a16z Podcast - a16z Podcast: Voting, Security, and Governance in Blockchains and Cryptonetworks
Episode Date: February 10, 2019
with Phil Daian (@phildaian) and Ali Yahya (@ali01)
Whether in corporations, boardrooms, or political elections, voting is something we see in all kinds of social systems... including blockchains. It's the natural human tendency for how to organize decisions, and in distributed systems without centralized middlemen, it's the only clear Schelling point we can come up with. But too many people design voting mechanisms in distributed systems in isolation -- sometimes naively "porting over" assumptions from the real world or from simple cryptoeconomic models without thinking through the economic adversaries present in a larger, more rational (vs. "honest") game-theoretic system. So how are blockchain systems different from real-world paper and electronic voting systems? How can such systems be gamed, and what are the implications for cryptoeconomic security... as well as the governance of distributed organizations? This hallway-style episode of the a16z Podcast covers all this and more. Recorded as part of our NYC roadtrip, it features Cornell Tech PhD student and software engineer Phil Daian, who researches applied cryptography and smart contracts -- and who also wrote about "On-chain Vote Buying and the Rise of Dark DAOs" in 2018 (with Tyler Kell, Ian Miers, and his advisor Ari Juels). Daian is joined by a16z crypto partner Ali Yahya (previously a software engineer and machine learning researcher at GoogleX and Google Brain), who also recently presented on crypto as the evolution -- and future -- of trust.
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. 
While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/. Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. 
Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.
Transcript
The content here is for informational purposes only, should not be taken as legal, business, tax, or investment advice, or be used to evaluate any investment or security and is not directed at any investors or potential investors in any a16z fund. For more details, please see a16z.com/disclosures.
Hi, everyone. Welcome to the a16z Podcast. I'm Sonal. Today's episode is all about blockchain-based voting systems, which has implications for crypto-economic security and
for governance. Especially when you think about the differences, both good and bad, between real
world and online systems for coordinating groups of people to vote on something, whether it's
a decision in a boardroom or an election or anything else. This episode was recorded as part
of our New York City podcast Road Show, and so it features Phil Daian, a PhD at Cornell Tech,
working with Ari Juels there. His research focuses on broad questions of security of distributed
systems, specifically blockchains. He also wrote a post last year with Tyler Kell, Ian Miers,
and Ari Juels, "On-chain Vote Buying and the Rise of Dark DAOs." Joining Phil in this hallway
style jam to discuss these topics is Ali Yahya, who was previously a software engineer and machine
learning researcher at GoogleX and Google Brain. He also gave a talk at a16z Summit on
crypto and the evolution of trust, which you can find on our website. And he's a partner on a16z
crypto. Speaking of, please note that the content here is for informational purposes only,
should not be taken as legal, business, tax, or investment advice
or be used to evaluate any investment or security
and is not directed at any investors or potential investors in any fund.
For more details, please also see a16zcrypto.com/disclosures.
The conversation that follows covers ways in which blockchain systems
are different from real-world voting systems,
ways the system can be gamed and what that means for security,
as well as possible solutions, and more importantly questions,
all blockchain system designers should think about
instead of making naive assumptions.
But first, Phil and Ali began by very briefly
summing up the issues in real-world elections
and electronic voting systems.
The first voice you'll hear is Phil's, followed by Ali's.
So one challenge people have seen is straight up hacking.
Of course, if there's electronic voting in use,
just tampering with the integrity of the election itself
or the integrity of the registration.
Another challenge that people have been worried about in the past
is vote buying and selling.
So if I want you to vote a certain way, maybe I directly bribe you to do so, or maybe even in the current system, I can indirectly do it.
But it's very difficult to bribe someone in person and sort of understand how they're going to act in an election.
Yeah, you have this great example of how if the price of a vote is a beer and you take me out for a beer and say, Ali, I want you to vote for X candidate, I can drink your beer and then go to the poll and like submit whichever ballot I want.
You have no real mechanism to enforce my vote in one way or another.
And you then point out how this is not so much the case when you go to the world of electronic voting.
Yes, the price of the vote as a beer is actually kind of realistic.
Like, vote buying in general is empirically pretty cheap for two reasons.
Number one, it's actually the poorest and least advantaged people that are the most inclined to sell their votes.
And number two is most people are disinterested in most elections.
So this actually makes vote buying pretty cheap.
And in electronic voting, this is a big problem because with many electronic voting protocols, you can actually tell at the end of the protocol how someone voted.
So it becomes much easier for me to bribe you because I can just say, essentially, I'll give you a beer if I check afterwards and you voted with my candidate rather than sort of trusting you to go in the polling booth and make the right decision where socially I can't follow you into that booth and look over your shoulder.
