Unchained - Rune Christensen of MakerDAO Part 1: How to Keep a Crypto-Collateralized Stablecoin Afloat - Ep.104
Episode Date: January 29, 2019Rune Christensen, CEO and cofounder of MakerDAO, explains the intricacies of the MakerDAO system, which includes the stablecoin Dai, which is pegged to $1, backed by collateral, and whose governance i...s managed by holders of the MKR token. He describes how the current version of "single-collateral" Dai, is backed by ether, how Dai is created with a collateralized debt position and what happens when the value of the collateral falls too low. He also talks about the roles of various players in the system, such as keepers, oracles and MKR token holders. We also cover how the system handles black swan events or other emergencies. The MakerDAO system is so complex, however, that we will reconvene for a part 2 to describe the rest of the system and how a multi-collateral Dai will function. Thank you to our sponsors! Tokensoft: https://www.tokensoft.io Microsoft: https://twitter.com/MSFTBlockchain CipherTrace: http://ciphertrace.com/unchained Episode links: MakerDAO: https://makerdao.com/en/ Rune Christensen: https://twitter.com/RuneKek Previous Unchained episode on stablecoins with Rune and Philip Rosedale of High Fidelity: https://unchainedpodcast.com/why-its-so-hard-to-keep-stablecoins-stable/ Unconfirmed episode with Rune on Andreessen Horowitz's $15 million investment: https://unchainedpodcast.com/rune-christensen-of-makerdao-on-its-15-million-from-andreessen-horowitz-ep-039/ MakerDAO white paper: https://makerdao.com/en/whitepaper/ Decreasing the stability fee: https://medium.com/makerdao/decreasing-the-stability-fee-1f9fe50cf582 Unchained episode on generalized mining with Jake Brukhman and Tushar Jain: https://unchainedpodcast.com/coinfunds-jake-brukhman-and-multicoins-tushar-jain-on-generalized-mining-ep-92/ Laura's TEDx talk: https://unchainedpodcast.com/lauras-tedx-talk-how-crypto-could-allow-more-people-to-be-their-own-boss-ep-047/ USD Coin's banking partners: https://support.usdc.circle.com/hc/en-us/articles/360015278272-Who-are-the-banking-and-financial-partners-you-are-using-for-USDC- TrueUSD's trust companies and their correspondent banks: https://blog.trusttoken.com/who-are-the-correspondent-banks-and-trustee-partners-for-trueusd-e12508f0d5a2 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
Hi, everyone. Two quick notes before we dive into today's podcast. First, there's an update to last week's
episode with Cameron and Tyler Winklevoss. During the show, they said that no other stable coins
have named their banking partners. At the time, I did mention that at least Tether had named some
of its banking partners, but I also wanted to note that Circles USD coin has several banking partners,
including Silvergate Bank and U.S. Bank Corp Asset Management, and True USDA has named its trust
companies and their correspondent banks. I've appended an update to last week.
episode and show notes as well. Second, I've launched a weekly newsletter. If you aren't getting it yet,
be sure to go to unchainedpodcast.com, where you can sign up for the newsletter at the top of the
homepage. Again, the website is unchainedpodcast.com. That's all my news. Now on to today's show.
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto.
Sorry, wait, wait, wait. I just started over again. Okay. Hi, everyone. Welcome. Welcome to Unchained. You're no hype resource for all things crypto.
again. Okay. Hi everyone. Welcome to Unchanged. Your no hype resource for all things crypto. I'm your
host, Laura Shin. If you've been enjoying Unchanged, pop into iTunes to give us a top reading
room.
Wait. No, don't do that. That's so cruel. If you've been to join Unchained, pop in the iTunes
to give us a top rating review that helps other listeners find the show, which would be great
because we endured the worst sound check you could ever possibly.
imagine to bring you this episode. Do you have an idea for a blockchain app but are worried about
the time and cost it will take to develop? The folks at Azure have you covered. The new Azure
blockchain dev kit is a free download that gives you the tools needed to get your first
app running in less than 30 minutes. Learn more at AKA.m.m.m. Or by following them on
Twitter at MSFT blockchain. Within months, cryptocurrency anti-money laundering regulation
go global. Are you ready? Avoid stiff penalties or blacklisting by deploying effective anti-money
laundering tools for exchanges and crypto businesses, the same tools used by regulators. CipherTrace is
securing the crypto economy. Considering using digital securities as a way to grow in 2019,
Tokensoft's trusted platform provides the security and compliance tools to leverage blockchain
technology and enter new markets with confidence. Visit us at Tokensoft.com.
I.O or on Twitter at TokenSoft Inc.
My guest today is Rune Christensen of MakerDAO. Welcome, Roon.
Thanks so much for having me.
And thank you for enduring that crazy sound check.
All right. So you were on the podcast before talking about stable coins generally.
And that's when we did describe MakerDAO in that episode.
But it's a pretty complex system.
So I felt like there was plenty more we could discuss so much so.
In fact, that I actually have to warn listeners that the MakerDAO system has a lot of nuances and a lot of special terminology.
So you may have to do a lot of rewinding.
It honestly preparing for this reminded me a little bit of the DYDX episode where I was having to listen to my pre-interview with Antonio on 0.6 speed.
Anyway, so Roon, for listeners who didn't hear the episode, why don't you give us a short overview of what MakerDAO is and how it works?
Yeah, so at the very basic, MakerDAO is a decentralized platform on Ethereum that creates a stable coin called Dai.
And being a stable coin means that one die is worth $1.
And this is really useful, right, and sort of a new frontier in crypto, because once you have stability and once you have money in crypto that just has value that you're used to, you can actually start using it for real stuff and more than just speculation.
And there's a second token also in the Maker-Dow system. Can you talk about that a little bit?
Yeah. So in addition to dye the stable token, there's also MKR, which is like the governance token and sort of a speculative token that gives holders of it exposure to the system as a whole.
And yeah, I mean, this really gets into this what you were talking about, right? There's a lot of, there's a very advanced system sort of under the hood that powers the stability of dye.
and the MKR token is basically like the ownership and the control over this this underlying system.
