The a16z Show - a16z Podcast: Voting, Security, and Governance in Blockchains and Cryptonetworks

Episode Date: February 10, 2019

with Phil Daian (@phildaian) and Ali Yahya (@ali01) Whether in corporations, boardrooms, or political elections, voting is something we see in all kinds of social systems... including blockchains. It'...s the natural human tendency for how to organize decisions, and in distributed systems without centralized middlemen, it's the only clear Schelling point we can come up with. But too many people design voting mechanisms in distributed systems in isolation -- sometimes naively "porting over" assumptions from the real world or from simple cryptoeconomic models without thinking through the economic adversaries present in a larger, more rational (vs. "honest") game-theoretic system. So how are blockchain systems different from real-world paper and electronic voting systems? How can such systems be gamed, and what are the implications for cryptoeconomic security... as well as the governance of distributed organizations? This hallway-style episode of the a16z Podcast covers all this and more. Recorded as part of our NYC roadtrip, it features Cornell Tech PhD student and software engineer Phil Daian, who researches applied cryptography and smart contracts -- and who also wrote about "On-chain Vote Buying and the Rise of Dark DAOs" in 2018 (with Tyler Kell, Ian Miers, and his advisor Ari Juels). Daian is joined by a16z crypto partner Ali Yahya (previously a software engineer and machine learning researcher at GoogleX and Google Brain), who also recently presented on crypto as the evolution -- and future -- of trust. The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/. Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information. Stay Updated:Find a16z on YouTube: YouTubeFind a16z on XFind a16z on LinkedInListen to the a16z Show on SpotifyListen to the a16z Show on Apple PodcastsFollow our host: https://twitter.com/eriktorenberg Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Transcript
Discussion (0)
Starting point is 00:00:00 The content here is for informational purposes only, should not be taken as legal business, tax, or investment advice, or be used to evaluate any investment or security and is not directed at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash disclosures. Hi, everyone. Welcome to the A6 and Z podcast. I'm Sonal. Today's episode is all about blockchain-based voting systems, which has implications for crypto-economic security and for garbara. especially when you think about the differences, both good and bad, between real world and online systems for coordinating groups of people to vote on something, whether it's a decision in a boardroom or an election or anything else. This episode was recorded as part of our New York City podcast Road Show, and so it features Phil Dayon, a PhD at Cornell Tech, working with Ari Jules there. His research focuses on broad questions of security of distributed systems, specifically blockchains. He also wrote a post last year with Tyler Kell, Ian Mears, and Ari Jules,
Starting point is 00:01:00 on-quote, on-chain vote-buying and the rise of dark DAOs. Joining Phil in this hallway style jam to discuss these topics is Ali Yaya, who was previously a software engineer and machine learning researcher at Google Ax and Google Brain. He also gave a talk at A6 and Z Summit on crypto and the evolution of trust, which you can find on our website, and he's a partner on A6 and Z crypto. Speaking of, please note that the content here is for informational purposes only, should not be taken as legal business tax or investment advice or be used to evaluate any investment or security and is not directed at any investors or potential investors in any fund.
Starting point is 00:01:37 For more details, please also see A6NZ Crypto.com slash disclosures. The conversation that follows covers ways in which blockchain systems are different from real-world voting systems, ways the system can be gamed and what that means for security, as well as possible solutions and more importantly questions all blockchain system designers should think about instead of making naive assumptions. But first, Phil and Ali begin by very briefly summing up the issues in real-world elections
Starting point is 00:02:06 and electronic voting systems. The first voice you'll hear is Phil's, followed by Elise. So one challenge people have seen is straight up hacking. Of course, if there's electronic voting in use, just tampering with the integrity of the election itself or the integrity of the registration. Another challenge that people have been worried about in the past is vote buying and selling. So if I want you to vote a certain way, maybe I directly bribe you to do so.
Starting point is 00:02:30 Or maybe even in the current system, I can indirectly do it. But it's very difficult to bribe someone in person and sort of understand how they're going to act in an election. Yeah, you have this great example of how if the price of a vote is a beer and you take me out for a beer and say, Ali, I want you to vote for ex-candidate. I can drink your beer and then go to the poll and like submit whichever ballot I want. You have no real mechanism to enforce my vote in one way or another. And you then point out how this is not so much the case when you go to the world of electronic voting. Yes, the price of the vote as a beer is actually kind of realistic. Like vote buying in general is empirically pretty cheap for two reasons.
