Presentation: 8 areas for PMF and IMF with blockchains*

This past week I gave a new presentation at the 2nd annual Soranomics event (last year I presented on a related topic: pegged coins aka “stablecoins”). It includes a number of illustrations to discuss product market fit and infrastructure market fit.

Below is a copy of the deck as well as the A/V. Note: there are citations and references in the speaker notes. Note: I am to publish a long-form version based on this content.

Is the Pitato why we can’t have nice things?

[Note: I originally wrote the bulk of this article as an unpublished memo about 18 months ago. I have updated it to include new information.  The views and opinions expressed in this article are mine and do not necessarily reflect the views of my clients.]

The big news this past week was that Coinbase acquired Earn.com (née 21.co, née 21e6 LLC). According to Recode, the offer “was slightly more than $100 million” but also lower than Earn.com’s most recent valuation (in 2015) which was $310 million.

From the current coverage, it is unclear what the revenue for any of the products or services for Earn.com was.  Instead most stories have focused on one specific aspect: the current Earn.com CEO, Balaji Srinivasan, will join Coinbase as the CTO.

There have been a lot of questions around why Coinbase would purchase a company that seemed to have poor product-market fit with unknown KPIs. This post will look into several areas for answers.

Taking a step back

Following the official acquisition announcement from Coinbase, Srinivasan published a self-congratulatory Medium post that basically paints him as the savior of 21.co: that it was the previous management that were bad and he came in and turned it all around.1

His revisionism arguably whitewashed what happened, so let’s dive into a little bit of the company’s history.

In May 2013, 21inc (formerly 21e6 LLC) was co-founded by five men including Balaji Srinivasan. According to a story from Nathaniel Popper:

The company was also structured as an limited liability company, rather than the C Corp typical of startups, so that people could invest with their own money.

Why is that important to some investors?

According to Popper:

The 21e6 investment was attractive in part because venture capital firms generally felt that they couldn’t buy Bitcoins directly. 21e6, on the other hand, offered to pay its investors back with Bitcoin dividends, allowing the firm to get Bitcoins without buying them outright.

What does this mean?

Venture funds often have clauses restricting their partners from investing in asset classes that may be seen as a conflict of interest or something that could reduce the firm’s reputation (e.g., cannabis startups). In this case, cryptocurrencies may be seen as a direct speculative bet on a commodity or foreign exchange which could be prohibited by an investment funds by-laws.2

Altogether the 21e6 team, over three separate rounds, raised approximately $116 – 125 million – which at the time was more money than any other cryptocurrency-related company.3 The sum total varied depending on news source but Srinivasan frequently made it a point to casually insert comments such as: we are the “most funded” or “best funded” company in Bitcoin into interviews and talks during 2015-2016.

In the beginning

In its early days 21e6 focused exclusively on designing custom ASIC chips for Bitcoin mining and then integrating and deploying Bitcoin mining hardware for private, non-retail usage. This included installing hundreds of hashing systems in data centers which for several reasons eventually became uncompetitive against those based in China and the Republic of Georgia.45

Based on publicly available information and allegedly leaked slides we know that:6

It closed its Series A for $5 million in May 2013.

  • Investors included: Peter Thiel, David Sacks, Max Levchin, Marc Andreessen, Ben Horowitz, Naval Ravikant, Winklevoss Capital, Mark Pincus
  • Estimated $3.8 million revenue in 2013

In June 2013, then-CEO Matthew Pauker filed a Form D, Notice of Exempt Offering of Securities, which stated that 55 investors had already invested in its offering.7 While that may sound unusual for an early stage company to have so many investors, recall what Popper pointed out above, that individual investors could invest directly into 21e6 because of its LLC status.

It closed its Series B for approximately $65 million in December 2013.

  • Andreessen Horowitz (the VC fund) invested $25 million as the lead investor; and $10 million came from existing investors (such as $100,000 from Pantera)
  • $30 million also came in the form of “venture debt”
  • Estimated $41 million in revenue in 2014
  • 19 employees in November 2014

The funds from its first two rounds were used in part to design and deploy “Gandalf” (its 2nd generation ASIC chip) and “Yoda” (its 3rd generation ASIC chip) in the aforementioned data centers.