Exactly.
Yeah, you point out how in the world of human voting, there are three things that tend to make vote buying a little bit more difficult,
and it's the inefficiencies of the human world that actually work to your advantage here.
So the first is that in the human world, it's a crime to buy votes and that itself kind of can serve as a deterrent, which doesn't really exist so much in the jurisdictionless crypto world.
The second one was that ballots tend to be cast in secrecy, so there's no way for me to produce a proof that I voted in one way or another, which makes the buying of the vote difficult to enforce.
And the third one you mention is that if you tell me that you're going to pay me in the future for voting one direction or another, I have a hard time.
you that you will actually, in the end, pay me. And so there's sort of counterparty risk.
And so in the same way that sort of blockchains mitigate trust and improve coordination
for good purposes, they can also be used to improve coordination for sort of malicious
purposes, in this case, vote buying. So it's like a double-edged sword. Blockchains can be
used to increase the efficiency and effectiveness of bribery and vote buying. Yes.
In the traditional world, there's been a long line of academic research.
So very early on, people said we want to vote electronically.
It'll make tallying cheaper.
It can maybe use cryptography to increase the integrity of our elections, so we don't rely on
these pieces of paper sort of with this weird chain of human custody and things like that.
But early schemes sort of suffered from this receipt property where I could produce a proof
that, like, here is the outcome and here is what I actually voted to lead to this outcome.
So there was a wide range of work early on on how to sort of solve this issue and create
voting schemes that are receipt-free, which means that after the fact I cannot produce a
receipt or a proof to tell you which way I voted, and it's sort of equally likely from your
perspective that I voted in any direction. Later work sort of said that this is not strong enough.
Essentially, the high level is if you're looking over my shoulder electronically, like you have
a virus on my computer or you're just physically looking over my shoulder, at the time that I'm
voting, even receipt freedom is not enough because you might be able to see in real time the
direction in which I'm voting and enforce my vote that way. So that led to an even stronger
property called coercion resistance, which is that even if you compromise me for some
period of time, you still are not able to get me to vote a certain way in a way that you can
trust. Yeah, that's very interesting. So let's connect this to sort of the blockchain world.
These questions of electronic voting have existed for decades and predate the world of
blockchains and crypto networks. But now there's like a resurgence of research in this direction
because so many blockchain and crypto network projects want to use on-chain voting for all sorts
of purposes. So, I mean, in blockchain networks in general, you often need to make decisions. That's
like part of the attractive point of blockchains, that it makes coordinating group decisions
among actors who don't trust each other a little bit easier. And to make these decisions,
sort of a natural response is just vote, right? That's something you see in the real world. It's
something you see in corporations with stockholders. It's something you see in boardrooms. It's something you see
in political elections and all sorts of other social systems. So it's just, I think, a natural
human tendency when asking sort of how to organize these things, that voting is the only
real clear Schelling point answer that we can come up with. So I think an important distinction
on why this stuff really matters in the blockchain world is that the blockchain world and
the real world don't operate in the same models. If you're going to a boardroom with someone,
you're sitting next to the person, right? We're sort of operating in this model of social
honesty where people can see each other face to face. And you have shared interests in the
company, you sort of know their history at least somewhat. Whereas in blockchains, you're
operating in an economic, sort of an economically rational game theoretic model. So you need
much stronger guarantees from your systems. Your systems need to be strong even in the presence
of economically motivated adversaries. And they need to be secure assuming people are rational
rather than honest. So we don't get to lean on this sort of honesty that we have in the real
world in blockchains. And I think that's where a lot of the mechanisms that people try to sort
of port over naively break down. Right. And this is especially important because in most of the
crypto networks that are actually interesting, the model is one where anyone can participate,
and people refer to this as the permissionless setting, and that anyone can connect to the network,
anyone can sort of participate in the decisions that are made through the governance processes
of the crypto network, which makes the environment a very hostile one, because anyone anywhere
can opt to participate, and they have an economic incentive to do so, because if they can
game the system, or if they can sort of subvert it in some way, then they could potentially profit.
