AI transcript
0:00:03 – The content here is for informational purposes only,
0:00:05 should not be taken as legal business tax
0:00:07 or investment advice or be used to evaluate
0:00:10 any investment or security and is not directed
0:00:14 at any investors or potential investors in any A16Z fund.
0:00:18 For more details, please see a16z.com/disclosures.
0:00:22 – Hi everyone, welcome to the A16Z podcast, I’m Sonal.
0:00:25 Today’s episode is all about blockchain-based voting systems
0:00:29 which has implications for crypto economic security
0:00:32 and for governance, especially when you think
0:00:34 about the differences, both good and bad,
0:00:36 between real world and online systems
0:00:38 for coordinating groups of people to vote on something,
0:00:40 whether it’s a decision in a boardroom
0:00:42 or an election or anything else.
0:00:44 This episode was recorded as part
0:00:46 of our New York City podcast road show
0:00:49 and so it features Phil Dayan, a PhD at Cornell Tech,
0:00:51 working with Ari Jules there.
0:00:53 His research focuses on broad questions
0:00:55 of security of distributed systems,
0:00:56 specifically blockchains.
0:00:58 He also wrote a post last year
0:01:00 with Tyler Kell, Ian Mears and Ari Jules
0:01:05 on quote, “On-chain vote buying and the rise of dark DAOs.”
0:01:06 Joining Phil in this hallway style jam
0:01:09 to discuss these topics is Ali Yaya,
0:01:10 who was previously a software engineer
0:01:13 and machine learning researcher at Google X and Google Brain.
0:01:16 He also gave a talk at A16Z Summit on crypto
0:01:18 and the evolution of trust, which you can find
0:01:22 on our website, and he’s a partner on A16Z Crypto.
0:01:24 Speaking of, please note that the content here
0:01:26 is for informational purposes only,
0:01:29 should not be taken as legal business tax
0:01:32 or investment advice, or be used to evaluate
0:01:34 any investment or security and is not directed
0:01:38 at any investors or potential investors in any fund.
0:01:39 For more details, please also see
0:01:42 A16ZCrypto.com/disclosures.
0:01:44 The conversation that follows covers ways
0:01:46 in which blockchain systems are different
0:01:48 from real-world voting systems,
0:01:50 ways the system can be gamed
0:01:52 and what that means for security,
0:01:54 as well as possible solutions
0:01:56 and more importantly, questions
0:01:58 all blockchain system designers should think about
0:02:01 instead of making naive assumptions.
0:02:04 But first, Phil and Ali began by very briefly summing up
0:02:06 the issues in real-world elections
0:02:08 and electronic voting systems.
0:02:11 The first voice you’ll hear is Phil’s, followed by Ali’s.
0:02:14 – So one challenge people have seen is straight up hacking.
0:02:17 Of course, if there is electronic voting in use,
0:02:19 just tampering with the integrity of the election itself
0:02:21 or the integrity of the registration.
0:02:23 Another challenge that people have been worried about
0:02:26 in the past is vote buying and selling.
0:02:27 So if I want you to vote a certain way,
0:02:30 maybe I directly bribe you to do so
0:02:32 or maybe even in the current system,
0:02:34 I can indirectly do it.
0:02:37 But it’s very difficult to bribe someone in person
0:02:39 and sort of understand how they’re going
0:02:40 to act in an election.
0:02:42 – Yeah, you have this great example of how
0:02:44 if the price of a vote is a beer
0:02:45 and you take me out for a beer and say,
0:02:48 “Ali, I want you to vote for ex-candidate.”
0:02:50 I could drink your beer and then go to the poll
0:02:53 and submit whichever ballot I want.
0:02:56 And you have no real mechanism to enforce my vote
0:02:58 in one way or another.
0:03:01 And you then point out how this is not so much the case
0:03:03 when you go to the world of electronic voting.
0:03:04 – Yes, the price of the vote as a beer
0:03:06 is actually kind of realistic.
0:03:09 Like vote buying in general is empirically pretty cheap
0:03:10 for two reasons.
0:03:11 Number one, it’s actually the poorest
0:03:13 and least advantaged people that are the most inclined
0:03:15 to sell their votes.
0:03:17 And number two is most people are disinterested
0:03:18 in most elections.
0:03:20 So this actually makes vote buying pretty cheap.
0:03:22 And in electronic voting, this is a big problem
0:03:25 because with many electronic voting protocols,
0:03:26 you can actually tell at the end of the protocol
0:03:27 how someone voted.
0:03:30 So it becomes much easier for me to bribe you
0:03:31 because I can just say essentially I’ll give you a beer
0:03:34 if I check afterwards and you voted with my candidate
0:03:36 rather than sort of trusting you to go in the polling booth
0:03:38 and make the right decision where socially
0:03:40 I can’t follow you into that booth
0:03:41 and look over your shoulder.
0:03:42 – Exactly.
0:03:44 You point out how in the world of human voting,
0:03:47 there are three things that tend to make vote buying
0:03:48 a little bit more difficult.
0:03:49 And it’s the inefficiencies of the human world
0:03:51 that actually work to your advantage here.
0:03:53 So the first is that in the human world,
0:03:55 it’s a crime to buy votes and that itself
0:03:57 kind of can serve as a deterrent,
0:03:59 which doesn’t really exist so much
0:04:01 in the jurisdiction-less crypto world.
0:04:03 The second one was that ballots
0:04:04 tend to be casted in secrecy.
0:04:06 So there’s no way of me to produce a proof
0:04:08 that I voted in one way or another,
0:04:11 which makes the buying of the vote difficult to enforce.
0:04:13 And the third one you mentioned is that if you tell me
0:04:15 that you’re going to pay me in the future
0:04:16 for voting one direction or another,
0:04:18 I have a hard time trusting you
0:04:20 that you will actually in the end pay me.
0:04:22 And so there’s sort of counterparty risk.
0:04:25 And so in the same way that sort of blockchains
0:04:30 mitigate trust and improve coordination for good purposes,
0:04:34 they can also be used to improve coordination
0:04:36 for sort of malicious purposes.
0:04:38 In this case, vote buying is like a double-edged sword.
0:04:41 Blockchains can be used to increase the efficiency
0:04:44 and effectiveness of bribery and vote buying.
0:04:45 Yes.
0:04:46 In the traditional world,
0:04:48 there’s been a long line of academic research.
0:04:51 So very early on people said we want to vote electronically.
0:04:52 It’ll make tallying cheaper.
0:04:54 It can maybe use cryptography
0:04:55 to increase the integrity of our elections.
0:04:57 So we don’t rely on these pieces of paper
0:05:00 sort of with this weird chain of human custody
0:05:01 and things like that.
0:05:03 But early schemes sort of suffered from this receipt property
0:05:06 where I could produce a proof that like here is the outcome
0:05:09 and here is what I actually voted to lead to this outcome.
0:05:11 So there was a wide range of work early on
0:05:12 on how to sort of solve this issue
0:05:15 and create voting schemes that are receipt free,
0:05:17 which means that after the fact,
0:05:19 I cannot produce a receipt or a proof
0:05:20 to tell you which way I voted.
0:05:22 And it’s sort of equally likely from your perspective
0:05:24 that I voted in any direction.
0:05:27 Later work sort of said that this is not strong enough.
0:05:29 Essentially the high level is
0:05:31 if you’re looking over my shoulder electronically,
0:05:33 like you have a virus on my computer
0:05:35 or you’re just physically looking over my shoulder,
0:05:36 at the time that I’m voting,
0:05:38 even receipt freedom is not enough
0:05:40 because you might be able to see in real time
0:05:42 the direction in which I’m voting
0:05:43 and enforce my vote that way.
0:05:45 So that led to an even stronger property
0:05:46 called coercion resistance,
0:05:48 which is that even if you compromise me
0:05:49 for some period of time,
0:05:52 you still are not able to get me to vote a certain way
0:05:54 in a way that you can trust.
0:05:55 – Yeah, that’s very interesting.
0:05:59 And so let’s connect this to sort of the blockchain world.
0:06:01 These questions of electronic voting have existed
0:06:03 for decades and predate the world
0:06:05 of blockchains and crypto networks.
0:06:07 But now there’s like a resurgence of research
0:06:10 in this direction because so many blockchain
0:06:11 and crypto network projects
0:06:14 want to use on-chain voting for all sorts of purposes.
0:06:16 – So I mean, in blockchain networks in general,
0:06:17 you often need to make decisions.
0:06:20 That’s like part of the attractive point of blockchains
0:06:22 that it makes coordinating group decisions
0:06:24 among actors who don’t trust each other
0:06:26 a little bit easier.
0:06:29 And to make these decisions sort of a natural response
0:06:30 is just vote, right?
0:06:31 That’s something you see in the real world.
0:06:34 It’s something you see in corporations with stockholders.
0:06:35 It’s something you see in boardrooms.
0:06:37 It’s something you see in political elections
0:06:39 and all sorts of other social systems.
0:06:41 So it’s just, I think, a natural human tendency
0:06:43 when asking sort of how to organize these things
0:06:47 that voting is the only real clear shelling point answer
0:06:48 that we can come up with.
0:06:49 So I think an important distinction
0:06:52 on why this stuff really matters in the blockchain world
0:06:54 is that the blockchain world and the real world
0:06:56 don’t operate in the same models.
0:06:57 If you’re going to a boardroom with someone,
0:06:59 you’re sitting next to the person, right?
0:07:02 We’re sort of operating in this model of social honesty
0:07:04 where people can see each other face to face.
0:07:05 You have shared interests in the company.
0:07:08 You sort of know their history at least somewhat.
0:07:10 Whereas in blockchains, you’re operating in an economic,
0:07:13 sort of an economically rational game theoretic model.
0:07:15 So you need much stronger guarantees from your systems.
0:07:17 Your systems need to be strong
0:07:20 even in the presence of economically motivated adversaries.
0:07:21 And they need to be secure,
0:07:24 assuming people are rational rather than honest.
0:07:25 So we don’t get to lean on this sort of honesty
0:07:28 that we have in the real world in blockchains.
0:07:29 And I think that’s where a lot of the mechanisms
0:07:32 that people try to sort of port over naively break down.
0:07:34 – Right, and this is especially important
0:07:36 because in most of the crypto networks
0:07:38 that are actually interesting,
0:07:42 the model is one where anyone can participate.
0:07:44 And people refer to this as the permissionless setting
0:07:46 and that anyone can connect to the network.
0:07:49 Anyone can sort of participate in the decisions
0:07:51 that are made through the governance processes
0:07:53 of the crypto network,
0:07:55 which makes the environment the very hostile one
0:07:57 because anyone anywhere can opt to participate
0:07:59 and they have an economic incentive to do so
0:08:01 because if they can game the system
0:08:03 or if they can sort of subvert it in some way,
0:08:05 then they could potentially profit.
0:08:06 – Exactly.
0:08:08 Satoshi released his white paper in ’09
0:08:10 and academics first started looking at Bitcoin
0:08:12 and its success and its rise
0:08:14 and asking like what is actually the interesting lesson
0:08:16 to be learned here from what we’ve been doing
0:08:17 for the last 20 years.
0:08:19 There was a whole space of consensus protocols
0:08:21 and Byzantine fault-tolerant protocols
0:08:22 that came to consensus on something
0:08:25 even in the presence of malicious users.
0:08:27 But what was really new about Bitcoin
0:08:30 is that it let anyone join and leave the network at any time.
0:08:32 And these people didn’t need to ask the people
0:08:35 who are already participating in the network
0:08:36 whether they can join or not.
0:08:38 So in most consensus protocols,
0:08:40 you have a sort of quorum that’s coming to decisions
0:08:41 and if you want to join,
0:08:43 you need to ask the quorum to join
0:08:45 because the quorum needs to agree on who’s in the quorum.
0:08:46 So they need to sort of come to consensus
0:08:48 on the fact that you’re allowed to join.
0:08:50 Whereas in something like Bitcoin,
0:08:51 if you want to start mining Bitcoin,
0:08:53 you just turn on your rig and as soon as you succeed,
0:08:55 people will accept that mathematically.
0:08:57 They don’t need any sort of membership proof
0:08:58 or anything like that.
0:08:59 What I think is relevant to voting
0:09:01 is that fundamental to the permissionless model
0:09:03 if you’re gonna use cryptography,
0:09:04 which all blockchains do,
0:09:06 is that if I can join and leave at any time,
0:09:08 I need to be able to like generate my own key
0:09:09 and join at any time.
0:09:10 – Right.
0:09:13 I mean, the uses of on-chain voting,
0:09:16 we’re voting within blockchain projects,
0:09:19 range all the way from setting the parameters,
0:09:21 like some parameter in the protocol
0:09:22 that may be something minor,
0:09:25 kind of like the price of gas, for example,
0:09:28 all the way over to sort of some intermediate level
0:09:30 where people use governance
0:09:32 and voting to decide how to allocate funds.
0:09:34 And then this goes all of the way over
0:09:37 to actually deciding how to change the protocol itself.
0:09:40 And so there are projects that are sort of self-amending
0:09:45 and that they use governance as a way of proposing updates
0:09:47 to the protocol and then deciding on which updates
0:09:50 should go through and which updates should not.