How much capital is required to build a state-of-the-art ASIC chip? Depending on how much is done in-house or out-sourced as well as the fabrication facilities, it can be upwards of $15 – $20 million.8

First major pivot

The company rebranded from 21e6 to 21.co and announced its Series C on March 10, 2015, with $56 million led by RRE Ventures. 9

That morning, The Wall Street Journal led with the story:

Secretive Bitcoin Startup 21 Reveals Record Funds, Hints at Mass Consumer Play

This marked the beginning of its pivot from purely building mining hardware and instead marketing itself as supposedly moving into the Internet of Things (IoT) and API marketplace.  Around this time you frequently saw 21.co and its supporters publicly talk about machine-to-machine (M2M) payments as being a killer app.10 One of the 21.co engineers was even interviewed on a (now deleted) podcast where he spoke about how drone owners would pay tolls denominated in bitcoin to cut across airspace over yards in your neighborhood. You know, the usual word salad and shower thoughts on social media.

When I first drafted this memo 18 months ago, based on LinkedIn profiles, 21.co had about 25 full-time employees; as of now their page says 22 employees but most of them are just people adding 21.co in their profiles without formally being affiliated with it. Most of the current employees unsurprisingly have shifted to Earn.com’s official LinkedIn profile. Its tally is 63 people but again, some of these profiles are from people who are likely unaffiliated with the organization.

Other known investors through 2016:11

  • Data Collective
  • Khosla Ventures
  • Yuan Capital
  • Drew Houston
  • Dara Khosrowshahi
  • Avant Global
  • Karl Mehta
  • Capricorn Management / Jeff Skoll Group
  • Qualcomm Ventures
  • World Innovation Labs

Other board members/observers:

  • Alan Chang (Jeff Skoll’s family office via Capricorn Management) in Series B
  • Richard Tapalaga (Qualcomm Ventures) in Series C
  • Gen Isayama (World Innovation Labs) in Series C

According to Nathaniel Popper, as of March 2015 when it announced the closing of its Series C round, “the company has paid back all of its investors.” It did so partially via payouts in bitcoin.

In his self-canonization this week, Srinivasan wrote that:

And with this deal, the total value of cash, cryptocurrency, and equity returned to our shareholders is now in excess of the capital invested in the company.

How much of the cryptocurrency above is from the not-yet-released Earnable Token? Get the whitepaper while you still can.

Since March 2015, there has also been noticeable churn at the top:12

  • Matthew Pauker, co-founder, was replaced as CEO in spring 2015 by Balaji Srinivasan
  • Albert Esser was the COO from December 2013 through August 2015
    • Replaced by John Granata from March 2016 to the present
  • Nigel Drego co-founder, was chief architect from May 2013 through March 2016
    • Replaced by Jian Li as CTO from March 2016 through 2017
  • Lily Liu became CFO during summer 2015 to the present

Because of the economic incentives that tilt in favor of mining countries like China, 21.co stopped its operations in the Bitcoin mining sector and those subject-matter experts seem to have left the ranks.

Second major pivot. Or part of the first?

What has it built since the pivot after Series C?

The 21 Bitcoin Computer was their first consumer-facing product that was announced on September 21, 2015 and released with great fanfare as an exclusive to Amazon Launchpad on November 16, 2015 at a price of $400.  It also picked up the “toaster” nickname from the Financial Times.13

Several enthusiasts explored the component prices via a piece-by-piece breakdown and found that it likely cost around $247 to build each 21 Computer.14 It was subsequently nicknamed the “Pitato” because the main component at its heart was basically a Raspberry Pi, a popular DIY kit that sells for less than $200.

The only other notable piece of tech was a custom built ASIC chip that could be used for mining.  However, ever before it had shipped, the mining chip was already uncompetitive and obsolete.  Even if you had free electricity you likely would not generate enough bitcoin in order to recoup the full cost of buying the 21 Computer, especially since the few satoshi you generated would be stuck as dust.15

What were the maths behind this?

In September 2015, after it was announced, Vitalik Buterin crunched the numbers and worked out that:

So you’re paying $399 upfront and getting $0.105 per day or $38.3 per year, and this is before taking into account network difficulty increases, the upcoming block halving (yay, your profit goes down to $0.03 per day!) and, of course, the near-100% likelihood that you won’t be able to keep that device on absolutely all of the time. I seriously hope they have multiple mining chips inside of their device and forgot to mention it; otherwise you can outcompete this offering pretty easily by just preloading a raspberry pi with $200 of your favorite cryptotokens.