And so in the previous episode where we described stable coins generally,
we talked about how there were multiple different models to use where you, you know,
that you could use to create a coin that had a stable value.
So what is the model that MakerDA uses?
Yeah.
So there's generally considered to be three types.
the stable coins. And Maker and Die falls in the crypto collateralized model. So what that means
is the stability of die comes from the fact that there is collateral. So there are valuable
assets that are sitting in smart contracts on the Ethereum blockchain and are essentially
available to buy back die. And in that way, prop up the price and keep it stable at $1.
All right. Great. Yeah. And just so people know,
right now, it's started with what's called single collateral die, which is backed by ether,
but you're going to be moving to a multi-collateral die system, which is going to be backed by
many different types of assets. I mean, they all have to be crypto-informed, but some of them
could even be real-world assets such as like crypto versions of real estate or gold or something
like that. Yeah. And even other types of stable coins as well. Oh, right, right, right, which I
think I asked you about before.
But anyway, okay, so let's now dive into the details of how all this works.
And we're going to just walk through the simplest scenario with dye, which is that we have a
single collateral die and a user decides to create this single collateral die for themselves.
And so listeners should know that what can happen is that if you, if the value of the collateral
that you put up falls below a certain minimum threshold,
then your dye and the collateral that you put up will be liquidated.
Your position will be liquidated.
However, let's just walk through the simplest scenario
in which somebody creates dye for themselves,
but their position is never liquidated.
How do they create the dye and then how do they get their collateral back?
Yeah.
So whenever I talk about this,
I really like to compare it to a moment.
mortgage and like taking out a loan, we're using your house as the collateral from the bank,
right? Because this is actually something a lot of people do. And so basically, the first part
of interaction is putting the collateral into the system, right? So this is kind of equivalent
to go into the bank and saying, here's my house and here's the claim on my house. And then you,
like then this system, you know, gives you basically an amount that you can borrow based on the value of
your collateral and then
sends you the die and gives you the money
basically. And over
time, so now, so basically now
you have the, you have the die, you have the
stable coin that you borrowed that you can then go and
spend on something. And you also
have what's called the CDP,
the collateralized debt position.
And this is effectively,
this is something like, you know,
like when you own your house, but
the bank has a lien on it, right?
So you own your collateral, but
the collateral is locked behind debt.
and you can only get, you can only retrieve the collateral out of the system again by paying back the debt.
And let's say if you wait a year before you, you pay back your debt because you wanted to spend your money.
And then after a year, maybe the price of Ethereum has gone up and you want to, to like lock in some of those profits.
Then you also have to pay a stability fee.
So this is basically the interest rate you have to pay to the bank as well, right?
This is a similar logic.
So you pay down the debt and then you pay the, the, the, the, the, the, the, the, the, the, the,
stability fee, which right now has to be paid with the MKR token.
So the speculative governance token I was talking about earlier.
And when you paid, the system actually burns the token and resulting in more scarcity
of the MKR token.
And that's sort of what drives the value of MKR.
And then in the end, you can retrieve your Ethereum collateral out of the system again.
So this is really like you pay, you know, when you've, after you finish paying off your
mortgage to the bank, the house is just yours, right?
and the bank can't come and take it.
And what is the stability fee and why does that have to be paid through MKR?
Yeah, I mean, so the stability fee is really equivalent to the risk premium of the loan, right?
So the stability fee sort of exists to protect the system against the risk that the collateral will crash to nothing
and the system will have to recapitalize because there's, you know, because now there's not enough collateral to back die.
So the stability fee depends on how risky the collateral asset you're using is.
And of course, in single collateral die, so the current version that's running live on Ethereum right now, there's only one type of collateral.
And so there's just one stability fee set for that, for a set for Ethereum.
Which is one amount?
Yeah, so right now it is 0.5%.
And what's interesting is it's actually been changing quite a lot.
And it's been changing based on our decentralized governance process.
So it is actually the mkr holders that come together and then vote directly on the blockchain with their mkr to change the stability fee.
And yeah, and then again, the way it's like when you paid, you actually paid with the mkr as well.
So if you're if you're like a regular user when you want to to close your CDPs and when you want to pay back your loan and just retrieve your collateral,
you have to go and buy a tiny amount of mkr and then give that to the system and the system will then burn that mkr.
and to date about 500 MCR has been burned this way
which is equivalent to something like we think that's
less less than 1% of the total supply right so it's not really
actually it's about 0.1% of the total supply
that has been burned so far in total
but that kind of represents what gives the system value
and kind of keeps it going because it means that as the system runs
and as people use it,
the value of MKR grows, right? Because
MKR becomes more and more scarce. And this, in turn, creates the incentive that's necessary
for MKR holders to actively engage with the system and govern it and make sure it remains stable.
And in a way, I guess, paying that through MKR, it's sort of like, it kind of helps ensure
the safety of it in a way. Do you know what I mean? And that it creates an incentive to,
or it sort of pays, I guess, the people who are governing it for governing well.
Yeah.
So it aligns the incentives of the users of a system and those who, like I guess you can say
the workers, right, those who operate the system.
Yeah, and actually isn't the right verb.
It's more like the value of their MKR rises as long as they govern it well.
Yeah.
And people are paying back.
Yeah.
Okay.
And in the multiple.
multilateral version of the system. So in the next
release that really is, like,
that we really consider to be like the full version,
right? And the current version we consider to be
a beta.
This will be abstracted away. So when you
pay down your debt,
the stability fees actually
paid and die. And you don't even know,
like you don't even have to worry about what's the
principal debt? What's the stability fee? Like,
you just have an amount of debt that you
have to pay to get access to your collateral.
And the system then automatically
sort of takes out the
portion of what you're paying back that is equivalent to stability fee and takes that die
and automatically buys MKR with it and then burns it. So it becomes more convenient for the end
user, but the system still has that dynamic of buying and burning MKR and thus making sure that
as users use the system, those who regulate and protect the system are continuously rewarded
to align the incentives. All right. So now let's move to the next scenario, which is a little
bit more complex than the single collateral die that's just redeemed and doesn't get liquidated.