Starting point is 00:03:10 Number one, it's actually the poorest and like least advantage people that are the most inclined to sell their votes. And number two is most people are disinterested in most elections. So this actually makes vote buying pretty cheap. And in electronic voting, this is a big problem because with many electronic voting protocols, you can actually tell at the end of the protocol how someone voted. So it becomes much easier for me to bribe you because I can just say, essentially, I'll give you a beer if I check afterwards and you voted with my candidate, rather than sort of trusting you to go in the polling booth and make the right decision
Starting point is 00:03:37 where socially I can't follow you into that booth and look over your shoulder. Exactly. Yeah, you point out how in the world of human voting, there are three things that tend to make vote buying a little bit more difficult. And it's the inefficiencies of the human world that actually work to your advantage here. So the first is that in the human world, it's a crime to buy votes and that itself kind of can serve as a deterrent, which doesn't really exist so much in the jurisdictionalist crypto world. The second one was that ballots sent to be cast in secrecy. So there's no way of me to produce a proof that I voted in one way or another, which makes
Starting point is 00:04:08 the buying of the vote difficult to enforce. And the third one you mentioned is that if you tell me that you're going to pay me, in the future for voting one direction or another, I have a hard time trusting you that you will actually, in the end, pay me. And so there's sort of counterparty risk. And so in the same way that sort of blockchains mitigate trust and improve coordination for good purposes, they can also be used to improve coordination for sort of malicious purposes, in this case, vote buying.
Starting point is 00:04:37 So it's like a double-edged sword. Blockchains can be used to increase the efficiency and effectiveness of bribery and vote. buying. In the traditional world, there's been a long line of academic research. So very early on, people said we want to vote electronically. It'll make tallying cheaper. It can maybe use cryptography to increase the integrity of our elections, so we don't rely on these pieces of paper sort of with this weird chain of human custody and things like that. But early schemes sort of suffered from this receipt property where I could produce a proof that, like, here is the outcome and here is what I actually voted to lead to this outcome. So there was a wide range of work early on on how to
Starting point is 00:05:11 sort of solve this issue and create voting schemes that are receipt-free, which means that after the fact I cannot produce a receipt or a proof to tell you which way I voted, and it's sort of equally likely from your perspective that I voted in any direction. Later work sort of said that this is not strong enough. Essentially, the high level is if you're looking over my shoulder electronically, like you have a virus on my computer or you're just physically looking over my shoulder, at the time that I'm voting, even receipt freedom is not enough because you might be able to see in real time the direction in which I'm voting. and enforce my vote that way. So that led to an even stronger property called coercion resistance, which is that even if you compromise me for some period of time, you still are not able to get me to vote a certain way
Starting point is 00:05:52 in a way that you can trust. Yeah, that's very interesting. So let's connect this to the blockchain world. These questions of electronic voting have existed for decades and predate the world of blockchains and crypto networks. But now there's like a resurgence of research in this direction
Starting point is 00:06:07 because so many blockchain and crypto network projects want to use on-chain voting for all sorts of purposes. So, I mean, in blockchain networks in general, you often need to make decisions. That's, like, part of the attractive point of blockchains that it makes coordinating group decisions among actors who don't trust each other
Starting point is 00:06:24 a little bit easier. And to make these decisions sort of a natural response is just vote, right? That's something you see in the real world. It's something you see in corporations with stockholders. It's something you see in boardrooms. It's something you see in political elections
Starting point is 00:06:37 and all sorts of other social systems. So it's just, I think, a natural human tendency when asking sort of how to organize these things, that voting is the only real clear shilling point answer that we can come up with. So I think an important distinction on why this stuff really matters in the blockchain world is that the blockchain world and the real world
Starting point is 00:06:54 don't operate in the same models. If you're going to a boardroom with someone, you're sitting next to the person, right? We're sort of operating in this model of social honesty where people can see each other face to face. And you have shared interests in the company, you sort of know their history at least somewhat. Whereas in blockchains,
Starting point is 00:07:08 you're operating in an economic, sort of an economically rational game theoretic model. So you need much stronger guarantees from your systems. Your systems need to be strong, even in the presence of economically motivated adversaries, and they need to be secure assuming people are rational rather than honest. So we don't get to lean on this sort of honesty that we have in the real world in blockchains. And I think that's where a lot of the mechanisms that people try to sort of port over naively break down.
Starting point is 00:07:32 Right. And this is especially important because in most of the crypto networks that are actually interesting, the model is one where anyone can participate. And people refer to this as the permissionless setting and that anyone can connect to the network. Anyone can sort of participate in the decisions that are made through the governance processes of the crypto network, which makes the environment a very hostile one, because anyone anywhere can opt to participate and they have an economic incentive to do so, because if they can game the system or if they can sort of subvert it in some way, then they could potentially profit. Exactly.
