The trustlessness attributed to public blockchains is a mirage. Trust or in other words, counterparty risk, not only still exists, but often exists where stakeholders can’t easily identify it. In this post I will attempt to extrapolate where trust lies in the blockchain ecosystem and subsequently draw conclusions as to what trade-offs are made in migrating from legacy systems.
Satoshi Nakamoto introduced Bitcoin to the world as a peer-to-peer system for electronic cash. His proof-of-work solution to the double spend problem inherent to digital currency was designed with the goal of removing trusted third party intermediaries from electronic payments. His method is clever but exceedingly inefficient with enormous resources required to secure transactions and by corollary the money supply. Nakamoto, according to his writings, felt the cost of fraud and mediation that arises from the possibility of reversible transactions outweighed the cost of achieving consensus across many nodes. The resilience of the Bitcoin network as a result of its decentralised structure without a trusted third party guardian is indisputable. It has been enormously successful in facilitating regulatory arbitrage payments, which has given it a floor as a store of value and ergo an attractive investment in the eyes of many. In addition, many other blockchains that secure other forms of contractual relationships have emerged, most notably, Ethereum – a blockchain that was built to secure any type of contractual relationship. The replacement of the centralised third party with machine consensus lead many to call blockchain protocols ‘trustless’ systems, a term which is now often diluted to ‘trust-minimised’ systems. In this post I will interrogate the veracity of this statement.
Guardians of the Ledger
It is indisputable that a trusted third party has huge scope to censor and in some cases reverse transactions. Satoshi, and subsequent blockchain developers have sought to make the possibility of reversing transactions highly infeasible through carefully designed economic incentives. The assumption of Nakamoto consensus, is that the cost for a malicious miner to attack the system vastly outweighs the benefit in attacking it as long as the majority of miners are honest. However, a coordinated majority of over 51% of miners can, with little cost, engage in double spend attacks, censor transactions and even dispossess users of their bitcoin through the erasure of accounts from the ledger. This hasn’t occurred up until this point as miners, as a group, have further rationalised that their long-term investment in mining equipment would be threatened by engaging in such attacks, since investors would likely lose confidence in the currency given it is its censorship-resistant qualities that gives it value. It is this rationality that keeps a majority of miners honest, thus far ensuring Nakamoto’s assumption is held. In other words, the reason miners don’t engage in these attacks is that they don’t want to damage their commercial interests. If one considers it, this forms a large part of why we trust centralised third parties not to break contractual agreements too. If they betray customer’s trust, they can be punished by the courts and/or damage their business image and consequently their profits. We therefore trust both miners and known trusted third parties to act rationally (in the social sciences meaning of the word) and secure our transactions and funds.
Satoshi only considered miner behaviour within the scope of the protocol rules he defined. However, since a majority of miners determine the valid chain, they can collude to enact a protocol change or prevent other proposed changes. Since protocol changes are likely to be far more subjective and open to debate, this places great power in the hands of the mining interest group. Other newer blockchain consensus algorithms have taken this into account in introducing definitive financial punishments for unilateral miner political action beyond a possible depression of the asset price. Regardless of the system however, overcoming an unrepresentative mining political force requires community action to hard fork the software to remedy it. Whether this remedy is regarded as theft or just punishment is down to politics as opposed to any codified law. Further, the remedy relies on diverse stakeholders overcoming the collective action problem, which is never an easy task to accomplish. In these cases where a user-initiated hard fork of the software is required, all users need to update their software or else risk losing funds from transacting on the wrong chain. Consequently, users have to trust themselves to be a lot more vigilant in blockchain ecosystems. This has led some to describe the blockchain space as a caveat emptor environment. If the Bitcoin mining majority choose to repeat the action/attack, the only defence the user base has is to initiate an algorithm change in order to allow new miners into the system and prevent a recurrence of the attack. Collectively deciding on this may be extremely time consuming and challenging leading to a period of great uncertainty and risk for the network(s). In the future proposed plans for Ethereum, such algorithm changes would not be required as long as the deposit forfeitures miners may incur act as a sufficient disincentive. None-the-less collective action to remedy the situation is still required. In legacy systems on the other hand, victims of malicious third parties rarely have to organise a group into collective action as generally a remedy can be found within the institutions of the state. Victims simply have to report the crime to the police who will then use their resources to investigate and remedy the matter if they can.
