AI transcript
– The content here is for informational purposes only,
should not be taken as legal business tax
or investment advice or be used to evaluate
any investment or security and is not directed
at any investors or potential investors in any A16Z fund.
For more details, please see a16z.com/disclosures.
– Hi everyone, welcome to the A16Z podcast, I’m Sonal.
Today’s episode is all about blockchain-based voting systems
which has implications for crypto economic security
and for governance, especially when you think
about the differences, both good and bad,
between real world and online systems
for coordinating groups of people to vote on something,
whether it’s a decision in a boardroom
or an election or anything else.
This episode was recorded as part
of our New York City podcast road show
and so it features Phil Dayan, a PhD at Cornell Tech,
working with Ari Jules there.
His research focuses on broad questions
of security of distributed systems,
specifically blockchains.
He also wrote a post last year
with Tyler Kell, Ian Mears and Ari Jules
on quote, “On-chain vote buying and the rise of dark DAOs.”
Joining Phil in this hallway style jam
to discuss these topics is Ali Yaya,
who was previously a software engineer
and machine learning researcher at Google X and Google Brain.
He also gave a talk at A16Z Summit on crypto
and the evolution of trust, which you can find
on our website, and he’s a partner on A16Z Crypto.
Speaking of, please note that the content here
is for informational purposes only,
should not be taken as legal business tax
or investment advice, or be used to evaluate
any investment or security and is not directed
at any investors or potential investors in any fund.
For more details, please also see
A16ZCrypto.com/disclosures.
The conversation that follows covers ways
in which blockchain systems are different
from real-world voting systems,
ways the system can be gamed
and what that means for security,
as well as possible solutions
and more importantly, questions
all blockchain system designers should think about
instead of making naive assumptions.
But first, Phil and Ali began by very briefly summing up
the issues in real-world elections
and electronic voting systems.
The first voice you’ll hear is Phil’s, followed by Ali’s.
– So one challenge people have seen is straight up hacking.
Of course, if there is electronic voting in use,
just tampering with the integrity of the election itself
or the integrity of the registration.
Another challenge that people have been worried about
in the past is vote buying and selling.
So if I want you to vote a certain way,
maybe I directly bribe you to do so
or maybe even in the current system,
I can indirectly do it.
But it’s very difficult to bribe someone in person
and sort of understand how they’re going
to act in an election.
– Yeah, you have this great example of how
if the price of a vote is a beer
and you take me out for a beer and say,
“Ali, I want you to vote for ex-candidate.”
I could drink your beer and then go to the poll
and submit whichever ballot I want.
And you have no real mechanism to enforce my vote
in one way or another.
And you then point out how this is not so much the case
when you go to the world of electronic voting.
– Yes, the price of the vote as a beer
is actually kind of realistic.
Like vote buying in general is empirically pretty cheap
for two reasons.
Number one, it’s actually the poorest
and least advantaged people that are the most inclined
to sell their votes.
And number two is most people are disinterested
in most elections.
So this actually makes vote buying pretty cheap.
And in electronic voting, this is a big problem
because with many electronic voting protocols,
you can actually tell at the end of the protocol
how someone voted.
So it becomes much easier for me to bribe you
because I can just say essentially I’ll give you a beer
if I check afterwards and you voted with my candidate
rather than sort of trusting you to go in the polling booth
and make the right decision where socially
I can’t follow you into that booth
and look over your shoulder.
– Exactly.
You point out how in the world of human voting,
there are three things that tend to make vote buying
a little bit more difficult.
And it’s the inefficiencies of the human world
that actually work to your advantage here.
So the first is that in the human world,
it’s a crime to buy votes and that itself
kind of can serve as a deterrent,
which doesn’t really exist so much
in the jurisdiction-less crypto world.
The second one was that ballots
tend to be casted in secrecy.
So there’s no way of me to produce a proof
that I voted in one way or another,
which makes the buying of the vote difficult to enforce.
And the third one you mentioned is that if you tell me
that you’re going to pay me in the future
for voting one direction or another,
I have a hard time trusting you
that you will actually in the end pay me.
And so there’s sort of counterparty risk.
And so in the same way that sort of blockchains
mitigate trust and improve coordination for good purposes,
they can also be used to improve coordination
for sort of malicious purposes.
In this case, vote buying is like a double-edged sword.
Blockchains can be used to increase the efficiency
and effectiveness of bribery and vote buying.
Yes.
In the traditional world,
there’s been a long line of academic research.
So very early on people said we want to vote electronically.
It’ll make tallying cheaper.
It can maybe use cryptography
to increase the integrity of our elections.
So we don’t rely on these pieces of paper
sort of with this weird chain of human custody
and things like that.
But early schemes sort of suffered from this receipt property
where I could produce a proof that like here is the outcome
and here is what I actually voted to lead to this outcome.
So there was a wide range of work early on
on how to sort of solve this issue
and create voting schemes that are receipt free,
which means that after the fact,
I cannot produce a receipt or a proof
to tell you which way I voted.
And it’s sort of equally likely from your perspective
that I voted in any direction.
Later work sort of said that this is not strong enough.
Essentially the high level is
if you’re looking over my shoulder electronically,
like you have a virus on my computer
or you’re just physically looking over my shoulder,
at the time that I’m voting,
even receipt freedom is not enough
because you might be able to see in real time
the direction in which I’m voting
and enforce my vote that way.
So that led to an even stronger property
called coercion resistance,
which is that even if you compromise me
for some period of time,
you still are not able to get me to vote a certain way
in a way that you can trust.
– Yeah, that’s very interesting.
And so let’s connect this to sort of the blockchain world.
These questions of electronic voting have existed
for decades and predate the world
of blockchains and crypto networks.
But now there’s like a resurgence of research
in this direction because so many blockchain
and crypto network projects
want to use on-chain voting for all sorts of purposes.
– So I mean, in blockchain networks in general,
you often need to make decisions.
That’s like part of the attractive point of blockchains
that it makes coordinating group decisions
among actors who don’t trust each other
a little bit easier.
And to make these decisions sort of a natural response
is just vote, right?
That’s something you see in the real world.
It’s something you see in corporations with stockholders.
It’s something you see in boardrooms.
It’s something you see in political elections
and all sorts of other social systems.
So it’s just, I think, a natural human tendency
when asking sort of how to organize these things
that voting is the only real clear shelling point answer
that we can come up with.
So I think an important distinction
on why this stuff really matters in the blockchain world
is that the blockchain world and the real world
don’t operate in the same models.
If you’re going to a boardroom with someone,
you’re sitting next to the person, right?
We’re sort of operating in this model of social honesty
where people can see each other face to face.
You have shared interests in the company.
You sort of know their history at least somewhat.
Whereas in blockchains, you’re operating in an economic,
sort of an economically rational game theoretic model.
So you need much stronger guarantees from your systems.
Your systems need to be strong
even in the presence of economically motivated adversaries.
And they need to be secure,
assuming people are rational rather than honest.
So we don’t get to lean on this sort of honesty
that we have in the real world in blockchains.
And I think that’s where a lot of the mechanisms
that people try to sort of port over naively break down.
– Right, and this is especially important
because in most of the crypto networks
that are actually interesting,
the model is one where anyone can participate.
And people refer to this as the permissionless setting
and that anyone can connect to the network.
Anyone can sort of participate in the decisions
that are made through the governance processes
of the crypto network,
which makes the environment the very hostile one
because anyone anywhere can opt to participate
and they have an economic incentive to do so
because if they can game the system
or if they can sort of subvert it in some way,
then they could potentially profit.
– Exactly.
Satoshi released his white paper in ’09
and academics first started looking at Bitcoin
and its success and its rise
and asking like what is actually the interesting lesson
to be learned here from what we’ve been doing
for the last 20 years.
There was a whole space of consensus protocols
and Byzantine fault-tolerant protocols
that came to consensus on something
even in the presence of malicious users.
But what was really new about Bitcoin
is that it let anyone join and leave the network at any time.
And these people didn’t need to ask the people
who are already participating in the network
whether they can join or not.
So in most consensus protocols,
you have a sort of quorum that’s coming to decisions
and if you want to join,
you need to ask the quorum to join
because the quorum needs to agree on who’s in the quorum.
So they need to sort of come to consensus
on the fact that you’re allowed to join.
Whereas in something like Bitcoin,
if you want to start mining Bitcoin,
you just turn on your rig and as soon as you succeed,
people will accept that mathematically.
They don’t need any sort of membership proof
or anything like that.
What I think is relevant to voting
is that fundamental to the permissionless model
if you’re gonna use cryptography,
which all blockchains do,
is that if I can join and leave at any time,
I need to be able to like generate my own key
and join at any time.
– Right.
I mean, the uses of on-chain voting,
we’re voting within blockchain projects,
range all the way from setting the parameters,
like some parameter in the protocol
that may be something minor,
kind of like the price of gas, for example,
all the way over to sort of some intermediate level
where people use governance
and voting to decide how to allocate funds.
And then this goes all of the way over
to actually deciding how to change the protocol itself.
And so there are projects that are sort of self-amending
and that they use governance as a way of proposing updates
to the protocol and then deciding on which updates
should go through and which updates should not.