Starting point is 00:08:05 When Satoshi released his white paper in 09 and academics first started looking at Bitcoin, and its success in its rise and asking, like, what is actually the interesting lesson to be learned here from what we've been doing for the last 20 years? There was a whole space of consensus protocols and Byzantine fault-tolerant protocols that came to consensus on something even in the presence of malicious users. But what was really new about Bitcoin is that it let anyone join and leave the network at any time. And these people didn't need to ask the people who are already participating in the network whether they can join or not. So in most consensus protocols, you have a sort of quorum that's coming to decisions. and if you want to join, you need to ask the quorum to join
Starting point is 00:08:42 because the quorum needs to agree on who's in the quorum. So they need to sort of come to consensus on the fact that you're allowed to join. Whereas in something like Bitcoin, if you want to start mining Bitcoin, you just turn on your rig, and as soon as you succeed,
Starting point is 00:08:53 people will accept that mathematically. They don't need any sort of membership proof or anything like that. What I think is relevant to voting is that fundamental to the permissionless model if you're going to use cryptography, which all blockchains do, is that if I can join and leave at any time,
Starting point is 00:09:06 I need to be able to generate my own key and join at any time. Right. I mean, the uses of on-chain voting, we're voting within blockchain projects, range all the way from setting the parameters, like some parameter in the protocol that may be something minor, kind of like the price of gas, for example, all the way over to like some intermediate level where people use governance and voting to decide how to allocate funds. And then this goes all of the way over to actually deciding how to change the protocol itself. So there are projects that are sort of self-amending and that they use governance as a way of
Starting point is 00:09:42 proposing updates to the protocol and then deciding on which updates should go through and which updates should not. And so the stakes are high and that if you have a governance system that can be gamed, then all of these use cases may end up being vulnerable to that kind of attack. One way of thinking of governance that I quite like that I think was proposed by Vitalik is the coordination model of governance and that really all governance decisions are, in essence, a way of coordinating collective action. He talks about how there are multiple layers to governance, right? The bottom layer is like what's closest to the real and physical world. Yeah. So maybe let's go bottom up on everywhere you have voting in blockchains. At the very base level, all consensus mechanisms are a vote. So proof of work itself is a form of voting on which block is valid and which history is accepted by the network. So you have voting at that.
Starting point is 00:10:33 that layer. Then that half layer up, like you said, is this governance layer of how do blockchains actually change their underlying code and respond to attacks or new situations or new technology or whatever it may be. Traditionally, this has sort of gone with the fork model where you just sort of spin up new code and try to lobby everyone to just run this new system instead of the old one. This model has seen a lot of political strife, a lot of inefficiency, a lot of sort of lobbying and traditional politics-like nastiness in the blockchain space. can look at the Bitcoin block size debate, whether to change the one to a two, which spawned like a year-long rift between the communities that ended up in like several summits and agreements and
Starting point is 00:11:13 eventually a permanent split. So some people look at that and say, maybe we can make this more efficient by just using voting and allowing the coin holders to express their preference and sort of just going with that. And then another layer up from that, you have the application layers like you were saying. So these are your DAOs, these are your smart contracts that want to use voting to make decisions. They could be, for example, on how to allocate funds. They could be on how to change parameters within their own smart contract. So you really have voting throughout the blockchain stack. A lot of projects are using it, and it has a very sort of wide impact as a general problem. So one observation that comes out of all of this is that today's governance systems and sort of
Starting point is 00:11:52 blockchains and crypto networks, the way that they exist today will likely devolve into plutocracy, simply because the mechanisms for vote buying are so effective, as you've described. And some proponents of on-chain governance will argue that plutocracy may not actually be that bad of a thing. They may be a bad thing for democracies, but not so much for blockchains. In the blockchain world for a crypto network, it's not so much a bad thing because it's, in a sense, incentive-compatible, at least at a surface level. If they are voting using their coins for any one upgrade to the protocol, they will want to vote in the interest of other people who also hold the coins and the interest of the network
Starting point is 00:12:31 because they own it and they have a stake in it. And also their incentive to protect the network is proportional to how many coins they own. So like larger voters or stakeholders who have more coins in the network have an even greater incentive to protect the network.
Starting point is 00:12:46 What are your thoughts there? So I think every blockchain project should take a step back and ask, do we want plutocracy? Do we want vote buying in our system? And what are the consequences of that? For many of them, maybe it's more acceptable
Starting point is 00:12:57 than for others. For example, if you have like a small, closed sort of contract that has a few shareholders, something like an investment firm, and you have like one guy who decides whether people get in or not, maybe you're not so concerned about vote buying in that kind of a scheme. Or if you have even like some sort of closed setting where you can say things about the participants, maybe you're not so concerned about vote buying. In a wider system where, let's say, the whole world is participating in it eventually, I think the fundamental point is that most people are disinterested in most votes, and the utility they get from the system is not directly sort of correlated with whether they vote A or B on this given issue. Nonetheless, there are certain groups of people
Starting point is 00:13:36 who are extremely interested in whether people vote A or B on a certain issue, and these are often pretty moneyed groups. So in this way, that kind of governance does sort of degenerate into plutocracy. And if that's acceptable for your system, that's fine. I think for many systems, it's not. You need to care about these attacks, and you need to reason about why your system is secure against this and why your system actually doesn't degenerate to plutocracy. People have tried to get around this in two ways in blockchains. The first one is they add some sort of identity. So they have a third-party service that like you send your cell phone number or something like that and it sends you a text and sort of anti-cibles you that way. And then you're able to participate in a vote.
