There’s no point in being nuts if you can’t have some fun with it. — “John Nash”, A Beautiful Mind (2001)
Page through the articles on blockchain today and you will see healthy discussions over its applications and endless debates over the future price action of someone’s favorite cryptocurrency. Yet rarely among all these topics is any mention of the most fascinating notion at the heart of the movement — blockchain as a novel means to incentivize desired human behavior.
In many respects, the miracle of blockchain tech is that it allows us to grow crops in a desert and breed chickens in a foxhole. Using cryptography, the blockchain concept allows us to definitively prove what transactions actually happened in the past. Through game theory and economics incorporated into the design of blockchain protocols, the system incentivizes stability and this common good to hold into the future. All of this in an anonymous, hostile, and digital world filled with hackers, scammers, pirates, and trolls!
This is cryptoeconomics, a term so fresh that you’ll need to select “Add to Dictionary” when running spellcheck. When you dig deep enough into the concepts underlying blockchain technology and specific systems built on it, you will find that they heavily incorporate cryptoeconomic tools specifically designed to minimize the impact of evildoers and hostile actors.
While there are many definitions with slight variations floating out there, for the purposes of this article I will base our discussion on the definition published on the Ethereum wiki.
Cryptoeconomics refers to the combinations of cryptography, computer networks and game theory which provide secure systems exhibiting some set of economic dis/incentives.
In this article, I will discuss these economic incentives as they relate to blockchain, explore some security assumptions behind cryptoeconomics, and describe how the Ethereum platform’s new Casper “the friendly ghost” protocol was designed with these ideas in mind.
Incentives and Byzantine Fault Tolerance
Incentives are a central component to game theory and economics in shaping human behavior toward a common good. While cryptography, or the encryption and decryption of blocks in the chain to effectively create a provable past, is universally accepted, there is still some divergence and debate when it comes to whether systems of incentives are actually needed to create successful cryptocurrencies or platforms.
We cannot go on without a brief discussion of an issue underpinning the decentralized digital economy, the Byzantine Generals’ Problem.
The glorious Byzantine army has surrounded and set siege to a castle. The generals, physically separated and commanding different units of the army, realize that that they need to decide on a coordinated attack or coordinated retreat. It is important that the majority commits to one or the other, as a mistimed or halfhearted attack would mean major losses and a far worse outcome for the Byzantines.
Unfortunately, there are an unknown number of traitorous generals in the Byzantine ranks who would like nothing more for the campaign to end disastrously. They may send conflicting messages to different generals in an attempt to sabotage the effort. Furthermore, since messages must be relayed by messenger, it is also impossible to tell if these messages are forged or authentic.
The central question is this: in a system where consensus is absolutely necessary, how can a unanimous agreement be reached by good processes in the absence of trust? In other words, how can these generals overcome the traitors within and reach a coordinated, majority decision?
In computer science, the capability of a system to resist failure from faulty components that prevent other critical components from reaching a necessary consensus is termed Byzantine fault tolerance (BFT). So how is this relevant to blockchain and the discussion around incentives?
In a cryptocurrency such as Bitcoin, in the absence of a protocol addressing BFT we would be completely in the dark without some centralized authority. Just like the generals, Bitcoin nodes (computers sharing and propagating the blockchain) need to know what transactions are valid. For instance, like the traitorous generals and their dubious messages, people could spend bitcoins and simply tell other nodes they had never spent them. The key problem in decentralized digital currency is that no one knows who or what to trust.
Bitcoin’s answer to the Byzantine Generals’ Problem is the proof-of-work (PoW) protocol on top of the blockchain. As you’ll find plenty of discussion and other materials about PoW out there, the general idea behind this protocol is that it makes it as difficult as possible for someone to manipulate a vote due to the significant expenditure of resources (time, electricity, and processing power) required. To log a vote, each “general” would have to complete a very difficult mathematical problem that would be instantly shared with the others, who would then have to solve another difficult problem on top of it. This chain of “work” creates an ironclad transaction history while making it prohibitively expensive and time-consuming for attackers to rig anything.