So in this, this is, you know, a version of which someone does create single collateral die,
but then the value of their collateralized debt position does fall below that minimum threshold.
At that point, what happens?
Yeah.
So right now, the liquidation ratio, so that minimum threshold of collateral value is,
set at 150%.
And on average, actually, most people keep it at 300%.
So most people, they have, for every $1 of debt, they actually have $3 of
Ethereum collateral.
But that doesn't protect some people from being a little bit, taking a little bit too
much of risk and getting really close to that point.
And yeah, so if you hit that 150% level, so that basically means, let's say if you have
you have $100 in debt,
if the value of your Ethereum collateral
hits $150 in value,
the system will detect this
through its price feed oracles
and will then trigger a liquidation.
And that really just means that it takes all your collateral
and it sells it off on the market
to try to recapitalize and get in enough die.
And then when it gets enough die,
it pays down your debt,
takes also a penalty that's kind of there
to incentivize people to not get into this, like not rely on this mechanism, but rather make
sure that they maintain their own CDP, like on their own. And then whatever's left over,
if anything is left over, is then given back to the user. And so for this penalty, which is the
liquidation penalty, how, what percentage is that? That is actually at 13% right now, which I think
is quite high. But I think
an interesting dynamic that we have seen
is that as over the past year
as the Ethereum price
has completely crashed, like completely
cratered, right? But
during this time, DIA has been backed only
by Ethereum. And what's interesting is
that as CDP holders
keep getting closer to
their liquidation point,
they're very good at like
topping up with Ethereum collateral because
they don't want to get hit by that 13
percent penalty. So it's a
very, it's like a very strict penalty that is in place right now, but also it has a very healthy
sort of effect on the behavior of the users. And why do you have the liquidation penalty?
I mean, I understand you said earlier, it's to incentivize people to not get liquidated,
but why is that important for the maker down system if essentially you, the system should always
at least remain whole? Yeah, I mean, this is, so, like, this actually gets into some
of the deeper governance and risk theory that we spend a lot of time talking about in the community.
And basically, the thing is that Maker is designed to not fail under normal circumstances,
right?
Like, it's fine if Ethereum falls, let's say, 90% over a year.
That's not really, like, that is actually an expected scenario, right?
And similarly, if there just are like fluctuations in the market and there's like a big crash
or something, that's still also enough.
for these parameters to deal with.
But kind of the only real risk to,
to like a financial infrastructure,
like Maker is,
you know,
it's like really like a systemic type of sleepwalking
where everyone is kind of ignoring what's going on.
And people are just like counting on whatever.
Like,
like, oh yeah, it'll be,
it'll be fine kind of.
And, you know,
so actually it's almost like a,
you know,
it's almost more than just a financial phenomenon.
It's like a cultural phenomenon, right?
which I think is something like if you look at something like the 2008 financial crisis,
that's like an example of when it really, when complacency really sets in,
that's when you can get these kind of like crazy crashes that actually can catch even the most,
you know, diligent risk model of God.
So we, so the goal is basically that we really want to ensure that, you know,
the users understand that, you know, that they're playing with leverage, which is some,
credit is actually something
and credit risk is something to take seriously.
So if you don't know,
like if you're not actively managing your own position,
you're not actively know what's going on in the system,
you should use a service that, you know,
holds your hand kind of that helps you actually do this.
And so right now, a few of those services exist.
But basically in the future,
we expect it to be a much, you know,
bigger and healthier ecosystem of many types of, you know,
like front end services that that for instance will help liquidate users position in advance
so they don't hit the limit, like so they don't hit sort of the system level.
And just in general, ensure that the system as a whole runs more smoothly because the people
who use it actually, you know, are watching the market right now, actually watching what's going
on rather than just, you know, levering up and then, you know, hoping everything will be fine.
Yeah.
I love what you said about the cultural shift because I feel like this is yet another example of how people have to learn with crypto that it really is like digital or it can function like digital cash and that this money just performs really differently or acts really differently from the kinds of money that we're used to.
And it's like yet another example of the mind shift that somebody has to undergo if they're going to take control of their private keys.
And there's actually more I want to ask you about that later.
But another thing that I wanted to ask you was, so why is it 13%?
Because you even yourself admitted that was high.
Yeah, I mean, it's actually because, I mean, so the reason why I think 13% was high and kind of, I mean, because in hindsight, we actually think that we've seen, I mean, that in a way we can justify that it maybe makes sense in a system like this to have a very, have a very punishing penalty like that.
just because we saw that good behavior out of it, right?
So it's actually because, just like for technical reasons in single collateral die,
it's implemented in a way where its liquidation function is just not very, it doesn't,
it's not very good, basically.
So it's very inefficient.
And for that reason, that's like, so just to, I mean, it's not, I mean, I guess it's not,
it's not like, it's, you know, it's just like, it could be a lot better.
and it will be a lot better in multilateral dye.
And basically because that's the case,
we just decided to really, really err on, you know,
significantly on the side of caution and just put something we thought was like,
yeah, this is really, really high.
We're going to put it at 13 percent.
And then there's no way that we will actually run into issues,
you know, derive from the fact that the liquidation function
is implemented in a more simple way.
And then why is the minimum threshold for,
collateral. Why is that 150%?
That's actually just an arbitrary number.
Like, that is, I mean, it's, I guess it's the, like, what we've been looking,
what we looked at when we came up with that completely arbitrary number is things like
other stable coins, like, you know, Bitchairs has this BitUSD stable coin that die
really is inspired by and is sort of an evolution of that whole design.
and that actually had a similar
like had risk parameters that were similar to that
although their risk runners work slightly differently.
And then another example is when you look at
the various margin trading platforms
that allow people to margin trade Ethereum for instance,
what we saw is those that we consider to be kind of like
the legit ones, I guess you can say,
like the not ones that are like full-on
but more like actually are providing leverage to sophisticated professional traders that know what they're doing.