Starting point is 00:14:11 So at least you can you can sort of attach some entity to the person and then count votes per entity rather than per coin. This actually still degenerates into plutocracy because of the way the dark Dow works. Because as long as these identities, are keys that people can sort of generate at any time. They can be bought and sold and using the dark down model, and you can essentially sell people like the right to your identity, or you can sell people the right to a certain vote using your identity or even more specific things than that. So that kind of doesn't work unless you have a strong social protection where like the person has to come in very often and the network sort of authenticates that
Starting point is 00:14:47 they're human or something like that, that becomes very complicated and steps much more into the messy world of real world elections and maybe doesn't work for a global blockchain community. Another way people have tried to get around it, which also kind of requires identity, is this new line of work by Vitalik, Glenn Whale, and a few other people, which is quadratic
Starting point is 00:15:05 voting, where you actually allow vote buying, so you allow people to buy boats, but only at an exponentially increasing price. And this may kind of look like plutocracy because you're allowing people to buy votes, but if you actually do the math on the incentives, it turns out that through this increasing function, essentially people will express their true preferences in the end.
Starting point is 00:15:22 And one rich person who really cares about A versus B won't be able to sort of overwhelm a disinterested majority that weekly prefers A, and maybe each don't have as many funds as that one individual. So this fixes some known pathologies in real-world voting systems and also blockchain voting systems. But it does require identity, and it's extremely vulnerable to manipulation. If this one rich person can pretend that they're two rich people or something like that, the gig is sort of up.
Starting point is 00:15:48 And that's what these new coordination mechanisms allow. Yes. I think this dependence on identity that you are pointing out is very important. Because as you pointed out, anyone can pretend to be more than one person. They can generate 10 different sets of key pairs or hundreds of sets of key pairs and pretend to be hundreds of people. Yeah. And the only thing you can do is wait by coins, basically. Exactly. In that world, you end up with unfair representation of you're trying to assign a single vote to a key pair.
Starting point is 00:16:13 So proponents of on-chain coin holder governance, which means that, that one coin gives you one vote, we'll argue, it's at the very least civil resistant, which means that if you have like 10 million coins staked on one particular vote, they're basically used to vote for one particular outcome. It's very hard to argue that those 10 million coins come from trolls that are trying to sway the election, because there's real weight and real capital that's staked in one in one direction or another. Whereas if you're not using coin voting, then that becomes more possible. And so if you have a mechanism for identity, wherein you securely associate one human to one vote or something like that,
Starting point is 00:16:53 then more sophisticated voting schemes become possible. I think today, because we lack that kind of a mechanism, people end up gravitating towards this simple and somewhat, perhaps somewhat naive, one-coin, one-vote model, which is vulnerable to this vote-buying attack. Yeah, and this opens up a range of other issues. So one problem that people have when they analyze blockchain systems and they sort of design these mechanisms is that they look at their mechanism and reason about its security properties, but they do that in isolation. And an important point is that none of these systems really exist
Starting point is 00:17:25 in a vacuum, right? So take a look at any sort of blockchain that uses coinholder voting to decide the outcome of its consensus rules. And there's at least two such blockchains that are sort of using this model. If these two very large projects are approximately the same size, or one is a little bit bigger than the other one, or one is twice as big as the other one or something like that, it's in the economic interests of everyone who holds coins in the bigger project to buy up coins on the smaller project and influence votes in ways that are sort of counter-competitive. And maybe even if they can't buy up enough of a blocked influence votes, they can sow chaos and confusion and things like that.