And so the stakes are high
and that if you have a governance system that can be gamed,
then all of these use cases may end up being vulnerable
to that kind of attack.
One way of thinking of governance that I quite like
that I think was proposed by Vitalik
is the coordination model of governance
and that really all governance decisions are in essence
a way of coordinating collective action.
He talks about how there are multiple layers
to governance, right?
The bottom layer is like what’s closest
to the real and physical world.
– Yeah, so maybe let’s go bottom up
on everywhere you have voting in blockchains.
At the very base level,
all consensus mechanisms are a vote,
so proof of work itself is a form of voting
on which block is valid
and which history is accepted by the network.
So you have voting at that layer.
Then that half layer up, like you said,
is this governance layer of how do blockchains
actually change their underlying code
and respond to attacks or new situations
or new technology or whatever it may be.
Traditionally, this has sort of gone with the fork model
where you just sort of spin up new code
and try to lobby everyone to just run this new system
instead of the old one.
This model has seen a lot of political strife,
a lot of inefficiency, a lot of sort of lobbying
and traditional politics like nastiness
in the blockchain space.
You can look at the Bitcoin block size debate,
whether to change the one to a two,
which spawned like a year long rift between the communities
that ended up in like several summits and agreements
and eventually a permanent split.
So some people look at that and say,
maybe we can make this more efficient
by just using voting and allowing the coin holders
to express their preference
and sort of just going with that.
And then another layer up from that,
you have the application layers like you were saying.
So these are your DAOs, these are your smart contracts
that wanna use voting to make decisions.
They could be, for example, on how to allocate funds.
They could be on how to change parameters
within their own smart contract.
So you really have voting throughout the blockchain stack.
A lot of projects are using it
and it has a very sort of wide impact as a general problem.
– So one observation that comes out of all of this
is that today’s governance systems
and sort of blockchains and crypto networks,
the way that they exist today will likely devolve
into plutocracy simply because the mechanisms
for vote buying are so effective as you described.
And some proponents of on-chain governance
will argue that plutocracy may not actually
be that bad of a thing.
They may be a bad thing for democracies,
but not so much for blockchains.
In the blockchain world for a crypto network,
it’s not so much a bad thing
because it’s in a sense incentive compatible,
at least at a surface level.
If they are voting using their coins
for any one upgrade to the protocol,
they will want to vote in the interest of other people
who also hold the coins in the interest of the network
because they own it and they have a stake in it.
And also their incentive to protect the network
is proportional to how many coins they own.
So like larger voters or stakeholders
who have more coins in the network
have an even greater incentive to protect the network.
What are your thoughts there?
– So I think every blockchain project
should take a step back and ask,
do we want plutocracy?
Do we want vote buying in our system?
And what are the consequences of that?
For many of them,
maybe it’s more acceptable than for others.
For example, if you have like a small closed sort of contract
that has a few shareholders,
something like an investment firm
and you have like one guy
who decides whether people get in or not,
maybe you’re not so concerned about vote buying
in that kind of a scheme.
Or if you have even like some sort of closed setting
where you can say things about the participants,
maybe you’re not so concerned about vote buying.
In a wider system where let’s say
the whole world is participating in it eventually,
I think the fundamental point is that
most people are disinterested in most votes
and the utility they get from the system
is not directly sort of correlated
with whether they vote A or B on this given issue.
Nonetheless, there are certain groups of people
who are extremely interested
in whether people vote A or B on a certain issue
and these are often pretty moneyed groups.
So in this way,
that kind of governance does sort of degenerate
into plutocracy.
And if that’s acceptable for your system, that’s fine.
I think for many systems, it’s not.
You need to care about these attacks
and you need to reason about
why your system is secure against this
and why your system actually doesn’t degenerate
to plutocracy.
People have tried to get around this
in two ways in blockchains.
The first one is they add some sort of identity.
So they have a third party service
that like you send your cell phone number
or something like that and it sends you a text
and sort of anti-sibles you that way
and then you’re able to participate in a vote.
So at least you can sort of attach some entity
to the person and then count votes per entity
rather than per coin.
This actually still degenerates into plutocracy
because of the way the Dark Dow works
because as long as these identities are keys
that people can sort of generate at any time,
they can be bought and sold and using the Dark Dow model
and you can essentially sell people
like the right to your identity
or you can sell people the right to a certain vote
using your identity or even more specific things than that.
So that kind of doesn’t work
unless you have a strong social protection
where like the person has to come in very often
and the network sort of authenticates
that they’re human or something like that.
That becomes very complicated
and steps much more into the messy world
of real world elections
and maybe doesn’t work for a global blockchain community.
Another way people have tried to get around it
which also kind of requires identity
is this new line of work by Vitalik Glenn Whale
and a few other people which is quadratic voting
where you actually allow vote buying.
So you allow people to buy votes
but only at an exponentially increasing price.
And this may kind of look like plutocracy
because you’re allowing people to buy votes
but if you actually do the math on the incentives,
it turns out that through this increasing function,
essentially people will express
their true preferences in the end.
And one rich person who really cares about A versus B
won’t be able to sort of overwhelm a disinterested majority
that weakly prefers A
and maybe each don’t have as many funds
as that one individual.
So this fixes some known pathologies
in real world voting systems
and also blockchain voting systems.
But it does require identity
and it’s extremely vulnerable to manipulation.
If this one rich person can pretend
that they’re two rich people or something like that,
the gig is sort of up.
And that’s what these new coordination mechanisms allow.
– Yes, I think this dependence on identity
that you are pointing out is very important
because as you pointed out,
anyone can pretend to be more than one person.
They can generate 10 different sets of key pairs
or hundreds of sets of key pairs
and pretend to be hundreds of people.
– Yeah, and the only thing you can do
is wait by coins basically.
– Exactly.
In that world, you end up with unfair representation
of you’re trying to assign a single vote to a key pair.
So proponents of on-chain coin holder governance
which means that one coin gives you one vote will argue.
It’s at the very least, civil resistant,
which means that if you have like 10 million coins
staked on one particular vote,
they’re basically used to vote for one particular outcome.
It’s very hard to argue that those 10 million coins
come from trolls that are trying to sway the election
because there’s real weight and real capital
that’s staked in one direction or another.
Whereas if you’re not using coin voting,
then that becomes more possible.
And so if you have a mechanism for identity
wherein you securely associate one human to one vote
or something like that,
then more sophisticated voting schemes become possible.
I think today, because we lack that kind of a mechanism,
people end up gravitating towards this simple
and somewhat, perhaps somewhat naive one coin, one vote model
which is vulnerable to this foot buying attack.
– Yeah, and this opens up a range of other issues.
So one problem that people have
when they analyze blockchain systems
and they sort of design these mechanisms
is that they look at their mechanism
and reason about its security properties,
but they do that in isolation.
And an important point is that none of these systems
really exist in a vacuum, right?
So take a look at any sort of blockchain
that uses coinholder voting to decide
the outcome of its consensus rules.
And there’s at least two such blockchains
that are sort of using this model.
If these two very large projects are approximately
the same size or one is a little bit bigger
than the other one or one is twice as big
as the other one or something like that,
it’s in the economic interests of everyone
who holds coins in the bigger project
to buy up coins on the smaller project
and influence votes in ways
that are sort of counter competitive.
And maybe even if they can’t buy up
enough of a blocked influence votes,
they can sow chaos and confusion and things like that.
So while one of these systems, you may say in isolation,
like, okay, the coinholders interests are represented
by this plutocracy, that doesn’t really work
when you have a whole world around it
that’s full of money that can frictionlessly
enter and exit the system at any time.
There’s no guarantee whatsoever
that the people who are economically in right this second
have an interest in that system,
especially when there are much bigger systems
that are competing with it.
So I think that’s a very important point
that people overlook.
And again, we mentioned that there’s this sort of stack
of voting, even at the consensus layer,
that has implications on the whole stack.
So if you have a fork that’s like 10%
of the size of a project,
and this fork could potentially impact
the price of the larger project,
it’s absolutely in the interest of that larger project
to launch attacks on that base layer proof of workflow
and do things like censorship,
use some small percentage of their hash power
to do 51% attacks or denial of service
or whatever they need to do to make sure
that that network goes down in price.
And that attack might even be profitable,
especially if there are mechanisms to short
that sort of smaller project.
– Yeah, that’s a very good point.
I think most proponents of a coinholder voting
would argue that it is just not in your interest
to sell your vote because you’d be damaging
the value of the asset that you hold.
And you hold a coin, and if you sell the votes
associated with that coin,
and that might reduce the value of the coin
in some way that sort of results in a net loss for you.
But that analysis happens entirely in a vacuum.
It happens sort of assuming that there aren’t any kind
of external mechanisms via which you could profit
from the loss of value of this particular coin.
Like for example, what you’re mentioning,
competition between blockchains.
If I’m a stakeholder, a much larger stakeholder
in a competing network,
then I might have a strong interest
in reducing the value of this particular coin,
and that that’s associated
with this one competing crypto network
because it may result in a larger profit
outside of the system.
And so I think, yeah, the incentive structures
that are built in aggregate tend to be far more complex
and they kind of interact in ways
that tend to be difficult to analyze
and could result in complexity
that could ultimately result in attacks.
