이더리움 창시자 비탈릭 부테린이 최근에 《거버넌스 제2장: 금권정치 – 여진히 나쁜》이란 제목으로 EOS블록체인의 DPoS 합의 매커니즘을 폭격하는 글을 올렸다.
이에 EOS블록체인의 창시자 댄 라리머 또한 《암호경제학 거버넌스의 한계》란 제목으로 반박글을 올렸다.
필자는 비탈릭 부테린과 댄 라리머의 브로맨스와 키보드 배틀을 지켜본 지 몇년은 된다. 한때 BitShares 도 마켓캡 4위 암호화폐였고 라이트코인 잡기 바로직전이었던 리즈시절이 있었으며, 이더리움도 화이트 페이퍼 한장일 뿐일 때도 있었다. 댄과 댄의 아버지가 《비토크인과 로봇 3원칙》이란 암호화폐 역사의 획기적인 글을 발표해 DAC(“DAO”의 오리지널 이름) 개념을 제출한 얼마 뒤, 비탈릭 부테린은 당시 여전히 주필을 맡고 있던 Bitcoin Magazine 에서 《DAC 부트스트래핑하기》 란 시리즈 글로 사이좋게 받아쳤었다. 그리고 이 모든 것은 DAO (“The DAO” 따위가 아닌), DAC, DApp 이론들의 시조가 된다.
두사람은 컨퍼런스 같은데서도 자주 마주쳐 의견교환을 자주 하는 그런 사이였다.
비탈릭 또한 DPoS를 비평해온지 오래 됐고, 댄도 비탈릭의 이더리움 스케일링 솔루션을 비평해온지 오래다.
두사람 모두 자산 1조원 이상의 부자가 이미 됐는데 여전히 스타트업 창업자처럼 열심히 일한다. 댄은 맨날 열심히 코딩하고 기술 팀 관리하느라 바쁘다 (키보드배틀도 틈틈히 하고) (연관 있는지는 잘 모르겠지만 살도 많이 쪘다). 비탈릭은 젊은 나이에 부자가 됐는데 여전히 한국에 강연하러 올 때도 이코노미 클래스 타고 온다고 하더라. 둘 모두 부자가 되었지만, 이 세상에 하고 싶은 말은 이제 금방 시작한 것만 같다.
암호경제학에 대해서만큼은 둘의 의견이 좀처럼 좁아질 수 없을 것 같다. 비탈릭은 케인즈경제학파 신도이고 댄은 오스트리아 경제학파의 신도이다. 케인즈학파도 많이 봤고 오스트리아 학파도 많이 봤는데, 이 두 세상의 사람들은 마치 평행우주에 사는 것처럼 의견차를 좁힐 수 없는 것 같더라.
필자는 비탁릭도 좋아하는 편이지만, 댄의 팬이다. 그리고 연관관계가 있는지는 모르겠지만 오스트리아 경제학파의 신도다. 필자는 이더리움 프로젝트라는 실험도 후원하고 있지만 EOS란 프로젝트에 더욱 많은 지분을 할애하고 있다. 두 프로젝트 모두 문샷(Moonshot) 프로젝트이고 실패해야 정상이다(우리 스스로도 종종 하이프에 취해버리지만, 정신을 똑바로 차리자). 성공하면 기적인거다.
Coin holder voting, both for governance of technical features, and for more extensive use cases like deciding who runs validator nodes and who receives money from development bounty funds, is unfortunately continuing to be popular, and so it seems worthwhile for me to write another post explaining why I (and Vlad Zamfir and others) do not consider it wise for Ethereum (or really, any base-layer blockchain) to start adopting these kinds of mechanisms in a tightly coupled form in any significant way.
I wrote about the issues with tightly coupled voting in a blog post last year, that focused on theoretical issues as well as focusing on some practical issues experienced by voting systems over the previous two years. Now, the latest scandal in DPOS land seems to be substantially worse. Because the delegate rewards in EOS are now so high (5% annual inflation, about $400m per year), the competition on who gets to run nodes has essentially become yet another frontier of US-China geopolitical economic warfare.