Starting point is 00:18:02 So while one of these systems, you may say in isolation, like, okay, the coin holders' interests are represented by this plutocracy, that doesn't really work when you have a whole world around it that's full of money that can frictionlessly enter and exit to system at any time. There's no guarantee whatsoever that the people who are economically in right to second have an interest in that system, especially when there are much bigger systems that are competing with it. So I think that's a very important point that people overlook. Right. And again, we mentioned that there's this sort of stack of voting, even at the consensus layer, that has implications on the whole stack. So if you have a fork that's like 10% of the size of a project, and this fork
Starting point is 00:18:36 could potentially impact the price of the larger project, it's absolutely in the interest of that larger project to launch attacks on that base layer proof of work vote and do things like censorship, use some small percentage of their hash power to do 51% attacks or denial of service or whatever they need to do to make sure that that network goes down in price. And that attack might even be profitable, especially if there are mechanisms to short that sort of smaller project. Yeah, that's a very good point. I think most proponents of coin holder voting would argue that it is just not in your
Starting point is 00:19:07 interest to sell your vote because you'd be damaging the value of the asset that you hold. and you hold a coin, and if you sell the votes associated with that coin, then that might reduce the value of the coin in some way that sort of results in a net loss for you. But that analysis happens entirely in a vacuum. It happens sort of assuming that there aren't any kind of external mechanisms via which you could profit from the loss of value of this particular coin. Like, for example, what you're mentioning, competition between blockchains. If I'm a stakeholder, a much larger stakeholder in a competing network, then I might have a strong interest in reducing the value of this particular coin.
Starting point is 00:19:41 and that that's associated with this one competing crypto network because it may result in a larger profit outside of the system. And so I think, yeah, the incentive structures that are built in aggregate tend to be far more complex, and they kind of interact in ways that tend to be difficult to analyze and could result in complexity that could ultimately result in attacks. In your post, you talk a little bit about what you refer to as the dark DAO, which sounds like a fairly dark picture for what could end up being the case.
Starting point is 00:20:09 In your view, what is the worst case? here? How could this unfold in a bad way? Yeah, so there's a lot of different variants of the Dark Dow, which have different assumptions in the post. Some of them require trusted hardware. Some of them don't. But the ultimate point of the Dark Dow is that it's a private smart contract for attacking a vote, for vote buying, that essentially hides from the rest of the world how much money is committed to this contract, who is participating in the vote buying contract, and sort of how far along the contract is. But sort of is a way to frictionlessly and permissionlessly form a vote-buying cartel for a particular vote. And this could be sort of a funding pool. Anyone can
Starting point is 00:20:43 come contribute money to it. So if it's outcome-specific, it could be funded by anyone who's interested in such an outcome, whether it be other blockchain projects, users on the system, outside groups, whatever it may be. So once this dark DAO is funded, what it does is sort of offer up vote buying to people in the system. And if people in the system come take this vote buying, they retain access to their funds, they keep using their wallet as they normally do, but they're sort of shackled by the dark DAO, that for this particular vote, they can only vote in this certain way. And this is trustless because both sides have some guarantees. So the vote buyers, or vote buying network or whatever it may be, has guarantees that potentially no one
Starting point is 00:21:19 will find out who's being bought or sold and how much money is pledged to it. They're guaranteed that if they pay for a vote, this vote will actually be executed in the protocol, even if the protocol does have the classic properties of coercion resistance. Another sort of sidebar of the dark Dow is that trusted hardware, which is a new technology, sort of breaks all classical coercion resistance voting schemes in the blockchain world and in the regular election world. So once they launch this attack and they start buying and selling people's votes, they have a number of options available to them. One cool thing you can do is you can tell everyone in the cartel when a certain threshold
Starting point is 00:21:51 is reached, let's say when like 70% of the or 10% of the votes are locked into this DAO. And you can do this in a way that's deniable, such that everyone inside the cartel can check, yes, 70% is reached, but no one outside the cartel has any way of knowing that this is actually reached. So you can enforce an information asymmetry that allows for profiting through things like shorting. You can also enforce stronger information asymmetry, so not even allow the people who are being bribed to know at any time how much money is in it, or even potentially whether they voted at all if the scheme is receipt-free. So it's a very, very powerful class of attack. You can spin it up however you want, it allows people to pool their money and buy votes in a way that they can
Starting point is 00:22:32 keep any part of that secret to any group of people that they want. And the outside system has no way of knowing sort of how far along the attack is. In some ways, it also represents a credible threat. If I were to launch a dark Dow, I might not even need to necessarily have people participate in it. Just its existence might be enough to shake people's confidence in that underlying vote. So when we published that blog post, we've had a lot of reactions from voting projects and other people in the space. And I think there is a good question of why haven't we seen this already. But at the end of the day, these systems are tiny, right? Blockchains today are a drop in the bucket of, like, the world financial system. And the incentives just aren't there
Starting point is 00:23:06 yet. But if we are to use these technologies and if we are to scale things, I think these are absolutely realistic scenarios and potentially nightmare scenarios. Yeah, that sounds insane. And that's definitely an outcome that is to be prevented. And I think, I mean, this matters because if we just take a step back and think about why is governance so topical and so important in the world of crypto and blockchains today. It is because so much of what drives the space forward and what is sort of the underlying philosophical motivation is that power over these networks is decentralized. And so decentralization here refers to a bunch of different things at the same time. Like people talk about decentralization as it refers to sort of consensus, like who gets to,
Starting point is 00:23:46 who gets to decide, like who modifies the underlying ledger, but also decentralization applies to who gets to modify the code. These networks are decentralized in that they're kind of like self-governing organizations. And they don't have, at least philosophically, any central points of control where any one individual can decide how to, how to sort of modify the code or make it work in any particular way. And so all of these initiatives to try to build in governance into the protocols are an effort to try to sort of decentralize even that aspect and to try to make it so that the code itself can evolve in a way that is still community driven and not, and not kind of centrally controlled by the core developer, developer team.