And you post, you talk a little bit
about what you refer to as the dark DAO,
which sounds like a fairly dark picture
of what could end up being the case.
In your view, what is the worst case scenario here?
How could this unfold in a bad way?
– Yeah, so there’s a lot of different variants
of the dark DAO which have different assumptions
in the post, some of them require trusted hardware,
some of them don’t.
But the ultimate point of the dark DAO
is that it’s a private smart contract
for attacking a vote, for vote buying,
that essentially hides from the rest of the world
how much money is committed to this contract,
who is participating in the vote buying contract,
and sort of how far along the contract is.
But sort of is a way to frictionlessly
and permissionlessly form a vote buying cartel
for a particular vote.
And this could be sort of a funding pool,
anyone can come contribute money to it.
So if it’s outcome specific,
it could be funded by anyone who’s interested
in such an outcome,
whether it be other blockchain projects,
users on the system, outside groups, whatever it may be.
So once this dark DAO is funded,
what it does is sort of offer up vote buying
to people in the system.
And if people in the system come take this vote buying,
they retain access to their funds,
they keep using their wallet as they normally do,
but they’re sort of shackled by the dark DAO
that for this particular vote,
they can only vote in this certain way.
And this is trustless
because both sides have some guarantees.
So the vote buyers or vote buying network
or whatever it may be has guarantees
that potentially no one will find out
who’s being bought or sold
and how much money is pledged to it.
They’re guaranteed that if they pay for a vote,
this vote will actually be executed in the protocol,
even if the protocol does have
the classic properties of coercion resistance.
Another sort of sidebar of the dark DAO
is that trusted hardware, which is a new technology,
sort of breaks all classical coercion resistance voting
schemes in the blockchain world
and in the regular election world.
So once they launch this attack
and they start buying and selling people’s votes,
they have a number of options available to them.
One cool thing you can do
is you can tell everyone in the cartel
when a certain threshold is reached.
Let’s say when like 70% of the,
or 10% of the votes are locked into this DAO.
And you can do this in a way that’s deniable
such that everyone inside the cartel can check,
yes, 70% is reached,
but no one outside the cartel has any way of knowing
that this is actually reached.
So you can enforce an information asymmetry
that allows for profiting through things like shorting.
You can also enforce stronger information asymmetries,
so not even allow the people who are being bribed
to know at any time how much money is in it
or even potentially whether they voted at all
if the scheme is receipt free.
So it’s a very, very powerful class of attack.
You can spin it up however you want.
It allows people to pool their money and buy votes
in a way that they can keep any part of that secret
to any group of people that they want.
And the outside system has no way of knowing
sort of how far along the attack is.
In some ways, it also represents a credible threat.
If I were to launch a dark DAO,
I might not even need to necessarily have people
participate in it.
Just its existence might be enough
to shake people’s confidence in that underlying vote.
So when we publish that blog post,
we’ve had a lot of reactions from voting projects
and other people in the space.
And I think there is a good question
of why haven’t we seen this already?
But at the end of the day, these systems are tiny, right?
Blockchains today are a drop in the bucket
of like the world financial system
and the incentives just aren’t there yet.
But if we are to use these technologies
and if we are to scale things,
I think these are absolutely realistic scenarios
and potentially nightmare scenarios.
– Yeah, that sounds insane.
And that’s definitely an outcome that is to be prevented.
And I think, I mean, this matters because
if we just take a step back and think about why is governance
so topical and so important in the world of crypto
and blockchains today?
It is because so much of what drives the space forward
in what is sort of the underlying philosophical motivation
is that power over these networks is decentralized.
And so decentralization here refers to
a bunch of different things at the same time.
Like people talk about decentralization
as it refers to sort of consensus,
like who gets to decide like who modifies
the underlying ledger,
but also decentralization applies
to who gets to modify the code.
These networks are decentralized in that
they’re kind of like self-governing organizations
and they don’t have at least philosophically
any central points of control where any one individual
can decide how to sort of modify the code
or make it work in any particular way.
And so all of these initiatives to try to build in governance
into the protocols are an effort to try to
sort of decentralize even that aspect
and to try to make it so that the code itself can evolve
in a way that is still community driven
and not kind of centrally controlled
by the core developer team.
– Yeah, I think the promise of a lot of these systems
is sort of this crypto economic security, right?
You have this mechanism and because the mechanism works
and the incentives are set up right,
everyone comes together harmoniously
and produces something that is bulletproof
and very strong because of the incentives and the mechanism.
An example of this is Bitcoin.
Because of the money paid to miners,
people are burning a small country’s worth of electricity
to try to secure this transaction ledger
that has actually worked fantastically so far.
So when you design these systems,
there needs to be some sort of underlying mechanism
and some sort of reasoning about the security
of that mechanism.
But what these technologies like the dark dial
and private smart contracts allow you to do
is use external money to sort of alter the incentives
inside that game and alter the security properties
that people are actually getting from their project
in a permissionless and trustless way.
So this does sort of speak
to the fundamental coordination of blockchains, right?
Like how do we design these games to coordinate people
to make choices in a way that’s not controlled
by one particular individual, as you said,
or some social trust hierarchy,
but by the economics of the system itself?
And in that model,
if you can’t be secure against economic attacks,
then you’re sort of building something
that doesn’t make much sense in my opinion.
And so I guess that’s a lot of what my work is looking at.
– Right, what do you think are the implications
of vote buying on proof of stake?
– So proof of work is where people use hardware
to sort of solve hard problems.
And if they solve the problem,
then they can post a block to the network.
Rather than using this mechanism,
proof of stake allows people to vote using their coins.
So they lock up their coins for some long period of time
and they can use any number of protocols to do this.
The core idea here is that instead of proof of work
where the economic security you get
is because people are doing this useless computation problem
that is sort of burning money
and there’s some costs associated with doing this,
is that people are paying liquidity costs
to lock up these coins for a long, long period of time
and they’re also taking risks
that they may incur penalties
if they misbehave in the protocol.
And with these liquidity costs,
they’re taking like massive volatility risks
in cryptocurrencies, right?
So if they do something that crashes the system,
well, their coins are locked up
and they’re going to lose money.
If the network decides they misbehaved,
well, they can get rid of all their coins
and they’re gonna lose money.
So it’s this idea of bootstrapping
the economic security of the network from the coins
rather than from some external hardware source.
Obviously that comes with a lot of trade-offs
that are maybe beyond the scope of this discussion,
but at the end of the day, it’s also a voting protocol.
You have these people with coins, they decide how to vote.
So where does vote buying come in here?
Well, obviously this proof-of-stake protocol has an outcome.
It decides what history of the network is valid
and this outcome has all sorts of economic implications.
It decides who gets to send money to who.
It decides who is censored in the system.
It decides what order transactions happen in canonically
according to everyone in the system
and with that comes a lot of profit opportunity.
So I can potentially profit by censoring you
or I can profit by putting my transactions in front of yours
when you wanna execute an order on a decentralized exchange
or I can profit in sort of any number of different ways
by manipulating this vote.
So what you can do with the dark DAO
is to start a staking pool where I say like,
you know, let me do my algorithmic trading
and decide what order of transactions
makes me the most money.
You don’t necessarily care
if someone who’s doing a transaction on a dex
gets front-run and loses like $5, right?
So you say, okay, I’ll happily participate in this.
It’ll still keep the value of my coins high,
especially if I don’t have a lot of coins
and you’re paying me like twice as much
as any other staking pool.
So it sort of opens these coordination mechanisms
for attacks on the underlying transaction history
and the underlying consensus.
– Do you think that there’s a way
of making a proof-of-stake network secure?
– It depends on your definition of secure.
I think it really depends on the type of security you want,
I guess.
– Yeah, and this all gets to the broader question
of like economic security of a blockchain.
And in the case of proof-of-stake,
the resource that’s used to secure the blockchain
is internal to the network.
In the case of proof-of-work,
it’s sort of electricity and like hardware
that’s used external to the network to secure the ledger.
And there are many other kind of approaches.
Like people are experimenting with doing useful work.
Instead of burning electricity uselessly
as you do in proof-of-work,
people try to build a sort of proof-of-space
or proof-of-spacetime protocols
where like for example, you’re able to store files
and storage becomes the resource that people use
to then secure the network.
What do you think of that kind of approach?
– So fundamentally to vote buying,
it doesn’t actually matter what resource you’re using.
Vote buying works for proof-of-work too.
So I could use dark DAO like technology
to start the mining pool.
And the properties of the mining pool would be
you come, you mine here.
I’ll pay you more than we’re making
because I have some external incentive
to censor someone or reorder transactions or whatever.
And then you get the dark DAO privacy properties
of no one knows how much hash power is participating
in this pool or who’s getting paid or things like that.
So these certainly also apply to systems
that use things like files and other useful work properties.
I think there’s a whole class of other questions
on the economic security of those systems.
So you have to be really careful
about where the economic security comes from.
I think you have to be really careful
with what useful means.
Whether the fact that it’s useful also introduces
any external incentives to mess with it, right?
So you could imagine like if the useful thing
the network was doing was like powering a search engine
or something, right?
Those results are valuable
and they bring external actors in who want to manipulate that.
