Know-Your-Transaction (KYT) Canister
Overview
Since all transactions on the Bitcoin blockchain are publicly accessible, it is possible to trace individual outputs and investigate the activities of Bitcoin addresses. Exchanges make use of so-called know-your-transaction (KYT) services that analyze Bitcoin transaction to identify outputs and addresses potentially associated with illicit activities so that they can take appropriate actions.
The KYT canister on the Internet Computer makes it possible for canisters to perform the same kind of checks. The KYT canister is used by the ckBTC minter to make sure that ckBTC tokens are only minted for KYT-checked outputs and bitcoins are only transferred out to KYT-checked Bitcoin addresses.
The following figure provides an overview of the process. After the user has transferred bitcoins to the ckBTC minter and requests the minting of ckBTC tokens (using the update_balance
endpoint) or the user has sent a request to retrieve bitcoins, the ckBTC minter issues a KYT check request to the KYT canister whose response contains alerts, if any, for the provided output or address. The response also indicates the KYT provider whose key was used for the KYT check (see below for more details.
The canister ID of the KYT canister (used by the ckBTC minter) is pjihx-aaaaa-aaaar-qaaka-cai
.
Technical Details
The KYT canister cannot analyze the Bitcoin blockchain itself. Instead, it uses HTTPS outcalls to query external KYT service providers.
Since these services have a subscription-based model, an access key is required. The KYT canister addresses this challenge as follows. External parties with a subscription can be registered as maintainers through an NNS upgrade proposal that adds the principal ID of the maintainer to the KYT canister. As soon as the maintainer is registered, a secret API key can be set inside the KYT canister using the set_api_key
endpoint.
As mentioned above, the response for each KYT check contains the principal ID of the maintainer whose access key was used to query the external KYT service provider. The ckBTC minter uses this information to determine how much of the collected KYT fees it owes to each of the registered maintainers.
The candid file of the KYT canister is available here.
KYT Check for UTXOs
The KYT canister exposes the endpoint fetch_utxo_alerts
to enable KYT checks for unspent transaction outputs. The request must specify the output, that is, the transaction ID and output index (vout
), and also the principal ID of the caller.
The response contains an external ID for the request provided by the external KYT service provider, a list of alerts, and the principal of the maintainer whose key was used for the request.
If there are no alerts, the output is considered clean. If there are alerts, each alert specifies a level (Severe
, High
, Medium
, and Low
) and other information, which can be used to make an informed decision as to whether or not the output can be accepted.
KYT Check for Bitcoin Addresses
There is also the endpoint fetch_withdrawal_alerts
, which is conceptually identical to the fetch_utxo_alerts
endpoint. The main difference is that a Bitcoin address is provided instead of a UTXO and the response contains alerts, if any, for the given Bitcoin address.