0:09:51 And so the stakes are high
0:09:55 and that if you have a governance system that can be gamed,
0:09:59 then all of these use cases may end up being vulnerable
0:10:00 to that kind of attack.
0:10:02 One way of thinking of governance that I quite like
0:10:04 that I think was proposed by Vitalik
0:10:07 is the coordination model of governance
0:10:10 and that really all governance decisions are in essence
0:10:13 a way of coordinating collective action.
0:10:16 He talks about how there are multiple layers
0:10:17 to governance, right?
0:10:19 The bottom layer is like what’s closest
0:10:20 to the real and physical world.
0:10:22 – Yeah, so maybe let’s go bottom up
0:10:24 on everywhere you have voting in blockchains.
0:10:25 At the very base level,
0:10:27 all consensus mechanisms are a vote,
0:10:29 so proof of work itself is a form of voting
0:10:30 on which block is valid
0:10:32 and which history is accepted by the network.
0:10:34 So you have voting at that layer.
0:10:35 Then that half layer up, like you said,
0:10:38 is this governance layer of how do blockchains
0:10:39 actually change their underlying code
0:10:42 and respond to attacks or new situations
0:10:45 or new technology or whatever it may be.
0:10:48 Traditionally, this has sort of gone with the fork model
0:10:50 where you just sort of spin up new code
0:10:52 and try to lobby everyone to just run this new system
0:10:53 instead of the old one.
0:10:55 This model has seen a lot of political strife,
0:10:59 a lot of inefficiency, a lot of sort of lobbying
0:11:01 and traditional politics like nastiness
0:11:03 in the blockchain space.
0:11:06 You can look at the Bitcoin block size debate,
0:11:07 whether to change the one to a two,
0:11:11 which spawned like a year long rift between the communities
0:11:13 that ended up in like several summits and agreements
0:11:16 and eventually a permanent split.
0:11:17 So some people look at that and say,
0:11:18 maybe we can make this more efficient
0:11:20 by just using voting and allowing the coin holders
0:11:22 to express their preference
0:11:23 and sort of just going with that.
0:11:25 And then another layer up from that,
0:11:27 you have the application layers like you were saying.
0:11:30 So these are your DAOs, these are your smart contracts
0:11:32 that wanna use voting to make decisions.
0:11:35 They could be, for example, on how to allocate funds.
0:11:37 They could be on how to change parameters
0:11:38 within their own smart contract.
0:11:41 So you really have voting throughout the blockchain stack.
0:11:42 A lot of projects are using it
0:11:46 and it has a very sort of wide impact as a general problem.
0:11:49 – So one observation that comes out of all of this
0:11:52 is that today’s governance systems
0:11:54 and sort of blockchains and crypto networks,
0:11:56 the way that they exist today will likely devolve
0:11:59 into plutocracy simply because the mechanisms
0:12:02 for vote buying are so effective as you described.
0:12:05 And some proponents of on-chain governance
0:12:07 will argue that plutocracy may not actually
0:12:08 be that bad of a thing.
0:12:10 They may be a bad thing for democracies,
0:12:12 but not so much for blockchains.
0:12:15 In the blockchain world for a crypto network,
0:12:17 it’s not so much a bad thing
0:12:20 because it’s in a sense incentive compatible,
0:12:21 at least at a surface level.
0:12:24 If they are voting using their coins
0:12:26 for any one upgrade to the protocol,
0:12:29 they will want to vote in the interest of other people
0:12:31 who also hold the coins in the interest of the network
0:12:34 because they own it and they have a stake in it.
0:12:37 And also their incentive to protect the network
0:12:38 is proportional to how many coins they own.
0:12:41 So like larger voters or stakeholders
0:12:43 who have more coins in the network
0:12:46 have an even greater incentive to protect the network.
0:12:48 What are your thoughts there?
0:12:49 – So I think every blockchain project
0:12:51 should take a step back and ask,
0:12:52 do we want plutocracy?
0:12:53 Do we want vote buying in our system?
0:12:55 And what are the consequences of that?
0:12:56 For many of them,
0:12:58 maybe it’s more acceptable than for others.
0:13:02 For example, if you have like a small closed sort of contract
0:13:03 that has a few shareholders,
0:13:05 something like an investment firm
0:13:06 and you have like one guy
0:13:08 who decides whether people get in or not,
0:13:10 maybe you’re not so concerned about vote buying
0:13:11 in that kind of a scheme.
0:13:15 Or if you have even like some sort of closed setting
0:13:17 where you can say things about the participants,
0:13:19 maybe you’re not so concerned about vote buying.
0:13:21 In a wider system where let’s say
0:13:23 the whole world is participating in it eventually,
0:13:25 I think the fundamental point is that
0:13:27 most people are disinterested in most votes
0:13:29 and the utility they get from the system
0:13:31 is not directly sort of correlated
0:13:34 with whether they vote A or B on this given issue.
0:13:36 Nonetheless, there are certain groups of people
0:13:37 who are extremely interested
0:13:39 in whether people vote A or B on a certain issue
0:13:41 and these are often pretty moneyed groups.
0:13:42 So in this way,
0:13:44 that kind of governance does sort of degenerate
0:13:45 into plutocracy.
0:13:48 And if that’s acceptable for your system, that’s fine.
0:13:49 I think for many systems, it’s not.
0:13:51 You need to care about these attacks
0:13:52 and you need to reason about
0:13:54 why your system is secure against this
0:13:56 and why your system actually doesn’t degenerate
0:13:57 to plutocracy.
0:13:58 People have tried to get around this
0:14:00 in two ways in blockchains.
0:14:02 The first one is they add some sort of identity.
0:14:03 So they have a third party service
0:14:05 that like you send your cell phone number
0:14:07 or something like that and it sends you a text
0:14:09 and sort of anti-sibles you that way
0:14:11 and then you’re able to participate in a vote.
0:14:15 So at least you can sort of attach some entity
0:14:17 to the person and then count votes per entity
0:14:18 rather than per coin.
0:14:21 This actually still degenerates into plutocracy
0:14:22 because of the way the Dark Dow works
0:14:25 because as long as these identities are keys
0:14:27 that people can sort of generate at any time,
0:14:30 they can be bought and sold and using the Dark Dow model
0:14:31 and you can essentially sell people
0:14:33 like the right to your identity
0:14:35 or you can sell people the right to a certain vote
0:14:38 using your identity or even more specific things than that.
0:14:40 So that kind of doesn’t work
0:14:42 unless you have a strong social protection
0:14:44 where like the person has to come in very often
0:14:46 and the network sort of authenticates
0:14:49 that they’re human or something like that.
0:14:50 That becomes very complicated
0:14:52 and steps much more into the messy world
0:14:53 of real world elections
0:14:56 and maybe doesn’t work for a global blockchain community.
0:14:58 Another way people have tried to get around it
0:15:00 which also kind of requires identity
0:15:03 is this new line of work by Vitalik Glenn Whale
0:15:05 and a few other people which is quadratic voting
0:15:07 where you actually allow vote buying.
0:15:09 So you allow people to buy votes
0:15:11 but only at an exponentially increasing price.
0:15:13 And this may kind of look like plutocracy
0:15:15 because you’re allowing people to buy votes
0:15:17 but if you actually do the math on the incentives,
0:15:20 it turns out that through this increasing function,
0:15:21 essentially people will express
0:15:22 their true preferences in the end.
0:15:26 And one rich person who really cares about A versus B
0:15:29 won’t be able to sort of overwhelm a disinterested majority
0:15:30 that weakly prefers A
0:15:32 and maybe each don’t have as many funds
0:15:33 as that one individual.
0:15:35 So this fixes some known pathologies
0:15:37 in real world voting systems
0:15:39 and also blockchain voting systems.
0:15:41 But it does require identity
0:15:43 and it’s extremely vulnerable to manipulation.
0:15:45 If this one rich person can pretend
0:15:47 that they’re two rich people or something like that,
0:15:48 the gig is sort of up.
0:15:51 And that’s what these new coordination mechanisms allow.
0:15:53 – Yes, I think this dependence on identity
0:15:55 that you are pointing out is very important
0:15:57 because as you pointed out,
0:15:59 anyone can pretend to be more than one person.
0:16:02 They can generate 10 different sets of key pairs
0:16:03 or hundreds of sets of key pairs
0:16:05 and pretend to be hundreds of people.
0:16:06 – Yeah, and the only thing you can do
0:16:07 is wait by coins basically.
0:16:08 – Exactly.
0:16:10 In that world, you end up with unfair representation
0:16:13 of you’re trying to assign a single vote to a key pair.
0:16:17 So proponents of on-chain coin holder governance
0:16:21 which means that one coin gives you one vote will argue.
0:16:23 It’s at the very least, civil resistant,
0:16:26 which means that if you have like 10 million coins
0:16:28 staked on one particular vote,
0:16:31 they’re basically used to vote for one particular outcome.
0:16:34 It’s very hard to argue that those 10 million coins
0:16:37 come from trolls that are trying to sway the election
0:16:39 because there’s real weight and real capital
0:16:41 that’s staked in one direction or another.
0:16:43 Whereas if you’re not using coin voting,
0:16:45 then that becomes more possible.
0:16:48 And so if you have a mechanism for identity
0:16:52 wherein you securely associate one human to one vote
0:16:53 or something like that,
0:16:57 then more sophisticated voting schemes become possible.
0:17:00 I think today, because we lack that kind of a mechanism,
0:17:03 people end up gravitating towards this simple
0:17:07 and somewhat, perhaps somewhat naive one coin, one vote model
0:17:09 which is vulnerable to this foot buying attack.
0:17:13 – Yeah, and this opens up a range of other issues.
0:17:15 So one problem that people have
0:17:16 when they analyze blockchain systems
0:17:18 and they sort of design these mechanisms
0:17:19 is that they look at their mechanism
0:17:21 and reason about its security properties,
0:17:23 but they do that in isolation.
0:17:25 And an important point is that none of these systems
0:17:27 really exist in a vacuum, right?
0:17:29 So take a look at any sort of blockchain
0:17:31 that uses coinholder voting to decide
0:17:33 the outcome of its consensus rules.
0:17:35 And there’s at least two such blockchains
0:17:37 that are sort of using this model.
0:17:39 If these two very large projects are approximately
0:17:41 the same size or one is a little bit bigger
0:17:43 than the other one or one is twice as big
0:17:45 as the other one or something like that,
0:17:47 it’s in the economic interests of everyone
0:17:49 who holds coins in the bigger project
0:17:51 to buy up coins on the smaller project
0:17:53 and influence votes in ways
0:17:55 that are sort of counter competitive.
0:17:57 And maybe even if they can’t buy up
0:17:58 enough of a blocked influence votes,
0:18:02 they can sow chaos and confusion and things like that.
0:18:05 So while one of these systems, you may say in isolation,
0:18:07 like, okay, the coinholders interests are represented
0:18:09 by this plutocracy, that doesn’t really work
0:18:11 when you have a whole world around it
0:18:13 that’s full of money that can frictionlessly
0:18:15 enter and exit the system at any time.
0:18:17 There’s no guarantee whatsoever
0:18:19 that the people who are economically in right this second
0:18:21 have an interest in that system,
0:18:22 especially when there are much bigger systems
0:18:24 that are competing with it.
0:18:25 So I think that’s a very important point
0:18:26 that people overlook.
0:18:28 And again, we mentioned that there’s this sort of stack
0:18:30 of voting, even at the consensus layer,
0:18:32 that has implications on the whole stack.
0:18:34 So if you have a fork that’s like 10%
0:18:36 of the size of a project,
0:18:38 and this fork could potentially impact
0:18:40 the price of the larger project,
0:18:42 it’s absolutely in the interest of that larger project
0:18:45 to launch attacks on that base layer proof of workflow
0:18:46 and do things like censorship,
0:18:48 use some small percentage of their hash power
0:18:51 to do 51% attacks or denial of service
0:18:52 or whatever they need to do to make sure
0:18:54 that that network goes down in price.
0:18:56 And that attack might even be profitable,
0:18:58 especially if there are mechanisms to short
0:18:59 that sort of smaller project.
0:19:00 – Yeah, that’s a very good point.
0:19:03 I think most proponents of a coinholder voting
0:19:07 would argue that it is just not in your interest
0:19:10 to sell your vote because you’d be damaging
0:19:11 the value of the asset that you hold.
0:19:14 And you hold a coin, and if you sell the votes
0:19:15 associated with that coin,
0:19:17 and that might reduce the value of the coin
0:19:20 in some way that sort of results in a net loss for you.
0:19:22 But that analysis happens entirely in a vacuum.
0:19:26 It happens sort of assuming that there aren’t any kind
0:19:28 of external mechanisms via which you could profit
0:19:31 from the loss of value of this particular coin.
0:19:32 Like for example, what you’re mentioning,
0:19:33 competition between blockchains.
0:19:36 If I’m a stakeholder, a much larger stakeholder
0:19:37 in a competing network,
0:19:39 then I might have a strong interest
0:19:41 in reducing the value of this particular coin,
0:19:42 and that that’s associated
0:19:44 with this one competing crypto network
0:19:46 because it may result in a larger profit
0:19:48 outside of the system.