And there’s sort of this feedback loop
between the mechanism securing the protocol
and the utility of what the protocol is actually providing.
But there’s definitely some people in the community
that look at that and say this is all way too complicated.
This is never going to work.
You have to have it be useless
because there’s no external incentives
and messy things that way.
I personally think that’s an open question.
– Yeah, there’s this argument that people make
that if the resource that is used to secure the network
is very commoditized
and just generally exists in the world
in the world in sort of plentiful quantities
that for example, in the case of storage,
if storage is the resource that’s used to secure the network
then anyone with a bunch of storage
could presumably attack the network.
Whereas in the case of a network like say Bitcoin
where you have ASICs that are specific to the network
in order to attack the network
you have to get your hands on those ASICs
and those ASICs aren’t useful for anything
but mining Bitcoin.
So people would argue the security of that kind of
the economic security of that kind of model is better.
– Yeah, and Joe Bono has a fascinating line of work
on these problems.
So if you Google Goldfinger attacks
he has a paper and a presentation.
There’s also the question of like buying versus renting.
So if something is very commoditized
you may be able to rent it
which substantially subsidizes the tax.
You may be able to buy it, perform the attack
and then resell it into the commodity market
which again substantially subsidizes the attack.
So these are all open and very complex questions
but people will build the systems and we’ll see.
This is sort of a classic pattern you see
in traditional finance.
And then you’ll have sort of black swan
and tail risk like events that surprise people.
– So we’ve talked a lot about governance in general
but you obviously are working on a ton of interesting stuff
just generally with respect to economic security
for crypto networks and blockchain
just the computer security.
What are some of the other interesting ideas
or sort of lines of work that you’re exploring?
– So one that I’m extremely personally interested in
is fairness guarantees for users around these systems.
A lot of what attracted me to them in the first place
was this promise of sort of eliminating the middleman
and making things in control of the user.
Like be your own bank, you don’t need these institutions
to tell you how to set your money supply
or how to route your transactions
or what exchange to use, et cetera, et cetera.
I look a lot at those guarantees
and sort of the ways in which modern blockchain solutions
are failing to meet those guarantees.
So one example of that is in the decentralized exchange space.
That’s something that’s seen a lot of promise
from people who wanna build these exchanges
that aren’t vulnerable to hacks and other user fund theft.
Unfortunately, the way these mechanisms
that people are building interact with the blockchain
is very complex and opens the door for external actors
to make a lot of money from front running them
and make a lot of money from doing algorithmic trading
on the network and everything that you see
in the traditional financial world.
So some of my work is around how large is that economy
and what are the failures of those guarantees?
– What are some interesting results so far on that front?
– So it’s actually probably a bigger market than you think,
even though DEXs have not seen substantial volume.
So this is a big problem for users.
It also highlights a lot of weird quirks of these systems,
such as like allowing for typos that end up costing users
a lot of money when programmatic actors soup in
and sort of take advantage of these inefficient mechanisms.
And it also raises fundamental questions about, I guess,
whether we’ll be able to do something that’s different
from the current financial system
because there are still these information asymmetries
that come up and this is a worldwide network.
And at the end of the day,
someone is still ordering transactions.
So is this rent sort of implicit to all blockchains?
How large is it?
And does it threaten the security of the overall blockchain?
Which I think it may.
– So I think one very interesting line of work
that you did was around gas token
and tokenizing gas on the Ethereum network.
– So this sort of came out of this arbitrage project.
We wrote a blog post very early on,
last I think October, November,
essentially saying decentralized exchanges are flawed.
You can just run this 20 line Python script
and you can profit off of users in a way
that was maybe not foreseen
and is not sort of explicitly stated to them
because of how inefficient these mechanisms are.
And before we wrote this blog post,
we were actually doing this to test it, right?
And we said, we made X dollars, whatever.
After we wrote the blog post,
sort of this cottage industry spawned
of like a few dozen people who are competing
in sort of this market and trying to outbid each other
to get their transactions first in that mind order
and take advantage of these opportunities.
So we’ve been studying that market for quite a while
and competing against these guys.
And unfortunately at some point,
they started out competing us.
So we started competing on what’s called gas,
which is the price you’re willing to pay
per unit of transaction.
The way it works is you make a typo Ali,
it puts a million dollars on the table
for anyone who can get their order in ahead of that typo
and sort of take advantage of your typo.
And then I would like to do a $5 transaction
to take advantage of Ali’s mistake, right?
And then maybe someone else is willing
to do a $10 transaction
’cause it’s a million dollar opportunity, right?
So we sort of get into this bidding war of like,
minor, please pick me first, minor, please pick me first.
That’s inherent to how these transactions
are ordered by miners.
And what we noticed is that when you have like 10 of these,
we were rarely profiting
because we didn’t have the best latency,
we didn’t have the best infrastructure
and they were getting their bids out faster.
They were getting them two miners faster
and they were willing to bid up higher than we were
to essentially take these opportunities.
So that’s where gas token came in.
It’s a way to sort of store this gas for the longer term
rather than just paying for it when you do your transaction.
So gas is the transaction fee.
And usually you say, okay,
I’m willing to pay a $100 fee for this transaction.
Instead, what you could do is sort of bank
a transaction’s worth of gas
and then just deploy that bank gas
and not pay as much fee
for the transaction you are doing.
And that works by taking advantage
of this fundamental issue in Ethereum’s resource model
which has to do with how you pay
to sort of incentivize people to clean up after themselves.
So in Ethereum, you actually give people a refund in gas
if they delete something they stored in the network previously
to incentivize them to not leave garbage around
that everyone has to store forever.
So what we do is when gas is cheap,
we fill the Ethereum state with junk
and then when it’s expensive, we delete this junk
which gives us a refund at that higher price
that we can use to subsidize these arbitrage transactions
which often costs thousands and thousands of dollars in fees.
Like people are bidding multiple thousands,
even tens of thousands in fees on these transactions.
– Right, and so to clarify for those not already familiar,
so gas is basically the resource that you use
to pay for computational resources
on the Ethereum blockchain.
So if you want it to buy computations, say instructions
that miners will execute for you, you pay for those in gas.
If you want it to buy a storage,
you similarly also pay for storage in gas.
And the current model of Ethereum is that you buy
some storage on the blockchain for a fixed price upfront
and then that storage sort of remains
on the blockchain forever.
And the Ethereum blockchain has this mechanism
that if you were to delete that storage,
if you were to free it,
then you will receive a refund for the amount that you paid.
Some refund for what you paid originally
for that amount of storage.
And so you’re basically saying that when gas is very cheap,
you can sort of fill storage on the blockchain
and then reclaim a refund later once gas is expensive.
And sort of the gas will be worth more at that point
than it was when you stored it.
And you could sort of leverage that
to kind of increase the amount of gas
that’s available to you.
– Yeah, and our fundamental observation was that
this is basically a derivative on gas.
It’s like a call option on some gas.
It led to the broader question
of how are these resources actually priced?
Like how do people choose how much is paid for storage?
How do people choose how much is paid for computation?
And in what ways are these suboptimal?
– So you mentioned the current model of pay one store forever.
That’s something we certainly address in our work,
proposing more of a rentful scheme
where you have to pay for ongoing costs at market rate.
There’s also the issue of who’s getting the payment.
So the fact that the miners get payment for storage
when the miners actually don’t need to store the whole state
and it’s the full nodes that bear the cost.
So this sort of asymmetry between who’s bearing the cost
like where the externality is
and like who’s actually profiting
is super important to study.
It leads to a sort of tragedy of the commons
in the worst case where the miners are happy to take payment
for as much storage as you want
because they don’t have to store it and they don’t care.
As long as they don’t break the whole network,
they’ll happily push out as many full nodes as they can.
So these are broader questions.
We have a broader initiative called Project Chicago,
which you can see at projectchicago.io.
That basically is studying these questions
of crypto commodities.
What are the underlying commodities behind blockchains?
For example, computation, relay network and storage.
How are these commodities priced?
How can you exploit these commodities?
How can you exploit like the relay network
to get information about people’s transactions earlier
or the computation layer to sort of, I don’t know,
do this kind of gas refund or something like that.
So there’s a lot of interesting work in that direction.
– Yeah, by the way, why is it called Project Chicago?
– So it’s called Project Chicago
’cause our inspiration is sort of the Chicago mercantile
exchange.
That’s how businesses hedge against volatility
and sort of price commodities in real world markets.
So we think of this as sort of exploring something similar
on blockchains and asking like,
is that the right model or can we do better
now that we have all these decentralized tools
at our disposal?
– Best painting.
Well, thank you so much for coming on the podcast.
– Yeah, thanks for having me.
should not be taken as legal business tax
or investment advice or be used to evaluate
any investment or security and is not directed
at any investors or potential investors in any A16Z fund.
For more details, please see a16z.com/disclosures.
– Hi everyone, welcome to the A16Z podcast, I’m Sonal.
Today’s episode is all about blockchain-based voting systems
which has implications for crypto economic security
and for governance, especially when you think
about the differences, both good and bad,
between real world and online systems
for coordinating groups of people to vote on something,
whether it’s a decision in a boardroom
or an election or anything else.
This episode was recorded as part
of our New York City podcast road show
and so it features Phil Dayan, a PhD at Cornell Tech,
working with Ari Jules there.