Why the relatively large markup for a device?  Part of it is that Amazon Launchpad gets a 25% cut.

But like just about all things Bitcoin, sales numbers were so bad that they were never disclosed and it was eventually discontinued. Prior to its discontinuation, 21.co representatives approached multiple well-known Bitcoin developers to help resell the devices. In short, these developers were offered to buy 21.co devices at wholesale prices and expected to resell them at the retail price. It is unclear how many (if any) developers did so.

For real, the second major pivot

On April 1, 2016, 21.co launched an app “marketplace” and initially seeded it with 50 apps that were built in-house. At the time, the only way to externally measure usage or traction is to manually observe the amount of ratings (stars) an app had each day. Interestingly, in early July 2016 the amount of apps stood at 95 whereas six weeks later it fell to 76 and basically fluctuated for the remainder of the year.

In May 2016, Srinivasan took the stage at Consensus and announced his vision of a “machine payable web” and introduced several ideas but notably did not mention the Bitsplit which was rumored to have been in the works for over a year.16

Throughout the remainder of the year, 21.co sponsored and hosted meetups and had an active Slack room, and most of the ideas that were used or borrowed as API and app ideas, languished due to… a lack of users.17  If you are new to my site, one reoccurring observation is that in general: cryptocurrency owners typically are not actual users, but that’s a whole different discussion.

The 21.co Marketplace now redirects to the Earn.com homepage.

Pivot three

On October 27, 2017, 21.co emailed its users that it was ending server-side support for three things: the Bitcoin Computer, 21 command line interface (CLI), and marketplace. 18

Three days later, 21.co announced that it was rebranding as Earn.com and pivoting away from its second vision as a VC-backed quasi protocryptojacking play towards taking on Amazon Mechanical Turk, but with Bitcoin. It also announced a non-ICO ICO called Earnable Token, which as you can tell from its name: was earnable from doing the same kind of tasks as you could before like: filling out surveys or answering bots who email you.

Earn.com also migrated the unique profile pages it first introduced with 21.co, which is basically a static page that users can claim and use a bit like LinkedIn, but with more Bitcoin-related spam.19

Source: Twitter

Unregistered securities?

This last part is of particular interest in today’s regulatory climate because Earn.com, which hosts these user-controlled accounts, has accidentally assisted and enabled the promotion of alleged unregistered securities (ICOs) as a business line.  Recall that Google, Facebook, Snap, Twitter, Mailchimp, and other tech companies have reduced or removed the ability for ICOs and cryptocurrency promoters to solicit retail investors, Earn.com has done the opposite and been a refuge.  At what point is this an unsuitable risk profile for a “bank” like Coinbase?20

What does that mean?

In its January 2018 update, Earn.com announced that:

This week we were thrilled to announced the launch of Earn.com Airdrops — a new way for blockchain entrepreneurs to give 100,000+ Earn.com users a free trial of any new coin or token. Airdrops allows token projects to instantly bootstrap your new blockchain project with 100,000+ cryptocurrency early adopters.

We announced our first Airdrop partner, CanYa — a decentralized marketplace for services — as well as the next three upcoming Airdrops: Bloom, Bee Token, and Vezt. Sign up for an account on Earn.com, verify your account, and download the Earn.com mobile apps on iOS or Android apps to become eligible.

I am not a lawyer but in the past – like the dotcom era – companies (including startups) have attempted to give away equity in some very creative ways… and depending on the circumstances, it can be a no-no.21 That’s not to say that the tokens above are securities or that any airdrop is a violation of securities laws. But highlighting this type of feature has inadvertently led to Earn.com becoming a magnet for ICO issuance and promotion.

Where’s the beef?

What was the long term deliverable for roughly $125 million in nearly 5 years?

Throughout 2016 – including at Consensus in NYC – Srinivasan explained that they will announce a “surprise” in the coming months, maybe all of the aforementioned products and chips were the alpha phase of a much larger operation?  Maybe they were, but we probably won’t find out.