Incentives come into play to encourage participants to maintain the protocol— Bitcoin “miners”, the people who log these transactions, are incentivized with a reward of 12.5 bitcoin and transaction fees every time they apply their computing power and successfully post verified transactions onto the blockchain. In this way, they are rewarded for performing a critical service to Bitcoin, the broadcasting of blocks filled with valid, verified transactions.
In the Ethereum platform, the proposed proof-of-stake (PoS) protocol goes further with a punishment to disincentivize malevolent activity. In PoS, validators must put up a sizeable ante of Ethereum in lieu of electricity and computing power in order to participate in the system. In the event that validators do not act to the system’s benefit, they risk losing their entire stake, or deposit.
So are there any drawbacks to incorporating incentives? Since the protocols of the two major players in the crypto-scene have such a strong focus on cryptoeconomics, it would appear that well-designed incentive systems are critical to any blockchain tech’s success. MIT Professor Silvio Micali, a central authority in the world of cryptography, disagrees.
As reported in this Coindesk article, Micali believes that incentives should be used as a last resort because they can lead to many negative externalities, and cites Bitcoin as an example. The incentives in the Bitcoin PoW system led to “industrial-scale mining pools”, where Bitcoin miners pool their resources together and split up the rewards. Observe the dominance of of these pools in the graphic below:
Incentives gone awry? Bitcoin Hashrate Distribution, July 2017
The advent of these massive mining pools and the consequent power bestowed on the organizations behind them really begin to challenge the idea of Bitcoin as a decentralized cryptocurrency while increasing the possibility of 51% attacks, which we’ll discuss later. In short, if the trend continues, we may reach a state where new bitcoin discovery is almost completely dominated by the largest miners.
Micali instead proposes Algorand, an incentive-less public blockchain that attacks the Byzantine Generals’ Problem by swapping out the generals in each round through a randomization process. While I won’t discuss the mechanics in detail here, this approach avoids the amount of computation resources needed for proof-of-work and yields faster transactions as a result.
The differing approaches revolve around the interesting philosophical question about whether humans are dominated by their altruistic or selfish urges as a whole. Proponents of Micali point to chronic, altruistic seeders on Bittorrent and distributed computing projects like [email protected] as evidence that we do not always need incentives to promote altruistic behavior. Meanwhile, Vitalik Buterin and Vlad Zamfir of the Ethereum Foundation are firmly in the opposite camp, believing that without incentives and penalties, people can be at best apathetic (why even log on?) and at worst malicious.
While the bulk of the blockchain movement embraces the idea of incentives and cryptoeconomics, it is definitely possible that Micali’s system and variants of it may take root in parallel.
It is an open question of whether you need incentives or not, and I don’t think it can be determined in an academic model. It is actually going to be determined by evidence. You launch something and you see what happens. — Charles Hoskinson, Previous Ethereum CEO
While Bitcoin’s PoW system is not perfect, the fact remains that the paradigm-shifting, cryptoeconomic principles it was built on (cryptography to secure the past, economics to ensure the future) have led to its survival and adoption for almost a decade.
Cryptoeconomic Assumptions of Behavior
The exciting thing about cryptoeconomics is that its terminology and theory are being pioneered day-by-day by blockchain developers and thought leaders. To underscore the cutting-edge innovation within this field, some of the terms associated with cryptoeconomics have less than 100 results when googled at the time of writing! While many of the ideas in this area are very theoretical, rest assured that their application will have incredible consequences on the development and adoption of blockchain technology.
That said, the focus of cryptoeconomics is to design robust protocols that can govern decentralized P2P systems and digital economies. In other words, cryptoeconomic concepts and techniques should be applied to shape behavior leading to desired outcomes.