His research focuses on broad questions
of security of distributed systems,
specifically blockchains.
He also wrote a post last year
with Tyler Kell, Ian Mears and Ari Jules
on quote, “On-chain vote buying and the rise of dark DAOs.”
Joining Phil in this hallway style jam
to discuss these topics is Ali Yaya,
who was previously a software engineer
and machine learning researcher at Google X and Google Brain.
He also gave a talk at A16Z Summit on crypto
and the evolution of trust, which you can find
on our website, and he’s a partner on A16Z Crypto.
Speaking of, please note that the content here
is for informational purposes only,
should not be taken as legal business tax
or investment advice, or be used to evaluate
any investment or security and is not directed
at any investors or potential investors in any fund.
For more details, please also see
A16ZCrypto.com/disclosures.
The conversation that follows covers ways
in which blockchain systems are different
from real-world voting systems,
ways the system can be gamed
and what that means for security,
as well as possible solutions
and more importantly, questions
all blockchain system designers should think about
instead of making naive assumptions.
But first, Phil and Ali began by very briefly summing up
the issues in real-world elections
and electronic voting systems.
The first voice you’ll hear is Phil’s, followed by Ali’s.
– So one challenge people have seen is straight up hacking.
Of course, if there is electronic voting in use,
just tampering with the integrity of the election itself
or the integrity of the registration.
Another challenge that people have been worried about
in the past is vote buying and selling.
So if I want you to vote a certain way,
maybe I directly bribe you to do so
or maybe even in the current system,
I can indirectly do it.
But it’s very difficult to bribe someone in person
and sort of understand how they’re going
to act in an election.
– Yeah, you have this great example of how
if the price of a vote is a beer
and you take me out for a beer and say,
“Ali, I want you to vote for ex-candidate.”
I could drink your beer and then go to the poll
and submit whichever ballot I want.
And you have no real mechanism to enforce my vote
in one way or another.
And you then point out how this is not so much the case
when you go to the world of electronic voting.
– Yes, the price of the vote as a beer
is actually kind of realistic.
Like vote buying in general is empirically pretty cheap
for two reasons.
Number one, it’s actually the poorest
and least advantaged people that are the most inclined
to sell their votes.
And number two is most people are disinterested
in most elections.
So this actually makes vote buying pretty cheap.
And in electronic voting, this is a big problem
because with many electronic voting protocols,
you can actually tell at the end of the protocol
how someone voted.
So it becomes much easier for me to bribe you
because I can just say essentially I’ll give you a beer
if I check afterwards and you voted with my candidate
rather than sort of trusting you to go in the polling booth
and make the right decision where socially
I can’t follow you into that booth
and look over your shoulder.
– Exactly.
You point out how in the world of human voting,
there are three things that tend to make vote buying
a little bit more difficult.
And it’s the inefficiencies of the human world
that actually work to your advantage here.
So the first is that in the human world,
it’s a crime to buy votes and that itself
kind of can serve as a deterrent,
which doesn’t really exist so much
in the jurisdiction-less crypto world.
The second one was that ballots
tend to be casted in secrecy.
So there’s no way of me to produce a proof
that I voted in one way or another,
which makes the buying of the vote difficult to enforce.
And the third one you mentioned is that if you tell me
that you’re going to pay me in the future
for voting one direction or another,
I have a hard time trusting you
that you will actually in the end pay me.
And so there’s sort of counterparty risk.
And so in the same way that sort of blockchains
mitigate trust and improve coordination for good purposes,
they can also be used to improve coordination
for sort of malicious purposes.
In this case, vote buying is like a double-edged sword.
Blockchains can be used to increase the efficiency
and effectiveness of bribery and vote buying.
Yes.
In the traditional world,
there’s been a long line of academic research.
So very early on people said we want to vote electronically.
It’ll make tallying cheaper.
It can maybe use cryptography
to increase the integrity of our elections.
So we don’t rely on these pieces of paper
sort of with this weird chain of human custody
and things like that.
But early schemes sort of suffered from this receipt property
where I could produce a proof that like here is the outcome
and here is what I actually voted to lead to this outcome.
So there was a wide range of work early on
on how to sort of solve this issue
and create voting schemes that are receipt free,
which means that after the fact,
I cannot produce a receipt or a proof
to tell you which way I voted.
And it’s sort of equally likely from your perspective
that I voted in any direction.
Later work sort of said that this is not strong enough.
Essentially the high level is
if you’re looking over my shoulder electronically,
like you have a virus on my computer
or you’re just physically looking over my shoulder,
at the time that I’m voting,
even receipt freedom is not enough
because you might be able to see in real time
the direction in which I’m voting
and enforce my vote that way.
So that led to an even stronger property
called coercion resistance,
which is that even if you compromise me
for some period of time,
you still are not able to get me to vote a certain way
in a way that you can trust.
– Yeah, that’s very interesting.
And so let’s connect this to sort of the blockchain world.
These questions of electronic voting have existed
for decades and predate the world
of blockchains and crypto networks.
But now there’s like a resurgence of research
in this direction because so many blockchain
and crypto network projects
want to use on-chain voting for all sorts of purposes.
– So I mean, in blockchain networks in general,
you often need to make decisions.
That’s like part of the attractive point of blockchains
that it makes coordinating group decisions
among actors who don’t trust each other
a little bit easier.
And to make these decisions sort of a natural response
is just vote, right?
That’s something you see in the real world.
It’s something you see in corporations with stockholders.
It’s something you see in boardrooms.
It’s something you see in political elections
and all sorts of other social systems.
So it’s just, I think, a natural human tendency
when asking sort of how to organize these things
that voting is the only real clear shelling point answer
that we can come up with.
So I think an important distinction
on why this stuff really matters in the blockchain world
is that the blockchain world and the real world
don’t operate in the same models.
If you’re going to a boardroom with someone,
you’re sitting next to the person, right?
We’re sort of operating in this model of social honesty
where people can see each other face to face.
You have shared interests in the company.
You sort of know their history at least somewhat.
Whereas in blockchains, you’re operating in an economic,
sort of an economically rational game theoretic model.
So you need much stronger guarantees from your systems.
Your systems need to be strong
even in the presence of economically motivated adversaries.
And they need to be secure,
assuming people are rational rather than honest.
So we don’t get to lean on this sort of honesty
that we have in the real world in blockchains.
And I think that’s where a lot of the mechanisms
that people try to sort of port over naively break down.
– Right, and this is especially important
because in most of the crypto networks
that are actually interesting,
the model is one where anyone can participate.
And people refer to this as the permissionless setting
and that anyone can connect to the network.
Anyone can sort of participate in the decisions
that are made through the governance processes
of the crypto network,
which makes the environment the very hostile one
because anyone anywhere can opt to participate
and they have an economic incentive to do so
because if they can game the system
or if they can sort of subvert it in some way,
then they could potentially profit.
– Exactly.
Satoshi released his white paper in ’09
and academics first started looking at Bitcoin
and its success and its rise
and asking like what is actually the interesting lesson
to be learned here from what we’ve been doing
for the last 20 years.
There was a whole space of consensus protocols
and Byzantine fault-tolerant protocols
that came to consensus on something
even in the presence of malicious users.
But what was really new about Bitcoin
is that it let anyone join and leave the network at any time.
And these people didn’t need to ask the people
who are already participating in the network
whether they can join or not.
So in most consensus protocols,
you have a sort of quorum that’s coming to decisions
and if you want to join,
you need to ask the quorum to join
because the quorum needs to agree on who’s in the quorum.
So they need to sort of come to consensus
on the fact that you’re allowed to join.
Whereas in something like Bitcoin,
if you want to start mining Bitcoin,
you just turn on your rig and as soon as you succeed,
people will accept that mathematically.
They don’t need any sort of membership proof
or anything like that.
What I think is relevant to voting
is that fundamental to the permissionless model
if you’re gonna use cryptography,
which all blockchains do,
is that if I can join and leave at any time,
I need to be able to like generate my own key
and join at any time.
– Right.
I mean, the uses of on-chain voting,
we’re voting within blockchain projects,
range all the way from setting the parameters,
like some parameter in the protocol
that may be something minor,
kind of like the price of gas, for example,
all the way over to sort of some intermediate level
where people use governance
and voting to decide how to allocate funds.
And then this goes all of the way over
to actually deciding how to change the protocol itself.
And so there are projects that are sort of self-amending
and that they use governance as a way of proposing updates
to the protocol and then deciding on which updates
should go through and which updates should not.
And so the stakes are high
and that if you have a governance system that can be gamed,
then all of these use cases may end up being vulnerable
to that kind of attack.
One way of thinking of governance that I quite like
that I think was proposed by Vitalik
is the coordination model of governance
and that really all governance decisions are in essence
a way of coordinating collective action.
He talks about how there are multiple layers
to governance, right?
The bottom layer is like what’s closest
to the real and physical world.
– Yeah, so maybe let’s go bottom up
on everywhere you have voting in blockchains.
At the very base level,
all consensus mechanisms are a vote,
so proof of work itself is a form of voting
on which block is valid
and which history is accepted by the network.
So you have voting at that layer.