Either way, it is worth keeping in mind that between 2013-2016, cryptocurrency-specific startups collectively received a little more than $1 billion in external funding, with nearly 15% of that funneled into just one startup. One who has had to pivot multiple times to find the right product-market fit and tech-market fit.  Keep in mind too that other companies such as Bitfury and Bitmain were able to make superior chips and do so initially without major venture backing.22

If the most funded, best connected startup continually struggled to see consumer traction, what are the prospects for less funded and less connected cryptocurrency startups?  This is worth revisiting in another long-read, especially in seeing what the $125 million was actually spent on (salaries? chips? toasters?).

How involved was he?

Source: Twitter

One of the investors in 21.co responded to Nathaniel Popper above claiming that Srinivasan wasn’t actively involved in the first two years.

Does it matter? Sure, when you are claiming successes and denying failures that should or shouldn’t be attributed to you.

Below is a quick series of interrelated anecdotes.

In December 2014, Srinivasan and I both attended and presented at what would become the second of three round table events organized by R3 (a family office then called R3 CEV).  This was prior to the formal creation of the DLG consortium.23 Unfortunately I do not have his presentation, but the layout and design were nearly identical to the leaked slides that have circulated for years — just with different content.  For instance, the design of his slides at a public talk in the spring of 2015 is pretty close to the other two decks.

In January 2015, I was unexpectedly shown a long set of slides for a company called 21e6, most of which look similar to what has been leaked in the past and linked to above.24

Later that same month – due to a variety of circumstances – I met up with Srinivasan in Palo Alto and he quickly paged through the leaked presentation and stated it was an older deck from October / November 2014.

While there is a little more to our subsequent interactions, I think the key part here and the only reason I brought up this personal anecdote is the fact that Srinivasan was able to dismiss the deck of having any relevance on the current fundraising 21e6 was doing (remember, this was less than two months before the round was publicly announced).25

So while he may not have been “day to day” as he disclaims in his post, he clearly was involved in the fundraising process if not more (deck creation?).  He said as much in a post published in March 2015.

So what to make of all of this news?

An exit is an exit, right?

What ultimately appears to have happened is that Andreessen Horowitz took one of its floundering portfolio companies and merged it with another portfolio company… and declared it a great success.2627

The circle of life...

Source: Twitter

There also appear to be a few parallels with Juicero.28 For those unfamiliar, Juicero is a now-defunct Silicon Valley-based startup that built and sold a custom $400 machine that would squeeze juice packets.  It raised $120 million and unceremoniously shut down last year after reporters showed that the hands from mere humans were capable of squeezing the same juice packets.

In much the same way, during the second pivot of 21.co, no one really bothered to buy the “Pitato” because users could easily do the math: that it was far more effective to either buy bitcoins outright or buy and use more capable mining hardware.

Why hasn’t anyone written about this before?

Most of the knowledge above is public, or at least, pretty well known if you have spent much time in Bitcoinland.  Other reasons involve some tinfoil hat theories around retaliation.29

Funnily enough, back in March 2015 I had a long email exchange with Michael Casey and Paul Vigna over at The Wall Street Journal regarding 21.co and other several other topics.

This culminated in the quote:

Tim Swanson, a consistently skeptical digital-currency consultant who makes a habit of challenging bitcoiners’ unbridled optimism, is unequivocal. 21′s plan is “a dumb idea,” he says, adding that “the investors deserve to get what’s coming to them.”

And while a few of those investors probably did, it is Coinbase share holders that likely got it on the chin this week.30 If you’re looking for more memorable gems, be sure to read this older WSJ article.  It is chocked-full of hubris, kind of like Juicero.31

In closing, raise your hand if you’d like to get paid every time you respond to an email and moreso to a cold email?  I know I would.

So maybe with all of the kinks, toasters, pivot denialism, and chest thumping there is still a future for a pay-to-respond model to thrive.  Maybe Coinbase can turn the ICO sanctuary of Earn.com into a legitimate mainstream product that is integrated with various webmail providers and social media platforms. Or maybe this ends up like ChangeTip, whose platform was basically used to spam coin dust on Twitter… to ultimately shutting down after an acquihire from Airbnb.

Either way, there was a bit more to this story than what was let on in Srinivasan’s original Medium post on Monday.