Today, as a result of Satoshi Nakamoto’s innovations, Bitcoin runs on the back of a PoW incentive system that both nearly conquers the Byzantine Generals’ Problem and promotes participants’ efforts to maintain it. However, for the negative externalities Micali identified such as the push toward centralized mining pools with significant influence, the PoW protocol cannot be considered cryptoeconomically efficient. While Micali points toward this as evidence that incentive systems are detrimental overall, proponents of cryptoeconomics would instead suggest that the incentives or penalties do not go far enough and are not applied optimally.
So through what kind of lenses should we assess a protocol? Developers at the Ethereum Foundation utilize the following security models in their analysis. These assumptions of participants’ behavior are the basis for protocol design.
Honest majority model — the traditional fault-tolerance assumption that 51% or more of participants are fundamentally honest, “nice guys”. This model is largely rejected in the cryptoeconomic community and is often considered wishful thinking in a pseudonymous, decentralized digital landscape.
Instead, in cryptoeconomic research, we are far more cynical. We obsess over assumptions regarding attackers — namely how coordinated they are, the budget they have to mount the attack, and the actual cost incurred by the attack)
Coordinated choice model — assumption that all the protocol participants are united under the same coalition or agent.
The large Bitcoin mining pools are a good example here. Since the majority of Bitcoin hashpower is controlled by a small handful of people, collusion is quite a realistic and threatening scenario. With the rise of mining pools, a 51% attack, where a single agent (or colluding agents) is able to manipulate the Bitcoin blockchain by controlling over half of the mining hashrate, is in reality quite feasible.
While the agent would not be able to rewrite previous transactions, steal coins from wallets, or wreak any serious havoc, he or she would be able to prevent other miners from posting blocks and “double-spend” bitcoins using both chains. Overall, the deterrent seems to be the action’s own self-defeating implications — such a collusive or massive effort would only devalue Bitcoin as a whole since participants would lose trust in the system and refuse to acknowledge transactions during this time.
Rare sighting of 90% of Bitcoin mining power in one room.
Uncoordinated choice model — assumption that all protocol participants do not coordinate with each other, are smaller than a particular size, and have their own goals.
This is the true idea behind “decentralization”. The Bitcoin protocol was built on the assumption of a universe of small, self-interested participants that do not or cannot coordinate.
Bribing Attacker Model — this assumption builds on the uncoordinated choice model, but also assumes that an attacker exists with enough resources to incentivize other participants to take certain actions through conditional bribes.
This model is already described at length in the SchellingCoin case brought forward by Vitalik and other writers. For flavour purposes, I’ll provide a quick and abbreviated example:
Let’s say in the universe of the uncoordinated choice model there exists a game of thrones. Participants in the game will vote on whether they want to sit on an iron throne or a styrofoam throne. Everyone who voted in the majority will win $100, while everyone in the minority will get nothing.
In this game, the assumption is you would vote to sit on the Iron Throne because you want to rule the Seven Kingdoms and because sitting on a styrofoam block sucks. You also believe the majority will do this for the same reasons. Since everyone else arrives at the same conclusion you do, the majority vote will go toward sitting on the Iron Throne and everyone will collect $100.
However, let’s say a malicious styrofoam executive is out to promote his non-biodegradable wares. In a fit of cunning, he sends everyone a conditional offer: “Vote for the styrofoam block, and if you’re in the minority I will personally give you $110!”. Because he has a long history of always paying his debts, everyone knows that he is good for this commitment and has the budget to pay it.
Diagrams showing your payout depending on the actions taken in the game of thrones
Suddenly, the equilibrium shifts. Now it makes sense for you to vote for the styrofoam throne — if you’re in the majority, you collect $100, but if you’re in the minority, even better, you’ll walk home with $110. Since everyone else again arrived at the same conclusion you did, the majority will vote for the styrofoam and the executive will allow himself a hearty chuckle, not having to pay out at all and achieving his goal at zero cost. Truly, his threat of benevolence was his masterstroke.
This is formally known as the P + epsilon Attack, and the Bitcoin protocol is just as susceptible to this strategy! Substitute the iron throne for the main blockchain and the styrofoam one for the attacker’s chain and you should be able to see the vulnerability — a malicious actor incentivizing the majority of other miners to accept a deviant chain. Nonetheless, due to the extensive budget an attacker must be able to credibly reveal in order to pursue such an attack, Bitcoin’s proof-of-work protocol has persisted despite this flaw.