Then that half layer up, like you said,
is this governance layer of how do blockchains
actually change their underlying code
and respond to attacks or new situations
or new technology or whatever it may be.
Traditionally, this has sort of gone with the fork model
where you just sort of spin up new code
and try to lobby everyone to just run this new system
instead of the old one.
This model has seen a lot of political strife,
a lot of inefficiency, a lot of sort of lobbying
and traditional politics like nastiness
in the blockchain space.
You can look at the Bitcoin block size debate,
whether to change the one to a two,
which spawned like a year long rift between the communities
that ended up in like several summits and agreements
and eventually a permanent split.
So some people look at that and say,
maybe we can make this more efficient
by just using voting and allowing the coin holders
to express their preference
and sort of just going with that.
And then another layer up from that,
you have the application layers like you were saying.
So these are your DAOs, these are your smart contracts
that wanna use voting to make decisions.
They could be, for example, on how to allocate funds.
They could be on how to change parameters
within their own smart contract.
So you really have voting throughout the blockchain stack.
A lot of projects are using it
and it has a very sort of wide impact as a general problem.
– So one observation that comes out of all of this
is that today’s governance systems
and sort of blockchains and crypto networks,
the way that they exist today will likely devolve
into plutocracy simply because the mechanisms
for vote buying are so effective as you described.
And some proponents of on-chain governance
will argue that plutocracy may not actually
be that bad of a thing.
They may be a bad thing for democracies,
but not so much for blockchains.
In the blockchain world for a crypto network,
it’s not so much a bad thing
because it’s in a sense incentive compatible,
at least at a surface level.
If they are voting using their coins
for any one upgrade to the protocol,
they will want to vote in the interest of other people
who also hold the coins in the interest of the network
because they own it and they have a stake in it.
And also their incentive to protect the network
is proportional to how many coins they own.
So like larger voters or stakeholders
who have more coins in the network
have an even greater incentive to protect the network.
What are your thoughts there?
– So I think every blockchain project
should take a step back and ask,
do we want plutocracy?
Do we want vote buying in our system?
And what are the consequences of that?
For many of them,
maybe it’s more acceptable than for others.
For example, if you have like a small closed sort of contract
that has a few shareholders,
something like an investment firm
and you have like one guy
who decides whether people get in or not,
maybe you’re not so concerned about vote buying
in that kind of a scheme.
Or if you have even like some sort of closed setting
where you can say things about the participants,
maybe you’re not so concerned about vote buying.
In a wider system where let’s say
the whole world is participating in it eventually,
I think the fundamental point is that
most people are disinterested in most votes
and the utility they get from the system
is not directly sort of correlated
with whether they vote A or B on this given issue.
Nonetheless, there are certain groups of people
who are extremely interested
in whether people vote A or B on a certain issue
and these are often pretty moneyed groups.
So in this way,
that kind of governance does sort of degenerate
into plutocracy.
And if that’s acceptable for your system, that’s fine.
I think for many systems, it’s not.
You need to care about these attacks
and you need to reason about
why your system is secure against this
and why your system actually doesn’t degenerate
to plutocracy.
People have tried to get around this
in two ways in blockchains.
The first one is they add some sort of identity.
So they have a third party service
that like you send your cell phone number
or something like that and it sends you a text
and sort of anti-sibles you that way
and then you’re able to participate in a vote.
So at least you can sort of attach some entity
to the person and then count votes per entity
rather than per coin.
This actually still degenerates into plutocracy
because of the way the Dark Dow works
because as long as these identities are keys
that people can sort of generate at any time,
they can be bought and sold and using the Dark Dow model
and you can essentially sell people
like the right to your identity
or you can sell people the right to a certain vote
using your identity or even more specific things than that.
So that kind of doesn’t work
unless you have a strong social protection
where like the person has to come in very often
and the network sort of authenticates
that they’re human or something like that.
That becomes very complicated
and steps much more into the messy world
of real world elections
and maybe doesn’t work for a global blockchain community.
Another way people have tried to get around it
which also kind of requires identity
is this new line of work by Vitalik Glenn Whale
and a few other people which is quadratic voting
where you actually allow vote buying.
So you allow people to buy votes
but only at an exponentially increasing price.
And this may kind of look like plutocracy
because you’re allowing people to buy votes
but if you actually do the math on the incentives,
it turns out that through this increasing function,
essentially people will express
their true preferences in the end.
And one rich person who really cares about A versus B
won’t be able to sort of overwhelm a disinterested majority
that weakly prefers A
and maybe each don’t have as many funds
as that one individual.
So this fixes some known pathologies
in real world voting systems
and also blockchain voting systems.
But it does require identity
and it’s extremely vulnerable to manipulation.
If this one rich person can pretend
that they’re two rich people or something like that,
the gig is sort of up.
And that’s what these new coordination mechanisms allow.
– Yes, I think this dependence on identity
that you are pointing out is very important
because as you pointed out,
anyone can pretend to be more than one person.
They can generate 10 different sets of key pairs
or hundreds of sets of key pairs
and pretend to be hundreds of people.
– Yeah, and the only thing you can do
is wait by coins basically.
– Exactly.
In that world, you end up with unfair representation
of you’re trying to assign a single vote to a key pair.
So proponents of on-chain coin holder governance
which means that one coin gives you one vote will argue.
It’s at the very least, civil resistant,
which means that if you have like 10 million coins
staked on one particular vote,
they’re basically used to vote for one particular outcome.
It’s very hard to argue that those 10 million coins
come from trolls that are trying to sway the election
because there’s real weight and real capital
that’s staked in one direction or another.
Whereas if you’re not using coin voting,
then that becomes more possible.
And so if you have a mechanism for identity
wherein you securely associate one human to one vote
or something like that,
then more sophisticated voting schemes become possible.
I think today, because we lack that kind of a mechanism,
people end up gravitating towards this simple
and somewhat, perhaps somewhat naive one coin, one vote model
which is vulnerable to this foot buying attack.
– Yeah, and this opens up a range of other issues.
So one problem that people have
when they analyze blockchain systems
and they sort of design these mechanisms
is that they look at their mechanism
and reason about its security properties,
but they do that in isolation.
And an important point is that none of these systems
really exist in a vacuum, right?
So take a look at any sort of blockchain
that uses coinholder voting to decide
the outcome of its consensus rules.
And there’s at least two such blockchains
that are sort of using this model.
If these two very large projects are approximately
the same size or one is a little bit bigger
than the other one or one is twice as big
as the other one or something like that,
it’s in the economic interests of everyone
who holds coins in the bigger project
to buy up coins on the smaller project
and influence votes in ways
that are sort of counter competitive.
And maybe even if they can’t buy up
enough of a blocked influence votes,
they can sow chaos and confusion and things like that.
So while one of these systems, you may say in isolation,
like, okay, the coinholders interests are represented
by this plutocracy, that doesn’t really work
when you have a whole world around it
that’s full of money that can frictionlessly
enter and exit the system at any time.
There’s no guarantee whatsoever
that the people who are economically in right this second
have an interest in that system,
especially when there are much bigger systems
that are competing with it.
So I think that’s a very important point
that people overlook.
And again, we mentioned that there’s this sort of stack
of voting, even at the consensus layer,
that has implications on the whole stack.
So if you have a fork that’s like 10%
of the size of a project,
and this fork could potentially impact
the price of the larger project,
it’s absolutely in the interest of that larger project
to launch attacks on that base layer proof of workflow
and do things like censorship,
use some small percentage of their hash power
to do 51% attacks or denial of service
or whatever they need to do to make sure
that that network goes down in price.
And that attack might even be profitable,
especially if there are mechanisms to short
that sort of smaller project.
– Yeah, that’s a very good point.
I think most proponents of a coinholder voting
would argue that it is just not in your interest
to sell your vote because you’d be damaging
the value of the asset that you hold.
And you hold a coin, and if you sell the votes
associated with that coin,
and that might reduce the value of the coin
in some way that sort of results in a net loss for you.
But that analysis happens entirely in a vacuum.
It happens sort of assuming that there aren’t any kind
of external mechanisms via which you could profit
from the loss of value of this particular coin.
Like for example, what you’re mentioning,
competition between blockchains.
If I’m a stakeholder, a much larger stakeholder
in a competing network,
then I might have a strong interest
in reducing the value of this particular coin,
and that that’s associated
with this one competing crypto network
because it may result in a larger profit
outside of the system.
And so I think, yeah, the incentive structures
that are built in aggregate tend to be far more complex
and they kind of interact in ways
that tend to be difficult to analyze
and could result in complexity
that could ultimately result in attacks.
And you post, you talk a little bit
about what you refer to as the dark DAO,
which sounds like a fairly dark picture
of what could end up being the case.
In your view, what is the worst case scenario here?
How could this unfold in a bad way?
– Yeah, so there’s a lot of different variants
of the dark DAO which have different assumptions
in the post, some of them require trusted hardware,
some of them don’t.
But the ultimate point of the dark DAO
is that it’s a private smart contract
for attacking a vote, for vote buying,
that essentially hides from the rest of the world
how much money is committed to this contract,
who is participating in the vote buying contract,
and sort of how far along the contract is.
But sort of is a way to frictionlessly
and permissionlessly form a vote buying cartel
for a particular vote.