Exactly. When Satoshi released his white paper in 09 and academics first started looking at Bitcoin and its success in its rise and asking like what is actually the interesting lesson to be learned here from what we've been doing for the last 20 years, there was a whole space of consensus protocols and Byzantine fault-tolerant protocols that came to consensus on something even in the presence of malicious users. But what was really new about Bitcoin is that it let anyone join and leave the network at any time. And these people didn't need to ask the people who are already participating in the network
whether they can join or not. So in most consensus protocols, you have a sort of quorum that's
coming to decisions. And if you want to join, you need to ask the quorum to join because the quorum
needs to agree on who's in the quorum. So they need to sort of come to consensus on the fact
that you're allowed to join. Whereas in something like Bitcoin, if you want to start mining
Bitcoin, you just turn on your rig. And as soon as you succeed, people will accept that
mathematically. They don't need any sort of membership proof or anything like that. What I think is
relevant to voting is that fundamental to the permissionless model if you're going to use
cryptography, which all blockchains do, is that if I can join and leave at any time, I need to be
able to, like, generate my own key and join at any time. Right. I mean, the uses of,
uh, on-chain voting, or voting within, uh, blockchain projects range all the way from
setting the parameters, like some parameter in the protocol that may be, maybe something minor,
kind of like the price of gas, for example, all the way over to like sort of some intermediate level
where people use governance and voting to decide how to allocate funds.
And then this goes all of the way over to actually deciding how to change the protocol itself.
So there are projects that are sort of self-amending and that they use governance as a way of proposing updates to the protocol and then deciding on which updates should go through and which updates should not.
And so the stakes are high and that if you have a governance system that can be gamed, then all of these use cases may end up being vulnerable to that kind of attack.
One way of thinking of governance that I quite like that I think was proposed by Vitalik
is the coordination model of governance and that really all governance decisions are, in
essence, a way of coordinating collective action.
He talks about how there are multiple layers to governance, right?
The bottom layer is like what's closest to the real and physical world.
Yeah.
So maybe let's go bottom up on everywhere you have voting in blockchains.
At the very base level, all consensus mechanisms are a vote.
So proof of work itself is a form of voting on which block
is valid and which history is accepted by the network.
So you have voting at that layer.
Then that half layer up, like you said, is this governance layer of how do blockchains actually
change their underlying code and respond to attacks or new situations or new technology
or whatever it may be.
Traditionally, this has sort of gone with the fork model where you just sort of spin up
new code and try to lobby everyone to just run this new system instead of the old one.
This model has seen a lot of political strife, a lot of inefficiency, a lot of sort of lobbying
and traditional politics-like nastiness in the blockchain space.
You can look at the Bitcoin block size debate,
whether to change the one to a two,
which spawned like a year-long rift between the communities
that ended up in like several summits and agreements
and eventually a permanent split.
So some people look at that and say,
maybe we can make this more efficient by just using voting
and allowing the coin holders to express their preference
and sort of just going with that.
And then another layer up from that,
you have the application layers like you were saying.
So these are your DAOs, these are your smart contracts that want to use voting to make decisions.
They could be, for example, on how to allocate funds.
They could be on how to change parameters within their own smart contract.
So you really have voting throughout the blockchain stack.
A lot of projects are using it, and it has a very sort of wide impact as a general problem.
So one observation that comes out of all of this is that today's governance systems and sort of
blockchains and crypto networks, the way that they exist today will likely devolve into
plutocracy simply because the mechanisms for vote buying are so effective, as you've described.
And some proponents of on-chain governance will argue that plutocracy may not actually be that
bad of a thing. They may be a bad thing for democracies, but not so much for blockchains.
In the blockchain world for a crypto network, it's not so much a bad thing because it's,
in a sense, incentive-compatible, at least at a surface level. If they are voting using their
coins for any one upgrade to the protocol, they will want to
vote in the interest of other people who also hold the coins in the interest of the network
because they own it and they have a stake in it. And also their incentive to protect the network
is proportional to how many coins they own. So like larger voters or stakeholders who have more
coins in the network, have an even greater incentive to protect the network. What are your
thoughts there? So I think every blockchain project should take a step back and ask, do we want
plutocracy? Do we want vote buying in our system? And what are the consequences of that? For many of them,
maybe it's more acceptable than for others.
For example, if you have like a small, closed sort of contract that has a few shareholders,
something like an investment firm, and you have like one guy who decides whether people get in or not,
maybe you're not so concerned about vote buying in that kind of a scheme.
Or if you have even like some sort of closed setting where you can say things about the participants,
maybe you're not so concerned about vote buying.