0:19:51 And so I think, yeah, the incentive structures
0:19:53 that are built in aggregate tend to be far more complex
0:19:55 and they kind of interact in ways
0:19:58 that tend to be difficult to analyze
0:19:59 and could result in complexity
0:20:01 that could ultimately result in attacks.
0:20:03 And you post, you talk a little bit
0:20:05 about what you refer to as the dark DAO,
0:20:07 which sounds like a fairly dark picture
0:20:10 of what could end up being the case.
0:20:11 In your view, what is the worst case scenario here?
0:20:14 How could this unfold in a bad way?
0:20:15 – Yeah, so there’s a lot of different variants
0:20:17 of the dark DAO which have different assumptions
0:20:19 in the post, some of them require trusted hardware,
0:20:20 some of them don’t.
0:20:22 But the ultimate point of the dark DAO
0:20:23 is that it’s a private smart contract
0:20:26 for attacking a vote, for vote buying,
0:20:28 that essentially hides from the rest of the world
0:20:30 how much money is committed to this contract,
0:20:33 who is participating in the vote buying contract,
0:20:35 and sort of how far along the contract is.
0:20:37 But sort of is a way to frictionlessly
0:20:40 and permissionlessly form a vote buying cartel
0:20:41 for a particular vote.
0:20:42 And this could be sort of a funding pool,
0:20:44 anyone can come contribute money to it.
0:20:45 So if it’s outcome specific,
0:20:47 it could be funded by anyone who’s interested
0:20:48 in such an outcome,
0:20:50 whether it be other blockchain projects,
0:20:53 users on the system, outside groups, whatever it may be.
0:20:55 So once this dark DAO is funded,
0:20:57 what it does is sort of offer up vote buying
0:20:58 to people in the system.
0:21:01 And if people in the system come take this vote buying,
0:21:02 they retain access to their funds,
0:21:05 they keep using their wallet as they normally do,
0:21:07 but they’re sort of shackled by the dark DAO
0:21:08 that for this particular vote,
0:21:10 they can only vote in this certain way.
0:21:10 And this is trustless
0:21:12 because both sides have some guarantees.
0:21:16 So the vote buyers or vote buying network
0:21:18 or whatever it may be has guarantees
0:21:19 that potentially no one will find out
0:21:21 who’s being bought or sold
0:21:23 and how much money is pledged to it.
0:21:24 They’re guaranteed that if they pay for a vote,
0:21:27 this vote will actually be executed in the protocol,
0:21:29 even if the protocol does have
0:21:31 the classic properties of coercion resistance.
0:21:33 Another sort of sidebar of the dark DAO
0:21:36 is that trusted hardware, which is a new technology,
0:21:38 sort of breaks all classical coercion resistance voting
0:21:40 schemes in the blockchain world
0:21:42 and in the regular election world.
0:21:43 So once they launch this attack
0:21:45 and they start buying and selling people’s votes,
0:21:47 they have a number of options available to them.
0:21:48 One cool thing you can do
0:21:50 is you can tell everyone in the cartel
0:21:52 when a certain threshold is reached.
0:21:54 Let’s say when like 70% of the,
0:21:57 or 10% of the votes are locked into this DAO.
0:21:59 And you can do this in a way that’s deniable
0:22:01 such that everyone inside the cartel can check,
0:22:03 yes, 70% is reached,
0:22:05 but no one outside the cartel has any way of knowing
0:22:07 that this is actually reached.
0:22:09 So you can enforce an information asymmetry
0:22:12 that allows for profiting through things like shorting.
0:22:14 You can also enforce stronger information asymmetries,
0:22:16 so not even allow the people who are being bribed
0:22:19 to know at any time how much money is in it
0:22:23 or even potentially whether they voted at all
0:22:25 if the scheme is receipt free.
0:22:27 So it’s a very, very powerful class of attack.
0:22:29 You can spin it up however you want.
0:22:31 It allows people to pool their money and buy votes
0:22:34 in a way that they can keep any part of that secret
0:22:35 to any group of people that they want.
0:22:37 And the outside system has no way of knowing
0:22:39 sort of how far along the attack is.
0:22:41 In some ways, it also represents a credible threat.
0:22:42 If I were to launch a dark DAO,
0:22:44 I might not even need to necessarily have people
0:22:45 participate in it.
0:22:47 Just its existence might be enough
0:22:50 to shake people’s confidence in that underlying vote.
0:22:52 So when we publish that blog post,
0:22:54 we’ve had a lot of reactions from voting projects
0:22:55 and other people in the space.
0:22:57 And I think there is a good question
0:22:58 of why haven’t we seen this already?
0:23:01 But at the end of the day, these systems are tiny, right?
0:23:03 Blockchains today are a drop in the bucket
0:23:05 of like the world financial system
0:23:07 and the incentives just aren’t there yet.
0:23:08 But if we are to use these technologies
0:23:10 and if we are to scale things,
0:23:13 I think these are absolutely realistic scenarios
0:23:15 and potentially nightmare scenarios.
0:23:16 – Yeah, that sounds insane.
0:23:18 And that’s definitely an outcome that is to be prevented.
0:23:21 And I think, I mean, this matters because
0:23:24 if we just take a step back and think about why is governance
0:23:26 so topical and so important in the world of crypto
0:23:27 and blockchains today?
0:23:32 It is because so much of what drives the space forward
0:23:35 in what is sort of the underlying philosophical motivation
0:23:39 is that power over these networks is decentralized.
0:23:41 And so decentralization here refers to
0:23:42 a bunch of different things at the same time.
0:23:44 Like people talk about decentralization
0:23:46 as it refers to sort of consensus,
0:23:50 like who gets to decide like who modifies
0:23:51 the underlying ledger,
0:23:52 but also decentralization applies
0:23:54 to who gets to modify the code.
0:23:56 These networks are decentralized in that
0:23:58 they’re kind of like self-governing organizations
0:24:00 and they don’t have at least philosophically
0:24:03 any central points of control where any one individual
0:24:06 can decide how to sort of modify the code
0:24:08 or make it work in any particular way.
0:24:12 And so all of these initiatives to try to build in governance
0:24:15 into the protocols are an effort to try to
0:24:17 sort of decentralize even that aspect
0:24:20 and to try to make it so that the code itself can evolve
0:24:22 in a way that is still community driven
0:24:24 and not kind of centrally controlled
0:24:27 by the core developer team.
0:24:28 – Yeah, I think the promise of a lot of these systems
0:24:31 is sort of this crypto economic security, right?
0:24:33 You have this mechanism and because the mechanism works
0:24:34 and the incentives are set up right,
0:24:36 everyone comes together harmoniously
0:24:38 and produces something that is bulletproof
0:24:42 and very strong because of the incentives and the mechanism.
0:24:43 An example of this is Bitcoin.
0:24:45 Because of the money paid to miners,
0:24:48 people are burning a small country’s worth of electricity
0:24:50 to try to secure this transaction ledger
0:24:52 that has actually worked fantastically so far.
0:24:53 So when you design these systems,
0:24:56 there needs to be some sort of underlying mechanism
0:24:57 and some sort of reasoning about the security
0:24:59 of that mechanism.
0:25:01 But what these technologies like the dark dial
0:25:03 and private smart contracts allow you to do
0:25:06 is use external money to sort of alter the incentives
0:25:09 inside that game and alter the security properties
0:25:12 that people are actually getting from their project
0:25:15 in a permissionless and trustless way.
0:25:17 So this does sort of speak
0:25:20 to the fundamental coordination of blockchains, right?
0:25:23 Like how do we design these games to coordinate people
0:25:26 to make choices in a way that’s not controlled
0:25:28 by one particular individual, as you said,
0:25:30 or some social trust hierarchy,
0:25:32 but by the economics of the system itself?
0:25:33 And in that model,
0:25:35 if you can’t be secure against economic attacks,
0:25:38 then you’re sort of building something
0:25:40 that doesn’t make much sense in my opinion.
0:25:43 And so I guess that’s a lot of what my work is looking at.
0:25:45 – Right, what do you think are the implications
0:25:47 of vote buying on proof of stake?
0:25:50 – So proof of work is where people use hardware
0:25:51 to sort of solve hard problems.
0:25:53 And if they solve the problem,
0:25:55 then they can post a block to the network.
0:25:56 Rather than using this mechanism,
0:25:59 proof of stake allows people to vote using their coins.
0:26:01 So they lock up their coins for some long period of time
0:26:04 and they can use any number of protocols to do this.
0:26:07 The core idea here is that instead of proof of work
0:26:09 where the economic security you get
0:26:12 is because people are doing this useless computation problem
0:26:13 that is sort of burning money
0:26:16 and there’s some costs associated with doing this,
0:26:18 is that people are paying liquidity costs
0:26:20 to lock up these coins for a long, long period of time
0:26:22 and they’re also taking risks
0:26:23 that they may incur penalties
0:26:25 if they misbehave in the protocol.
0:26:27 And with these liquidity costs,
0:26:28 they’re taking like massive volatility risks
0:26:30 in cryptocurrencies, right?
0:26:32 So if they do something that crashes the system,
0:26:33 well, their coins are locked up
0:26:34 and they’re going to lose money.
0:26:36 If the network decides they misbehaved,
0:26:38 well, they can get rid of all their coins
0:26:39 and they’re gonna lose money.
0:26:40 So it’s this idea of bootstrapping
0:26:42 the economic security of the network from the coins
0:26:45 rather than from some external hardware source.
0:26:46 Obviously that comes with a lot of trade-offs
0:26:48 that are maybe beyond the scope of this discussion,
0:26:50 but at the end of the day, it’s also a voting protocol.
0:26:53 You have these people with coins, they decide how to vote.
0:26:55 So where does vote buying come in here?
0:26:57 Well, obviously this proof-of-stake protocol has an outcome.
0:27:00 It decides what history of the network is valid
0:27:02 and this outcome has all sorts of economic implications.
0:27:05 It decides who gets to send money to who.
0:27:07 It decides who is censored in the system.
0:27:10 It decides what order transactions happen in canonically
0:27:12 according to everyone in the system
0:27:14 and with that comes a lot of profit opportunity.
0:27:17 So I can potentially profit by censoring you
0:27:19 or I can profit by putting my transactions in front of yours
0:27:22 when you wanna execute an order on a decentralized exchange
0:27:25 or I can profit in sort of any number of different ways
0:27:26 by manipulating this vote.
0:27:28 So what you can do with the dark DAO
0:27:30 is to start a staking pool where I say like,
0:27:32 you know, let me do my algorithmic trading
0:27:34 and decide what order of transactions
0:27:35 makes me the most money.
0:27:36 You don’t necessarily care
0:27:38 if someone who’s doing a transaction on a dex
0:27:40 gets front-run and loses like $5, right?
0:27:43 So you say, okay, I’ll happily participate in this.
0:27:45 It’ll still keep the value of my coins high,
0:27:46 especially if I don’t have a lot of coins
0:27:48 and you’re paying me like twice as much
0:27:50 as any other staking pool.
0:27:52 So it sort of opens these coordination mechanisms
0:27:54 for attacks on the underlying transaction history
0:27:56 and the underlying consensus.
0:27:56 – Do you think that there’s a way
0:27:59 of making a proof-of-stake network secure?
0:28:01 – It depends on your definition of secure.
0:28:04 I think it really depends on the type of security you want,
0:28:05 I guess.
0:28:07 – Yeah, and this all gets to the broader question
0:28:10 of like economic security of a blockchain.
0:28:11 And in the case of proof-of-stake,
0:28:13 the resource that’s used to secure the blockchain
0:28:14 is internal to the network.
0:28:15 In the case of proof-of-work,
0:28:18 it’s sort of electricity and like hardware
0:28:21 that’s used external to the network to secure the ledger.
0:28:22 And there are many other kind of approaches.
0:28:26 Like people are experimenting with doing useful work.
0:28:28 Instead of burning electricity uselessly
0:28:30 as you do in proof-of-work,
0:28:32 people try to build a sort of proof-of-space
0:28:34 or proof-of-spacetime protocols
0:28:39 where like for example, you’re able to store files
0:28:41 and storage becomes the resource that people use
0:28:43 to then secure the network.
0:28:44 What do you think of that kind of approach?
0:28:46 – So fundamentally to vote buying,
0:28:48 it doesn’t actually matter what resource you’re using.
0:28:50 Vote buying works for proof-of-work too.
0:28:52 So I could use dark DAO like technology
0:28:53 to start the mining pool.
0:28:55 And the properties of the mining pool would be
0:28:56 you come, you mine here.
0:28:57 I’ll pay you more than we’re making
0:28:59 because I have some external incentive
0:29:02 to censor someone or reorder transactions or whatever.
0:29:04 And then you get the dark DAO privacy properties
0:29:06 of no one knows how much hash power is participating
0:29:09 in this pool or who’s getting paid or things like that.
0:29:11 So these certainly also apply to systems
0:29:15 that use things like files and other useful work properties.
0:29:17 I think there’s a whole class of other questions
0:29:19 on the economic security of those systems.
0:29:21 So you have to be really careful
0:29:23 about where the economic security comes from.
0:29:24 I think you have to be really careful
0:29:26 with what useful means.