Update: (see note) 32

Endnotes

  1. Would that be a Bitcoin-powered bus that the management team was thrown under? []
  2. Over the past several years, multiple venture funds have had their by-laws amended or re-written to allow them to purchase cryptocurrencies and directly invest into ICOs. []
  3. In March 2015, 21inc announced that it had raised a total of $116 million, however according to Nathaniel Popper’s account of their history, they had raised about $125 million. For one reason or another, historically many cryptocurrency companies do not typically reveal their active user numbers or revenue figures. Instead they prefer talking about how much outside funding they have raised. And 21.co was not an exception to this. []
  4. There are several reasons why this was the case.  With the right guanxi: a combination of electricity, land, and taxes could be cheaper in certain parts of China versus the US.  In addition, 21e6 and other US-firms were consistently unable to manufacture mining machines and operate farms at a similar scale as their peers.  Part of this was logistics as well: large portions of the supply chain were based overseas (primarily in Guangdong and Taiwan). I have written about this in multiple different posts over the past several years, such as this piece. []
  5. One of the interesting things that Srinivasan’s article confirms was a rumor I first heard two years ago from one of their mining competitors: that 21e6 had signed leases with data centers whose energy rates were so abysmal that you might as well just bought coins instead as it would basically be impossible to recoup those costs. Another unconfirmed rumor was around immersion cooling: that between 2014-2015 21e6 had experimented and burnt through a large quantity of chip inventory in a radical attempt to reduce the cooling needs and costs of mining chips. []
  6. Some of this information comes from: reddit, CoinDesk, Financial Times, and Jorge StolfiGoogling around too. []
  7. Form D – note that the domains 21e6.com and .net and .org all registered around March/April 2013. []
  8. Why Are Computer Chips So Expensive? from Forbes. In addition to non-recoverable engineering, there are also component costs and testing thereof: PCB, SMT, power supply, fans, integration. Testing and trouble-shooting cannot be ignored. For instance, Hashfast was an example of a company who built a relatively fast chip but had problems with managing the power source and consequently went bankrupt. []
  9. At the time it was frequently reported that 21.co had raised $116 million but that was the sum total of all funding rounds.  The Series C was ~$56 million. []
  10. Srinivasan did talk about micropayments as early as March 2014. []
  11. Sources: CrunchBase / AngelList []
  12. In May 2015 it was reported that Cisco may invest or may have invested in 21inc. Padma Warrior, former Chief Technology and Strategy Officer at Cisco, was rumored to be a key individual involved in that deal. Note: as of August 2016, a site redesign on 21.co removed investors and corporate information from the homepage. []
  13. This is mainly because an earlier 21e6 pitch stated that the company would integrate mining chips in always-on consumer electronics and appliances. []
  14. Breakdown of Hardware Costs for New 21 Inc Bitcoin Computer by Sam Patterson []
  15. One reviewer commented: “I’d say one more thing worth adding is that it’s worth critiquing not just the feasibility of the Pitato but also the ethics. Because Pitatoes are inherently less efficient than regular mining farms due to economies of scale, the only way that they could be competitive relative to just buying bitcoin is if they were using free electricity; that is, basically all profitable usage of Pitatoes would be people using other people’s electricity in workplaces, universities, Starbucks, hotels, homes if the landlord pays for it, etc. I predict that if it actually became popular, then we’d see all the places that provide free electricity today become much more cautious about it, which could greatly reduce convenience for everyone but bitcoin miners.” []
  16. In one of its incarnations, Bitsplit was basically a euphemism for socializing CPU labor and privatizing some of the gains… now commonly called cryptojacking. []
  17. One reviewer said: “That earn.com pivot was done through the 21.co meetups that would host with Bitcoin engineers trying to buils apps on the 21 computer, which was eventually bricked. The idea for paying engineers for github pull requests led to earn.com’s business model.” []
  18. Note: in between the second and third pivot, during January 2017, Srinivasan deleted his tweets and interviewed for the top job at the FDA in Washington DC. []