And they seem to, I mean, typically they would allow up to 5x leverage in many cases.
And also 3x is pretty common.
So we basically said 3X was going to be our absolute sort of like upper bound for how much leverage users would be able to take.
So we just ensure the system stays sort of on the safe side.
but yeah but there's actually more nuanced to this because in reality you can't really like in reality
the this liquidation ratio is actually not a fixed like a fixed point but rather it's a function of
what this stability fee is so this you know this the interest rate you have to pay due to the
inherent risk of your of your collateral of your loan so in multiple lateral die it'll actually be a lot
Like, it'll be kind of like choose your own liquidation ratio, depending on how much you want to pay instability fee.
And then those two things are related on a curve.
Oh, wow.
This, yeah, I mean, there's a lot of comparisons one could make to something like a lending club, like a peer-to-peer loan.
But that I definitely think of as another parallel that I'm seeing.
I actually think this sort of brings up the role of keepers.
So can you describe who they are?
in the community?
Yeah.
So keepers are,
I guess you can say,
they're kind of,
they are rational agents
who are completely independent
from the system
and who can be like anonymous
and basically can be anyone.
And any person can run a keeper
by just going to a keeper repository
and GitHub and get the open source code.
And what they basically do is they are,
yeah,
they're like external independent agents
that exploit various profit opportunities in the system.
Now, the most obvious and sort of like the reason why the keeper concept was invented was to arbitrage the liquidations in the system, right?
So when a keeper sees, like so keepers are constantly looking for CDPs that reach the liquidation point.
And if it finds one that has reached a liquidation point, then the keeper is actually the one that sort of triggers the function in the system that actually runs the liquidation.
And the keeper then also will buy the collateral out of the system during the liquidation, for instance,
and then immediately go and sell it on some market elsewhere.
So keepers are kind of, in a way, you can a little bit like the glue that holds the system together.
And they're also kind of like the rational capital that interact with the system to, for instance,
stabilize dye in the short term based on the incentives that are built in for the long term.
and ultimately the more keepers there are, the more regular users the system can handle.
And also, like, depending on how efficient or inefficient the system is, that determines how much you can make as a keeper.
Yeah, the role of keeper reminds me a little bit of miners in Bitcoin or Ethereum or really any other role or this new trend that I discussed on the podcast with Jake Brookman.
charging of generalized mining where now you're seeing that these software networks basically can
employ people or machines. And it's something I talked about in my TEDx talk a little bit.
But as long as the incentives are designed correctly, then the people who take on these roles
can make money doing them. So one thing that you mentioned, though, is that they kind of help
keep the price, you know, in the right, you know, near the peg or at the peg?
How does that part work?
Yeah.
So, and I really like what you're saying about the simulums of mining, because when we first came
up with the, the name keeper, we actually was like thinking like, how do you, how do you
explain what it is?
Maybe something like mining 2.0.
And then, and then one of the, so the, so the other key thing to a keeper, other than
the keepers exploit profit opportunities is.
also if you're a keeper and you're already doing one thing where you're sort of scanning the
blockchain and exploiting a profit opportunity, you may as well also do everything else that sort of
is, you know, now you've already got this secure setup that's performing some sort of profitable
function. You may as well also look for other similar things you can do, right? And so the other,
the other really obvious thing to do, like as a keeper that's already scanning maker for liquidation
opportunities is to, for instance, arbitrage the price of dye across decentralized exchanges,
right? So if you can find something, like you can find an order on two different exchanges
that actually cross, but that just haven't matched because they're in two different orderbooks,
then you can buy one and sell the other, for instance, right? But they're really advanced
and also the most profitable activity that a keeper can do is market making. Right. So really just
providing liquidity to the market. And this is where they, I mean, and this and this is, and this is,
This is what can really in a way be described as exploiting the most fundamental mechanism of the maker system,
which is the governance mechanism that keeps dye stable around one US dollar.
And so basically what a keeper will do is a keeper will just bet that if the price of dye is, you know, deviates from one dollar.
That's a profit opportunity because you can either then buy die and expect it to go back to $1 and sell it again for some profit.
Or you can sell it above $1 and expect it.
to go down to $1 and then buy it to also similarly make a profit.
Yeah, I find this whole system pretty incredible.
The more I learned about it, the more I was really amazed.
And I honestly was proud because like you, I taught English in Asia early in my career.
And so I was pretty impressed that you had led the charge to come with this system.
All right, another role that I want to discuss is oracles.
What do oracles do?
Who are they?
So the term Oracle is, it's a pretty old term.
I think probably like those kind of things.
I feel like it's something that was made up by Italic.
I think it's very likely.
I mean, I feel I remember him making a blog process on part in early days.
But anyways, the oracles is like, yeah,
it's a generalized term for external actors that provide trusted data onto the blockchain.
So for Maker, it's this, like, oracles play this very crucial role of telling the system what the price of Ethereum is, for instance.
So the system knows when a CDP is supposed to be liquidated, right?
Because you can actually find that, like, the blockchain doesn't see the outside world, right?
So, you know, you actually need to have some sort of link and there needs to be some element of trust when you get in some data.
because you can't just have anyone submitting any data they want, right?
Then that'll immediately, that just won't work.
You actually need to, like, define and advance who do you trust
and, like, what kind of sources do you trust for your data?
And the Oracle problem, as many like to call it, right,
is really one of the most fundamental issues in, like, smart contracts and decentralization.
And the good news is nowadays there's some really cool solutions.
And so the solution we're currently using with Maker is,
just a relatively simple
like diversification scheme
essentially. So basically
rather than using one source
for the price feed into
Maker, the MKR holders
they actually choose a whole set
of oracles. So they will choose
like so right now it's 14 different
Ethereum addresses. So like 14
different like people
basically around the world
that have been chosen
through an MKR vote when the system was launched.