In a wider system where, let's say, the whole world is participating in it eventually,
I think the fundamental point is that most people are disinterested in
most votes, and the utility they get from the system is not directly sort of correlated with
whether they vote A or B on this given issue. Nonetheless, there are certain groups of people
who are extremely interested in whether people vote A or B on a certain issue, and these
are often pretty moneyed groups. So in this way, that kind of governance does sort of degenerate
into plutocracy. And if that's acceptable for your system, that's fine. I think for many systems,
it's not. You need to care about these attacks, and you need to reason about why your system is
secure against this and why your system actually doesn't degenerate to plutocracy. People have
tried to get around this in two ways in blockchains. The first one is they add some sort of
identity. So they have a third party service that like you send your cell phone number or something
like that and it sends you a text and sort of anti-Sybils you that way. And then you're able to
participate in a vote. So at least you can you can sort of attach some entity to the person and
then count votes per entity rather than per coin. This actually still degenerates into plutocracy
because of the way the Dark DAO works,
because as long as these identities are keys
that people can sort of generate at any time,
they can be bought and sold
and using the Dark DAO model,
and you can essentially sell people like the right to your identity,
or you can sell people the right to a certain vote
using your identity or even more specific things than that.
So that kind of doesn't work,
unless you have a strong social protection
where the person has to come in very often
and the network sort of authenticates
that they're human or something like that.
That becomes very complicated and steps much more
into the messy world of real world elections
and maybe doesn't work for a global blockchain
community. Another way people
have tried to get around it, which also
kind of requires identity, is this new line of work
by Vitalik, Glen Weyl,
and a few other people, which is quadratic
voting, where you actually allow vote buying,
so you allow people to buy votes,
but only at an exponentially increasing
price. And this may kind of look like
plutocracy because you're allowing people to buy votes,
but if you actually do the math on the incentives,
it turns out that through this increasing
function, essentially people will express their true preferences in the end.
And one rich person who really cares about A versus B won't be able to sort of overwhelm a
disinterested majority that weakly prefers A, and maybe each don't have as many funds as that
one individual.
So this fixes some known pathologies in real-world voting systems and also blockchain voting
systems.
But it does require identity, and it's extremely vulnerable to manipulation.
If this one rich person can pretend that they're two rich people or something like that,
the gig is sort of up.
and that's what these new coordination mechanisms allow.
Yes, I think this dependence on identity that you are pointing out is very important
because, as you pointed out, anyone can pretend to be more than one person.
They can generate 10 different sets of key pairs or hundreds of sets of key pairs
and pretend to be hundreds of people.
Yeah, and the only thing you can do is weight by coins, basically.
Exactly.
In that world, you end up with unfair representation if you're trying to assign a single vote to a key pair.
So proponents of on-chain coin holder governance, which means that
one coin gives you one vote, will argue it's at the very least Sybil resistant,
which means that if you have like 10 million coins staked on one particular vote, they're
basically used to vote for one particular outcome. It's very hard to argue that those 10 million
coins come from trolls that are trying to sway the election because there's real weight and
real capital that's staked in one direction or another. Whereas if you're not using
coin voting, then that becomes more possible. And so if you have a mechanism for identity,
wherein you securely associate one human to one vote or something like that,
then more sophisticated voting schemes become possible.
I think today, because we lack that kind of a mechanism,
people end up gravitating towards this simple and somewhat, perhaps somewhat naive,
one coin, one vote model, which is vulnerable to this vote buying attack.
Yeah, and this opens up a range of other issues.
So one problem that people have when they analyze blockchain systems
and they sort of design these mechanisms
is that they look at their mechanism
and reason about its security properties,
but they do that in isolation.
And an important point is that none of these systems
really exist in a vacuum, right?
So take a look at any sort of blockchain
that uses coinholder voting
to decide the outcome of its consensus rules.
And there's at least two such blockchains
that are sort of using this model.
If these two very large projects
are approximately the same size,
or one is a little bit bigger than the other one,
or one is twice as big as the other one
or something like that,
it's in the economic interests of everyone who holds coins in the bigger project to buy up coins on the smaller project and influence votes in ways that are sort of counter-competitive.
And maybe even if they can't buy up enough of a block to influence votes, they can sow chaos and confusion and things like that.
So while one of these systems, you may say in isolation, like, okay, the coin holders' interests are represented by this plutocracy, that doesn't really work when you have a whole world around it that's full of money that can frictionlessly enter and exit the system at
any time. There's no guarantee whatsoever that the people who are economically in right to second
have an interest in that system, especially when there are much bigger systems that are competing
with it. So I think that's a very important point that people overlook. And again, we mentioned
that there's this sort of stack of voting, even at the consensus layer, that has implications on
the whole stack. So if you have a fork that's like 10% of the size of a project, and this fork
could potentially impact the price of the larger project, it's absolutely in the interest of that
larger project to launch attacks on that base layer proof of work vote
and do things like censorship, use some small percentage of their hash power to do 51%
attacks or denial of service or whatever they need to do to make sure that that network goes down
in price. And that attack might even be profitable, especially if there are mechanisms to short
that sort of smaller project. Yeah, that's a very good point. I think most proponents of
coinholder voting would argue that it is just not in your interest to sell your vote because
you'd be damaging the value of the asset that you hold. And you hold a coin. And if you sell,
if you sell the votes associated with that coin,
and that might reduce the value of the coin
in some way that sort of results in a net loss for you.