And that’s not my own interpretation; I quote from this article (original in Chinese):
EOS supernode voting: multibillion-dollar profits leading to crypto community inter-country warfare
Looking at community recognition, Chinese nodes feel much less represented in the community than US and Korea. Since the EOS.IO official Twitter account was founded, there has never been any interaction with the mainland Chinese EOS community. For a listing of the EOS officially promoted events and interactions with communities see the picture below.
With no support from the developer community, facing competition from Korea, the Chinese EOS supernodes have invented a new strategy: buying votes.
The article then continues to describe further strategies, like forming “alliances” that all vote (or buy votes) for each other.
Of course, it does not matter at all who the specific actors are that are buying votes or forming cartels; this time it’s some Chinese pools, last time it was “members located in the USA, Russia, India, Germany, Canada, Italy, Portugal and many other countries from around the globe”, next time it could be totally anonymous, or run out of a smartphone snuck into Trendon Shavers’s prison cell. What matters is that blockchains and cryptocurrency, originally founded in a vision of using technology to escape from the failures of human politics, have essentially all but replicated it. Crypto is a reflection of the world at large.
The EOS New York community’s response seems to be that they have issued a strongly worded letter to the world stating that buying votes will be against the constitution. Hmm, what other major political entity has made accepting bribes a violation of the constitution? And how has that been going for them lately?
The second part of this article will involve me, an armchair economist, hopefully convincing you, the reader, that yes, bribery is, in fact, bad. There are actually people who dispute this claim; the usual argument has something to do with market efficiency, as in “isn’t this good, because it means that the nodes that win will be the nodes that can be the cheapest, taking the least money for themselves and their expenses and giving the rest back to the community?” The answer is, kinda yes, but in a way that’s centralizing and vulnerable to rent-seeking cartels and explicitly contradicts many of the explicit promises made by most DPOS proponents along the way.
Let us create a toy economic model as follows. There are a number of people all of which are running to be delegates. The delegate slot gives a reward of $100 per period, and candidates promise to share some portion of that as a bribe, equally split among all of their voters. The actual N delegates (eg. N = 35) in any period are the N delegates that received the most votes; that is, during every period a threshold of votes emerges where if you get more votes than that threshold you are a delegate, if you get less you are not, and the threshold is set so that N delegates are above the threshold.
We expect that voters vote for the candidate that gives them the highest expected bribe. Suppose that all candidates start off by sharing 1%; that is, equally splitting $1 among all of their voters. Then, if some candidate becomes a delegate with K voters, each voter gets a payment of 1/K. The candidate that it’s most profitable to vote for is a candidate that’s expected to be in the top N, but is expected to earn the fewest votes within that set. Thus, we expect votes to be fairly evenly split among 35 delegates.
Now, some candidates will want to secure their position by sharing more; by sharing 2%, you are likely to get twice as many votes as those that share 1%, as that’s the equilibrium point where voting for you has the same payout as voting for anyone else. The extra guarantee of being elected that this gives is definitely worth losing an additional 1% of your revenue when you do get elected. We can expect delegates to bid up their bribes and eventually share something close to 100% of their revenue. So the outcome seems to be that the delegate payouts are largely simply returned to voters, making the delegate payout mechanism close to meaningless.
But it gets worse. At this point, there’s an incentive for delegates to form alliances (aka political parties, aka cartels) to coordinate their share percentages; this reduces losses to the cartel from chaotic competition that accidentally leads to some delegates not getting enough votes. Once a cartel is in place, it can start bringing its share percentages down, as dislodging it is a hard coordination problem: if a cartel offers 80%, then a new entrant offers 90%, then to a voter, seeking a share of that extra 10% is not worth the risk of either (i) voting for someone who gets insufficient votes and does not pay rewards, or (ii) voting for someone who gets too many votes and so pays out a reward that’s excessively diluted.