And this could be sort of a funding pool,
anyone can come contribute money to it.
So if it’s outcome specific,
it could be funded by anyone who’s interested
in such an outcome,
whether it be other blockchain projects,
users on the system, outside groups, whatever it may be.
So once this dark DAO is funded,
what it does is sort of offer up vote buying
to people in the system.
And if people in the system come take this vote buying,
they retain access to their funds,
they keep using their wallet as they normally do,
but they’re sort of shackled by the dark DAO
that for this particular vote,
they can only vote in this certain way.
And this is trustless
because both sides have some guarantees.
So the vote buyers or vote buying network
or whatever it may be has guarantees
that potentially no one will find out
who’s being bought or sold
and how much money is pledged to it.
They’re guaranteed that if they pay for a vote,
this vote will actually be executed in the protocol,
even if the protocol does have
the classic properties of coercion resistance.
Another sort of sidebar of the dark DAO
is that trusted hardware, which is a new technology,
sort of breaks all classical coercion resistance voting
schemes in the blockchain world
and in the regular election world.
So once they launch this attack
and they start buying and selling people’s votes,
they have a number of options available to them.
One cool thing you can do
is you can tell everyone in the cartel
when a certain threshold is reached.
Let’s say when like 70% of the,
or 10% of the votes are locked into this DAO.
And you can do this in a way that’s deniable
such that everyone inside the cartel can check,
yes, 70% is reached,
but no one outside the cartel has any way of knowing
that this is actually reached.
So you can enforce an information asymmetry
that allows for profiting through things like shorting.
You can also enforce stronger information asymmetries,
so not even allow the people who are being bribed
to know at any time how much money is in it
or even potentially whether they voted at all
if the scheme is receipt free.
So it’s a very, very powerful class of attack.
You can spin it up however you want.
It allows people to pool their money and buy votes
in a way that they can keep any part of that secret
to any group of people that they want.
And the outside system has no way of knowing
sort of how far along the attack is.
In some ways, it also represents a credible threat.
If I were to launch a dark DAO,
I might not even need to necessarily have people
participate in it.
Just its existence might be enough
to shake people’s confidence in that underlying vote.
So when we publish that blog post,
we’ve had a lot of reactions from voting projects
and other people in the space.
And I think there is a good question
of why haven’t we seen this already?
But at the end of the day, these systems are tiny, right?
Blockchains today are a drop in the bucket
of like the world financial system
and the incentives just aren’t there yet.
But if we are to use these technologies
and if we are to scale things,
I think these are absolutely realistic scenarios
and potentially nightmare scenarios.
– Yeah, that sounds insane.
And that’s definitely an outcome that is to be prevented.
And I think, I mean, this matters because
if we just take a step back and think about why is governance
so topical and so important in the world of crypto
and blockchains today?
It is because so much of what drives the space forward
in what is sort of the underlying philosophical motivation
is that power over these networks is decentralized.
And so decentralization here refers to
a bunch of different things at the same time.
Like people talk about decentralization
as it refers to sort of consensus,
like who gets to decide like who modifies
the underlying ledger,
but also decentralization applies
to who gets to modify the code.
These networks are decentralized in that
they’re kind of like self-governing organizations
and they don’t have at least philosophically
any central points of control where any one individual
can decide how to sort of modify the code
or make it work in any particular way.
And so all of these initiatives to try to build in governance
into the protocols are an effort to try to
sort of decentralize even that aspect
and to try to make it so that the code itself can evolve
in a way that is still community driven
and not kind of centrally controlled
by the core developer team.
– Yeah, I think the promise of a lot of these systems
is sort of this crypto economic security, right?
You have this mechanism and because the mechanism works
and the incentives are set up right,
everyone comes together harmoniously
and produces something that is bulletproof
and very strong because of the incentives and the mechanism.
An example of this is Bitcoin.
Because of the money paid to miners,
people are burning a small country’s worth of electricity
to try to secure this transaction ledger
that has actually worked fantastically so far.
So when you design these systems,
there needs to be some sort of underlying mechanism
and some sort of reasoning about the security
of that mechanism.
But what these technologies like the dark dial
and private smart contracts allow you to do
is use external money to sort of alter the incentives
inside that game and alter the security properties
that people are actually getting from their project
in a permissionless and trustless way.
So this does sort of speak
to the fundamental coordination of blockchains, right?
Like how do we design these games to coordinate people
to make choices in a way that’s not controlled
by one particular individual, as you said,
or some social trust hierarchy,
but by the economics of the system itself?
And in that model,
if you can’t be secure against economic attacks,
then you’re sort of building something
that doesn’t make much sense in my opinion.
And so I guess that’s a lot of what my work is looking at.
– Right, what do you think are the implications
of vote buying on proof of stake?
– So proof of work is where people use hardware
to sort of solve hard problems.
And if they solve the problem,
then they can post a block to the network.
Rather than using this mechanism,
proof of stake allows people to vote using their coins.
So they lock up their coins for some long period of time
and they can use any number of protocols to do this.
The core idea here is that instead of proof of work
where the economic security you get
is because people are doing this useless computation problem
that is sort of burning money
and there’s some costs associated with doing this,
is that people are paying liquidity costs
to lock up these coins for a long, long period of time
and they’re also taking risks
that they may incur penalties
if they misbehave in the protocol.
And with these liquidity costs,
they’re taking like massive volatility risks
in cryptocurrencies, right?
So if they do something that crashes the system,
well, their coins are locked up
and they’re going to lose money.
If the network decides they misbehaved,
well, they can get rid of all their coins
and they’re gonna lose money.
So it’s this idea of bootstrapping
the economic security of the network from the coins
rather than from some external hardware source.
Obviously that comes with a lot of trade-offs
that are maybe beyond the scope of this discussion,
but at the end of the day, it’s also a voting protocol.
You have these people with coins, they decide how to vote.
So where does vote buying come in here?
Well, obviously this proof-of-stake protocol has an outcome.
It decides what history of the network is valid
and this outcome has all sorts of economic implications.
It decides who gets to send money to who.
It decides who is censored in the system.
It decides what order transactions happen in canonically
according to everyone in the system
and with that comes a lot of profit opportunity.
So I can potentially profit by censoring you
or I can profit by putting my transactions in front of yours
when you wanna execute an order on a decentralized exchange
or I can profit in sort of any number of different ways
by manipulating this vote.
So what you can do with the dark DAO
is to start a staking pool where I say like,
you know, let me do my algorithmic trading
and decide what order of transactions
makes me the most money.
You don’t necessarily care
if someone who’s doing a transaction on a dex
gets front-run and loses like $5, right?
So you say, okay, I’ll happily participate in this.
It’ll still keep the value of my coins high,
especially if I don’t have a lot of coins
and you’re paying me like twice as much
as any other staking pool.
So it sort of opens these coordination mechanisms
for attacks on the underlying transaction history
and the underlying consensus.
– Do you think that there’s a way
of making a proof-of-stake network secure?
– It depends on your definition of secure.
I think it really depends on the type of security you want,
I guess.
– Yeah, and this all gets to the broader question
of like economic security of a blockchain.
And in the case of proof-of-stake,
the resource that’s used to secure the blockchain
is internal to the network.
In the case of proof-of-work,
it’s sort of electricity and like hardware
that’s used external to the network to secure the ledger.
And there are many other kind of approaches.
Like people are experimenting with doing useful work.
Instead of burning electricity uselessly
as you do in proof-of-work,
people try to build a sort of proof-of-space
or proof-of-spacetime protocols
where like for example, you’re able to store files
and storage becomes the resource that people use
to then secure the network.
What do you think of that kind of approach?
– So fundamentally to vote buying,
it doesn’t actually matter what resource you’re using.
Vote buying works for proof-of-work too.
So I could use dark DAO like technology
to start the mining pool.
And the properties of the mining pool would be
you come, you mine here.
I’ll pay you more than we’re making
because I have some external incentive
to censor someone or reorder transactions or whatever.
And then you get the dark DAO privacy properties
of no one knows how much hash power is participating
in this pool or who’s getting paid or things like that.
So these certainly also apply to systems
that use things like files and other useful work properties.
I think there’s a whole class of other questions
on the economic security of those systems.
So you have to be really careful
about where the economic security comes from.
I think you have to be really careful
with what useful means.
Whether the fact that it’s useful also introduces
any external incentives to mess with it, right?
So you could imagine like if the useful thing
the network was doing was like powering a search engine
or something, right?
Those results are valuable
and they bring external actors in who want to manipulate that.
And there’s sort of this feedback loop
between the mechanism securing the protocol
and the utility of what the protocol is actually providing.
But there’s definitely some people in the community
that look at that and say this is all way too complicated.
This is never going to work.
You have to have it be useless
because there’s no external incentives
and messy things that way.
I personally think that’s an open question.
– Yeah, there’s this argument that people make
that if the resource that is used to secure the network
is very commoditized
and just generally exists in the world
in the world in sort of plentiful quantities
that for example, in the case of storage,
if storage is the resource that’s used to secure the network
then anyone with a bunch of storage
could presumably attack the network.
Whereas in the case of a network like say Bitcoin
where you have ASICs that are specific to the network
in order to attack the network
you have to get your hands on those ASICs
and those ASICs aren’t useful for anything
but mining Bitcoin.