But that analysis happens entirely in a vacuum.
It happens sort of assuming that there aren't any kind of external mechanisms via
which you could profit from the loss of value of this particular coin.
Like, for example, what you're mentioning,
competition between blockchains.
If I'm a stakeholder, a much larger stakeholder in a competing network,
then I might have a strong interest in reducing the value of this particular coin
that's associated with this one competing crypto network
because it may result in a larger profit outside of the system.
And so I think, yeah, the incentive structures that are built in aggregate
tend to be far more complex,
and they kind of interact in ways that tend to be difficult to analyze
and could result in complexity that could ultimately result in attacks.
In your post, you talk a little bit about what you refer to as the dark DAO,
which sounds like a fairly dark picture for what could end up being the case.
In your view, what is the worst case in our case
here? How could this unfold in a bad way? Yeah. So there's a lot of different variants of the
Dark DAO, which have different assumptions in the post. Some of them require trusted hardware.
Some of them don't. But the ultimate point of the Dark DAO is that it's a private smart
contract for attacking a vote, for vote buying, that essentially hides from the rest of the
world how much money is committed to this contract, who is participating in the vote buying
contract, and sort of how far along the contract is. But sort of is a way to frictionlessly
and permissionlessly form a vote-buying cartel for a particular vote. And this
could be sort of a funding pool, anyone can come contribute money to it. So if it's outcome
specific, it could be funded by anyone who's interested in such an outcome, whether it be
other blockchain projects, users on the system, outside groups, whatever it may be. So once this
dark DAO is funded, what it does is sort of offer up vote buying to people in the system. And if
people in the system come take this vote buying, they retain access to their funds, they keep using
their wallet as they normally do, but they're sort of shackled by the dark DAO, that for this
particular vote, they can only vote in this certain way. And this is trustless because both
sides have some guarantees. So the vote buyers or vote buying network or whatever it may be has
guarantees that potentially no one will find out who's being bought or sold and how much money
is pledged to it. They're guaranteed that if they pay for a vote, this vote will actually be
executed in the protocol, even if the protocol does have the classic properties of coercion
resistance. Another sort of sidebar of the dark DAO is that trusted hardware, which is a new
technology, sort of breaks all classical coercion resistance voting schemes in the blockchain world
and in the regular election world.
So once they launch this attack
and they start buying and selling people's votes,
they have a number of options available to them.
One cool thing you can do
is you can tell everyone in the cartel
when a certain threshold is reached.
Let's say when like 70% of the,
or 10% of the votes are locked into this DAO.
And you can do this in a way that's deniable,
such that everyone inside the cartel can check,
yes, 70% is reached,
but no one outside the cartel
has any way of knowing
that this is actually reached.
So you can enforce an information asymmetry
that allows for profiting through things like shorting.
You can also enforce stronger information asymmetry,
so not even allow the people who are being bribed
to know at any time how much money is in it
or even potentially whether they voted at all
if the scheme is receipt-free.
So it's a very, very powerful class of attack.
You can spin it up however you want.
It allows people to pool their money
and buy votes in a way that they can keep any part of that secret
to any group of people that they want,
and the outside system has no way of knowing
sort of how far along the attack is.
In some ways, it also represents a credible threat.
If I were to launch a Dark DAO, I might not even need to necessarily have people participate in it.
Just its existence might be enough to shake people's confidence in that underlying vote.
So when we published that blog post, we've had a lot of reactions from voting projects and other people in the space.
And I think there is a good question of why haven't we seen this already.
But at the end of the day, these systems are tiny, right?
Blockchains today are a drop in the bucket of, like, the world financial system.
And the incentives just aren't there yet.
But if we are to use these technologies and if we are to scale things, I think these are absolutely
realistic scenarios and potentially nightmare scenarios.
Yeah, that sounds insane and that's definitely an outcome that is to be prevented.
And I think, I mean, this matters because if we just take a step back and think about why is
governance so topical and so important in the world of crypto and blockchains today.
It is because so much of what drives the space forward and what is sort of the underlying
philosophical motivation is that power over these networks is decentralized.
And so decentralization here refers to a bunch of different things at the same time.