0:29:28 Whether the fact that it’s useful also introduces
0:29:31 any external incentives to mess with it, right?
0:29:35 So you could imagine like if the useful thing
0:29:37 the network was doing was like powering a search engine
0:29:38 or something, right?
0:29:39 Those results are valuable
0:29:42 and they bring external actors in who want to manipulate that.
0:29:43 And there’s sort of this feedback loop
0:29:45 between the mechanism securing the protocol
0:29:48 and the utility of what the protocol is actually providing.
0:29:50 But there’s definitely some people in the community
0:29:53 that look at that and say this is all way too complicated.
0:29:54 This is never going to work.
0:29:55 You have to have it be useless
0:29:57 because there’s no external incentives
0:29:59 and messy things that way.
0:30:02 I personally think that’s an open question.
0:30:03 – Yeah, there’s this argument that people make
0:30:06 that if the resource that is used to secure the network
0:30:08 is very commoditized
0:30:09 and just generally exists in the world
0:30:12 in the world in sort of plentiful quantities
0:30:13 that for example, in the case of storage,
0:30:16 if storage is the resource that’s used to secure the network
0:30:17 then anyone with a bunch of storage
0:30:19 could presumably attack the network.
0:30:22 Whereas in the case of a network like say Bitcoin
0:30:25 where you have ASICs that are specific to the network
0:30:27 in order to attack the network
0:30:28 you have to get your hands on those ASICs
0:30:30 and those ASICs aren’t useful for anything
0:30:31 but mining Bitcoin.
0:30:35 So people would argue the security of that kind of
0:30:38 the economic security of that kind of model is better.
0:30:40 – Yeah, and Joe Bono has a fascinating line of work
0:30:41 on these problems.
0:30:42 So if you Google Goldfinger attacks
0:30:44 he has a paper and a presentation.
0:30:47 There’s also the question of like buying versus renting.
0:30:48 So if something is very commoditized
0:30:50 you may be able to rent it
0:30:52 which substantially subsidizes the tax.
0:30:54 You may be able to buy it, perform the attack
0:30:56 and then resell it into the commodity market
0:30:59 which again substantially subsidizes the attack.
0:31:02 So these are all open and very complex questions
0:31:04 but people will build the systems and we’ll see.
0:31:06 This is sort of a classic pattern you see
0:31:08 in traditional finance.
0:31:10 And then you’ll have sort of black swan
0:31:13 and tail risk like events that surprise people.
0:31:15 – So we’ve talked a lot about governance in general
0:31:19 but you obviously are working on a ton of interesting stuff
0:31:21 just generally with respect to economic security
0:31:23 for crypto networks and blockchain
0:31:24 just the computer security.
0:31:27 What are some of the other interesting ideas
0:31:29 or sort of lines of work that you’re exploring?
0:31:32 – So one that I’m extremely personally interested in
0:31:35 is fairness guarantees for users around these systems.
0:31:36 A lot of what attracted me to them in the first place
0:31:39 was this promise of sort of eliminating the middleman
0:31:41 and making things in control of the user.
0:31:43 Like be your own bank, you don’t need these institutions
0:31:45 to tell you how to set your money supply
0:31:47 or how to route your transactions
0:31:50 or what exchange to use, et cetera, et cetera.
0:31:52 I look a lot at those guarantees
0:31:54 and sort of the ways in which modern blockchain solutions
0:31:56 are failing to meet those guarantees.
0:31:59 So one example of that is in the decentralized exchange space.
0:32:01 That’s something that’s seen a lot of promise
0:32:03 from people who wanna build these exchanges
0:32:06 that aren’t vulnerable to hacks and other user fund theft.
0:32:08 Unfortunately, the way these mechanisms
0:32:10 that people are building interact with the blockchain
0:32:13 is very complex and opens the door for external actors
0:32:15 to make a lot of money from front running them
0:32:17 and make a lot of money from doing algorithmic trading
0:32:19 on the network and everything that you see
0:32:21 in the traditional financial world.
0:32:24 So some of my work is around how large is that economy
0:32:27 and what are the failures of those guarantees?
0:32:30 – What are some interesting results so far on that front?
0:32:33 – So it’s actually probably a bigger market than you think,
0:32:36 even though DEXs have not seen substantial volume.
0:32:38 So this is a big problem for users.
0:32:41 It also highlights a lot of weird quirks of these systems,
0:32:44 such as like allowing for typos that end up costing users
0:32:47 a lot of money when programmatic actors soup in
0:32:50 and sort of take advantage of these inefficient mechanisms.
0:32:53 And it also raises fundamental questions about, I guess,
0:32:55 whether we’ll be able to do something that’s different
0:32:57 from the current financial system
0:32:59 because there are still these information asymmetries
0:33:01 that come up and this is a worldwide network.
0:33:02 And at the end of the day,
0:33:04 someone is still ordering transactions.
0:33:07 So is this rent sort of implicit to all blockchains?
0:33:09 How large is it?
0:33:12 And does it threaten the security of the overall blockchain?
0:33:13 Which I think it may.
0:33:15 – So I think one very interesting line of work
0:33:18 that you did was around gas token
0:33:20 and tokenizing gas on the Ethereum network.
0:33:23 – So this sort of came out of this arbitrage project.
0:33:25 We wrote a blog post very early on,
0:33:27 last I think October, November,
0:33:29 essentially saying decentralized exchanges are flawed.
0:33:31 You can just run this 20 line Python script
0:33:33 and you can profit off of users in a way
0:33:34 that was maybe not foreseen
0:33:37 and is not sort of explicitly stated to them
0:33:39 because of how inefficient these mechanisms are.
0:33:40 And before we wrote this blog post,
0:33:42 we were actually doing this to test it, right?
0:33:44 And we said, we made X dollars, whatever.
0:33:45 After we wrote the blog post,
0:33:47 sort of this cottage industry spawned
0:33:50 of like a few dozen people who are competing
0:33:53 in sort of this market and trying to outbid each other
0:33:57 to get their transactions first in that mind order
0:33:59 and take advantage of these opportunities.
0:34:00 So we’ve been studying that market for quite a while
0:34:02 and competing against these guys.
0:34:04 And unfortunately at some point,
0:34:05 they started out competing us.
0:34:07 So we started competing on what’s called gas,
0:34:08 which is the price you’re willing to pay
0:34:10 per unit of transaction.
0:34:12 The way it works is you make a typo Ali,
0:34:14 it puts a million dollars on the table
0:34:16 for anyone who can get their order in ahead of that typo
0:34:18 and sort of take advantage of your typo.
0:34:20 And then I would like to do a $5 transaction
0:34:23 to take advantage of Ali’s mistake, right?
0:34:26 And then maybe someone else is willing
0:34:27 to do a $10 transaction
0:34:29 ’cause it’s a million dollar opportunity, right?
0:34:31 So we sort of get into this bidding war of like,
0:34:33 minor, please pick me first, minor, please pick me first.
0:34:35 That’s inherent to how these transactions
0:34:36 are ordered by miners.
0:34:38 And what we noticed is that when you have like 10 of these,
0:34:39 we were rarely profiting
0:34:40 because we didn’t have the best latency,
0:34:42 we didn’t have the best infrastructure
0:34:44 and they were getting their bids out faster.
0:34:46 They were getting them two miners faster
0:34:48 and they were willing to bid up higher than we were
0:34:50 to essentially take these opportunities.
0:34:51 So that’s where gas token came in.
0:34:54 It’s a way to sort of store this gas for the longer term
0:34:57 rather than just paying for it when you do your transaction.
0:34:59 So gas is the transaction fee.
0:35:00 And usually you say, okay,
0:35:03 I’m willing to pay a $100 fee for this transaction.
0:35:05 Instead, what you could do is sort of bank
0:35:06 a transaction’s worth of gas
0:35:08 and then just deploy that bank gas
0:35:09 and not pay as much fee
0:35:11 for the transaction you are doing.
0:35:12 And that works by taking advantage
0:35:16 of this fundamental issue in Ethereum’s resource model
0:35:18 which has to do with how you pay
0:35:22 to sort of incentivize people to clean up after themselves.
0:35:24 So in Ethereum, you actually give people a refund in gas
0:35:27 if they delete something they stored in the network previously
0:35:29 to incentivize them to not leave garbage around
0:35:30 that everyone has to store forever.
0:35:32 So what we do is when gas is cheap,
0:35:35 we fill the Ethereum state with junk
0:35:36 and then when it’s expensive, we delete this junk
0:35:39 which gives us a refund at that higher price
0:35:42 that we can use to subsidize these arbitrage transactions
0:35:44 which often costs thousands and thousands of dollars in fees.
0:35:47 Like people are bidding multiple thousands,
0:35:49 even tens of thousands in fees on these transactions.
0:35:51 – Right, and so to clarify for those not already familiar,
0:35:54 so gas is basically the resource that you use
0:35:56 to pay for computational resources
0:35:57 on the Ethereum blockchain.
0:36:00 So if you want it to buy computations, say instructions
0:36:03 that miners will execute for you, you pay for those in gas.
0:36:05 If you want it to buy a storage,
0:36:08 you similarly also pay for storage in gas.
0:36:10 And the current model of Ethereum is that you buy
0:36:14 some storage on the blockchain for a fixed price upfront
0:36:16 and then that storage sort of remains
0:36:18 on the blockchain forever.
0:36:20 And the Ethereum blockchain has this mechanism
0:36:22 that if you were to delete that storage,
0:36:23 if you were to free it,
0:36:26 then you will receive a refund for the amount that you paid.
0:36:30 Some refund for what you paid originally
0:36:31 for that amount of storage.
0:36:35 And so you’re basically saying that when gas is very cheap,
0:36:38 you can sort of fill storage on the blockchain
0:36:42 and then reclaim a refund later once gas is expensive.
0:36:45 And sort of the gas will be worth more at that point
0:36:47 than it was when you stored it.
0:36:48 And you could sort of leverage that
0:36:50 to kind of increase the amount of gas
0:36:51 that’s available to you.
0:36:53 – Yeah, and our fundamental observation was that
0:36:54 this is basically a derivative on gas.
0:36:57 It’s like a call option on some gas.
0:36:58 It led to the broader question
0:37:00 of how are these resources actually priced?
0:37:03 Like how do people choose how much is paid for storage?
0:37:06 How do people choose how much is paid for computation?
0:37:07 And in what ways are these suboptimal?
0:37:10 – So you mentioned the current model of pay one store forever.
0:37:12 That’s something we certainly address in our work,
0:37:14 proposing more of a rentful scheme
0:37:17 where you have to pay for ongoing costs at market rate.
0:37:19 There’s also the issue of who’s getting the payment.
0:37:21 So the fact that the miners get payment for storage
0:37:24 when the miners actually don’t need to store the whole state
0:37:26 and it’s the full nodes that bear the cost.
0:37:29 So this sort of asymmetry between who’s bearing the cost
0:37:31 like where the externality is
0:37:32 and like who’s actually profiting
0:37:34 is super important to study.
0:37:36 It leads to a sort of tragedy of the commons
0:37:38 in the worst case where the miners are happy to take payment
0:37:40 for as much storage as you want
0:37:42 because they don’t have to store it and they don’t care.
0:37:43 As long as they don’t break the whole network,
0:37:46 they’ll happily push out as many full nodes as they can.
0:37:47 So these are broader questions.
0:37:50 We have a broader initiative called Project Chicago,
0:37:53 which you can see at projectchicago.io.
0:37:55 That basically is studying these questions
0:37:56 of crypto commodities.
0:37:59 What are the underlying commodities behind blockchains?
0:38:02 For example, computation, relay network and storage.
0:38:03 How are these commodities priced?
0:38:05 How can you exploit these commodities?
0:38:07 How can you exploit like the relay network
0:38:09 to get information about people’s transactions earlier
0:38:13 or the computation layer to sort of, I don’t know,
0:38:16 do this kind of gas refund or something like that.
0:38:19 So there’s a lot of interesting work in that direction.
0:38:21 – Yeah, by the way, why is it called Project Chicago?
0:38:23 – So it’s called Project Chicago
0:38:25 ’cause our inspiration is sort of the Chicago mercantile
0:38:26 exchange.
0:38:28 That’s how businesses hedge against volatility
0:38:31 and sort of price commodities in real world markets.
0:38:35 So we think of this as sort of exploring something similar
0:38:36 on blockchains and asking like,
0:38:38 is that the right model or can we do better
0:38:40 now that we have all these decentralized tools
0:38:41 at our disposal?
0:38:42 – Best painting.
0:38:44 Well, thank you so much for coming on the podcast.
0:38:46 – Yeah, thanks for having me.
0:00:05 should not be taken as legal business tax
0:00:07 or investment advice or be used to evaluate
0:00:10 any investment or security and is not directed
0:00:14 at any investors or potential investors in any A16Z fund.
0:00:18 For more details, please see a16z.com/disclosures.
0:00:22 – Hi everyone, welcome to the A16Z podcast, I’m Sonal.
0:00:25 Today’s episode is all about blockchain-based voting systems
0:00:29 which has implications for crypto economic security
0:00:32 and for governance, especially when you think
0:00:34 about the differences, both good and bad,
0:00:36 between real world and online systems
0:00:38 for coordinating groups of people to vote on something,
0:00:40 whether it’s a decision in a boardroom
0:00:42 or an election or anything else.
