In the past year, there has been an important trend in the blockchain field: people have shifted from focusing on decentralized finance (DeFi) to also thinking about decentralized governance (DeGov). DeFi developed very broadly in 2020, which has been called the year of DeFi. Since then, the complexity and performance of DeFi projects have continued to increase, so research interest in DeGov has grown as a way to cope with that complexity. In Ethereum, there are some examples: YFI, Compound, Synthetix, UNI, Gitcoin and other projects have launched, or are preparing to launch, a DAO. There are also examples outside of Ethereum: the Bitcoin Cash debates around infrastructure financing proposals, infrastructure financing voting in Zcash, and so on.
It is undeniable that some form of formalized decentralized governance is becoming more and more popular, and there are important reasons why people are interested in it. But it is also important to remember the risks of such mechanisms. The earlier example of Steem, which was subjected to a hostile takeover, after which community members rebelled against the acquirer and forked off into the Hive blockchain, is a good lesson. Below I will argue that this trend is inevitable: in some cases decentralized governance is necessary, but it also carries risks, and I will explain the reasons for both in this article. How can we benefit from DeGov while minimizing the risks it brings? I will argue for one key part of the answer: we need to go beyond existing forms of token voting.
DeGov is necessary
Since the publication of the Declaration of Independence of Cyberspace in 1996, there has been a key unresolved contradiction in the so-called cypherpunk ideology. On the one hand, cypherpunk values are all about using cryptography to minimize centralized control and to maximize the efficiency and reach of the main non-coercive coordination mechanisms currently available: private property and the market. On the other hand, the economic logic of private property and the market is optimized for activities that can be “decomposed” into repeated one-to-one interactions, while the field of information (where art, documentation, science, and code are produced and consumed through irreducibly one-to-many interactions) is just the opposite.
There are two key issues inherent in this environment that need to be resolved:
- Funding public goods: projects that are valuable to a broad and unspecified group of people in the community often do not have a business model (for example, layer-1 and layer-2 protocol research, client development, documentation, etc.), so how do they get funding?
- Protocol maintenance and upgrades: how do we agree on upgrades to the protocol, and on the regular maintenance and adjustment of the parts of the protocol that are not stable in the long term (such as the list of safe assets, the sources of price oracles, and the holders of multi-party computation keys)?
Early blockchain projects largely ignored these two challenges, as if the only important public good were network security, which can be provided by a single algorithm that is permanently fixed and paid for with a fixed proof-of-work reward. This funding situation may have been workable at first because the price of Bitcoin rose sharply from 2010-2013, followed by the one-off ICO boom in 2014-2017 and the second crypto bubble that occurred simultaneously in 2014-2017. All of these made the ecosystem rich enough to temporarily cover up serious market inefficiencies. The long-term governance of public resources was also neglected: Bitcoin took the path of extreme minimization, with a fixed money supply and support for layer-2 payment systems like Lightning, and nothing else. Ethereum has developed harmoniously most of the time (The DAO attack being the one special exception), because recognition of its existing roadmap (basically PoS and sharding) is very strong, and the more complex application-layer projects that need more than this have not yet launched.
But now this luck is running out, and the most urgent challenges we face are coordinating protocol maintenance and upgrades, and funding documentation, R&D and development, all while avoiding the risk of centralization.
Funding public goods requires DeGov
We need to take a step back and look at the absurdity of the current situation. Ethereum’s daily mining issuance reward is approximately 13,500 ETH (approximately US$40 million). Transaction fees are also high; the part that is not burned by EIP-1559 is still about 1500 ETH (approximately US$4.5 million) per day. So billions of dollars are spent on network security every year. Now, what is the budget of the Ethereum Foundation? Approximately 30 to 60 million US dollars per year. There are also some non-foundation participants (such as ConsenSys) who contribute to development, but their scale is small. Bitcoin’s situation is similar, and it may provide even less funding for non-security public goods.
In the Ethereum ecosystem, it can be argued that this difference does not matter much; tens of millions of dollars in funding each year is “enough” to carry out the necessary R&D, and adding more funding does not necessarily improve the situation. Therefore, for the credible neutrality of the platform, the risk of building developer funding into the protocol is greater than the benefit. But in many smaller ecosystems, whether inside the Ethereum ecosystem or on completely independent blockchains (such as BCH and Zcash), the same debate is ongoing, and in those smaller blockchains the imbalance makes a big difference.
Next, consider DAOs. A project that launches as a “pure” DAO from day one can combine two properties that were previously impossible to combine: (i) adequate developer funding; (ii) credible neutrality of that funding (the highly anticipated “fair launch”). Developer funds do not come from a hard-coded list of receiving addresses; the decision can be made by the DAO itself.
Of course, it is difficult to launch a project fairly, and the unfairness caused by information asymmetry is often worse than the unfairness caused by explicit pre-mining. (By the end of 2010, Bitcoin had already distributed 1/4 of its total supply, at a time when few people had had the chance to hear about Bitcoin. Was Bitcoin really a fair launch?) But even so, providing in-protocol compensation for non-security public goods from the moment of launch seems an important step toward sufficient and more credibly neutral developer funding.
Protocol maintenance and upgrades require DeGov
In addition to public goods funding, another equally important issue that needs governance is protocol maintenance and upgrades. Although I advocate minimizing all non-automated parameter adjustments (see the “Limited governance” section below) and I am a big fan of the “non-governance” strategy in the RAI protocol, sometimes governance is still unavoidable. Price oracle inputs must come from somewhere, and that source sometimes needs to change. Until a protocol “ossifies” into its final form, improvements must be coordinated in some way. Sometimes the community of a protocol may think it is ready to ossify, but then the world throws a curveball that requires a complete and controversial restructuring. If the U.S. dollar collapses, RAI will have to scramble to create and maintain its own decentralized CPI index to keep its stablecoin stable and valuable. From this perspective too, DeGov is necessary, so avoiding it completely is not a feasible solution.
An important distinction is whether off-chain governance is feasible. For a long time, I have been very supportive of off-chain governance, and for base-layer blockchains off-chain governance is entirely possible. But for application-layer projects (especially DeFi projects), we run into a problem: the application-layer smart contract system often directly controls external assets, and that control cannot be forked. If Tezos’s on-chain governance is attacked, the community can hard fork without any loss other than the (admittedly high) coordination cost. If MakerDAO’s on-chain governance is attacked, the community can certainly start a new MakerDAO, but it will lose all the ETH and other assets that remain in the existing MakerDAO CDPs. Therefore, although off-chain governance is a good solution for the base layer and for certain application-layer projects, many application-layer projects, especially DeFi projects, need some form of formal on-chain governance.
DeGov is risky
However, all current instances of decentralized governance come with huge risks. Readers of my articles will know that this topic is not new; I have discussed these risks in the articles Notes on Blockchain Governance, Governance, Part 2: Plutocracy Is Still Bad, On Collusion. Regarding token voting, I am mainly concerned with two types of issues: (i) inequalities and incentive misalignments that exist even when there are no attackers; (ii) outright attacks through various (usually obfuscated) forms of vote-buying. For the former, many mitigation measures (such as delegation) have been proposed, and there will be more. But the latter is a more serious problem, because I don’t see any solution to it within the current token voting paradigm.
Problems with token voting even in the absence of an attacker
The problems of token voting in the absence of an explicit attacker are increasingly well understood (see a recent article by DappRadar and Monday Capital), and fall mainly into the following categories:
- A small number of giant whales are better at successfully executing decisions than a large number of small retail holders. This is because of the tragedy of the commons among small holders: each small holder has a negligible impact on the result, so they lack the motivation to vote. Even if there are rewards for voting, they have little motivation to research and think carefully about what they are voting for.
- Token voting governance empowers token holders and their interests at the expense of other parts of the community: a protocol community is made up of different groups with many different values, visions, and goals. However, token voting empowers only one group (token holders, and especially wealthy giant whales), which leads to excessive emphasis on the goal of increasing the token price, even if that involves harmful patterns of rent extraction.
- Conflicts of interest: giving voting rights to a single group (token holders), and especially giving too much power to wealthy participants within it, risks over-exposure to the conflicts of interest within that particular elite (for example, investment funds or holders that also hold tokens of other DeFi platforms that interact with the platform in question).
There is one main strategy for solving the first problem (and thereby alleviating the third): delegation. Small retail holders do not need to personally judge every decision; instead, they can delegate to community members they trust. This is a very valuable experiment; we will see how much delegation can alleviate this problem.
My voting delegation page in Gitcoin DAO
On the other hand, the problem of token-holder centrism is more challenging: in a system where token holder votes are the only input, token-holder centrism is inherent. The deep-seated misconception that token-holder centrism is an intended goal rather than a bug has already caused confusion and harm; one (generally excellent) article discussing blockchain public goods complains:
If ownership is concentrated in the hands of a few giant whales, can encryption protocols be regarded as public goods? In layman’s terms, these market primitives are sometimes described as “public infrastructure”, but if the blockchain serves the “public” today, it is mainly a kind of decentralized finance. Fundamentally speaking, these token holders have only one focus: price.
This complaint is unreasonable; the blockchain serves a richer and broader public than DeFi token holders. But our governance system driven by token voting can’t capture this at all, and without a more fundamental change to the paradigm, it seems difficult to build a governance system that can capture this richness.
The biggest hidden danger of token voting in the presence of attackers: vote buying
Once an attacker who deliberately sets out to sabotage the system gets involved, the problem gets worse. The fundamental vulnerability of token voting is easy to understand. A token in a protocol with token voting bundles two rights into a single asset: (i) some economic interest in the income of the protocol; (ii) the right to participate in governance. This combination is deliberate: the purpose is to align rights and responsibilities. But in reality, these two rights are easily separated from each other. Imagine a simple wrapper contract with these rules: if you deposit 1 XYZ into the contract, you get 1 WXYZ. WXYZ can be converted back to XYZ at any time, and it also earns dividends. Where do the dividends come from? While the XYZ tokens are in the wrapper contract, the contract can use them however it likes in governance (making proposals, voting on proposals, etc.). The wrapper contract simply auctions off this right every day and distributes the proceeds to the original depositors.
As an XYZ holder, is it in your interest to deposit your tokens in the contract? If you are a giant whale, it may not be; you like the dividends, but you are afraid of what a bad actor might do with the governance rights you are selling. If you are a small retail holder, then it is in your interest. If the governance rights auctioned by the wrapper contract are bought by an attacker, you personally suffer only a small part of the loss caused by the bad governance decisions, but you still receive the dividends from the governance rights auction. This situation is a typical tragedy of the commons.
Suppose the attacker makes a decision that damages the DAO and benefits the attacker. The harm of a successful decision to each participant is D, and the probability that a single vote tilts the result is p. Suppose the attacker offers a bribe of B.
If B>D∗p, you tend to accept bribes, but as long as B<1000∗D∗p, accepting bribes is harmful to the collective. Therefore, if p<1 (usually, p is much lower than 1), the attacker has the opportunity to bribe users to take a net negative decision, and the compensation for each user is much lower than the harm they suffer.
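The inequality above with numbers, as an added example that is not from the original article. It assumes that the 1000 in the inequality is the number of participants, and it estimates p with a simple pivotal-voter model (every other holder votes yes independently with probability q), which is an assumption of this example.

```python
import math


def pivot_probability(n_voters: int, q: float = 0.5) -> float:
    """Probability p that one vote tilts a strict-majority vote.

    Assumed model (not from the article): the other n_voters - 1 holders
    vote yes independently with probability q. One more yes vote changes
    the outcome only when exactly n_voters // 2 of them voted yes.
    """
    if n_voters < 1 or not 0.0 < q < 1.0:
        raise ValueError("need n_voters >= 1 and 0 < q < 1")
    others = n_voters - 1
    need = n_voters // 2
    # Binomial pmf computed in log space so large electorates do not overflow.
    log_p = (math.lgamma(others + 1)
             - math.lgamma(need + 1)
             - math.lgamma(others - need + 1)
             + need * math.log(q)
             + (others - need) * math.log(1.0 - q))
    return math.exp(log_p)


def bribe_window(harm_d: float, p: float, n_voters: int):
    """Return (D*p, N*D*p): bribes strictly between these two values are
    worth taking for the individual but harmful to the collective."""
    return harm_d * p, n_voters * harm_d * p


def classify_bribe(bribe_b: float, harm_d: float, p: float, n_voters: int) -> str:
    low, high = bribe_window(harm_d, p, n_voters)
    if bribe_b <= low:
        return "rejected"  # B <= D*p: not worth it even for a selfish voter
    if bribe_b < high:
        return "accepted, collectively harmful"  # D*p < B < N*D*p
    return "accepted, bribe exceeds expected collective harm"


if __name__ == "__main__":
    N = 1000   # participants, the article's figure
    D = 1.0    # harm per participant, normalized (constructed value)
    for q in (0.5, 0.6):
        p = pivot_probability(N, q)
        low, high = bribe_window(D, p, N)
        print(f"q={q}: p={p:.3e}, harmful window {low:.3e} < B < {high:.3e}")
    p = pivot_probability(N)
    for b in (0.01, 0.1, 30.0):
        print(f"B={b}: {classify_bribe(b, D, p, N)}")
```

Even in a perfectly balanced electorate of 1000, p is only about 2.5%, and it collapses toward zero as soon as the other voters lean one way, which is why the compensation each user accepts can be far below the harm they suffer.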
A common criticism of vote-buying fears is: will voters really be so immoral as to accept such obvious bribes? Ordinary DAO token holders are enthusiasts, and it would be hard for them to be so selfish as to openly sell out their project. But what this misses is that there are much more obfuscated ways to separate benefit-sharing rights from governance rights, and these do not require anything as explicit as a wrapper contract.
The simplest example is borrowing from DeFi lending platforms (such as Compound). Users who already hold ETH can lock their ETH in a CDP (collateralized debt position) on one of these platforms. Once they do this, the CDP contract allows them to borrow a certain amount of XYZ (for example, XYZ worth half the total value of the deposited ETH). They can then do whatever they want with this XYZ. To redeem their ETH, they will eventually need to repay the borrowed XYZ, plus interest.
Note that throughout the process, the borrower has no financial exposure to XYZ. In other words, if they use their XYZ to vote for a decision that harms the value of XYZ, they will not lose a penny. The XYZ they hold is XYZ that must eventually be returned to the CDP anyway, so they don’t care whether its value has risen or fallen. In this way, we have separated benefit-sharing rights from governance rights: borrowers have governance rights but no related economic interest, while lenders have the economic interest but no governance rights.
There are also centralized mechanisms that separate benefit-sharing rights from governance rights. Most notably, when users deposit their tokens in a (centralized) exchange, the exchange has full custody and can use these tokens to vote. This is not just theory; there is evidence of multiple exchanges using user tokens in multiple DPoS systems. The most notable recent example is the attempted hostile takeover of Steem. In this event, exchanges used their users’ tokens to support hostile takeover proposals for the Steem network (proposals that most members of the community opposed). This situation could only be resolved by an outright mass migration, in which a large part of the community moved to another chain called Hive.
Some DAO protocols use timelock techniques to limit these attacks, requiring users to lock their tokens, making them non-transferable for a period of time, in order to vote. These techniques can limit “buy-vote-sell” attacks in the short term, but in the end the timelock mechanism can be bypassed by users who hold and vote with their tokens through a contract that issues a wrapped version of the token (or, more simply, through a centralized exchange). As a security mechanism, a timelock is more like a paywall on a newspaper website (which you can find a way around) than a lock and key.
At present, many blockchains and DAOs that have token voting have so far avoided the most serious of these attacks. Occasionally there are signs of attempted bribery.
However, despite all these important issues, there have been far fewer cases of blatant voter bribery, including obfuscated forms such as the use of financial markets, than a simple analysis would suggest. A natural question to ask is: why haven’t more blatant attacks happened yet?
My answer is, “Why not yet” depends on three accidental factors. They are real today, but they are likely to slowly disappear in the future.
1. Community spirit that comes from having a closely connected community, where everyone feels the camaraderie of belonging to a common tribe and mission.
2. High concentration of wealth and coordination among token holders: large holders are more capable of influencing governance results and have long-term investment relationships with each other (both the venture capitalists known as the “Old Boys Club” and many equally influential but relatively low-key wealthy holders), which makes them more difficult to bribe.
3. Immature financial markets for governance tokens: the ready-made tools for wrapping tokens are still at the proof-of-concept stage and are not widely used; bribery contracts exist but are similarly immature; and liquidity for governance tokens in lending markets is also very low.
When a small, coordinated group of users holds more than 50% of the tokens, they and most others are invested in a closely connected community, and only a very small amount of tokens is being lent out at reasonable interest rates, all of the above-mentioned bribery attacks may remain on paper only. But over time, no matter what we do, factors (1) and (3) will inevitably become less true; and if we want to make DAOs fairer, (2) must also become less true. When all these changes happen, will DAOs remain safe? If token voting cannot sustainably resist attacks, what can?
Solution 1: Limited governance
There is one possible mitigation for the above problems, which has been tried to varying degrees: setting limits on what token-driven governance can do. There are several ways to do this:
- Use on-chain governance only at the application layer, not at the base layer: Ethereum already does this. The governance of the protocol itself is off-chain, while DAOs and other applications on Ethereum sometimes (not always) use on-chain governance.
- Limit governance to fixed parameter choices: Uniswap does this, because it only allows governance to affect (i) the distribution of tokens and (ii) the 0.05% rate of the Uniswap exchange. Another good example is RAI’s “Minimization of Governance” roadmap, which states that over time, governance will have control over fewer and fewer functions.
- Add time delays: a governance decision made at time T only takes effect after, for example, T+90 days. This allows users and applications that find the decision unacceptable to move to another application (or to fork). Compound’s governance has a time delay mechanism, but in principle the delay can (and eventually should) be longer.
- Become more fork friendly: make it easier for users to quickly coordinate and carry out a fork. This makes the payoff from capturing governance smaller.
The Uniswap example is particularly interesting: the planned arrangement is for on-chain governance to fund the team that will develop future versions of the Uniswap protocol, but it is up to users to choose whether to upgrade to those versions. This is a combination of on-chain and off-chain governance, and the room it leaves to on-chain governance is limited.
But limited governance is not an acceptable solution by itself; the places that need governance the most (such as the allocation of funds for public goods) are themselves the most vulnerable. Public goods funding is very vulnerable because attackers can profit directly from bad decisions: they can push through a bad decision that sends funds to themselves. Therefore, we also need techniques to improve governance itself…
Solution 2: non-token-driven governance
The second method is to use a non-token-driven form of governance. But if tokens cannot determine the weight of an account in governance, what can? There are two reasonable options:
- Proof of personhood systems: systems used to prove that an account corresponds to a unique human individual, so that each human can be assigned one vote. See this paper for the techniques that have been developed in this area, as well as Proof of Humanity and BrightID, two attempts to implement a proof of personhood system.
- Proof of participation: systems used to attest that an account corresponds to a person who has participated in a certain activity, passed a certain education or training, or done meaningful work in the ecosystem. POAP is one attempt to implement proof of participation.
There is also the possibility of mixing the two: one example is quadratic voting, which makes the influence of a voter proportional to the square root of the economic resources they commit to a decision. Preventing people from gaming the system by spreading their resources across multiple identities requires proof of personhood, while the remaining economic component lets participants credibly signal how strongly they care about an issue and about the ecosystem. Gitcoin’s quadratic funding is a form of quadratic voting, and quadratic voting DAOs are being built.
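Why the square-root rule depends on proof of personhood, as an added example that is not from the original article. The ballot format, the `person_of` registry and all names and amounts are hypothetical, constructed for this illustration.

```python
import math
from collections import defaultdict


def quadratic_tally(ballots, person_of=None):
    """Tally quadratic votes: influence = sqrt(resources committed).

    ballots   -- iterable of (identity, option, tokens_committed)
    person_of -- optional proof-of-personhood registry mapping an identity
                 to a unique person (hypothetical interface). With it,
                 unverified identities are ignored and ballots from the
                 same person are merged BEFORE the square root is taken.
    Returns {option: total influence}.
    """
    committed = defaultdict(float)
    for identity, option, tokens in ballots:
        if tokens < 0:
            raise ValueError("tokens_committed must be non-negative")
        if person_of is None:
            voter = identity              # every identity counts as a person
        elif identity in person_of:
            voter = person_of[identity]   # verified: attribute to the human
        else:
            continue                      # unverified identity: no vote
        committed[(voter, option)] += tokens

    totals = defaultdict(float)
    for (_voter, option), tokens in committed.items():
        totals[option] += math.sqrt(tokens)
    return dict(totals)


# Constructed sample: nine community members commit 4 tokens each to one
# option; a single large holder commits 100 tokens to another.
MEMBERS = [(f"member-{i}", "fund-docs", 4) for i in range(9)]
WHALE_SINGLE = [("whale-0", "fund-self", 100)]
# The same 100 tokens spread over 100 identities of 1 token each.
WHALE_SPLIT = [(f"whale-{i}", "fund-self", 1) for i in range(100)]
# Registry: each member and the holder's one real identity are verified.
REGISTRY = {f"member-{i}": f"person-{i}" for i in range(9)}
REGISTRY["whale-0"] = "person-whale"

if __name__ == "__main__":
    print("one identity   :", quadratic_tally(MEMBERS + WHALE_SINGLE))
    print("split, no check:", quadratic_tally(MEMBERS + WHALE_SPLIT))
    print("split, registry:", quadratic_tally(MEMBERS + WHALE_SPLIT, REGISTRY))
```

Splitting the same stake across k identities multiplies its influence by the square root of k, so without the registry the square-root rule degrades back toward plain token-weighted voting.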
Proof of participation is less well understood. Its key difficulty is that deciding how much participation is required itself needs a fairly strong governance structure. Perhaps the simplest solution is to bootstrap the system by carefully selecting 10 of the 100 early contributors, and then to decentralize gradually, with the participants selected in round N determining the participation criteria for round N+1. The possibility of forking helps provide a path to recovery and also provides an incentive against governance going off the rails.
Both proof of personhood and proof of participation require some form of collusion resistance (see the article explaining this issue, and the documentation of Minimal Anti-Collusion Infrastructure (MACI)) to ensure that the non-monetary resources used to measure voting power remain non-financial, instead of ending up inside a smart contract that sells governance rights to the highest bidder.
Solution 3: risk sharing
The third method is to break the tragedy of the commons by changing the rules of voting itself. Token voting fails because voters are collectively responsible for their decisions (if everyone votes for a bad decision, everyone’s tokens drop to 0), but each voter is not individually responsible for their own vote (if a bad decision is made, those who supported it are treated no differently from those who opposed it). Can we build a voting system that changes this, so that voters are individually, rather than collectively, responsible for the decisions they voted for?
If forks are carried out the way Hive forked from Steem, then fork friendliness can be seen as a risk-sharing strategy. If a destructive governance decision has been made and it is no longer possible to oppose it from within the protocol, users can fork on their own. Furthermore, in that fork, the tokens that voted for the bad decision can be destroyed.
This sounds harsh, and perhaps it even seems to violate an implicit norm that when a token is forked, the “immutability of the ledger” should remain sacred and unshakable. But viewed from another angle, the idea seems more reasonable. We still insist that individual token balances should be inviolable, but this firewall only protects tokens that do not take part in governance. If you participate in governance, even indirectly by putting your tokens into a wrapper mechanism, then you are responsible for the losses caused by your actions.
This creates individual responsibility: if an attack occurs and your tokens vote for the attack, your tokens are destroyed. If your tokens do not vote for the attack, they are left intact. The responsibility propagates upward: if you put your tokens into a wrapper contract, the wrapper contract votes for the attack, and the balance of the wrapper contract is wiped out, then you also lose your tokens. If an attacker borrows XYZ from a DeFi lending platform, then when the platform is forked, anyone who lent XYZ loses their tokens (note that this makes lending governance tokens generally risky; this is the intended result).
Risk sharing in day-to-day voting
But the above approach only guards against truly extreme decisions. What about small-scale thefts, which unfairly favor attackers who manipulate the economics of governance but are not serious enough to be devastating? And what about cases with no attackers at all, just simple laziness, and the fact that token voting governance is not subject to any selection pressure in favor of high-quality opinions?
For these problems, the most popular solution is futarchy, which was introduced by Robin Hanson in early 2000. In this scheme, voting becomes a bet: voting for a proposal is a bet that the proposal will lead to a good result, while voting against a proposal is a bet that the proposal will lead to a bad result. The way futarchy introduces individual responsibility is obvious: if you make a good bet, you get more money; if you make a bad bet, you lose money.
It turns out that “pure” futarchy is difficult to introduce, because in practice the objective function is very difficult to define (people want more than just the price of the token!), but different futarchy hybrid forms may work. Examples of mixed futarchy are as follows:
- Votes as buy orders: see this article on ethresear.ch. Voting for a proposal requires placing an executable buy order for additional tokens at a price lower than the current price of the token. This ensures that if a bad decision is passed, those who supported it will be forced to buy their opponents’ tokens, but it also ensures that in more “normal” decisions token holders have more leeway to decide, if they wish, based on non-price criteria.
- Retroactive public goods funding: see this article by the Optimism team. Public goods are funded retroactively, through some voting mechanism, once they have achieved a result. Users can buy project tokens to fund a project and at the same time signal their confidence in it; if the project is judged to have achieved the expected goals, buyers of the project tokens receive a share of the reward.
- Escalation games: see Augur and Kleros as two examples. Correct bets on lower-level decisions are incentivized by a higher-level decision process that is harder to take part in but more accurate; voters are rewarded if their vote is consistent with the final decision.
In the latter two examples, the hybrid futarchy scheme relies on some non-futarchy form of governance to measure the objective function or to act as a last resort for resolving disputes. However, this non-futarchy governance has some advantages that it would not have if it were used directly: (i) it activates later, so it has access to more information; (ii) it is used less frequently, so it costs less effort; and (iii) each use of it has a greater impact, so it is more acceptable to rely only on forking to align the incentives of this final layer.
There are also solutions that combine the above-mentioned technical elements. Here are some examples:
- Time delay + elected expert governance: this is one possible answer to the old puzzle of how to build a crypto-collateralized stablecoin whose locked funds can exceed the value of the profit-taking token without risking governance capture. The price oracle used by the stablecoin is the median of the values submitted by N (for example, N=13) selected providers. Token voting selects the providers, but only one provider can be removed each week. If users notice that the token vote has brought in an untrustworthy price provider, they have N/2 weeks to switch to a different stablecoin before this one breaks.
- Futarchy + collusion resistance = reputation: users vote with “reputation”, which is a token that cannot be transferred. If a user’s decisions lead to the desired results, they gain reputation, and if their decisions lead to undesirable results, they lose reputation. See this article, which advocates a reputation-based approach.
- Loosely coupled (advisory) token voting: the token vote does not directly implement a proposed change. Instead, it exists only to make its result public and so build legitimacy for off-chain governance to implement the change. This can bring the benefits of token voting with less risk, because if evidence shows that the token vote was bribed or manipulated, the legitimacy of the token vote automatically declines.
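The time delay + elected expert item above, simulated as an added example that is not from the original article. It assumes that a captured token vote swaps one honest provider for an untrustworthy one each week; the price reports are constructed sample data.

```python
from statistics import median

# Constructed sample: N = 13 honest provider reports near a price of 2000.
HONEST_REPORTS = [1998.0, 1999.5, 2000.0, 2000.2, 2001.0, 1999.0, 2000.5,
                  2002.0, 1997.5, 2000.1, 2001.5, 1999.8, 2000.7]


def capture_timeline(honest_reports, bad_price, swaps_per_week=1):
    """Simulate a captured token vote replacing honest providers.

    Each week at most `swaps_per_week` providers are replaced by ones that
    report `bad_price`. Returns a list of
    (week, untrustworthy_provider_count, oracle_price) tuples, where the
    oracle price is the median of all current reports.
    """
    if swaps_per_week < 1:
        raise ValueError("swaps_per_week must be at least 1")
    reports = list(honest_reports)
    timeline = [(0, 0, median(reports))]
    swapped, week = 0, 0
    while swapped < len(reports):
        week += 1
        for _ in range(swaps_per_week):
            if swapped < len(reports):
                reports[swapped] = bad_price
                swapped += 1
        timeline.append((week, swapped, median(reports)))
    return timeline


def weeks_of_warning(honest_reports, bad_price, swaps_per_week=1):
    """Number of full weeks during which the oracle price stays inside the
    range spanned by the honest reports, i.e. the time users have to
    notice the capture and leave before the price feed itself is wrong."""
    lo, hi = min(honest_reports), max(honest_reports)
    for week, _count, price in capture_timeline(
            honest_reports, bad_price, swaps_per_week):
        if not lo <= price <= hi:
            return week - 1
    return None  # the bad price never left the honest range


if __name__ == "__main__":
    for week, count, price in capture_timeline(HONEST_REPORTS, 1.0):
        print(f"week {week:2d}: {count:2d}/13 untrustworthy, oracle = {price}")
    print("warning, 1 swap/week :", weeks_of_warning(HONEST_REPORTS, 1.0))
    print("warning, no rate limit:", weeks_of_warning(HONEST_REPORTS, 1.0, 13))
```

With N=13 the median stays within the honest range until 7 of the 13 providers are untrustworthy, so the one-per-week limit is what turns a captured vote into 6 weeks of warning; without the limit the warning is zero.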
But these are just a few possible examples. There is still a lot to do in the research and development of non-token-driven governance algorithms. The most important thing that can be done right now is to get rid of the idea that token voting is the only legitimate form of governance decentralization. Token voting is attractive because it feels credibly neutral: anyone can go to Uniswap and buy some governance tokens. In reality, however, token voting only seems safe today precisely because its neutrality is imperfect (that is, most of the supply is in the hands of a tightly coordinated small group of insiders).
We should be highly wary of the idea that current forms of token voting are “secure by default”. It remains to be seen how they operate under greater economic pressure and in more mature ecosystems and financial markets, and now is the time to start experimenting with other solutions in parallel.
Special thanks to Karl Floersch, Dan Robinson and Tina Zhen for their feedback and proofreading. I recommend reading my earlier articles: Notes on Blockchain Governance, Governance, Part 2: Plutocracy Is Still Bad, On Collusion, Coordination, Good and Bad, which elaborated my thoughts on similar topics.
Source | vitalik.ca
Author | Vitalik Buterin
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/vitalik-governance-is-more-than-token-voting/