Like, people talk about decentralization as it refers to sort of consensus, like who gets
to, who gets to decide, like, who modifies the underlying ledger, but also decentralization
applies to who gets to modify the code.
These networks are decentralized in that they're kind of like self-governing organizations,
and they don't have, at least philosophically, any central points of control where any one
individual can decide how to sort of modify the code or make it work in any particular way.
And so all of these initiatives
to try to build in governance
into the protocols
are an effort to try to sort of
decentralize even that aspect
and to try to make it so that the code itself
can evolve in a way that is still community driven
and not kind of centrally controlled
by the core developer team.
Yeah, I think the promise
of a lot of these systems
is sort of this crypto economic security, right?
You have this mechanism
and because the mechanism works
and the incentives are set up right,
everyone comes together harmoniously
and produces something that is bulletproof and very strong because of the incentives and the mechanism.
An example of this is Bitcoin. Because of the money paid to miners, people are burning a small
country's worth of electricity to try to secure this transaction ledger that has actually worked
fantastically so far. So when you design these systems, there needs to be some sort of underlying
mechanism and some sort of reasoning about the security of that mechanism. But what these technologies
like the Dark DAO and private smart contracts allow you to do is use external money to sort of alter
the incentives inside that game and alter the security properties that people are actually getting
from their project in a permissionless and trustless way. So this does sort of speak to the fundamental
coordination of blockchains, right? Like how do we design these games to coordinate people to make
choices in a way that's not controlled by one particular individual, as you said, or some social
trust hierarchy, but by the economics of the system itself? And in that model, if you can't be
secure against economic attacks, then you're sort of building something that doesn't make much
sense, in my opinion. And so I guess that's a lot of what my work is looking at.
Right. What do you think are the implications of vote buying on proof of stake?
So proof of work is where people use hardware to sort of solve hard problems. And if they
solve the problem, then they can post a block to the network. Rather than using this mechanism,
proof of stake allows people to vote using their coins. So they lock up their coins for some
long period of time. And they can use any number of protocols to do this.
The core idea here is that instead of proof of work where the economic security you get is because people are doing this useless computation problem that is sort of burning money and there's some costs associated with doing this, is that people are paying liquidity costs to lock up these coins for a long, long period of time, and they're also taking risks that they may incur penalties if they misbehave in the protocol.
And with these liquidity costs, they're taking like massive volatility risks in cryptocurrencies, right?
So if they do something that crashes the system, well, their coins are locked up and they're going to lose money.
If the network decides they misbehaved, well, they can get rid of all their coins and they're going to lose money.
So it's this idea of bootstrapping the economic security of the network from the coins rather than from some external hardware source.
Obviously, that comes with a lot of tradeoffs that are maybe beyond the scope of this discussion.
But at the end of the day, it's also a voting protocol.
You have these people with coins, they decide how to vote.
So where does vote buying come in here?
Well, obviously, this proof of stake protocol has an outcome.
It decides what history of the network is valid.
And this outcome has all sorts of economic implications.
It decides who gets to send money to who.
It decides who is censored in the system.
It decides what order transactions happen in canonically, according to everyone in the system.
And with that comes a lot of profit opportunity.
So I can potentially profit by censoring you, or I can profit by putting my transactions in front of yours when you want to execute an order on a decentralized exchange,
or I can profit in sort of any number of different ways by manipulating this vote.
So what you can do with the dark DAO is to start a staking pool where I say, like, you know, let me do my algorithmic trading,
decide what order of transactions makes me the most money. You don't necessarily care if someone
who's doing a transaction on a DEX gets front run and loses like $5, right? So you say, okay, I'll
happily participate in this. It'll still keep the value of my coins high, especially if I don't
have a lot of coins, and you're paying me like twice as much as any other staking pool.
So it sort of opens these coordination mechanisms for attacks on the underlying transaction
history and the underlying consensus. Do you think that there's a way of making a proof of
stake network secure? It depends on your definition of secure. I think it really, it really
depends on the type of security you want, I guess.
Yeah, and this all gets to the broader question of like economic security of a blockchain.
And in the case of proof of stake, the resource that's used to secure the blockchain is internal to the network.
In the case of proof of work, it's sort of electricity and, like, hardware that's used external to the network to secure the ledger.
And there are many other kind of approaches.
Like people are experimenting with doing useful work.
Instead of burning electricity uselessly as you do in proof of work, people try to build a sort of proof of, like,
space or proof of spacetime protocols where, like, for example, you're able to store files
and storage becomes the resource that people use to then secure the network.
What do you think of that kind of approach?
So fundamentally, to vote buying, it doesn't actually matter what resource you're using.
Vote buying works for proof of work, too.
