20. The leading token, ATOM, has a market capitalization of $31 million. Its derivative ecosystems, Realm (domains) and Collection (NFT), are in very early stages, with Atommap being a notable project requiring users to mint NFTs through proof-of-work, imposing a relatively high entry barrier for users.
Due to the early stage of the Atomicals protocol, users have previously fallen victim to scams in over-the-counter (OTC) transactions. Beosin KYT has marked fraudulent addresses and continues to track their fund flow:
Apart from guarding against OTC scams, the Atomicals protocol’s ecosystem, including wallets and trading markets, is not yet fully developed, and users should be aware of the following risks:
(1) Unaudited Atomicals Wallet
The Atomicals wallet plugin is developed based on the UniSat wallet and is currently open-source but has not undergone a security audit. Previously, the Atomicals wallet plugin was delisted from the Google Store and has now been relisted.
(2) Liquidity Risk
According to Atomical Market data, there are approximately 5000 users holding ARC20 tokens. Many ARC20 tokens have poor liquidity, with minimal trading activity. Due to liquidity issues, the price of the leading ARC20 token, ATOM, experiences exceptionally volatile fluctuations. Therefore, users should manage their FOMO emotions carefully and be cautious about the insufficient liquidity problem.
3. Taproot Assets Integrated with the Lightning Network
Taproot Assets is a protocol released by the Lightning Labs development team, utilizing various information written into UTXO scripts on the Bitcoin network to record assets. Consequently, Taproot Assets can be used for issuing tokens, NFTs, and various other assets.
Currently, NostrAssets has issued two tokens, Trick and Treat, based on the Taproot Assets protocol, and is set to launch the Fairmint feature, enabling users to independently issue tokens.
It’s important to note that assets issued by Taproot Assets must be deposited into the Lightning Network for transactions. Therefore, users must run their own Bitcoin full node and Taproot Assets client or use third-party services. The transaction records of tokens also rely on third-party indexers, introducing potential centralization risks.
4. The Slow Progress of RGB Protocol
The RGB protocol, introduced on the Lightning Network, adds smart contract functionality to Bitcoin. Based on zero-knowledge proof state channel protocols, it allows users to conduct privacy-protected transactions off-chain. Since its proposal in 2016, the RGB protocol has progressed very slowly, with the official launch of RGB v0.10 in April 2023 due to its inherent design complexity.
All data for RGB smart contracts is entirely stored off-chain and managed by RGB nodes. The protocol utilizes UTXOs to store state transition proofs, allowing tracking and verification of smart contract states. Users/validators can confirm the correctness of smart contract states by scanning the UTXOs on the Bitcoin network.
Currently, the RGB protocol is still undergoing continuous updates and has not formed a fully developed ecosystem. In the future, it is expected to primarily be used for asset issuance and transactions, with Tether Limited actively promoting the issuance of USDT using the RGB protocol.
5. Introducing Smart Contracts to BTC Layer2
Due to Bitcoin’s inherent limitation in supporting smart contracts, hindering the development of more complex ecosystem businesses, various Bitcoin sidechains and Layer2 solutions have emerged. The most market-focused Bitcoin Layer2 is Stacks, which executes smart contracts on the Stacks network while settling transactions on the Bitcoin network, inheriting the security of the Bitcoin network. For a detailed analysis, refer to Beosin’s June release, “What is Stacks and what challenges may this BTC Layer2 Network face?”
Currently, Stacks has released the developer version of sBTC, allowing developers to test application integration with sBTC in a local environment. The DeFi project Hermetica within the Stacks ecosystem has integrated sBTC for testing, suggesting that BTC’s DeFi ecosystem may become a focal point in the future. Beosin KYT is set to support the Stacks network, providing address analysis and tracking services.
While Stacks is steadily developing, it may face the following risks:
(1) Stacks Protocol Vulnerabilities
On April 19th, a vulnerability was identified in the stacks-increase function within Stacks’ consensus contract, leading to certain addresses receiving more STX token rewards than theoretically calculated. Additionally, Stacks employs the relatively immature smart contract development language Clarity, with calls within the developer community for improvements to Clarity.
(2) sBTC Risks
sBTC is Stacks’ attempt to achieve decentralized BTC custody and anchoring by using a threshold signature wallet to manage BTC locked in the Bitcoin network and minting sBTC 1:1 on the Stacks network through smart contracts. The threshold signature and smart contract need rigorous audits to prevent the exploitation of malicious vulnerabilities.
BRC20, ARC20, Taproot Assets, and RGB all serve as asset issuance protocols, while BTC Layer2 solutions like Stacks address Bitcoin’s inability to execute smart contracts. The BTC ecosystem is currently in its early stages, and users should pay attention to this space while being mindful of the mentioned risks to avoid potential asset losses.
If you need any blockchain security services, welcome to contact us:
Related Project Secure Score
Guess you like
What security issues should developers consider when building Solana projects?
November 09, 2023
Poloniex under Justin Sun Hacked for Over a Billion Dollars, Raft Project Loses $3.4 Million
November 14, 2023
How to Identify Cryptocurrency Traps? EagleEye Deciphers the Schemes
November 20, 2023
Beosin Unveils New Blockchain Solution for Financial Regulation and Security at SFF
November 20, 2023