0:00:44 This episode was recorded as part
0:00:46 of our New York City podcast road show
0:00:49 and so it features Phil Dayan, a PhD at Cornell Tech,
0:00:51 working with Ari Jules there.
0:00:53 His research focuses on broad questions
0:00:55 of security of distributed systems,
0:00:56 specifically blockchains.
0:00:58 He also wrote a post last year
0:01:00 with Tyler Kell, Ian Mears and Ari Jules
0:01:05 on quote, “On-chain vote buying and the rise of dark DAOs.”
0:01:06 Joining Phil in this hallway style jam
0:01:09 to discuss these topics is Ali Yaya,
0:01:10 who was previously a software engineer
0:01:13 and machine learning researcher at Google X and Google Brain.
0:01:16 He also gave a talk at A16Z Summit on crypto
0:01:18 and the evolution of trust, which you can find
0:01:22 on our website, and he’s a partner on A16Z Crypto.
0:01:24 Speaking of, please note that the content here
0:01:26 is for informational purposes only,
0:01:29 should not be taken as legal business tax
0:01:32 or investment advice, or be used to evaluate
0:01:34 any investment or security and is not directed
0:01:38 at any investors or potential investors in any fund.
0:01:39 For more details, please also see
0:01:42 A16ZCrypto.com/disclosures.
0:01:44 The conversation that follows covers ways
0:01:46 in which blockchain systems are different
0:01:48 from real-world voting systems,
0:01:50 ways the system can be gamed
0:01:52 and what that means for security,
0:01:54 as well as possible solutions
0:01:56 and more importantly, questions
0:01:58 all blockchain system designers should think about
0:02:01 instead of making naive assumptions.
0:02:04 But first, Phil and Ali began by very briefly summing up
0:02:06 the issues in real-world elections
0:02:08 and electronic voting systems.
0:02:11 The first voice you’ll hear is Phil’s, followed by Ali’s.
0:02:14 – So one challenge people have seen is straight up hacking.
0:02:17 Of course, if there is electronic voting in use,
0:02:19 just tampering with the integrity of the election itself
0:02:21 or the integrity of the registration.
0:02:23 Another challenge that people have been worried about
0:02:26 in the past is vote buying and selling.
0:02:27 So if I want you to vote a certain way,
0:02:30 maybe I directly bribe you to do so
0:02:32 or maybe even in the current system,
0:02:34 I can indirectly do it.
0:02:37 But it’s very difficult to bribe someone in person
0:02:39 and sort of understand how they’re going
0:02:40 to act in an election.
0:02:42 – Yeah, you have this great example of how
0:02:44 if the price of a vote is a beer
0:02:45 and you take me out for a beer and say,
0:02:48 “Ali, I want you to vote for ex-candidate.”
0:02:50 I could drink your beer and then go to the poll
0:02:53 and submit whichever ballot I want.
0:02:56 And you have no real mechanism to enforce my vote
0:02:58 in one way or another.
0:03:01 And you then point out how this is not so much the case
0:03:03 when you go to the world of electronic voting.
0:03:04 – Yes, the price of the vote as a beer
0:03:06 is actually kind of realistic.
0:03:09 Like vote buying in general is empirically pretty cheap
0:03:10 for two reasons.
0:03:11 Number one, it’s actually the poorest
0:03:13 and least advantaged people that are the most inclined
0:03:15 to sell their votes.
0:03:17 And number two is most people are disinterested
0:03:18 in most elections.
0:03:20 So this actually makes vote buying pretty cheap.
0:03:22 And in electronic voting, this is a big problem
0:03:25 because with many electronic voting protocols,
0:03:26 you can actually tell at the end of the protocol
0:03:27 how someone voted.
0:03:30 So it becomes much easier for me to bribe you
0:03:31 because I can just say essentially I’ll give you a beer
0:03:34 if I check afterwards and you voted with my candidate
0:03:36 rather than sort of trusting you to go in the polling booth
0:03:38 and make the right decision where socially
0:03:40 I can’t follow you into that booth
0:03:41 and look over your shoulder.
0:03:42 – Exactly.
0:03:44 You point out how in the world of human voting,
0:03:47 there are three things that tend to make vote buying
0:03:48 a little bit more difficult.
0:03:49 And it’s the inefficiencies of the human world
0:03:51 that actually work to your advantage here.
0:03:53 So the first is that in the human world,
0:03:55 it’s a crime to buy votes and that itself
0:03:57 kind of can serve as a deterrent,
0:03:59 which doesn’t really exist so much
0:04:01 in the jurisdiction-less crypto world.
0:04:03 The second one was that ballots
0:04:04 tend to be casted in secrecy.
0:04:06 So there’s no way of me to produce a proof
0:04:08 that I voted in one way or another,
0:04:11 which makes the buying of the vote difficult to enforce.
0:04:13 And the third one you mentioned is that if you tell me
0:04:15 that you’re going to pay me in the future
0:04:16 for voting one direction or another,
0:04:18 I have a hard time trusting you
0:04:20 that you will actually in the end pay me.
0:04:22 And so there’s sort of counterparty risk.
0:04:25 And so in the same way that sort of blockchains
0:04:30 mitigate trust and improve coordination for good purposes,
0:04:34 they can also be used to improve coordination
0:04:36 for sort of malicious purposes.
0:04:38 In this case, vote buying is like a double-edged sword.
0:04:41 Blockchains can be used to increase the efficiency
0:04:44 and effectiveness of bribery and vote buying.
0:04:45 Yes.
0:04:46 In the traditional world,
0:04:48 there’s been a long line of academic research.
0:04:51 So very early on people said we want to vote electronically.
0:04:52 It’ll make tallying cheaper.
0:04:54 It can maybe use cryptography
0:04:55 to increase the integrity of our elections.
0:04:57 So we don’t rely on these pieces of paper
0:05:00 sort of with this weird chain of human custody
0:05:01 and things like that.
0:05:03 But early schemes sort of suffered from this receipt property
0:05:06 where I could produce a proof that like here is the outcome
0:05:09 and here is what I actually voted to lead to this outcome.
0:05:11 So there was a wide range of work early on
0:05:12 on how to sort of solve this issue
0:05:15 and create voting schemes that are receipt free,
0:05:17 which means that after the fact,
0:05:19 I cannot produce a receipt or a proof
0:05:20 to tell you which way I voted.
0:05:22 And it’s sort of equally likely from your perspective
0:05:24 that I voted in any direction.
0:05:27 Later work sort of said that this is not strong enough.
0:05:29 Essentially the high level is
0:05:31 if you’re looking over my shoulder electronically,
0:05:33 like you have a virus on my computer
0:05:35 or you’re just physically looking over my shoulder,
0:05:36 at the time that I’m voting,
0:05:38 even receipt freedom is not enough
0:05:40 because you might be able to see in real time
0:05:42 the direction in which I’m voting
0:05:43 and enforce my vote that way.
0:05:45 So that led to an even stronger property
0:05:46 called coercion resistance,
0:05:48 which is that even if you compromise me
0:05:49 for some period of time,
0:05:52 you still are not able to get me to vote a certain way
0:05:54 in a way that you can trust.
0:05:55 – Yeah, that’s very interesting.
0:05:59 And so let’s connect this to sort of the blockchain world.
0:06:01 These questions of electronic voting have existed
0:06:03 for decades and predate the world
0:06:05 of blockchains and crypto networks.
0:06:07 But now there’s like a resurgence of research
0:06:10 in this direction because so many blockchain
0:06:11 and crypto network projects
0:06:14 want to use on-chain voting for all sorts of purposes.
0:06:16 – So I mean, in blockchain networks in general,
0:06:17 you often need to make decisions.
0:06:20 That’s like part of the attractive point of blockchains
0:06:22 that it makes coordinating group decisions
0:06:24 among actors who don’t trust each other
0:06:26 a little bit easier.
0:06:29 And to make these decisions sort of a natural response
0:06:30 is just vote, right?
0:06:31 That’s something you see in the real world.
0:06:34 It’s something you see in corporations with stockholders.
0:06:35 It’s something you see in boardrooms.
0:06:37 It’s something you see in political elections
0:06:39 and all sorts of other social systems.
0:06:41 So it’s just, I think, a natural human tendency
0:06:43 when asking sort of how to organize these things
0:06:47 that voting is the only real clear shelling point answer
0:06:48 that we can come up with.
0:06:49 So I think an important distinction
0:06:52 on why this stuff really matters in the blockchain world
0:06:54 is that the blockchain world and the real world
0:06:56 don’t operate in the same models.
0:06:57 If you’re going to a boardroom with someone,
0:06:59 you’re sitting next to the person, right?
0:07:02 We’re sort of operating in this model of social honesty
0:07:04 where people can see each other face to face.
0:07:05 You have shared interests in the company.
0:07:08 You sort of know their history at least somewhat.
0:07:10 Whereas in blockchains, you’re operating in an economic,
0:07:13 sort of an economically rational game theoretic model.
0:07:15 So you need much stronger guarantees from your systems.
0:07:17 Your systems need to be strong
0:07:20 even in the presence of economically motivated adversaries.
0:07:21 And they need to be secure,
0:07:24 assuming people are rational rather than honest.
0:07:25 So we don’t get to lean on this sort of honesty
0:07:28 that we have in the real world in blockchains.
0:07:29 And I think that’s where a lot of the mechanisms
0:07:32 that people try to sort of port over naively break down.
0:07:34 – Right, and this is especially important
0:07:36 because in most of the crypto networks
0:07:38 that are actually interesting,
0:07:42 the model is one where anyone can participate.
0:07:44 And people refer to this as the permissionless setting
0:07:46 and that anyone can connect to the network.
0:07:49 Anyone can sort of participate in the decisions
0:07:51 that are made through the governance processes
0:07:53 of the crypto network,
0:07:55 which makes the environment the very hostile one
0:07:57 because anyone anywhere can opt to participate
0:07:59 and they have an economic incentive to do so
0:08:01 because if they can game the system
0:08:03 or if they can sort of subvert it in some way,
0:08:05 then they could potentially profit.
0:08:06 – Exactly.
0:08:08 Satoshi released his white paper in ’09
0:08:10 and academics first started looking at Bitcoin
0:08:12 and its success and its rise
0:08:14 and asking like what is actually the interesting lesson
0:08:16 to be learned here from what we’ve been doing
0:08:17 for the last 20 years.
0:08:19 There was a whole space of consensus protocols
0:08:21 and Byzantine fault-tolerant protocols
0:08:22 that came to consensus on something
0:08:25 even in the presence of malicious users.
0:08:27 But what was really new about Bitcoin
0:08:30 is that it let anyone join and leave the network at any time.
0:08:32 And these people didn’t need to ask the people
0:08:35 who are already participating in the network
0:08:36 whether they can join or not.
0:08:38 So in most consensus protocols,
0:08:40 you have a sort of quorum that’s coming to decisions
0:08:41 and if you want to join,
0:08:43 you need to ask the quorum to join
0:08:45 because the quorum needs to agree on who’s in the quorum.
0:08:46 So they need to sort of come to consensus
0:08:48 on the fact that you’re allowed to join.
0:08:50 Whereas in something like Bitcoin,
0:08:51 if you want to start mining Bitcoin,
0:08:53 you just turn on your rig and as soon as you succeed,
0:08:55 people will accept that mathematically.
0:08:57 They don’t need any sort of membership proof
0:08:58 or anything like that.
0:08:59 What I think is relevant to voting
0:09:01 is that fundamental to the permissionless model
0:09:03 if you’re gonna use cryptography,
0:09:04 which all blockchains do,
0:09:06 is that if I can join and leave at any time,
0:09:08 I need to be able to like generate my own key
0:09:09 and join at any time.
0:09:10 – Right.
0:09:13 I mean, the uses of on-chain voting,
0:09:16 we’re voting within blockchain projects,
0:09:19 range all the way from setting the parameters,
0:09:21 like some parameter in the protocol
0:09:22 that may be something minor,
0:09:25 kind of like the price of gas, for example,
0:09:28 all the way over to sort of some intermediate level
0:09:30 where people use governance
0:09:32 and voting to decide how to allocate funds.
0:09:34 And then this goes all of the way over
0:09:37 to actually deciding how to change the protocol itself.
0:09:40 And so there are projects that are sort of self-amending
0:09:45 and that they use governance as a way of proposing updates
0:09:47 to the protocol and then deciding on which updates
0:09:50 should go through and which updates should not.
0:09:51 And so the stakes are high
0:09:55 and that if you have a governance system that can be gamed,
0:09:59 then all of these use cases may end up being vulnerable
0:10:00 to that kind of attack.
0:10:02 One way of thinking of governance that I quite like
0:10:04 that I think was proposed by Vitalik
0:10:07 is the coordination model of governance
0:10:10 and that really all governance decisions are in essence
0:10:13 a way of coordinating collective action.
0:10:16 He talks about how there are multiple layers
0:10:17 to governance, right?
0:10:19 The bottom layer is like what’s closest
0:10:20 to the real and physical world.
0:10:22 – Yeah, so maybe let’s go bottom up
0:10:24 on everywhere you have voting in blockchains.