Starting point is 00:24:26 Yeah, I think the promise of a lot of these systems is sort of this crypto economic security, right? You have this mechanism, and because the mechanism works and the incentives are set upright, everyone comes together harmoniously and produces something that is bulletproof and very strong because of the incentives in the mechanism. An example of this is Bitcoin. Because of the money paid to miners, people are burning a small country's worth of electricity to try to secure this transaction ledger that has actually worked fantastically so far. So when you design these systems, there needs to be some sort of underlying mechanism
Starting point is 00:24:56 and some sort of reasoning about the security of that mechanism. But what these technologies like the DarkDow and private smart contracts allow you to do is use external money to sort of alter the incentives inside that game and alter the security properties that people are actually getting from their project in a permissionless and trustless way. So this does sort of speak to the fundamental coordination of blockchains, right? Like how do we design these games to coordinate people to make choices in a way that's not controlled by one particular individual, as you said, or some social trust
Starting point is 00:25:29 hierarchy, but by the economics of the system itself. And in that model, if you can't be secure against economic attacks, then you're sort of building something that doesn't make much sense, in my opinion. And so I guess that's a lot of what my work is looking at. Right. What do you think are the implications of vote buying on proof of stake? So proof of work is where people use hardware to sort of solve hard problems. And if they solve the problem, then they can post a block to the network. Rather than using this mechanism, proof of stake allows people to vote using their coins. So they lock up their coins for some long period of time, and they can use any number of protocols to do this. The core idea here is that instead of proof
Starting point is 00:26:06 of work, where the economic security you get is because people are doing this useless computation problem that is sort of burning money, and there's some costs associated with doing this, is that people are paying liquidity costs to lock up these coins for a long, long period of time, and they're also taking risks that they may incur penalties if they misbehave in the protocol. And with these liquidity costs, they're taking massive volatility risks in cryptocurrencies, right? So if they do something that crashes the system, well, their coins are locked up and they're going to lose money. If the network decides they misbehaved, well, they can get rid of all their coins and they're going to lose money. So it's this idea of bootstrapping the economic security of the network from the coins rather than from some external hardware source.
Starting point is 00:26:45 Obviously, that comes with a lot of tradeoffs that are maybe beyond the scope of this discussion. but at the end of the day, it's also a voting protocol. You have these people with coins, they decide how to vote. So where does vote buying come in here? Well, obviously, this proof of stake protocol has an outcome. It decides what history of the network is valid. And this outcome has all sorts of economic implications. It decides who gets to send money to who. It decides who is censored in the system. It decides what order transactions happen in canonically, according to everyone in the system. And with that comes a lot of profit opportunity. So I can potentially profit by censoring you, or I can profit by putting my transactions in front of yours when you want to execute an order on a decentralized exchange, or I can profit in sort of any number of different ways by manipulating this vote. So what you can do with the Dark DAO is to start a staking pool where I say, like, you know, let me do my algorithmic trading and decide what order of transactions makes me the most money. You don't necessarily care if someone who's doing a transaction on a decks gets front run and loses like $5, right? So you say, okay, I'll happily participate in this.
Starting point is 00:27:43 It'll still keep the value of my coins high, especially if I don't have a lot of coins and you're paying me like twice as much as any other staking pool. So it sort of opens these coordination mechanisms for attacks on the underlying transaction history and the underlying consensus. Do you think that there's a way of making a proof-of-stake network secure? It depends on your definition of secure. I think it really depends on the type of security you want, I guess. Yeah. And this all gets to the broader question of economic security of a blockchain. And in the case of proof of stake, the resource that's used to secure the blockchain is internal to the network. In the case of proof of work, it's sort of electricity and like hardware that's used external to the network to secure the ledger.
Starting point is 00:28:21 And there are many other kind of approaches. Like people are experimenting with doing useful work. Instead of burning electricity uselessly as you do in proof of work, people try to build a sort of proof of space or proof of space time protocols where, like, for example, you're able to store files and storage becomes the resource that people use to then secure the network. What do you think of that kind of approach? So fundamentally to vote buying, it doesn't actually matter what resource you're using. Vote buying works for proof of work too. So I could use dark DAO-like technology to start the mining pool. And the properties of the mining pool would be, you come, you mine here, I'll pay you more than we're making because I have some external incentive to censor someone or reorder transactions or whatever.