So people would argue the security of that kind of
the economic security of that kind of model is better.
– Yeah, and Joe Bono has a fascinating line of work
on these problems.
So if you Google Goldfinger attacks
he has a paper and a presentation.
There’s also the question of like buying versus renting.
So if something is very commoditized
you may be able to rent it
which substantially subsidizes the tax.
You may be able to buy it, perform the attack
and then resell it into the commodity market
which again substantially subsidizes the attack.
So these are all open and very complex questions
but people will build the systems and we’ll see.
This is sort of a classic pattern you see
in traditional finance.
And then you’ll have sort of black swan
and tail risk like events that surprise people.
– So we’ve talked a lot about governance in general
but you obviously are working on a ton of interesting stuff
just generally with respect to economic security
for crypto networks and blockchain
just the computer security.
What are some of the other interesting ideas
or sort of lines of work that you’re exploring?
– So one that I’m extremely personally interested in
is fairness guarantees for users around these systems.
A lot of what attracted me to them in the first place
was this promise of sort of eliminating the middleman
and making things in control of the user.
Like be your own bank, you don’t need these institutions
to tell you how to set your money supply
or how to route your transactions
or what exchange to use, et cetera, et cetera.
I look a lot at those guarantees
and sort of the ways in which modern blockchain solutions
are failing to meet those guarantees.
So one example of that is in the decentralized exchange space.
That’s something that’s seen a lot of promise
from people who wanna build these exchanges
that aren’t vulnerable to hacks and other user fund theft.
Unfortunately, the way these mechanisms
that people are building interact with the blockchain
is very complex and opens the door for external actors
to make a lot of money from front running them
and make a lot of money from doing algorithmic trading
on the network and everything that you see
in the traditional financial world.
So some of my work is around how large is that economy
and what are the failures of those guarantees?
– What are some interesting results so far on that front?
– So it’s actually probably a bigger market than you think,
even though DEXs have not seen substantial volume.
So this is a big problem for users.
It also highlights a lot of weird quirks of these systems,
such as like allowing for typos that end up costing users
a lot of money when programmatic actors soup in
and sort of take advantage of these inefficient mechanisms.
And it also raises fundamental questions about, I guess,
whether we’ll be able to do something that’s different
from the current financial system
because there are still these information asymmetries
that come up and this is a worldwide network.
And at the end of the day,
someone is still ordering transactions.
So is this rent sort of implicit to all blockchains?
How large is it?
And does it threaten the security of the overall blockchain?
Which I think it may.
– So I think one very interesting line of work
that you did was around gas token
and tokenizing gas on the Ethereum network.
– So this sort of came out of this arbitrage project.
We wrote a blog post very early on,
last I think October, November,
essentially saying decentralized exchanges are flawed.
You can just run this 20 line Python script
and you can profit off of users in a way
that was maybe not foreseen
and is not sort of explicitly stated to them
because of how inefficient these mechanisms are.
And before we wrote this blog post,
we were actually doing this to test it, right?
And we said, we made X dollars, whatever.
After we wrote the blog post,
sort of this cottage industry spawned
of like a few dozen people who are competing
in sort of this market and trying to outbid each other
to get their transactions first in that mind order
and take advantage of these opportunities.
So we’ve been studying that market for quite a while
and competing against these guys.
And unfortunately at some point,
they started out competing us.
So we started competing on what’s called gas,
which is the price you’re willing to pay
per unit of transaction.
The way it works is you make a typo Ali,
it puts a million dollars on the table
for anyone who can get their order in ahead of that typo
and sort of take advantage of your typo.
And then I would like to do a $5 transaction
to take advantage of Ali’s mistake, right?
And then maybe someone else is willing
to do a $10 transaction
’cause it’s a million dollar opportunity, right?
So we sort of get into this bidding war of like,
minor, please pick me first, minor, please pick me first.
That’s inherent to how these transactions
are ordered by miners.
And what we noticed is that when you have like 10 of these,
we were rarely profiting
because we didn’t have the best latency,
we didn’t have the best infrastructure
and they were getting their bids out faster.
They were getting them two miners faster
and they were willing to bid up higher than we were
to essentially take these opportunities.
So that’s where gas token came in.
It’s a way to sort of store this gas for the longer term
rather than just paying for it when you do your transaction.
So gas is the transaction fee.
And usually you say, okay,
I’m willing to pay a $100 fee for this transaction.
Instead, what you could do is sort of bank
a transaction’s worth of gas
and then just deploy that bank gas
and not pay as much fee
for the transaction you are doing.
And that works by taking advantage
of this fundamental issue in Ethereum’s resource model
which has to do with how you pay
to sort of incentivize people to clean up after themselves.
So in Ethereum, you actually give people a refund in gas
if they delete something they stored in the network previously
to incentivize them to not leave garbage around
that everyone has to store forever.
So what we do is when gas is cheap,
we fill the Ethereum state with junk
and then when it’s expensive, we delete this junk
which gives us a refund at that higher price
that we can use to subsidize these arbitrage transactions
which often costs thousands and thousands of dollars in fees.
Like people are bidding multiple thousands,
even tens of thousands in fees on these transactions.
– Right, and so to clarify for those not already familiar,
so gas is basically the resource that you use
to pay for computational resources
on the Ethereum blockchain.
So if you want it to buy computations, say instructions
that miners will execute for you, you pay for those in gas.
If you want it to buy a storage,
you similarly also pay for storage in gas.
And the current model of Ethereum is that you buy
some storage on the blockchain for a fixed price upfront
and then that storage sort of remains
on the blockchain forever.
And the Ethereum blockchain has this mechanism
that if you were to delete that storage,
if you were to free it,
then you will receive a refund for the amount that you paid.
Some refund for what you paid originally
for that amount of storage.
And so you’re basically saying that when gas is very cheap,
you can sort of fill storage on the blockchain
and then reclaim a refund later once gas is expensive.
And sort of the gas will be worth more at that point
than it was when you stored it.
And you could sort of leverage that
to kind of increase the amount of gas
that’s available to you.
– Yeah, and our fundamental observation was that
this is basically a derivative on gas.
It’s like a call option on some gas.
It led to the broader question
of how are these resources actually priced?
Like how do people choose how much is paid for storage?
How do people choose how much is paid for computation?
And in what ways are these suboptimal?
– So you mentioned the current model of pay one store forever.
That’s something we certainly address in our work,
proposing more of a rentful scheme
where you have to pay for ongoing costs at market rate.
There’s also the issue of who’s getting the payment.
So the fact that the miners get payment for storage
when the miners actually don’t need to store the whole state
and it’s the full nodes that bear the cost.
So this sort of asymmetry between who’s bearing the cost
like where the externality is
and like who’s actually profiting
is super important to study.
It leads to a sort of tragedy of the commons
in the worst case where the miners are happy to take payment
for as much storage as you want
because they don’t have to store it and they don’t care.
As long as they don’t break the whole network,
they’ll happily push out as many full nodes as they can.
So these are broader questions.
We have a broader initiative called Project Chicago,
which you can see at projectchicago.io.
That basically is studying these questions
of crypto commodities.
What are the underlying commodities behind blockchains?
For example, computation, relay network and storage.
How are these commodities priced?
How can you exploit these commodities?
How can you exploit like the relay network
to get information about people’s transactions earlier
or the computation layer to sort of, I don’t know,
do this kind of gas refund or something like that.
So there’s a lot of interesting work in that direction.
– Yeah, by the way, why is it called Project Chicago?
– So it’s called Project Chicago
’cause our inspiration is sort of the Chicago mercantile
exchange.
That’s how businesses hedge against volatility
and sort of price commodities in real world markets.
So we think of this as sort of exploring something similar
on blockchains and asking like,
is that the right model or can we do better
now that we have all these decentralized tools
at our disposal?
– Best painting.
Well, thank you so much for coming on the podcast.
– Yeah, thanks for having me.
with Phil Daian (@phildaian) and Ali Yahya (@ali01)
Whether in corporations, boardrooms, or political elections, voting is something we see in all kinds of social systems… including blockchains. It’s the natural human tendency for how to organize decisions, and in distributed systems without centralized middlemen, it’s the only clear Schelling point we can come up with.
But too many people design voting mechanisms in distributed systems in isolation — sometimes naively ”porting over” assumptions from the real world or from simple cryptoeconomic models without thinking through the economic adversaries present in a larger, more rational (vs. ”honest”) game-theoretic system. So how are blockchain systems different from real-world paper and electronic voting systems? How can such systems be gamed, and what are the implications for cryptoeconomic security… as well as the governance of distributed organizations?
This hallway-style episode of the a16z Podcast covers all this and more. Recorded as part of our NYC roadtrip, it features Cornell Tech PhD student and software engineer Phil Daian, who researches applied cryptography and smart contracts — and who also wrote about ”On-chain Vote Buying and the Rise of Dark DAOs” in 2018 (with Tyler Kell, Ian Miers, and his advisor Ari Juels). Daian is joined by a16z crypto partner Ali Yahya (previously a software engineer and machine learning researcher at GoogleX and Google Brain), who also recently presented on crypto as the evolution — and future — of trust.
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.