And they all
individually provide data into, like they all individually continuously update what they sort of
like observe to be the current price of Ethereum on the market. And then there is a like a fully
autonomous smart contract that takes in all of these data. So it basically takes 14 different
data points in real time and then takes the median of those different data points and then pushes
that median into Maker itself. So that mean and taking the median of the data points is pretty
important because that actually gives us some resilience
because it means that
if just like let's say some
of the oracles get compromised and start
setting crazy numbers, it's going to be completely ignored
by the system. Only if
51% of the oracles are
compromised and start sending bad data
do we actually have a problem where
that's going to get pushed into the core of the system.
So there also
have to be some secondary mechanisms to
kind of protect against
like compromised oracles.
And that is, that's fundamental
the fact that oracles always can, in theory, be compromised is sort of the fundamental
thing about the Oracle problem.
We're going to keep discussing oracles in a moment, but first a quick word from our fabulous
sponsors.
Issuing a digital security on the blockchain can be a significant undertaking, particularly
to ensure compliance requirements are met.
Tokensoft's trusted platform provides security in a world of uncertainty by working with
top legal and financial experts so that your digital.
assets are secure. Tokensoft leads the market in providing technological tools to support tax, banking,
and securities regulations for issuers of digital assets. We are honored to have supported leading
companies in 2018. To learn more about issuing digital securities successfully, visit tokensoft.io,
or follow them on Twitter at Tokensoft, Inc. Within months, cryptocurrency anti-money laundering
regulations go global. Are you ready?
Avoid stiff penalties or blacklisting by deploying effective anti-money laundering tools for exchanges and crypto businesses, the same tools used by regulators.
CipherTrace is securing the crypto economy.
Face it, regulations can stall or kill a fast-moving crypto business.
New Financial Action Task Force and European Union cryptocurrency AML laws are coming soon.
You could be hit with stiff fines or blacklisted, no matter where your servers are in the world.
Prepare now. Deploy the same powerful cipher trace tools used by regulators.
Protect your assets, streamline your compliance programs, and keep your exchange or crypto business
out of the regulators' crosshairs. Learn how effective anti-money laundering tools help keep your
crypto business safe and trusted. Learn more at ciphertrace.com slash unchained.
Ciphertrace is securing the crypto economy.
Getting your blockchain app off the whiteboard and into production can be a big undertaking.
From connecting user interfaces to integrating disparate systems and data,
blockchain app development can be time-intensive and costly.
Well, the folks at Azure have you covered.
With a few simple clicks, the Azure Blockchain Workbench can create a blockchain network for you,
pre-integrated with the cloud services needed to build your app.
And with their new development kit, users can extend their app to ingest messages from bots,
edge devices, databases, and more.
It's free to download and gives you the tools you need to get your first app running in less than 30 minutes.
To learn more about the dev kit and how to get started, visit aka.m.m.m.combed or follow them on
Twitter at MSFT blockchain. Back to my conversation with Roon Christensen of MakerDAO.
So I totally understand everything you're saying about how the oracle problem is a fundamental problem.
And I understood this part about the 51% attack.
But if that's all the case, then why are there so few oracles?
All you have to do is get eight people to collude and they can totally corrupt the system.
That seems like a really kind of vulnerable position to be in.
Yeah.
So right now with single adult eye and the way the system is set up currently,
we are really relying a lot on the fact that the people who are running these oracles
currently are actually some very longstanding community members.
Some of them are even oracles from other projects in the past, including Bit Shares,
which is like one of the first or possibly the first project that started using oracles in this way.
and then they're also like their identity is actually not known they're like a like the foundation
runs this whole oracle sort of anonymization scheme where it's it's only very few people who
actually know who the oracles are and so ultimately it's it's definitely i mean what it is
it's really a system that's robust enough for the beta for single who that all die because
it's not really it's you know it's in its current state it's not really something i can be compromised by
like a normal actor.
You know, maybe some state level actor would be able to, to penetrate the way it currently
works.
But we definitely consider it safe enough for, you know, for like the relatively limited
scale of single blood will die.
And then our main focus is how to make it better, right?
And actually, the absolute key thing that must be solved is, in fact, like, I mean,
the Oracle problem fundamentally just needs to be solved.
In fact, you can't actually ever accept that regardless of what the chance is that the oracles get compromised.
Like, it doesn't matter what that change is.
As long as it's not zero, that's not acceptable, right?
You're not going to actually be able to build a full financial infrastructure on top of it.
So we actually have a solution that we believe actually, I mean, of course you can't, like, you can never like solve something like or you can never sort of guarantee anything with complete certainty, right?
but we're sort of approaching, you know, like 99.99% confidence with this approach.
And basically the idea is that, so alongside this median, like this function that sort of takes in all the different inputs and then takes the median of those inputs.
So to ensure that even if some of them are compromised, it doesn't matter because as long as the majority of are clean, then it won't get contaminated.
But then the next step is that instead of pushing this sort of, you know, the fully processed data directly into the system, there's actually a delay in post on that data.
So, and this is through something we call the Oracle Security module.
So basically the oracles, like sort of the processed data from the Oracle is put into the Oracle security module.
And it then sits there for an hour and just waits.
And it's basically available for everyone to see so everyone can see, okay, in one hour, this will.
be the new Oracle input.
But, you know, we can see it now and we don't like, like it's not like we can actually react.
We have a full hour to react.
And it is, and then if the value is something crazy like, you know, 99999 or whatever or zero or something, right?
So, so basically if the oracles are compromised and they're trying to attack the system by sending
in malicious data, then the sort of the second layer and very strong, powerful defensive mechanism can then
like activate.
And this is where
this is probably actually the most important feature of the whole system.
It's called the emergency shutdown.
So basically it is a way to,
for the system to actually shut down in the event of some sort of negative,
you know, external or whatever.
I mean, it could even be if the system got hacked
or it could be if the market went completely crazy
or like there was some sort of crazy crash
or if there's some sort of crypto economic attack,
like on the Oracle infrastructure.
And what an emergency shutdown does is it sort of freezes a system at its last
known safe state.
So if there's currently some bad data on its way through the Oracle security module,
then the emergency shutdown will sort of rely on the last, on the Oracle data point that
was before that, right?