0:10:25 At the very base level,
0:10:27 all consensus mechanisms are a vote,
0:10:29 so proof of work itself is a form of voting
0:10:30 on which block is valid
0:10:32 and which history is accepted by the network.
0:10:34 So you have voting at that layer.
0:10:35 Then that half layer up, like you said,
0:10:38 is this governance layer of how do blockchains
0:10:39 actually change their underlying code
0:10:42 and respond to attacks or new situations
0:10:45 or new technology or whatever it may be.
0:10:48 Traditionally, this has sort of gone with the fork model
0:10:50 where you just sort of spin up new code
0:10:52 and try to lobby everyone to just run this new system
0:10:53 instead of the old one.
0:10:55 This model has seen a lot of political strife,
0:10:59 a lot of inefficiency, a lot of sort of lobbying
0:11:01 and traditional politics like nastiness
0:11:03 in the blockchain space.
0:11:06 You can look at the Bitcoin block size debate,
0:11:07 whether to change the one to a two,
0:11:11 which spawned like a year long rift between the communities
0:11:13 that ended up in like several summits and agreements
0:11:16 and eventually a permanent split.
0:11:17 So some people look at that and say,
0:11:18 maybe we can make this more efficient
0:11:20 by just using voting and allowing the coin holders
0:11:22 to express their preference
0:11:23 and sort of just going with that.
0:11:25 And then another layer up from that,
0:11:27 you have the application layers like you were saying.
0:11:30 So these are your DAOs, these are your smart contracts
0:11:32 that wanna use voting to make decisions.
0:11:35 They could be, for example, on how to allocate funds.
0:11:37 They could be on how to change parameters
0:11:38 within their own smart contract.
0:11:41 So you really have voting throughout the blockchain stack.
0:11:42 A lot of projects are using it
0:11:46 and it has a very sort of wide impact as a general problem.
0:11:49 – So one observation that comes out of all of this
0:11:52 is that today’s governance systems
0:11:54 and sort of blockchains and crypto networks,
0:11:56 the way that they exist today will likely devolve
0:11:59 into plutocracy simply because the mechanisms
0:12:02 for vote buying are so effective as you described.
0:12:05 And some proponents of on-chain governance
0:12:07 will argue that plutocracy may not actually
0:12:08 be that bad of a thing.
0:12:10 They may be a bad thing for democracies,
0:12:12 but not so much for blockchains.
0:12:15 In the blockchain world for a crypto network,
0:12:17 it’s not so much a bad thing
0:12:20 because it’s in a sense incentive compatible,
0:12:21 at least at a surface level.
0:12:24 If they are voting using their coins
0:12:26 for any one upgrade to the protocol,
0:12:29 they will want to vote in the interest of other people
0:12:31 who also hold the coins in the interest of the network
0:12:34 because they own it and they have a stake in it.
0:12:37 And also their incentive to protect the network
0:12:38 is proportional to how many coins they own.
0:12:41 So like larger voters or stakeholders
0:12:43 who have more coins in the network
0:12:46 have an even greater incentive to protect the network.
0:12:48 What are your thoughts there?
0:12:49 – So I think every blockchain project
0:12:51 should take a step back and ask,
0:12:52 do we want plutocracy?
0:12:53 Do we want vote buying in our system?
0:12:55 And what are the consequences of that?
0:12:56 For many of them,
0:12:58 maybe it’s more acceptable than for others.
0:13:02 For example, if you have like a small closed sort of contract
0:13:03 that has a few shareholders,
0:13:05 something like an investment firm
0:13:06 and you have like one guy
0:13:08 who decides whether people get in or not,
0:13:10 maybe you’re not so concerned about vote buying
0:13:11 in that kind of a scheme.
0:13:15 Or if you have even like some sort of closed setting
0:13:17 where you can say things about the participants,
0:13:19 maybe you’re not so concerned about vote buying.
0:13:21 In a wider system where let’s say
0:13:23 the whole world is participating in it eventually,
0:13:25 I think the fundamental point is that
0:13:27 most people are disinterested in most votes
0:13:29 and the utility they get from the system
0:13:31 is not directly sort of correlated
0:13:34 with whether they vote A or B on this given issue.
0:13:36 Nonetheless, there are certain groups of people
0:13:37 who are extremely interested
0:13:39 in whether people vote A or B on a certain issue
0:13:41 and these are often pretty moneyed groups.
0:13:42 So in this way,
0:13:44 that kind of governance does sort of degenerate
0:13:45 into plutocracy.
0:13:48 And if that’s acceptable for your system, that’s fine.
0:13:49 I think for many systems, it’s not.
0:13:51 You need to care about these attacks
0:13:52 and you need to reason about
0:13:54 why your system is secure against this
0:13:56 and why your system actually doesn’t degenerate
0:13:57 to plutocracy.
0:13:58 People have tried to get around this
0:14:00 in two ways in blockchains.
0:14:02 The first one is they add some sort of identity.
0:14:03 So they have a third party service
0:14:05 that like you send your cell phone number
0:14:07 or something like that and it sends you a text
0:14:09 and sort of anti-sibles you that way
0:14:11 and then you’re able to participate in a vote.
0:14:15 So at least you can sort of attach some entity
0:14:17 to the person and then count votes per entity
0:14:18 rather than per coin.
0:14:21 This actually still degenerates into plutocracy
0:14:22 because of the way the Dark Dow works
0:14:25 because as long as these identities are keys
0:14:27 that people can sort of generate at any time,
0:14:30 they can be bought and sold and using the Dark Dow model
0:14:31 and you can essentially sell people
0:14:33 like the right to your identity
0:14:35 or you can sell people the right to a certain vote
0:14:38 using your identity or even more specific things than that.
0:14:40 So that kind of doesn’t work
0:14:42 unless you have a strong social protection
0:14:44 where like the person has to come in very often
0:14:46 and the network sort of authenticates
0:14:49 that they’re human or something like that.
0:14:50 That becomes very complicated
0:14:52 and steps much more into the messy world
0:14:53 of real world elections
0:14:56 and maybe doesn’t work for a global blockchain community.
0:14:58 Another way people have tried to get around it
0:15:00 which also kind of requires identity
0:15:03 is this new line of work by Vitalik Glenn Whale
0:15:05 and a few other people which is quadratic voting
0:15:07 where you actually allow vote buying.
0:15:09 So you allow people to buy votes
0:15:11 but only at an exponentially increasing price.
0:15:13 And this may kind of look like plutocracy
0:15:15 because you’re allowing people to buy votes
0:15:17 but if you actually do the math on the incentives,
0:15:20 it turns out that through this increasing function,
0:15:21 essentially people will express
0:15:22 their true preferences in the end.
0:15:26 And one rich person who really cares about A versus B
0:15:29 won’t be able to sort of overwhelm a disinterested majority
0:15:30 that weakly prefers A
0:15:32 and maybe each don’t have as many funds
0:15:33 as that one individual.
0:15:35 So this fixes some known pathologies
0:15:37 in real world voting systems
0:15:39 and also blockchain voting systems.
0:15:41 But it does require identity
0:15:43 and it’s extremely vulnerable to manipulation.
0:15:45 If this one rich person can pretend
0:15:47 that they’re two rich people or something like that,
0:15:48 the gig is sort of up.
0:15:51 And that’s what these new coordination mechanisms allow.
0:15:53 – Yes, I think this dependence on identity
0:15:55 that you are pointing out is very important
0:15:57 because as you pointed out,
0:15:59 anyone can pretend to be more than one person.
0:16:02 They can generate 10 different sets of key pairs
0:16:03 or hundreds of sets of key pairs
0:16:05 and pretend to be hundreds of people.
0:16:06 – Yeah, and the only thing you can do
0:16:07 is wait by coins basically.
0:16:08 – Exactly.
0:16:10 In that world, you end up with unfair representation
0:16:13 of you’re trying to assign a single vote to a key pair.
0:16:17 So proponents of on-chain coin holder governance
0:16:21 which means that one coin gives you one vote will argue.
0:16:23 It’s at the very least, civil resistant,
0:16:26 which means that if you have like 10 million coins
0:16:28 staked on one particular vote,
0:16:31 they’re basically used to vote for one particular outcome.
0:16:34 It’s very hard to argue that those 10 million coins
0:16:37 come from trolls that are trying to sway the election
0:16:39 because there’s real weight and real capital
0:16:41 that’s staked in one direction or another.
0:16:43 Whereas if you’re not using coin voting,
0:16:45 then that becomes more possible.
0:16:48 And so if you have a mechanism for identity
0:16:52 wherein you securely associate one human to one vote
0:16:53 or something like that,
0:16:57 then more sophisticated voting schemes become possible.
0:17:00 I think today, because we lack that kind of a mechanism,
0:17:03 people end up gravitating towards this simple
0:17:07 and somewhat, perhaps somewhat naive one coin, one vote model
0:17:09 which is vulnerable to this foot buying attack.
0:17:13 – Yeah, and this opens up a range of other issues.
0:17:15 So one problem that people have
0:17:16 when they analyze blockchain systems
0:17:18 and they sort of design these mechanisms
0:17:19 is that they look at their mechanism
0:17:21 and reason about its security properties,
0:17:23 but they do that in isolation.
0:17:25 And an important point is that none of these systems
0:17:27 really exist in a vacuum, right?
0:17:29 So take a look at any sort of blockchain
0:17:31 that uses coinholder voting to decide
0:17:33 the outcome of its consensus rules.
0:17:35 And there’s at least two such blockchains
0:17:37 that are sort of using this model.
0:17:39 If these two very large projects are approximately
0:17:41 the same size or one is a little bit bigger
0:17:43 than the other one or one is twice as big
0:17:45 as the other one or something like that,
0:17:47 it’s in the economic interests of everyone
0:17:49 who holds coins in the bigger project
0:17:51 to buy up coins on the smaller project
0:17:53 and influence votes in ways
0:17:55 that are sort of counter competitive.
0:17:57 And maybe even if they can’t buy up
0:17:58 enough of a blocked influence votes,
0:18:02 they can sow chaos and confusion and things like that.
0:18:05 So while one of these systems, you may say in isolation,
0:18:07 like, okay, the coinholders interests are represented
0:18:09 by this plutocracy, that doesn’t really work
0:18:11 when you have a whole world around it
0:18:13 that’s full of money that can frictionlessly
0:18:15 enter and exit the system at any time.
0:18:17 There’s no guarantee whatsoever
0:18:19 that the people who are economically in right this second
0:18:21 have an interest in that system,
0:18:22 especially when there are much bigger systems
0:18:24 that are competing with it.
0:18:25 So I think that’s a very important point
0:18:26 that people overlook.
0:18:28 And again, we mentioned that there’s this sort of stack
0:18:30 of voting, even at the consensus layer,
0:18:32 that has implications on the whole stack.
0:18:34 So if you have a fork that’s like 10%
0:18:36 of the size of a project,
0:18:38 and this fork could potentially impact
0:18:40 the price of the larger project,
0:18:42 it’s absolutely in the interest of that larger project
0:18:45 to launch attacks on that base layer proof of workflow
0:18:46 and do things like censorship,
0:18:48 use some small percentage of their hash power
0:18:51 to do 51% attacks or denial of service
0:18:52 or whatever they need to do to make sure
0:18:54 that that network goes down in price.
0:18:56 And that attack might even be profitable,
0:18:58 especially if there are mechanisms to short
0:18:59 that sort of smaller project.
0:19:00 – Yeah, that’s a very good point.
0:19:03 I think most proponents of a coinholder voting
0:19:07 would argue that it is just not in your interest
0:19:10 to sell your vote because you’d be damaging
0:19:11 the value of the asset that you hold.
0:19:14 And you hold a coin, and if you sell the votes
0:19:15 associated with that coin,
0:19:17 and that might reduce the value of the coin
0:19:20 in some way that sort of results in a net loss for you.
0:19:22 But that analysis happens entirely in a vacuum.
0:19:26 It happens sort of assuming that there aren’t any kind
0:19:28 of external mechanisms via which you could profit
0:19:31 from the loss of value of this particular coin.
0:19:32 Like for example, what you’re mentioning,
0:19:33 competition between blockchains.
0:19:36 If I’m a stakeholder, a much larger stakeholder
0:19:37 in a competing network,
0:19:39 then I might have a strong interest
0:19:41 in reducing the value of this particular coin,
0:19:42 and that that’s associated
0:19:44 with this one competing crypto network
0:19:46 because it may result in a larger profit
0:19:48 outside of the system.
0:19:51 And so I think, yeah, the incentive structures
0:19:53 that are built in aggregate tend to be far more complex
0:19:55 and they kind of interact in ways
0:19:58 that tend to be difficult to analyze
0:19:59 and could result in complexity
0:20:01 that could ultimately result in attacks.
0:20:03 And you post, you talk a little bit
0:20:05 about what you refer to as the dark DAO,
0:20:07 which sounds like a fairly dark picture
0:20:10 of what could end up being the case.
0:20:11 In your view, what is the worst case scenario here?
0:20:14 How could this unfold in a bad way?
0:20:15 – Yeah, so there’s a lot of different variants
0:20:17 of the dark DAO which have different assumptions
0:20:19 in the post, some of them require trusted hardware,
0:20:20 some of them don’t.