Starting point is 00:29:02 And then you get the dark DAO privacy properties of no one knows how much hash power is participating in this pool or who's getting paid or things like that. So these certainly also apply to systems that use things like files and other useful, work properties. I think there's a whole class of other questions on the economic security of those systems. So you have to be really careful about where the economic security comes from. I think you have to be really careful with what useful means, whether the fact that it's useful also introduces any external incentives to mess with it. So you could imagine if the useful thing the network was doing was like powering a search engine or something, right? Those results are valuable and they bring external actors in who want to manipulate that. And there's sort of
Starting point is 00:29:42 this feedback loop between the mechanism securing the protocol and the utility of what the protocol is actually providing. There's definitely some people in the community that look at that and say, this is all way too complicated, this is never going to work, you have to have it be useless because there's no external incentives and messy things that way. Yeah. I personally think that's an open question. Yeah, there's this argument that people make that if the resource that is used to secure
Starting point is 00:30:05 the network is very commoditized and just generally exist in the world in the world in sort of plentiful quantities, that for example, that, for example, that. example, the case of storage, your storage is the resource that's used to secure the network, then anyone with a bunch of storage could presumably attack the network. Whereas in the case of a network, like say Bitcoin, where you have A6s that are specific to the network, in order to attack the network, you have to get your hands on those A6, and those A6 aren't useful for anything but mining Bitcoin. So people would argue the security of that kind of, the economic security of that kind of model is better. Yeah, and Joe Bonneau has a fascinating line of work on these
Starting point is 00:30:40 problems. So if you Google Goldfinger attacks, he has a paper and a presentation. There's also the question of like buying versus renting. So if something is very commoditized, you may be able to rent it, which substantially subsidizes the tax. You may be able to buy it, perform the attack, and then resell it into the commodity market, which again substantially subsidizes the attack. So these are all open and very complex questions. But people will build the systems and we'll see. This is sort of a classic pattern you see in traditional finance. And then you'll have sort of black swan and tail risk-like events that surprise people. So we've talked a lot about governance in general,
Starting point is 00:31:15 but you obviously are working on a ton of interesting stuff to generally with respect to economic security for cryptocurrencies and blockchain, just the computer security. What are some of the other interesting ideas or sort of lines of work that you're exploring? So one that I'm extremely personally interested in is fairness guarantees for users around these systems.
Starting point is 00:31:35 A lot of what attracted me to them in the first place was this promise of sort of eliminating the middleman and making things in control of the user. Like be your own bank. You don't need these institutions to tell you how to set your money supply or how to route your transactions or what exchange to use,
Starting point is 00:31:49 et cetera, et cetera. I look a lot at those guarantees and sort of the ways in which modern blockchain solutions are failing to meet those guarantees. So one example of that is in the decentralized exchange space. That's something that's seen a lot of promise from people who want to build these exchanges
Starting point is 00:32:02 that aren't vulnerable to hacks and other user fund theft. Unfortunately, the way these mechanisms that people are building interact with the blockchain is very complex and opens the door for external actors to make a lot of money from front-running them and make a lot of money from doing algorithmic trading on the network and everything that you see in the traditional financial world. So some of my work is around how large is that economy and what are the failures of those guarantees?
Starting point is 00:32:27 What are some interesting results so far on that front? So it's actually probably a bigger market than you think, even though Dexas have not seen substantial volume. So this is a big problem for users. It also highlights a lot of weird quirks of these systems, such as allowing for typos that end up costing users a lot of money when programmatic actors swoop in and sort of take advantage of these inefficient mechanisms. And it also raises fundamental questions about, I guess,
Starting point is 00:32:53 whether we'll be able to do something that's different from the current financial system. Because there are still these information asymmetries that come up, and this is a worldwide network. And at the end of the day, someone is still ordering transactions. So is this rent sort of implicit to all blockchains? How large is it? And does it threaten the security of the overall blockchain, which I think it may. So I think one very interesting line of work that you did was around gas token and tokenizing gas on the Ethereum network.
Starting point is 00:33:20 So this sort of came out of this arbitrage project. We wrote a blog post very early on last, I think, October, November, essentially saying decentralized exchanges are flawed. You can just run this 20-line Python script and you can profit off of users in a way that was maybe not foreseen and is not sort of explicitly stated to them because of how inefficient these mechanisms are. And before we wrote this blog post, we were actually doing this to test it, right? And we said, we made X dollars, whatever. After we wrote the blog post, sort of this cottage industry spawned of like a few dozen people who are competing in sort of this market and trying to outbid each other to get their transactions first in that mind order and take advantage of these opportunities.