  19. One reviewer commented that: “My personal view is that the current Earn.com concept is fundamentally legitimate and probably will see some usage (I can totally imagine consultants charging $50 for replying to emails, as that’s a very low-transaction-cost way to get one-time advice from people), but it deserves to exist as one of the 173 configurable settings in an email provider or social media service, not an independent multi-hundred-million dollar company. Perhaps the Coinbase acquisition actually will be utility-improving, in that gives the Earn.com team an ability to try to be useful by making gadgets for an existing company that has a userbase and services, rather than trying to build their own ecosystem which never made any sense (though it’s still a pretty disappointing end relative to Balaji’s original hype and aspirations).” []
  20. Is Coinbase a bank?  From the outside they seem to be a bit like a non-licensed deposit taking institution. []
  21. The line of reasoning is as follows: some startups attempted to randomly give away shares to strangers via various gimmicks but ultimately had to either take it back and/or were sued. If certain ICOs are deemed securities, you might not be able to just give them away to anonymous people. Reminder: I am not a lawyer, talk to a securities lawyer. []
  22. One competitor noted that: “21e6’s decision to go the Intel fabrication route was a non-starter. []
  23. Someone should remind me to talk about the dinner conversation that evening as well. []
  24. Coincidentally a few days prior to receiving those slides, I spoke with a NYC-based investor who was asking about the pros and cons of embedded ASICs for mining cryptocurrencies.  Specifically: should the fund invest in a startup designing embedded ASICs for bitcoin mining.  I provided my view point (the answer was no, still is a no).  During this same time frame there was a big meme being pushed by many Bitcoin boosters: that mining would somehow become re-decentralized via some unknown magic bullet.  Some of these promoters believed that 21.co would be the one to do it, without much evidence that the company could (or that anyone could). Note: there have been multiple other attempts at building and shipping embedded ASIC mining chips including from Midea and Bitfury.  None have been successful by any measure. []
  25. Remind me to mention the coincidence at Chipotle. []
  26. One reviewer asked: “Is this self-dealing?” []
  27. Another reviewer said: “This is acquisition theater, everyone is just trying to save face because this wasn’t a great idea, had wasteful execution, and the hype and hoopla reflects poorly on all involved.  The players fundamentally misunderstood the tech, the economics and use cases. I get that a VCs job is to make unsubstantiated bets on tech entrepreneurs they like. But here, an outright $116m investment in Bitcoin would have yielded X billions. And the “we returned all capital” probably because of BTC dividends and its price hike than cash returns.” []
  28. See Section 4 of a popular post last year. []
  29. What are the repercussions for publicly asking critical questions regarding bold claims such as those from a fireside chat with both Srinivasan and Andreessen?  Being blocked on ol’ Twitter. []
  30. Since we are going into the anecdote highway: in March 2015, at the Stanford Blockchain Workshop event, I approached Adam Ludwin after his panel discussion. On the panel he had mentioned that there could be a “redecentralization” of mining through an upcoming “Silicon Valley moment.” I assume he was talking about 21e6’s plan for mining chips being integrated into always-on devices because he was affiliated with one of its investors. When I told him I had seen a 21e6 deck and that it was making some very wild, likely incorrect assumptions, he basically said: we will see about that. Well, we have seen that once again: the difficulty rating rises with prices thereby diluting existing hash generating devices making them obsolete. []
  31. Some of the comments from the 21.co spokesperson are enjoyable. These hashing devices still wouldn’t be profitable at the current prices today because the difficulty rating has increased in proportion to the price yet all of the hashing units inside phone chargers and toasters had a fixed unit of labor. It’s a no-win situation for device owners as they would still have to pay for both the depreciating capital good (the device) as well as the electricity. []
  32. A couple hours after publishing this, a reader reached out and mentioned that: “I’m a proud owner of a Pitato. You forgot to mention that Balaji taught a course at Stanford about cryptocurrency and basically used it to promote 21co and Pitato to students. He gave it for free to students but all the labs were on this hardware. IMO it’s a conflict of interests for him as a professor <-> manager. The instructional material and repo is still online: (1) (2) (3) (4)”.  Note: I don’t think this is a conflict of interest, professors and lecturers sometimes have their students purchase a book they may have authored/co-authored as they are the subject-matter expert. []