Right.
So I could use dark DAO-like technology to start the mining pool.
And the properties of the mining pool would be, you come, you mine here.
I'll pay you more than we're making because I have some external incentive to censor someone
or reorder transactions or whatever.
And then you get the dark DAO privacy properties of no one knows how much hash power is participating in this pool or who's getting paid or things like that.
So these certainly also apply to systems that use things like files and other useful work properties.
I think there's a whole class of other questions on the economic security of those systems.
So you have to be really careful about where the economic security comes from.
I think you have to be really careful with what useful means whether the fact that it's useful also introduces any external incentives to mess with it, right?
So you could imagine, like, if the useful thing the network was doing was like powering a search engine or something, right?
Those results are valuable and they bring external actors in who want to manipulate that.
And there's sort of this feedback loop between the mechanism securing the protocol and the utility of what the protocol is actually providing.
Right.
But there's definitely some people in the community that look at that and say, this is all way too complicated.
This is never going to work.
You have to have it be useless because there's no external incentives and messy things that way.
Yeah.
I personally think that's an open question.
Yeah, there's this argument that people make that if the resource that is used to secure the network is very commoditized and just generally exists in the world in sort of plentiful quantities, that for example, the case of storage, your storage is the resource that's used to secure the network, then anyone with a bunch of storage could presumably attack the network.
Whereas in the case of a network, like say Bitcoin, where you have ASICs that are specific to the network.
In order to attack the network, you have to get your hands on those ASICs and those ASICs aren't useful for anything but mining Bitcoin.
So people would argue the security of that kind of, the economic security of that kind of
model is better.
Yeah.
And Joe Bonneau has a fascinating line of work on these problems.
So if you Google Goldfinger attacks, he has a paper and a presentation.
There's also the question of like buying versus renting.
So if something is very commoditized, you may be able to rent it, which substantially
subsidizes the attack.
You may be able to buy it, perform the attack, and then resell it into the commodity market,
which again, substantially subsidizes the attack.
So these are all open and very complex questions.
But people will build the systems and we'll see. This is sort of a classic pattern you
see in traditional finance. And then you'll have sort of black swan and tail risk like events
that surprise people. So we've talked a lot about governance in general, but you obviously are
working on a ton of interesting stuff too, generally with respect to economic security for
cryptocurrency and blockchain, just computer security. What are some of the other interesting
ideas or sort of lines of work that you're exploring? So one that I'm extremely personally
interested in is fairness guarantees for users around these systems. A lot of what attracted me to them
in the first place was this promise of sort of eliminating the middleman and making things in control
of the user. Like be your own bank. You don't need these institutions to tell you how to set your money
supply or how to route your transactions or what exchange to use, etc., etc. I look a lot at those
guarantees and sort of the ways in which modern blockchain solutions are failing to meet those
guarantees. So one example of that is in the decentralized exchange space. That's something
that's seen a lot of promise from people who want to build these exchanges that aren't
vulnerable to hacks and other user fund theft. Unfortunately, the way these mechanisms that people
are building interact with the blockchain is very complex and opens the door for external
actors to make a lot of money from front-running them and make a lot of money from doing
algorithmic trading on the network and everything that you see in the traditional financial
world. So some of my work is around how large is that economy and what
the failures of those guarantees.
What are some interesting results so far on that front?
So it's actually probably a bigger market than you think, even though DEXes have not seen
substantial volume.
So this is a big problem for users.
It also highlights a lot of weird quirks of these systems, such as like allowing for typos
that end up costing users a lot of money when programmatic actors swoop in and sort of
take advantage of these inefficient mechanisms.
And it also raises fundamental questions about, I guess, whether we'll be able to do something
that's different from the current financial system
because there are still these information asymmetries
that come up and this is a worldwide network
and at the end of the day, someone is still ordering transactions.
So is this rent sort of implicit to all blockchains?
How large is it?
And does it threaten the security of the overall blockchain,
which I think it may?
So I think one very interesting line of work
that you did was around gas token
and tokenizing gas on the Ethereum network.
So this sort of came out of this arbitrage project.
We wrote a blog post very early on last, I think, October, November, essentially saying decentralized exchanges are flawed.
You can just run this 20-line Python script and you can profit off of users in a way that was maybe
not foreseen and is not sort of explicitly stated to them because of how inefficient these mechanisms
are.
And before we wrote this blog post, we were actually doing this to test it, right?
And we said, we made X dollars, whatever.