The problem with founding systems on economic incentives alone is that it is likely impossible to account for every incentive every actor possesses. Satoshi (Bitcoin), Vlad Zamfir, Vitalik Buterin (Ethereum), and many others, have attempted to account for the rationality of actors in terms of fiat profit and loss on mining equipment or the asset required to stake. Of course, this is all they feasibly can account for. Bitcoin’s and to a greater extent, the economic assumptions of Ethereum’s proposed model, are thus likely hold if you consider the BTC/Fiat or ETH/Fiat pairs in a vacuum. The problem is, in the real world, they don’t exist in a vacuum. The stakeholders involved can have any number of competing economic interests that may incentivise them to act maliciously and thus incur a fiat loss on a particular blockchain asset in return for higher gains elsewhere. Evidence of such competing incentives already exists simply by looking at the blockchain space alone. For example, since the Ethereum network permits multiple currencies, at one point, the validating majority may have stood to gain more by altering the ledger to protect an investment they had made in another token. This alteration need not always be for the benefit of the network as a whole even if it did appear to have strong support on this particular occasion. In other circumstances miners may also realise their gains before any collective remedy could be coordinated. Further there are murmurings the dominant player in Bitcoin mining has substantial holdings of ether. In a market where capitalism is the only law, it is therefore far from a remote possibility that miner/validator attacks would occur. In fact, if one employs the same rational choice theory Satoshi did on a broader spectrum, it is entirely expected that they would occur. When privacy technology becomes more prevalent and attacks less risky for the perpetrators (if deemed illegal), we may even see an increase in their amount and see them occur on higher value blockchains. If the attacks were solely inter-chain, one might rationalise that eventually they would end up damaging the space as a whole and would possibly cease. However, this is far from a certainty and one can unquestionably not discount attacks from forces external to the blockchain community in any event.
Those wishing to hold crypto-currencies are thus involved in a constant guessing game of which blockchain is currently the most attack-resistant and as seen from the Bitcoin example above, this need not necessarily be the most valuable one. Far from it. All blockchains, all economic actors and all blockchain assets exist in an almost completely unbridled free market. If there’s one thing free markets do very effectively, it is prevent monopolies from forming meaning the blockchain space is likely to remain in a constant state of flux. Many network maximalists argue that the network effect will result in one network becoming dominant, but due to the fact blockchains depend on economically incentivised actors for their very utility, I have become highly sceptical this would be the case. Unlike in the case of value agnostic (no redistributory effects) network protocols such as HTTP or TCP/IP, there is simply too much opportunity for well-organised players to profit from disrupting any potential network hegemony. This is especially the case given how difficult it is for blockchains to scale (decentralised structure) and upgrade (require consensus) to respond to technological advancements from competing alternatives. The only way I can see one network triumphing and delivering an equivalent level of stability (trust) to that of legacy commerce and financial systems, is in the case of one winning over the collective minds of international governments. However, if we’re relying on governments to tell us which blockchain is ‘the blockchain’, this naturally begs the question, why go to all the trouble of game theory and decentralisation in the first place?
It could be credibly argued that users actually have to trust miners and validators more than they have to trust known third parties. In the blockchain space you trust transactions to be executed and your funds to maintain value due to economic incentives. If you are a party that was unlucky enough to accept a crypto-currency for goods and services on ‘the wrong chain’ in the case of a fork, you have to trust the purchaser to be honest and reimburse you. In legacy systems you trust your transactions will be executed and your funds not to be stolen due to economic incentives AND punishment through force by the institutions of the state. Additionally, since systemic changes that create global risk aren’t required to remedy individual attacks, the value of the asset in question isn’t likely to be affected by the dispute.
If you transact on the internet it goes with out saying that you employ computer software to do so. When you transact in legacy systems, you do so through the proprietary software silos of trusted third parties. The proprietor thus has fiduciary responsibility with the users’ data and assets. If something goes wrong, they are accountable. Since blockchains are permissionless systems, anyone can write a software implementation for a particular blockchain. Anyone else can download this client and use it without engaging in a formal contract with the developers. This provides quite a lot of scope for programmers to write a malicious client that can steal people’s assets. Again this adds to the caveat emptor environment that open blockchain systems induce. As in the case of malicious miners and validators, it may be difficult if not impossible to hold the thief to account in such a situation. Further, Ethereum permits people to write applications that actually exist on the blockchain. If there is a bug, intentional or otherwise, the results can be catastrophic. Due to the division of labour in society, most users don’t have the knowledge to perform due diligence themselves and therefore must trust the developers and the people auditing them. As in the case of the DAO hack, bugs may not be spotted and assets lost as a result.