Sidenote: Bitshares DPOS used approval voting, where you can vote for as many candidates as you want; it should be pretty obvious that with even slight bribery, the equilibrium there is that everyone just votes for everyone.
Furthermore, even if cartel mechanics don’t come into play, there is a further issue. This equilibrium of coin holders voting for whoever gives them the most bribes, or a cartel that has become an entrenched rent seeker, contradicts explicit promises made by DPOS proponents.
Quoting “Explain Delegated Proof of Stake Like I’m 5”:
If a Witness starts acting like an asshole, or stops doing a quality job securing the network, people in the community can remove their votes, essentially firing the bad actor. Voting is always ongoing.
From “EOS: An Introduction”:
By custom, we suggest that the bulk of the value be returned to the community for the common good – software improvements, dispute resolution, and the like can be entertained. In the spirit of “eating our own dogfood,” the design envisages that the community votes on a set of open entry contracts that act like “foundations” for the benefit of the community. Known as Community Benefit Contracts, the mechanism highlights the importance of DPOS as enabling direct on-chain governance by the community (below).
The flaw in all of this, of course, is that the average voter has only a very small chance of impacting which delegates get selected, and so they only have a very small incentive to vote based on any of these high-minded and lofty goals; rather, their incentive is to vote for whoever offers the highest and most reliable bribe. Attacking is easy. If a cartel equilibrium does not form, then an attacker can simply offer a share percentage slightly higher than 100% (perhaps using fee sharing or some kind of “starter promotion” as justification), capture the majority of delegate positions, and then start an attack. If they get removed from the delegate position via a hard fork, they can simply restart the attack again with a different identity.
The above is not intended purely as a criticism of DPOS consensus or its use in any specific blockchain. Rather, the critique reaches much further. There has been a large number of projects recently that extol the virtues of extensive on-chain governance, where on-chain coin holder voting can be used not just to vote on protocol features, but also to control a bounty fund. Quoting a blog post from last year:
Anyone can submit a change to the governance structure in the form of a code update. An on-chain vote occurs, and if passed, the update makes its way on to a test network. After a period of time on the test network, a confirmation vote occurs, at which point the change goes live on the main network. They call this concept a “self-amending ledger”.
Such a system is interesting because it shifts power towards users and away from the more centralized group of developers and miners. On the developer side, anyone can submit a change, and most importantly, everyone has an economic incentive to do it. Contributions are rewarded by the community with newly minted tokens through inflation funding. This shifts from the current Bitcoin and Ethereum dynamics where a new developer has little incentive to evolve the protocol, thus power tends to concentrate amongst the existing developers, to one where everyone has equal earning power.
In practice, of course, what this can easily lead to is funds that offer kickbacks to users who vote for them, leading to the exact scenario that we saw above with DPOS delegates. In the best case, the funds will simply be returned to voters, giving coin holders an interest rate that cancels out the inflation, and in the worst case, some portion of the inflation will get captured as economic rent by a cartel.
Note also that the above is not a criticism of all on-chain voting; it does not rule out systems like futarchy. However, futarchy is untested, but coin voting is tested, and so far it seems to lead to a high risk of economic or political failure of some kind – far too high a risk for a platform that seeks to be an economic base layer for development of decentralized applications and institutions.
So what’s the alternative? The answer is what we’ve been saying all along: cryptoeconomics. Cryptoeconomics is fundamentally about the use of economic incentives together with cryptography to design and secure different kinds of systems and applications, including consensus protocols. The goal is simple: to be able to measure the security of a system (that is, the cost of breaking the system or causing it to violate certain guarantees) in dollars. Traditionally, the security of systems often depends on social trust assumptions: the system works if 2 of 3 of Alice, Bob and Charlie are honest, and we trust Alice, Bob and Charlie to be honest because I know Alice and she’s a nice girl, Bob registered with FINCEN and has a money transmitter license, and Charlie has run a successful business for three years and wears a suit.