After we wrote the blog post, sort of this cottage industry spawned of like a few dozen people
who are competing in sort of this market and trying to outbid each other to get their
transactions first in that mined order and take advantage of these opportunities. So we've been studying
that market for quite a while and competing against these guys. And unfortunately, at some point,
they started out-competing us. So we started competing on what's called gas, which is the price you're
willing to pay per unit of transaction. The way it works is you make a typo, Ali. It puts a million
dollars on the table for anyone who can get their order in ahead of that typo and sort of take
advantage of your typo. And then I would like to do a $5 transaction to take advantage of Ali's
mistake, right? And then maybe someone else is willing to do a $10 transaction because it's a
million dollar opportunity, right? So we sort of get into this bidding war of like,
miner, please pick me first, miner, please pick me first. That's inherent to how these transactions
are ordered by miners. And what we notice is that when you have like 10 of these, we were
rarely profiting because we didn't have the best latency. We didn't have the best infrastructure.
And they were getting their bids out faster. They were getting them to miners faster.
And they were willing to bid up higher than we were to essentially take these opportunities.
So that's where gas token came in.
It's a way to sort of store this gas for the longer term rather than just paying for it when you do your transaction.
So gas is the transaction fee, and usually you say, okay, I'm willing to pay $100 fee for this transaction.
Instead, what you could do is sort of bank a transaction's worth of gas and then just deploy that bank gas and not pay as much fee for the transaction you are doing.
And that works by taking advantage of this fundamental issue in Ethereum's resource model, which has to do with how you pay to sort of incentivize
people to clean up after themselves. So in Ethereum, you actually give people a refund in gas
if they delete something they stored in the network previously to incentivize them to not leave
garbage around that everyone has to store it forever. So what we do is when gas is cheap, we fill
the Ethereum state with junk, and then when it's expensive, we delete this junk, which gives
us a refund at that higher price that we can use to subsidize these arbitrage transactions,
which often cost thousands and thousands of dollars in fees. Like people are bidding multiple
thousands, even tens of thousands in fees on these transactions.
Right. And so to clarify, for those not already familiar, so gas is basically the resource that
you use to pay for computational resources on the Ethereum blockchain. And so if you want
to buy computations, say, instructions that miners will execute for you, you pay for those
in gas. If you wanted to buy storage, you similarly also pay for storage in gas. And the current
model of Ethereum is that you buy some storage on the blockchain for a fixed price up front,
and then that storage sort of remains on the blockchain forever.
And the Ethereum blockchain has this mechanism that if you were to delete that storage,
if you were to free it, then you will receive a refund for the amount that you paid.
Some refund for what you paid originally for that amount of storage.
And so you're basically saying that when gas is very cheap,
you can sort of fill storage on the blockchain and then reclaim a refund later once gas is expensive.
and sort of the gas will be worth more at that point than it was when you store it.
And you could sort of leverage that to kind of increase the amount of gas that's available to you.
Yeah, and our fundamental observation was that this is basically a derivative on gas.
It's like a call option on some gas.
It led to the broader question of how are these resources actually priced?
Like, how do people choose how much is paid for storage?
How do people choose how much is paid for computation?
And in what ways are these suboptimal?
So you mentioned the current model of pay once, store forever.
That's something we certainly address in our work proposing more of a rentful scheme where you have to pay for ongoing costs at market rate.
There's also the issue of who's getting the payment. So the fact that the miners get payment for
storage when the miners actually don't need to store the whole state, and it's the full nodes
that bear the cost. So this sort of asymmetry between who's bearing the cost, like where the
externality is and like who's actually profiting, is super important to study. It leads to a sort
of tragedy of the commons in the worst case where the miners are happy to take payment for as
much storage as you want because they don't have to store it and they don't care.
As long as they don't break the whole network, they'll happily push out as many full nodes as they can.
So these are broader questions.
We have a broader initiative called Project Chicago, which you can see at ProjectChicago.io.
That basically is studying these questions of crypto commodities.
What are the underlying commodities behind blockchains?
For example, computation, relay network, and storage.
How are these commodities priced?
How can you exploit these commodities?
How can you exploit, like, the relay network to get information about people's transactions earlier,
or the computation layer to sort of, I don't know, do this kind of gas refund or something like that.
So there's a lot of interesting work in that direction.
Yeah.
By the way, why is it called Project Chicago?
So it's called Project Chicago because our inspiration is sort of the Chicago Mercantile Exchange.
That's how businesses hedge against volatility and sort of price commodities in real world markets.
So we think of this as sort of exploring something similar on blockchains and asking, like, is that the right model or can we do better now that we have all these
decentralized tools at our disposal.
Fascinating. Well, thank you so much for coming on the podcast.
Yeah, thanks for having me.