That was still a safe data point.
And then it will settle every single use of the system at the net asset value.
They're entitled to.
So what that means is as a dieholder, like the worst thing I can happen to you as a dieholder is that the system stops, like the service sort of stops running, right?
The system stops working.
But you can now just like what that means to your dye is your dye is now just becomes a claim on one dollar worth of collateral.
Right.
So you're not longer have a stable coin that's that keeps, that remains stable at one dollar, but your current stable coins, you can go and you can exchange them directly in a system for like the equivalent.
value in ETH of one dollar at the time that this emergency shutdown was done.
And then there is this very highly redundant infrastructure of what's called emergency
oracles.
So basically a different type of Oracle that just watches out for like Oracle attacks.
And actually there's also another kind of attack is relevant with it, which is the MQI
holders getting naughty and trying to use their powers maliciously.
And in both cases, the emergency oracles are able to do.
detect this. And then everything like and then it's like a very redundant and also very I guess
you can say trigger happy infrastructure. Right. So like even a single emergency Oracle is able to
on its own unilaterally trigger an emergency shutdown. And there is actually layers beyond that.
So even if all emergency oracles fail, MQI holders themselves are actually with like with a
relatively small minority, able to also directly trigger an emergency shutdown.
And ultimately all of this together is how we get to that.
So, you know, we can't guarantee with total, like total certainty that an attack will be, will be, you know, mitigated with an emergency shutdown.
But we can guarantee it with like, you know, 99.999, like kind of like as close as you possibly can get to total certainty.
And this, we believe, is then a strong enough deterrent that it actually makes it just totally economically and viable for someone to try to attack a system anyway, right?
because launching an attack would be very expensive,
and the probability of success is just,
it doesn't register, basically.
Wow, this is really intense.
Just so I can be clear that I understood,
so a single emergency Oracle can trigger a shutdown,
and also MKR holders can single-handedly trigger shutdowns?
Yeah, and it's a very, it's kind of like,
like it's kind of like that logic of, you know,
it's better to,
to imagine, like, it's better to see an imaginary tiger than to, you know, fail to see a real tiger, you know.
So, so basically it's, you know, so it's very easy to trigger an emergency shutdown and even a small, like a minority of MKR holders.
So actually a very small percentage of MKR holders able to do it.
Now, of course, the problem is like, there's the flip side to this, right?
And this is emergency shutdown.
It's a very terrible, like, well, I mean, it's, it's definitely.
like it's not really a desirable thing, right?
I mean, ideally it never happens.
And that's actually also why it's called.
It used to have a different name,
but we changed the name to emergency shutdown
to really like signify that this is not actually like a feature
you should expect to ever happen,
but it's more like, you know,
it's almost like a game theoretic device
that sits there to prevent stuff from happening,
but hopefully never has to be used.
However, if it did have to be used,
there are, you know,
there's a lot of infrastructure
in place to ensure that you can actually just do a smooth sort of redeployment and
kind of like immediately restart the system and get everything back to normal.
So in the end, what kind of like what we call a troll shutdown, right?
So someone like abusing the power of being able to trigger an emergency shutdown in the
event of attack and instead just using it to, you know, just like cause disruption.
What that would really mean for an end user is that in their like in their wallet or something
like that, they would have, like, they would be, they would have to click a button. And they wouldn't
even have, they wouldn't even need to know why that was, like, what is going on behind the scenes.
But then that would be sort of, that would be the only thing that would really be felt by the end users.
And, and the system and the governance is then able to, to sort of handle the entire migration
on the back end. So, yeah. So in, like, in an end, it's kind of, it really is kind of like,
you know, the nuclear deterrent in a way, right?
kind of like mutually a sure destruction. And ideally, it never actually is used in real
life, except in one circumstances, which is upgrades. So you also use it when you want to
upgrade the system, right? Then you exist to, you can shut down the infrastructure and you can
transition to a new one. And actually, when we upgrade from single collateral die to multilateral die,
it is by by eventually triggering an emergency shutdown on single collateral die.
And I'm sorry, in the case of a troll
shutdown emergency
emergency shutdown, how is that person punished?
Yeah, so
that's my favorite part.
So there's actually a whole bunch of,
like so we also have a whole bunch of game theory around that, right?
But I mean,
but there's basically two types of actress
that can trigger an emergency shutdown, right?
There is,
so there are the centralized emergency oracles
that are,
I mean,
in the long run,
they are basically going to be institutions of some sort that are chosen by MQI holders and given the power to trigger an emergency shutdown.
In the short run, they will be multiple sort of multiple independent divisions within the foundation.
So the foundation will run like a very sophisticated security infrastructure that then also has the power to do the emergency shutdown.
And basically the way to prevent trolling from, you know, centralized legal entities is pretty simple.
it's just using the legal system, right?
So they will actually be, like, you know,
there'll be legal agreements in place that ensure that someone who abuses that power
can actually be, you know, like can be pursued legally.
And then the other, so, so that's, that, like,
that should serve as a deterrent, but of course it's not guaranteed to do so.
And ultimately, but, but wait, when you say pursued legally,
like, like, what law would be broken and there's different jurisdictions.
So how do you, that just sounds.
Yeah, I mean,
Like, let's say, like, I mean, this is actually different depending on which jurisdiction the emergency Oracle operates in, right?
So, but, but typically it would like, I mean, basically it will be an agreement between like the emergency Oracle and then something like, like, like, well known entities and institutions in that jurisdiction that are sort like, you know, that the community ultimately trusts that if we look at this entire network here and they all have agreements with this emergency.
Oracle that if they, you know, that if they abuse their, their emergency Oracle powers,
they can be, you know, there's some sort of liability there.
Then, like, that's, at some point, there's, there is going to be enough guarantees in place
that the community actually feels comfortable, you know, wide listing that particular
emergency Oracle with the power to trigger an emergency shutdown.
And then if, like, of course, it's still not, it's not guaranteed.
It really is for sure not going to be abused.
but then again, the key is that again, if it is actually abused, it's still, like, you know, it's not the end of the world.