Starting point is 00:33:59 So we've been studying that market for quite a while and competing against these guys. And unfortunately at some point they started out competing us. So we started competing on what's called gas, which is the price you're willing to pay per unit of transaction. The way it works is you make a typo, Ali. It puts a million dollars on the table for anyone who can get their order in ahead of that typo and sort of take advantage of your typo. And then I would like to do a $5 transaction to take advantage of Ali's mistake, right? And then maybe someone else is willing to do a $10 transaction because it's a million dollar opportunity, right? So we sort of get into this bidding war of like, minor, please pick me first.
Starting point is 00:34:32 Minor, please pick me first. That's inherent to how these transactions are ordered by miners. And what we notice is that when you have like 10 of these, we were rarely profiting because we didn't have the best latency. We didn't have the best infrastructure. And they were getting their bids out faster. They were getting them two miners faster.
Starting point is 00:34:46 And they were willing to bid up higher than we were to essentially take these opportunities. So that's where gas token came in. It's a way to sort of store this gas for the longer term rather than just paying for it when you do your transaction. So gas is the transaction fee. and usually you say, okay, I'm willing to pay $100 fee for this transaction. Instead, what you could do is sort of bank a transaction's worth of gas,
Starting point is 00:35:06 and then just deploy that bank gas and not pay as much fee for the transaction you are doing. And that works by taking advantage of this fundamental issue in Ethereum's resource model, which has to do with how you pay to sort of incentivize people to clean up after themselves. So in Ethereum, you actually give people a refund in gas if they delete something they stored in the network previously, to incentivize them to not leave garbage around that everyone has to store it forever. So what we do is when gas is cheap, we fill the Ethereum state with junk,
Starting point is 00:35:35 and then when it's expensive, we delete this junk, which gives us a refund at that higher price that we can use to subsidize these arbitrage transactions, which often cost thousands and thousands of dollars in fees. Like, people are bidding multiple thousands, even tens of thousands in fees on these transactions. Right. And so to clarify, for those not already familiar,
Starting point is 00:35:51 so gas is basically the resource that you use to pay for computational resources on the Ethereum. blockchain. And so if you want it to buy computation, say instructions that miners will execute for you, you pay for those in gas. If you wanted to buy a storage, you similarly also pay for storage in gas. And the current model of
Starting point is 00:36:08 Ethereum is that you buy some storage on the blockchain for a fixed price up front, and then that storage sort of remains on the blockchain forever. And the Ethereum blockchain has this mechanism that if you were to delete that storage, if you were to free it, then you will receive a
Starting point is 00:36:24 refund for the amount that you paid. some refund for what you paid originally for that amount of storage. And so you're basically saying that when gas is very cheap, you can sort of fill storage on the blockchain and then reclaim a refund later once gas is expensive. And sort of the gas will be worth more at that point than it was when you start it. And you could sort of leverage that to kind of increase the amount of gas that's available to you. Yeah. And our fundamental observation was that this is basically a derivative on gas.
Starting point is 00:36:54 It's like a call option on some gas. It led to the broader question of how are these resources actually priced? Like, how do people choose how much is paid for storage? How do people choose how much is paid for computation? And in what ways are these suboptimal? So you mentioned the current model of pay once, store forever. That's something we certainly address in our work, proposing more of a rentful scheme where you have to pay for ongoing costs at market rate.
Starting point is 00:37:17 There's also the issue of who's getting the payment. So the fact that the miners get payment for storage when the miners actually don't need to store the whole state, and it's the full nodes that bear the cost. So this sort of asymmetry between who's bearing the cost, like where the externality is and who's actually profiting, is super important to study. It leads to a sort of tragedy of the commons in the worst case where the miners are happy to take payment
Starting point is 00:37:38 for as much storage as you want because they don't have to store it and they don't care. As long as they don't break the whole network, they'll happily push out as many full nodes as they can. So these are broader questions. We have a broader initiative called Project Chicago, which you can see at projectchicago.io, that basically is studying these questions of crypto commodities.
Starting point is 00:37:56 What are the underlying commodities behind blockchains? For example, computation, relay network, and storage. How are these commodities priced? How can you exploit these commodities? How can you exploit like the relay network to get information about people's transactions earlier or the computation layer to sort of, I don't know, do this kind of gas refund or something like that? So there's a lot of interesting work in that direction. Yeah.
Starting point is 00:38:19 By the way, why is it called Project Chicago? So it's called Project Chicago, because our inspiration is sort of the Chicago Mercantile Exchange. That's how businesses hedge against volatility and sort of price commodities in real world markets. So we think of this as sort of exploring something similar on blockchains and asking, like, is that the right model or can we do better now that we have all these decentralized tools at our disposal? Fascinating. Well, thank you so much for coming on the podcast. Yeah, thanks for having me.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.