Social trust assumptions can work well in many contexts, but they are difficult to universalize; what is trusted in one country or one company or one political tribe may not be trusted in others. They are also difficult to quantify; how much money does it take to manipulate social media to favor some particular delegate in a vote? Social trust assumptions seem secure and controllable, in the sense that “people” are in charge, but in reality they can be manipulated by economic incentives in all sorts of ways.
Cryptoeconomics is about trying to reduce social trust assumptions by creating systems where we introduce explicit economic incentives for good behavior and economic penalties for ban behavior, and making mathematical proofs of the form “in order for guarantee X to be violated, at least these people need to misbehave in this way, which means the minimum amount of penalties or foregone revenue that the participants suffer is Y”. Casper is designed to accomplish precisely this objective in the context of proof of stake consensus. Yes, this does mean that you can’t create a “blockchain” by concentrating the consensus validation into 20 uber-powerful “supernodes” and you have to actually think to make a design that intelligently breaks through and navigates existing tradeoffs and achieves massive scalability in a still-decentralized network. But the reward is that you don’t get a network that’s constantly liable to breaking in half or becoming economically captured by unpredictable political forces.
The Limits of Crypto-economic Governance
Vitalik recently made claims that Delegated Proof of Stake (DPOS) results in rule by plutocracy (government by the wealthy). He then goes on to argue for governance by cryptoeconomics, the use of economic incentives and cryptography to govern.
My entire mission in life is based upon finding crypto-economic solutions for securing life, liberty, property, and justice for all. Vitalik and I are fundamentally striving for the same end goal: minimizing corruption and maximizing freedom in society. The primary difference between us are our fundamental assumptions.
There are three incontrovertible premise upon which I base my work:
- The vast majority of people have good intentions
- You cannot prove a negative
- There is no such thing as a closed economic system
Vitalik is looking for a cryptoeconomic blackbox that assumes you cannot rely voting whether by stake (plutocracy) or by individual (democracy). This blackbox needs to dispense candy for good inputs and electric shocks for bad inputs. The premise is that if we could only put the right algorithm inside the box then man can be free from rule of the wealthy. Vitalik is looking for the preverbal Dues ex Machina (God from the machine) to save mankind from its own tragic corruption.
I, on the other hand, am looking to create tools to be used by competing groups of good people where at least 2/3 are honest. I believe people are fundamentally good. Let’s look at the practical reality. The more effective a group is at maintaining its integrity as it grows, the larger the group will grow. The more corrupt a group is the faster it will die. Creating tools for competition in the free market recognizes the reality of open economic systems which is the foundation of true decentralization.
Blockchain as a Radio Station
A blockchain can be viewed as a radio station that everyone in the world subscribes to and records. On this radio station anyone can broadcast cryptographic statements and everyone will process these statements via a deterministic state machine to arrive at consensus.
The challenge we all face is determining which radio stations we care about, who gets to broadcast, and when do they get to broadcast.
Proof of Work systems as used by Bitcoin and Ethereum rely upon the loudest transmitter. Those with the most money have the power to broadcast over everyone else. Those without access to the physical resources to broadcast (power generation and transmission towers), must buy the air time from those with the resources. Furthermore, those with 51% of the transmitter power can jam those with 49%. This is rule by plutocracy.
Proof of Stake systems give each person a percentage of the air time proportional to the amount of stake they have. This eliminates the need for a massive power station to override everyone else’s signal, but still requires you to have the ability to operate your transmitter 24/7 so it is ready to transmit when the time arrives. Those without the technological ability to operate a transmitter must buy airtime from those with ability. Those with 51% of the stake can ignore those with 49%. This is rule by plutocracy.