It is just like a UX annoyance, basically.
And the next time that, like, once you then have a troll emergency shot down in such a scenario and you do the redeployment after,
then, of course, you just make sure to not make the same mistake, right, and exclude that emergency oracle.
And in general, can add more like strict checks and balances on who gets to have that power.
Yeah, I mean, one other thing that I was thinking is it's more than just a UX annoyance because the people who have collateralized at 3X will recoup much less money than the people who've collateralized at 1.5.
So in that regard, the people who are kind of being safer with their collateralized at positions, they get punished more in that scenario, right?
No, I mean, if you do, if you go from from one live system and then do an emergency shutdown and then a redeployment process and transition over, you will be the exact same.
Like you click a button and your CDP will be exactly like it was before.
There are actually some efficiency losses.
I thought with the emergency shutdown, everybody's position basically, well, I don't know if it gets liquidated, but people only receive $1.
they only get a value that's equivalent to the amount of dye that they had.
Isn't that correct?
Yeah, well, yeah, sorry.
I mean, no, it's an asset value, right?
So if you're a die holder, you get value equivalent to the dye you have.
If you're a CDP holder, you get value equivalent to sort of the, you know, the free collateral that you have.
So let's say you have a CDP with $200 of collateral and $100 of debt, right?
Then you would get $100 of collateral.
And you would then immediately be able to go to the next.
system and and use that $100 of collateral to then again collateralize a 200% collateralization
CEP where you also take out 100 debt and use that to purchase an additional $100 worth
of Ethereum.
But rather than having to do this manually, there will, you know, there's a process in place
that we will showcase the first time when we do the single collateral to multi-collateral upgrade
where you actually just click one button once and then all of this stuff happens sort of
automatically on the back end, and you just see now your CDP has been migrated over from one
system to another.
Okay.
And I wanted to ask more about the oracles.
How often do they give their prices?
Because as we know, the crypto prices can be very volatile.
So if it's, you know, within long enough time periods, then the price can really have varied
a lot, even in the interim between when they have to give their price updates.
Yeah, so right now they actually give it very often.
Right now it's something like, well, actually right now they don't, they don't really look at, you know, they don't have a fixed frequency.
They just have a, like they update any time they see a change of, I think it's something like 1%.
But actually they're sort of deliberately said to be scrambled.
So it's, but in the end, it does give a pretty regular cadence of updates currently.
Which is what?
But actually, I mean, which is something like every, well, it's hard to say actually, because it depends on how much the price is swinging.
So like, but I guess it's, I mean, at least every minute or something, you know, like it, it stays very up to date in that sense.
But actually what's interesting is.
So it's like people running algorithms essentially that are the oracles.
Well, yeah, it's, it's, so what is it's processes on on servers around the world that basically,
hook up to various APIs of exchanges
and then like minus to them and then run some sort of algorithm
on the different prices that they see from different exchanges
and then ultimately come up with some like some some some you know some aggregate
number that they then or you know some media number or something that they then push
into maker and they actually all use different algorithms for you know for the sake of
diversification so they all have like a slightly different approach on how they
you know how they obtain the the current market price of it
Ethereum.
But actually one thing...
Oh, go ahead.
Yes.
Yes.
One thing that's interesting,
you were talking about is how this thing about the...
Like, how there needs to be very frequent Oracle updates, right?
Because that was actually also our initial thought, right?
And that's why we engineered the oracles the way they currently run.
But what we've since come to realize is that the opposite is actually true and that the system
doesn't actually need very regular Oracle updates.
And that's why...
why we have that, you know, we have that whole security mechanism where, so basically in
multiple lateral die, there will only be updates every hour. Yeah. And fundamentally, like the short
version of the reason, like the reason why that is okay to do is because you can compensate
for that via the risk parameters, basically. So you can actually take it into your overall risk
assessment that the Oracle isn't in real time, but rather is, you know, has this one hour delay.
But then the second part is that in multiple collateral diet, the way liquidations are done are through auctions.
And these auctions are like based on, like, doing the preliminary calculations on it, basically.
It turns out that these, these auctions typically should have a duration that's like something like six hours or more, basically,
to really probably, you know, be able to access all the arbitrar, you know, arbitrar sure's and liquidity across the whole market.
marketplace in ecosystem. So once you have that as a context, right, if the auctions take six hours
anyway, then, you know, like an oracle duration of one hour doesn't actually really change
much because that just means you could, okay, if you were going to make the auction duration
six hours and the Oracle frequencies, one hour, you can just cut down the auction duration
to five hours instead. And you still get sort of an overall end-to-end cycle of six hours.
Okay, I'm having a little bit of trouble following this. So I think, though, this may relate to a question that I had for the oracles.
Dye went live after the ether flash crash on G-Dax in the summer of 2017. But at that time, let's say that Dye had been live, then what would have happened is that the oracles all would have thrown out the 10-cent prices and whatever on G-Dak.
Dax because it takes the median.
Is that how that would have worked?
Yeah.
So the oracle's actually like so the way the median is implemented on the blockchain,
on the smart contract side.
And it's a very simple process, right?
It just takes the median of the of its inputs.
But actually the Oracle, you know, clients themselves,
so like the actual servers that are sitting there and sort of pulling data from different
exchanges, they actually have a lot more sophisticated signal.
processing logic built into them.
So they actually are just able to like detect this is a flash crash, just totally ignore that.
So of course the problem is, the question is when is something a flash crash and when is
a real quash that, you know, and basically if there was, you know, a major crash across all
exchanges at once and it actually was sustained.
So it wasn't just like, you know, it goes to zero and then it goes back up after like a few
seconds or a few minutes.
But if it actually, if there's like a huge crash and it's sustained for like,
you know, like many minutes or maybe even an hour or something.
Then at that point, there's no way to basically detect that this is just a flash crash.
And then the system would really just register those numbers.
So the risk of that, of something like that happening basically has to be accounted for
in the risk models themselves, right?
Because that's like something like that can always happen, right?