There’s an old saying in tech diaspora that “software is never finished”. The blockchain space is not unique in this regard, the only difference being that protocol changes require strong consensus amongst many stakeholders in order to avoid a damaging fork. However, As mentioned above, what constitutes a protocol improvement is entirely subjective. This means upgrades will often be political. Since this is the case, upgrades are best viewed as pieces of political legislation. Analogous to national parliaments, in the blockchain space any member can initiate a ‘bill’ and if it gains enough support, it will pass. As mentioned above, miners and validators have tremendous power in vetoing legislation, a veto which can only be overcome through their overthrowal by the polity. However, software developers have governance power in this regard too, they have the power to initiate legislation. For a long time this power was largely neglected by political scientists in analysing political decision-making systems. However it is now known to be a very powerful position to occupy if the proposer has good information of the global preferenential set of voters. They can thus position the legislation in a space where it is likely to get passed. The enormous success of the European Commission in achieving consensus amongst competing EU Member States with varied interests solely from its ability to ‘bat first’, is an excellent example of this power. Again, due to the division of labour problem, in the blockchain space there are actually very few people with the ability and understanding to enact protocol improvements. The cult of personality that thus surrounds influential developers provides them with huge scope with which to shape the future of the protocol. If they collude with a majority of miners/validators, they are placed in an even more dominant position. Ordinary users must therefore have great trust that they have the interests of the whole protocol at heart.
In sum, compared with legacy systems, it can be objectively stated that users must have far greater trust in those developing the software they use to transact on in the blockchain space.
Conclusions and Thoughts
Trust is something that envelopes everything thing we do. If we reduce our reliance on it in one way, we increase it in another. In the blockchain space, it is clear that trust isn’t removed but rather reassigned. The risks and costs of fraud and mediation in legacy systems are merely replaced with risks and costs of economic incentives and collective governance in anarchy. It is clear that despite these systems being built to have no central authority, the natural order of things has dictated that informal hierarchies have indeed emerged. It is also true that when hierarchies exist, trust becomes a fundamental part of the relationship between the governors and the governed. For this reason, some have declared miners and developers to be fiduciaries, which naturally places them on the very same standing as a trusted third party in legacy financial systems. However, since they are not as easily held to account as traditional fiduciaries, one can only come to the conclusion that the reassignment of trust in the blockchain space comes at the expense of ordinary users.
The only truly discernible way risk appears to be clearly reduced for a particular type of user in the blockchain space, is for those users engaged in illegal activity. Public blockchains are resilient to government censorship as they are governed by diffuse actors and cryptography as opposed to the institutions of the state. They are thus highly resistant to government influence. If one wades through all the blockchain hype and rewinds the clock to observe the context of the Bitcoin whitepaper emerged from in 2008, it is actually quite obvious that this conclusion is the case. In 2007, there were two main digital currencies, the Liberty Dollar and E-gold. The former was shut down by Federal prosecutors and their creators indicted for various crimes, and the latter had begun actively assisting authorities in prosecuting criminals using E-gold. Despite this, in 2009, subsequent to the release of Bitcoin, E-gold was shut down and its owners also indicted. When Bitcoin is released a year later by an anonymous persona, as a decentralised system with no central authority for governments to censor, one doesn’t have to read between the lines as to the intentions of the creator: he wanted to create something that couldn’t be shut down by powerful adversaries. The removal of the much-maligned trusted third party – and its replacement with proof-of-work and a distributed ledger – wasn’t and end in-and-for itself, it was merely the means through which he wished to achieve his ultimate goal. In other words, fraud mitigation may not really what he was hoping to prevent; it was likely to have been government censorship. Trust is assigned according to a threat model and the threat Satoshi wished to counter above all else was the government. If he believed no nation state regime would attempt to eliminate Bitcoin, I don’t believe he ever would have designed the blockchain.
When this key point is understood, one can infer that if the government isn’t in your threat model, you may prefer to choose a federated ledger with a USD-backed token as opposed to a blockchain with its scaling limitations and governance risks. There are also plenty of tools – both cryptographic and legal – available that are very effective at minimising third party counterparty risk. I must emphasise that this conclusion isn’t a denigration of blockchain technology. I find it a very interesting and worthwhile field of study. However, I do believe its future is likely to be the new British Virgin Islands as opposed to the new Wall St.