0:20:22 But the ultimate point of the dark DAO
0:20:23 is that it’s a private smart contract
0:20:26 for attacking a vote, for vote buying,
0:20:28 that essentially hides from the rest of the world
0:20:30 how much money is committed to this contract,
0:20:33 who is participating in the vote buying contract,
0:20:35 and sort of how far along the contract is.
0:20:37 But sort of is a way to frictionlessly
0:20:40 and permissionlessly form a vote buying cartel
0:20:41 for a particular vote.
0:20:42 And this could be sort of a funding pool,
0:20:44 anyone can come contribute money to it.
0:20:45 So if it’s outcome specific,
0:20:47 it could be funded by anyone who’s interested
0:20:48 in such an outcome,
0:20:50 whether it be other blockchain projects,
0:20:53 users on the system, outside groups, whatever it may be.
0:20:55 So once this dark DAO is funded,
0:20:57 what it does is sort of offer up vote buying
0:20:58 to people in the system.
0:21:01 And if people in the system come take this vote buying,
0:21:02 they retain access to their funds,
0:21:05 they keep using their wallet as they normally do,
0:21:07 but they’re sort of shackled by the dark DAO
0:21:08 that for this particular vote,
0:21:10 they can only vote in this certain way.
0:21:10 And this is trustless
0:21:12 because both sides have some guarantees.
0:21:16 So the vote buyers or vote buying network
0:21:18 or whatever it may be has guarantees
0:21:19 that potentially no one will find out
0:21:21 who’s being bought or sold
0:21:23 and how much money is pledged to it.
0:21:24 They’re guaranteed that if they pay for a vote,
0:21:27 this vote will actually be executed in the protocol,
0:21:29 even if the protocol does have
0:21:31 the classic properties of coercion resistance.
0:21:33 Another sort of sidebar of the dark DAO
0:21:36 is that trusted hardware, which is a new technology,
0:21:38 sort of breaks all classical coercion resistance voting
0:21:40 schemes in the blockchain world
0:21:42 and in the regular election world.
0:21:43 So once they launch this attack
0:21:45 and they start buying and selling people’s votes,
0:21:47 they have a number of options available to them.
0:21:48 One cool thing you can do
0:21:50 is you can tell everyone in the cartel
0:21:52 when a certain threshold is reached.
0:21:54 Let’s say when like 70% of the,
0:21:57 or 10% of the votes are locked into this DAO.
0:21:59 And you can do this in a way that’s deniable
0:22:01 such that everyone inside the cartel can check,
0:22:03 yes, 70% is reached,
0:22:05 but no one outside the cartel has any way of knowing
0:22:07 that this is actually reached.
0:22:09 So you can enforce an information asymmetry
0:22:12 that allows for profiting through things like shorting.
0:22:14 You can also enforce stronger information asymmetries,
0:22:16 so not even allow the people who are being bribed
0:22:19 to know at any time how much money is in it
0:22:23 or even potentially whether they voted at all
0:22:25 if the scheme is receipt free.
0:22:27 So it’s a very, very powerful class of attack.
0:22:29 You can spin it up however you want.
0:22:31 It allows people to pool their money and buy votes
0:22:34 in a way that they can keep any part of that secret
0:22:35 to any group of people that they want.
0:22:37 And the outside system has no way of knowing
0:22:39 sort of how far along the attack is.
0:22:41 In some ways, it also represents a credible threat.
0:22:42 If I were to launch a dark DAO,
0:22:44 I might not even need to necessarily have people
0:22:45 participate in it.
0:22:47 Just its existence might be enough
0:22:50 to shake people’s confidence in that underlying vote.
0:22:52 So when we publish that blog post,
0:22:54 we’ve had a lot of reactions from voting projects
0:22:55 and other people in the space.
0:22:57 And I think there is a good question
0:22:58 of why haven’t we seen this already?
0:23:01 But at the end of the day, these systems are tiny, right?
0:23:03 Blockchains today are a drop in the bucket
0:23:05 of like the world financial system
0:23:07 and the incentives just aren’t there yet.
0:23:08 But if we are to use these technologies
0:23:10 and if we are to scale things,
0:23:13 I think these are absolutely realistic scenarios
0:23:15 and potentially nightmare scenarios.
0:23:16 – Yeah, that sounds insane.
0:23:18 And that’s definitely an outcome that is to be prevented.
0:23:21 And I think, I mean, this matters because
0:23:24 if we just take a step back and think about why is governance
0:23:26 so topical and so important in the world of crypto
0:23:27 and blockchains today?
0:23:32 It is because so much of what drives the space forward
0:23:35 in what is sort of the underlying philosophical motivation
0:23:39 is that power over these networks is decentralized.
0:23:41 And so decentralization here refers to
0:23:42 a bunch of different things at the same time.
0:23:44 Like people talk about decentralization
0:23:46 as it refers to sort of consensus,
0:23:50 like who gets to decide like who modifies
0:23:51 the underlying ledger,
0:23:52 but also decentralization applies
0:23:54 to who gets to modify the code.
0:23:56 These networks are decentralized in that
0:23:58 they’re kind of like self-governing organizations
0:24:00 and they don’t have at least philosophically
0:24:03 any central points of control where any one individual
0:24:06 can decide how to sort of modify the code
0:24:08 or make it work in any particular way.
0:24:12 And so all of these initiatives to try to build in governance
0:24:15 into the protocols are an effort to try to
0:24:17 sort of decentralize even that aspect
0:24:20 and to try to make it so that the code itself can evolve
0:24:22 in a way that is still community driven
0:24:24 and not kind of centrally controlled
0:24:27 by the core developer team.
0:24:28 – Yeah, I think the promise of a lot of these systems
0:24:31 is sort of this crypto economic security, right?
0:24:33 You have this mechanism and because the mechanism works
0:24:34 and the incentives are set up right,
0:24:36 everyone comes together harmoniously
0:24:38 and produces something that is bulletproof
0:24:42 and very strong because of the incentives and the mechanism.
0:24:43 An example of this is Bitcoin.
0:24:45 Because of the money paid to miners,
0:24:48 people are burning a small country’s worth of electricity
0:24:50 to try to secure this transaction ledger
0:24:52 that has actually worked fantastically so far.
0:24:53 So when you design these systems,
0:24:56 there needs to be some sort of underlying mechanism
0:24:57 and some sort of reasoning about the security
0:24:59 of that mechanism.
0:25:01 But what these technologies like the dark dial
0:25:03 and private smart contracts allow you to do
0:25:06 is use external money to sort of alter the incentives
0:25:09 inside that game and alter the security properties
0:25:12 that people are actually getting from their project
0:25:15 in a permissionless and trustless way.
0:25:17 So this does sort of speak
0:25:20 to the fundamental coordination of blockchains, right?
0:25:23 Like how do we design these games to coordinate people
0:25:26 to make choices in a way that’s not controlled
0:25:28 by one particular individual, as you said,
0:25:30 or some social trust hierarchy,
0:25:32 but by the economics of the system itself?
0:25:33 And in that model,
0:25:35 if you can’t be secure against economic attacks,
0:25:38 then you’re sort of building something
0:25:40 that doesn’t make much sense in my opinion.
0:25:43 And so I guess that’s a lot of what my work is looking at.
0:25:45 – Right, what do you think are the implications
0:25:47 of vote buying on proof of stake?
0:25:50 – So proof of work is where people use hardware
0:25:51 to sort of solve hard problems.
0:25:53 And if they solve the problem,
0:25:55 then they can post a block to the network.
0:25:56 Rather than using this mechanism,
0:25:59 proof of stake allows people to vote using their coins.
0:26:01 So they lock up their coins for some long period of time
0:26:04 and they can use any number of protocols to do this.
0:26:07 The core idea here is that instead of proof of work
0:26:09 where the economic security you get
0:26:12 is because people are doing this useless computation problem
0:26:13 that is sort of burning money
0:26:16 and there’s some costs associated with doing this,
0:26:18 is that people are paying liquidity costs
0:26:20 to lock up these coins for a long, long period of time
0:26:22 and they’re also taking risks
0:26:23 that they may incur penalties
0:26:25 if they misbehave in the protocol.
0:26:27 And with these liquidity costs,
0:26:28 they’re taking like massive volatility risks
0:26:30 in cryptocurrencies, right?
0:26:32 So if they do something that crashes the system,
0:26:33 well, their coins are locked up
0:26:34 and they’re going to lose money.
0:26:36 If the network decides they misbehaved,
0:26:38 well, they can get rid of all their coins
0:26:39 and they’re gonna lose money.
0:26:40 So it’s this idea of bootstrapping
0:26:42 the economic security of the network from the coins
0:26:45 rather than from some external hardware source.
0:26:46 Obviously that comes with a lot of trade-offs
0:26:48 that are maybe beyond the scope of this discussion,
0:26:50 but at the end of the day, it’s also a voting protocol.
0:26:53 You have these people with coins, they decide how to vote.
0:26:55 So where does vote buying come in here?
0:26:57 Well, obviously this proof-of-stake protocol has an outcome.
0:27:00 It decides what history of the network is valid
0:27:02 and this outcome has all sorts of economic implications.
0:27:05 It decides who gets to send money to who.
0:27:07 It decides who is censored in the system.
0:27:10 It decides what order transactions happen in canonically
0:27:12 according to everyone in the system
0:27:14 and with that comes a lot of profit opportunity.
0:27:17 So I can potentially profit by censoring you
0:27:19 or I can profit by putting my transactions in front of yours
0:27:22 when you wanna execute an order on a decentralized exchange
0:27:25 or I can profit in sort of any number of different ways
0:27:26 by manipulating this vote.
0:27:28 So what you can do with the dark DAO
0:27:30 is to start a staking pool where I say like,
0:27:32 you know, let me do my algorithmic trading
0:27:34 and decide what order of transactions
0:27:35 makes me the most money.
0:27:36 You don’t necessarily care
0:27:38 if someone who’s doing a transaction on a dex
0:27:40 gets front-run and loses like $5, right?
0:27:43 So you say, okay, I’ll happily participate in this.
0:27:45 It’ll still keep the value of my coins high,
0:27:46 especially if I don’t have a lot of coins
0:27:48 and you’re paying me like twice as much
0:27:50 as any other staking pool.
0:27:52 So it sort of opens these coordination mechanisms
0:27:54 for attacks on the underlying transaction history
0:27:56 and the underlying consensus.
0:27:56 – Do you think that there’s a way
0:27:59 of making a proof-of-stake network secure?
0:28:01 – It depends on your definition of secure.
0:28:04 I think it really depends on the type of security you want,
0:28:05 I guess.
0:28:07 – Yeah, and this all gets to the broader question
0:28:10 of like economic security of a blockchain.
0:28:11 And in the case of proof-of-stake,
0:28:13 the resource that’s used to secure the blockchain
0:28:14 is internal to the network.
0:28:15 In the case of proof-of-work,
0:28:18 it’s sort of electricity and like hardware
0:28:21 that’s used external to the network to secure the ledger.
0:28:22 And there are many other kind of approaches.
0:28:26 Like people are experimenting with doing useful work.
0:28:28 Instead of burning electricity uselessly
0:28:30 as you do in proof-of-work,
0:28:32 people try to build a sort of proof-of-space
0:28:34 or proof-of-spacetime protocols
0:28:39 where like for example, you’re able to store files
0:28:41 and storage becomes the resource that people use
0:28:43 to then secure the network.
0:28:44 What do you think of that kind of approach?
0:28:46 – So fundamentally to vote buying,
0:28:48 it doesn’t actually matter what resource you’re using.
0:28:50 Vote buying works for proof-of-work too.
0:28:52 So I could use dark DAO like technology
0:28:53 to start the mining pool.
0:28:55 And the properties of the mining pool would be
0:28:56 you come, you mine here.
0:28:57 I’ll pay you more than we’re making
0:28:59 because I have some external incentive
0:29:02 to censor someone or reorder transactions or whatever.
0:29:04 And then you get the dark DAO privacy properties
0:29:06 of no one knows how much hash power is participating
0:29:09 in this pool or who’s getting paid or things like that.
0:29:11 So these certainly also apply to systems
0:29:15 that use things like files and other useful work properties.
0:29:17 I think there’s a whole class of other questions
0:29:19 on the economic security of those systems.
0:29:21 So you have to be really careful
0:29:23 about where the economic security comes from.
0:29:24 I think you have to be really careful
0:29:26 with what useful means.
0:29:28 Whether the fact that it’s useful also introduces
0:29:31 any external incentives to mess with it, right?
0:29:35 So you could imagine like if the useful thing
0:29:37 the network was doing was like powering a search engine
0:29:38 or something, right?
0:29:39 Those results are valuable
0:29:42 and they bring external actors in who want to manipulate that.
0:29:43 And there’s sort of this feedback loop
0:29:45 between the mechanism securing the protocol
0:29:48 and the utility of what the protocol is actually providing.
0:29:50 But there’s definitely some people in the community
0:29:53 that look at that and say this is all way too complicated.
0:29:54 This is never going to work.
0:29:55 You have to have it be useless
0:29:57 because there’s no external incentives
0:29:59 and messy things that way.