I mean, there are many instances of like true like Black Swan events in the real world
where there are assets that just have huge crashes.
And this really also speaks to the reason why you've got to have multiple collateral types, right?
You can't keep all your X in one basket.
Right.
But so then let's say that there was something like maybe there was some vulnerability found in the Ethereum blockchain
and suddenly the question of whether Ethereum itself was viable.
Let's say that that happened.
like something really even bigger than, you know, when Vodalek was rumored to have died and, you know, whatever, just something where it's like, oh my God, a theorem may not work anymore.
So in that case, I guess this is just another way of me asking about what you were saying about how you actually don't need frequent updates.
Let's say that that was, it was thought that that was the case.
and then maybe like an hour or two later,
people realized that for whatever reason,
this didn't mean the end of Ethereum
and suddenly people were buying back ether.
Then, so how would,
why is it that the oracles don't need to be updated as frequently?
I still don't understand that point.
I mean, I actually don't, like, I mean,
I think a better example to look at is just like an asset just crashing
extremely fast, right?
And the system not basically registering this fast enough to start triggering liquidations itself.
So once it starts triggering those liquidations, the price is already zero.
And maybe if, like, I mean, now I'm sort of making the argument for why you think that you would have really fast oracles, right?
I mean, if you have ultra-fast oracles, you could imagine a scenario where, you know, the liquidations actually happened during that incredibly fast crash.
And the system would actually have been able to get some of the money back.
right because it it would have been lucky enough to still sell to like a greater fool kind of who was willing to to buy all the way down to zero but i mean like and that is that is sort of i mean there is a there is a real like there is sort of an argument to be made that this is a this is good behavior but there's actually also like there's also reasons why you don't want that right because and that is actually kind of the scenario you talked about right i mean where what if it goes to zero and it is a zero for you know 20 minutes and then it goes back to the price it was before right or or or
or some scenario like that, right?
In some cases,
you don't want to just, like, be super neurotic
and immediately react to the data.
But the most important thing is that fundamentally,
like, this doesn't, like, whichever way you do it,
don't really matter in the grand scheme of things.
Because Mega ultimately has to be able to not just deal with,
like, really, really fast crashes,
but with literally instant crashes, right?
like with a crash that's literally like from one like the government seizes this entire like tokenized
you know link into all the gold or something that is tokenized in some vault right so the gold
token is now from the very second that that happens that token is now totally worthless right
so no it doesn't matter how fast the oracles are the price is is completely has gone to zero now
and and that kind of scenario is something the system also needs to be able to handle right
And the way you deal with that is really just through the fundamental risk management of the system.
So the system must have very diversified collateral and must have, you know, like different kinds of stability in it and sort of like uncorrelated assets that provide many different types of value and ultimately provide many different types of income streams to MKR holders, right?
So a lot of stability fees that constantly go to MKR to buy MKR and burn it so that.
if one of these many different types of collateral suddenly disappears and just goes poof and it's gone,
the system as a whole is able to absolve that loss. So kind of like, you know, basically like insurance, right?
Like that everything is paying and then suddenly there's a disaster in one point. And basically,
the payments from every other point sort of makes up for the fact that there is a huge disaster.
There's a huge shortfall here. But ultimately, as a whole, the system is able to absolve that
and keep going.
And that also, I mean, that's also an interesting mechanism, right?
Because the way that actually happens in practice is that the MKR token is inflated.
So just like the MKR token is burned and deflates in good times, it actually inflates and
goes out on the market in the event of this kind of massive crash that undercollateralize
the parts of the system.
And ultimately, that's sort of the fundamental dynamic of the governance, right?
It is all about trying to get in fees in good times and by all means and at all costs
prevent these kind of like crazy crashes that result in inflation.
Yeah, I'm having a lot of flashbacks to the financial crisis.
And I'm realizing in a way what you're saying reminds me of how everybody says that
when there's a market crash, the smartest thing to do is to not sell.
Of course, everybody does sell, which is why there's a market crash.
But it's only, you know, when you sell that you lock in your losses.
So in the scenarios that you're describing where there's a crash, but then there's a recovery, it is better for the system to have not sold.
However, as we were talking about before, you don't want the MKR holders to become complacent.
And so that's why if they do manage the system in a way where it is exposed to these risks and therefore is harmed by the risk that they take, then their MKR holdings get diluted.
So, okay, Roon, so we're now starting to sort of talk about multi-collateral die and yet we're
approaching the end of the hour. And it's kind of crazy that we have not even discussed that or any
of the many other things going on in MakerDAO. And I had a feeling this was going to happen actually
when I went into the episode because, I mean, it's the case with pretty much every episode where I
generally have more questions than I have time to ask. But this episode definitely,
took the cake and since we had a sound check that lasted longer than a typical episode.
I think I'm just going to make this a two-parter and we will release the second hour with
my gazillion other questions next week. So listeners, I would like for you to tune back in
next week. And in the meanwhile, Roon, it's been so great having you in the show. Where can people
learn more about you and Maker Dow?
I mean, the main place to go is to a website, right?
MakerDot.com.
It has the white paper.
It has our team page and a lot of really good resources.
And then we have our subreddit, which is Reddit.
com slash R slash Megadow as well as our community chat room if people really want to get involved,
which is, yeah, you can find that on website, but it's also on chat.makerdao.com.
Great.
Well, thanks for coming on Unchained.
Thanks so much for having me.
And to listeners, thanks so much for joining us today.
To learn more about Rune and Maker Dow, check out the show notes inside your podcast player.
New episodes of Unchained come out every Tuesday.
If you haven't until ready, rave review and subscribe on Apple Podcasts.
If you liked this episode, share it with your friends on Facebook, Twitter, or LinkedIn.
And if you're not yet subscribed to my other podcast, Unconfirmed, I highly recommend you.
Check it out and subscribe now.
Unchained is produced by me, Laura Shin, without from Rayling Gallup Holly, Frasel Recording,
Jenny Josephson, Corned Fife, and Daniel Ness. Thanks for listening.