Delegated Proof of Stake systems give each stakeholder the power to vote for the people who control the transmitter. This voting process is also stake weighted, but due to the nature of approval voting simply having a large stake is not sufficient to guarantee you some control over the transmitter. You must have approval by the majority of the voting stake to have control over the transmitter, this is a significantly higher threshold of approval than pure proof of stake. Unlike, pure Proof of Stake, it is possible for the voters to create a system where airtime cannot be purchased, but where the elected transmitters are expected to give everyone their fair share of air-time based upon their stake.
There is a clear separation between those with control of the transmitter and those with stake and no one gets monopoly power to charge bribes to use the transmitter. Attempts to take bribes (fees) will result in loss of community support and removal. Stakeholders who support the corrupt transmitters can also be removed from the community.
Limits of Crypto-economic Governance
Cryptography can only be used to prove logical consistency. It cannot be used to make subjective judgment calls, determine right or wrong, or even identify truth or falsehood (outside of consistency).
The goal of all consensus algorithms is to determine the order of events. Due to the limits of speed of light and space time, every person will see events in a unique order. Two events generated at the same absolute time will be perceived at two different times depending upon how far away they originated. This means that all consensus depends upon selecting certain people to testify to an order of events. These people can be the ones with the largest transmitters, the ones with the most stake, the ones with the most stake-weighted votes, or the ones with the most democratic votes. They could be a benevolent notary, a committee, or any other group that people can agree on.
The one thing that cryptography will never be able to prove is censorship. You cannot objectively prove that someone received your message unless said person cooperates by generating a cryptographic proof. Therefore, you cannot punish them for failing to include your transaction using objective cryptographic proofs.
This has HUGE implications for the design of Ethereum’s scaling solutions which rely upon cryptographic “challenge periods” during which “proof of bad behavior” can be submitted. The proof must first get approval of the radio transmitter or it will never be factored into consensus. If the radio transmitters are corrupt, then they can simply ignore the cryptographic evidence. Someone attempting to steal all the funds from a side-chain could simply bribe the transmitters with 50% of the take to censor a challenge proof. There would be no objective proof of the censorship and no way to slash the transmitters using crypto-economic means within the system.
Reliance on Strong Artificial Intelligence
If you are unwilling to trust any group of people to make judgments over subjective matters, then that implies that you are relying on artificial intelligence. This intelligence needs to be programmed with some definition of “right” and “wrong” and that definition must be measurable. Unless the AI system is omniscient, it must derive its conclusions from the potentially byzantine subjective inputs of individuals.
No Closed Economic Systems
The heart of cryptoeconomics is the ability to impose an economic gain or loss on an individual based upon cryptographic evidence. For such a system to work it must have cryptographic proof of the an individual’s internal and external positions, an impossibility. For example, in bond-weighted voting the assumption is that a person will be truthful for fear of losing their bond. The reality is that it is not possible to “prove” the economic exposure of an individual because they might have more to gain or lose outside the system than inside.
Vitalik and I are both attempting to solve some very challenging problems in human governance. I have chosen to recognize certain realities regarding the limits of objective proofs and accept reality that each community might have its own definition of “right and wrong” which can only be measured by a poll of the subjective opinions of community members. The true goal is to lower the barrier to entry for the creation of new communities and allow free market competition to reward the most effective communities and punish the most corrupt.
The only way to maintain the integrity of a community is for the community to have control over its own composition. This means that open-entry systems built around anonymous participation will have no means expelling bad actors and will eventually succumb to profit-driven corruption. You cannot use stake as a proxy for goodness whether that stake is held in a bond or a shareholder’s vote. Goodness is subjective and it is up to each community to define what values they hold as good and to actively expel people they hold has bad.
The community I want to participate in will expel the rent-seeking vote-buyers and reward those who use their elected broadcasting power for the benefit of all community members rather than special interest groups (such as vote-buyers). I have faith that such a community will be far more competitive in a market competition for mindshare than one that elects vote buyers.