Ethereum’s Proof-of-Stake: The Next Experiment
I want to impress upon you that the developments in blockchain tech are driven by the implications of these security models. As Nick Tomaino of the Control writes, “Cryptoeconomics is the fundamental catalyst for this whole movement.”
To assess the design of protocol capability to mitigate these existing and theoretical flaws in these security models, developers utilize two concepts:
The first is the cryptoeconomic security margin, which measures the consequences (in dollars lost) of those violating a protocol guarantee. Theoretically, since the attacker can execute the P + epsilon attack at zero cost provided he or she has the budget, Bitcoin’s PoW system can be said to have a cryptoeconomic security margin of zero!
Cryptoeconomic proof is somewhat similar; it is an assurance or message from a participant in the network that something is true. In the event that it turns out not to be true, that participant will lose a certain amount of money.
So let us examine the most ambitious project on blockchain tech today — the coming Casper update to Ethereum that attempts to drill to the heart of these problems by switching the platform proof-of-work to proof-of-stake. While a discussion about the intricacies of Casper’s Proof-of-Stake (PoS) system is beyond the scope of this article, in short PoS seeks to provide a very large cryptoeconomic security margin by enforcing large security deposits of Ethereum in lieu of computing power in order to serve as a validator. This security deposit, or cryptoeconomic proof, acts as a potent deterrent. The message is clear — cause trouble and lose everything!
Casper forces participants to enter a SchellingCoin Game (as outlined by our iron-styrofoam throne example) where they are forced to bet their security deposits on what the majority will be. Using the same recursive logic we discussed in the iron throne game, the majority of participants will accurately vote on which transactions are valid because each participant expects everyone else to reach the same conclusion. As such, PoS is resistant to the P + epsilon attack because the attacker will have to credibly show an enormous budget to subsidize the participants’ security deposits in the event that they end up voting in the minority.
In the context of the security models, we can see Casper’s resilience in the uncoordinated choice model and from bribing attackers. Casper is also theoretically susceptible to the 51% attack stemming from the coordinated choice model. However, like Bitcoin, as Ethereum grows the costs of doing such an attack are so prohibitive as to almost completely discourage it. In Casper’s case, the threat of losing the stakes of all involved is an even stronger deterrent. To read more about the development of Casper, check out Vlad Zamfir’s series.
While many elements of Casper are highly theoretical and the proof-of-stake protocol itself has invoked its fair share of debate, it is evident that this transition is almost entirely cryptoeconomically-minded and meant to address many of the shortcomings of the PoW system. Slowly but surely, thinkers in the blockchain space move the needle ever further in our understanding of what optimal protocol design looks like in a decentralized, digital economy.
Some critics of blockchain technology as a whole are uncomfortable with the idea that there are so many attack vectors that are theoretically plausible today. I think it is worth noting that, given enough money and time, an attacker will always be able to do damage in any system. Cryptoeconomics stands as a critical bulwark that, at worst, endeavors to make these attacks as expensive, difficult, and undesirable as possible.
As we move into an era of Turing-complete smart contracts, this field will surely grow even more complex and exciting.
I hope this gives you an appreciation for the burgeoning and very fertile field of cryptoeconomics. As a consequence, there are not a lot of resources out there, so I wanted to share some links that were extremely edifying to me.
Introduction to Cryptoeconomics (Video) — straight from the horse’s mouth. Vitalik Buterin spits fire.
Why Cryptoeconomics and X-Risk Researchers Should Listen to Each Other More — article by Vitalik Buterin on the intersection of cryptoeconomics and AI research.
Fundamental problems in Ethereum — current shortlist of challenges in the Ethereum space. Contains some good discussion on cryptoeconomics.
The Strategy of Conflict — old but gold book on game theory by Thomas C. Schelling, Master Theorist of Nuclear Strategy (I’m serious!)