0:30:02 I personally think that’s an open question.
0:30:03 – Yeah, there’s this argument that people make
0:30:06 that if the resource that is used to secure the network
0:30:08 is very commoditized
0:30:09 and just generally exists in the world
0:30:12 in the world in sort of plentiful quantities
0:30:13 that for example, in the case of storage,
0:30:16 if storage is the resource that’s used to secure the network
0:30:17 then anyone with a bunch of storage
0:30:19 could presumably attack the network.
0:30:22 Whereas in the case of a network like say Bitcoin
0:30:25 where you have ASICs that are specific to the network
0:30:27 in order to attack the network
0:30:28 you have to get your hands on those ASICs
0:30:30 and those ASICs aren’t useful for anything
0:30:31 but mining Bitcoin.
0:30:35 So people would argue the security of that kind of
0:30:38 the economic security of that kind of model is better.
0:30:40 – Yeah, and Joe Bono has a fascinating line of work
0:30:41 on these problems.
0:30:42 So if you Google Goldfinger attacks
0:30:44 he has a paper and a presentation.
0:30:47 There’s also the question of like buying versus renting.
0:30:48 So if something is very commoditized
0:30:50 you may be able to rent it
0:30:52 which substantially subsidizes the tax.
0:30:54 You may be able to buy it, perform the attack
0:30:56 and then resell it into the commodity market
0:30:59 which again substantially subsidizes the attack.
0:31:02 So these are all open and very complex questions
0:31:04 but people will build the systems and we’ll see.
0:31:06 This is sort of a classic pattern you see
0:31:08 in traditional finance.
0:31:10 And then you’ll have sort of black swan
0:31:13 and tail risk like events that surprise people.
0:31:15 – So we’ve talked a lot about governance in general
0:31:19 but you obviously are working on a ton of interesting stuff
0:31:21 just generally with respect to economic security
0:31:23 for crypto networks and blockchain
0:31:24 just the computer security.
0:31:27 What are some of the other interesting ideas
0:31:29 or sort of lines of work that you’re exploring?
0:31:32 – So one that I’m extremely personally interested in
0:31:35 is fairness guarantees for users around these systems.
0:31:36 A lot of what attracted me to them in the first place
0:31:39 was this promise of sort of eliminating the middleman
0:31:41 and making things in control of the user.
0:31:43 Like be your own bank, you don’t need these institutions
0:31:45 to tell you how to set your money supply
0:31:47 or how to route your transactions
0:31:50 or what exchange to use, et cetera, et cetera.
0:31:52 I look a lot at those guarantees
0:31:54 and sort of the ways in which modern blockchain solutions
0:31:56 are failing to meet those guarantees.
0:31:59 So one example of that is in the decentralized exchange space.
0:32:01 That’s something that’s seen a lot of promise
0:32:03 from people who wanna build these exchanges
0:32:06 that aren’t vulnerable to hacks and other user fund theft.
0:32:08 Unfortunately, the way these mechanisms
0:32:10 that people are building interact with the blockchain
0:32:13 is very complex and opens the door for external actors
0:32:15 to make a lot of money from front running them
0:32:17 and make a lot of money from doing algorithmic trading
0:32:19 on the network and everything that you see
0:32:21 in the traditional financial world.
0:32:24 So some of my work is around how large is that economy
0:32:27 and what are the failures of those guarantees?
0:32:30 – What are some interesting results so far on that front?
0:32:33 – So it’s actually probably a bigger market than you think,
0:32:36 even though DEXs have not seen substantial volume.
0:32:38 So this is a big problem for users.
0:32:41 It also highlights a lot of weird quirks of these systems,
0:32:44 such as like allowing for typos that end up costing users
0:32:47 a lot of money when programmatic actors soup in
0:32:50 and sort of take advantage of these inefficient mechanisms.
0:32:53 And it also raises fundamental questions about, I guess,
0:32:55 whether we’ll be able to do something that’s different
0:32:57 from the current financial system
0:32:59 because there are still these information asymmetries
0:33:01 that come up and this is a worldwide network.
0:33:02 And at the end of the day,
0:33:04 someone is still ordering transactions.
0:33:07 So is this rent sort of implicit to all blockchains?
0:33:09 How large is it?
0:33:12 And does it threaten the security of the overall blockchain?
0:33:13 Which I think it may.
0:33:15 – So I think one very interesting line of work
0:33:18 that you did was around gas token
0:33:20 and tokenizing gas on the Ethereum network.
0:33:23 – So this sort of came out of this arbitrage project.
0:33:25 We wrote a blog post very early on,
0:33:27 last I think October, November,
0:33:29 essentially saying decentralized exchanges are flawed.
0:33:31 You can just run this 20 line Python script
0:33:33 and you can profit off of users in a way
0:33:34 that was maybe not foreseen
0:33:37 and is not sort of explicitly stated to them
0:33:39 because of how inefficient these mechanisms are.
0:33:40 And before we wrote this blog post,
0:33:42 we were actually doing this to test it, right?
0:33:44 And we said, we made X dollars, whatever.
0:33:45 After we wrote the blog post,
0:33:47 sort of this cottage industry spawned
0:33:50 of like a few dozen people who are competing
0:33:53 in sort of this market and trying to outbid each other
0:33:57 to get their transactions first in that mind order
0:33:59 and take advantage of these opportunities.
0:34:00 So we’ve been studying that market for quite a while
0:34:02 and competing against these guys.
0:34:04 And unfortunately at some point,
0:34:05 they started out competing us.
0:34:07 So we started competing on what’s called gas,
0:34:08 which is the price you’re willing to pay
0:34:10 per unit of transaction.
0:34:12 The way it works is you make a typo Ali,
0:34:14 it puts a million dollars on the table
0:34:16 for anyone who can get their order in ahead of that typo
0:34:18 and sort of take advantage of your typo.
0:34:20 And then I would like to do a $5 transaction
0:34:23 to take advantage of Ali’s mistake, right?
0:34:26 And then maybe someone else is willing
0:34:27 to do a $10 transaction
0:34:29 ’cause it’s a million dollar opportunity, right?
0:34:31 So we sort of get into this bidding war of like,
0:34:33 minor, please pick me first, minor, please pick me first.
0:34:35 That’s inherent to how these transactions
0:34:36 are ordered by miners.
0:34:38 And what we noticed is that when you have like 10 of these,
0:34:39 we were rarely profiting
0:34:40 because we didn’t have the best latency,
0:34:42 we didn’t have the best infrastructure
0:34:44 and they were getting their bids out faster.
0:34:46 They were getting them two miners faster
0:34:48 and they were willing to bid up higher than we were
0:34:50 to essentially take these opportunities.
0:34:51 So that’s where gas token came in.
0:34:54 It’s a way to sort of store this gas for the longer term
0:34:57 rather than just paying for it when you do your transaction.
0:34:59 So gas is the transaction fee.
0:35:00 And usually you say, okay,
0:35:03 I’m willing to pay a $100 fee for this transaction.
0:35:05 Instead, what you could do is sort of bank
0:35:06 a transaction’s worth of gas
0:35:08 and then just deploy that bank gas
0:35:09 and not pay as much fee
0:35:11 for the transaction you are doing.
0:35:12 And that works by taking advantage
0:35:16 of this fundamental issue in Ethereum’s resource model
0:35:18 which has to do with how you pay
0:35:22 to sort of incentivize people to clean up after themselves.
0:35:24 So in Ethereum, you actually give people a refund in gas
0:35:27 if they delete something they stored in the network previously
0:35:29 to incentivize them to not leave garbage around
0:35:30 that everyone has to store forever.
0:35:32 So what we do is when gas is cheap,
0:35:35 we fill the Ethereum state with junk
0:35:36 and then when it’s expensive, we delete this junk
0:35:39 which gives us a refund at that higher price
0:35:42 that we can use to subsidize these arbitrage transactions
0:35:44 which often costs thousands and thousands of dollars in fees.
0:35:47 Like people are bidding multiple thousands,
0:35:49 even tens of thousands in fees on these transactions.
0:35:51 – Right, and so to clarify for those not already familiar,
0:35:54 so gas is basically the resource that you use
0:35:56 to pay for computational resources
0:35:57 on the Ethereum blockchain.
0:36:00 So if you want it to buy computations, say instructions
0:36:03 that miners will execute for you, you pay for those in gas.
0:36:05 If you want it to buy a storage,
0:36:08 you similarly also pay for storage in gas.
0:36:10 And the current model of Ethereum is that you buy
0:36:14 some storage on the blockchain for a fixed price upfront
0:36:16 and then that storage sort of remains
0:36:18 on the blockchain forever.
0:36:20 And the Ethereum blockchain has this mechanism
0:36:22 that if you were to delete that storage,
0:36:23 if you were to free it,
0:36:26 then you will receive a refund for the amount that you paid.
0:36:30 Some refund for what you paid originally
0:36:31 for that amount of storage.
0:36:35 And so you’re basically saying that when gas is very cheap,
0:36:38 you can sort of fill storage on the blockchain
0:36:42 and then reclaim a refund later once gas is expensive.
0:36:45 And sort of the gas will be worth more at that point
0:36:47 than it was when you stored it.
0:36:48 And you could sort of leverage that
0:36:50 to kind of increase the amount of gas
0:36:51 that’s available to you.
0:36:53 – Yeah, and our fundamental observation was that
0:36:54 this is basically a derivative on gas.
0:36:57 It’s like a call option on some gas.
0:36:58 It led to the broader question
0:37:00 of how are these resources actually priced?
0:37:03 Like how do people choose how much is paid for storage?
0:37:06 How do people choose how much is paid for computation?
0:37:07 And in what ways are these suboptimal?
0:37:10 – So you mentioned the current model of pay one store forever.
0:37:12 That’s something we certainly address in our work,
0:37:14 proposing more of a rentful scheme
0:37:17 where you have to pay for ongoing costs at market rate.
0:37:19 There’s also the issue of who’s getting the payment.
0:37:21 So the fact that the miners get payment for storage
0:37:24 when the miners actually don’t need to store the whole state
0:37:26 and it’s the full nodes that bear the cost.
0:37:29 So this sort of asymmetry between who’s bearing the cost
0:37:31 like where the externality is
0:37:32 and like who’s actually profiting
0:37:34 is super important to study.
0:37:36 It leads to a sort of tragedy of the commons
0:37:38 in the worst case where the miners are happy to take payment
0:37:40 for as much storage as you want
0:37:42 because they don’t have to store it and they don’t care.
0:37:43 As long as they don’t break the whole network,
0:37:46 they’ll happily push out as many full nodes as they can.
0:37:47 So these are broader questions.
0:37:50 We have a broader initiative called Project Chicago,
0:37:53 which you can see at projectchicago.io.
0:37:55 That basically is studying these questions
0:37:56 of crypto commodities.
0:37:59 What are the underlying commodities behind blockchains?
0:38:02 For example, computation, relay network and storage.
0:38:03 How are these commodities priced?
0:38:05 How can you exploit these commodities?
0:38:07 How can you exploit like the relay network
0:38:09 to get information about people’s transactions earlier
0:38:13 or the computation layer to sort of, I don’t know,
0:38:16 do this kind of gas refund or something like that.
0:38:19 So there’s a lot of interesting work in that direction.
0:38:21 – Yeah, by the way, why is it called Project Chicago?
0:38:23 – So it’s called Project Chicago
0:38:25 ’cause our inspiration is sort of the Chicago mercantile
0:38:26 exchange.
0:38:28 That’s how businesses hedge against volatility
0:38:31 and sort of price commodities in real world markets.
0:38:35 So we think of this as sort of exploring something similar
0:38:36 on blockchains and asking like,
0:38:38 is that the right model or can we do better
0:38:40 now that we have all these decentralized tools
0:38:41 at our disposal?
0:38:42 – Best painting.
0:38:44 Well, thank you so much for coming on the podcast.
0:38:46 – Yeah, thanks for having me.
with Phil Daian (@phildaian) and Ali Yahya (@ali01)
Whether in corporations, boardrooms, or political elections, voting is something we see in all kinds of social systems… including blockchains. It’s the natural human tendency for how to organize decisions, and in distributed systems without centralized middlemen, it’s the only clear Schelling point we can come up with.
But too many people design voting mechanisms in distributed systems in isolation — sometimes naively ”porting over” assumptions from the real world or from simple cryptoeconomic models without thinking through the economic adversaries present in a larger, more rational (vs. ”honest”) game-theoretic system. So how are blockchain systems different from real-world paper and electronic voting systems? How can such systems be gamed, and what are the implications for cryptoeconomic security… as well as the governance of distributed organizations?
This hallway-style episode of the a16z Podcast covers all this and more. Recorded as part of our NYC roadtrip, it features Cornell Tech PhD student and software engineer Phil Daian, who researches applied cryptography and smart contracts — and who also wrote about ”On-chain Vote Buying and the Rise of Dark DAOs” in 2018 (with Tyler Kell, Ian Miers, and his advisor Ari Juels). Daian is joined by a16z crypto partner Ali Yahya (previously a software engineer and machine learning researcher at GoogleX and Google Brain), who also recently presented on crypto as the evolution — and future — of trust.
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.