Six bedtime stories from 2017

[Note: I neither own nor have any trading position on any cryptocurrency.  I was not compensated by any party to write this.  The views expressed below are solely my own and do not necessarily represent the views of my employer or any organization I advise.  See Post Oak Labs for more information.]

2017 taught us many things, including the fact that no one reads (or writes) or pays for long-form content any more.  Even with lovable memes and animated gifs, keeping an audience’s attention is hard.

Already too distracted to read further?  How about a quick video from JP Sears on how to appropriately Bitcoin Shame your friends and family:

The other takeaway for 2017 is that, if in doubt, open up hundreds of social media accounts and shill your way to riches.  The worst thing that could happen is no one buys your coin.  The best thing that happens is that someone buys your coin and you can then convert the coin into real money, retire, and act like you are super-wise thought leader with oodles of entrepreneurial and investing experience.

Some other stories with revisiting from the past year:

(1) “Legitimization”

If we were being intellectually honest we would say that the only goal post anyone cared about this year was that the price of cryptocurrencies, as measured in real money, and how high they soared.1 And that the main reason this occurred is because Bob knew Alice and Carol were both going to buy a lot of say, bitcoin, thereby pushing up the price, so he did too.  The Economist called it “the greater fool theory.”  But The Economist are great fools for not buying in at $1, so let’s ignore them.

Basically none of the feel-good goals about lowering remittance fees or increasing financial inclusion promoted in previous years by enthusiasts have really materialized.  In fact, at-risk users and buyers in developing economies probably got screwed on the ICO bandwagon as insiders and sophisticated investors who were given privileged early access to pre-sales, dumped the coins on secondary markets and hoi polloi ended up holding the bag on dozens of quarter-baked ICOs.2

Oh, but transaction fees for Bitcoin are at all-time highs, that’s a real milestone right?

There are many reasons for this, including the fact that Bitcoin Core’s scaling roadmap has thus far failed to achieve its advertised deadlines (see section 5 below).3 Maybe that will change at some point.

Shouldn’t higher fees be a cause for celebration with “champaign” (sic)? 4

Some Bitcoin Core representatives and surrogates have created an ever expanding bingo card of scapegoats and bogeymen for why fees have gone up, ranging from:

  • blaming Roger Ver and Jihan Wu as demonic-fueled enemies of Bitcoin
  • to labeling large chunks of transactions as ‘spam attacks’ from nefarious Lizard-led governments5
  • to flat out bitcoinsplaining: higher fees is what to expect when mass adoption takes place!

I’m sure you’ll be on their bingo card at some point too.

Just like Visa and other widely used payment network operators charge higher and higher rates as more and more users join on… oh they don’t.6 But that’s because they censor your freedom loving transactions!  Right?

So what’s the interim solution during this era of higher fees?  Need to send a bitcoin payment to someone?

You know how supermarkets used to hold items on layaway?  They still do, but it’s not as common to use, hence why you googled the term.  Well, in light of high fees, some Bitcoin Core developers are publicly advising people to open up a “tab” with the merchant.  You know, just like you do with your favorite local bartender.

Fun fact: the original title of the Satoshi whitepaper was, Bitcoin: a peer-to-peer electronic layaway system.

This faux comparison didn’t age well.  In 2014 this was supposed to be a parody. (Source)

For example, the ad above was promoted far and wide by Bitcoin enthusiasts, including Andreas Antonopoulos who still tries to throw sand in Western Union’s eye.  Seriously, watch the linked video in which Antonopoulos claims that Bitcoin will somehow help the poor masses save money such that they can now invest in and acquire clean water.  It’s cringe worthy.  Did Bitcoin, or Bitcoin-related businesses, actually do any of the things he predicted?  Beyond a few one-time efforts, not really.7 Never mind tangible outcomes, full steam ahead on the “save the world” narrative!

Many enthusiasts fail to incorporate in their cartoonish models: that the remittance and cross border payment markets have a set of inflexible costs that have led the price structure to look the way it does today, and a portion of those costs, like compliance, have nothing to do with the costs of transacting.8  There may be a way of reducing those costs, but it is disingenuous (and arguably unethical) to pull on the heart strings of those living on subsistence in order to promote your wares.9

Rather than repeat myself, check out the break down I provided on the same Western Union example back in 2014.  Or better yet, look at the frequently updated post from Save on Send, who has the best analysis bar none on the topic.

Back to loathing about ‘adoption’ numbers: few people were interested in actual usage beyond arbitrage opportunities and we know this because no one writes or publishes usage numbers anymore.10 I’ll likely have a new post on this topic next quarter but for a quick teaser: BitPay, like usual, still puts out headline numbers of “328% growth” but doesn’t say what the original 2016 baseline volume was in order to get the new number today.

I don’t strive to pick on BitPay (to be fair they’re like the only guys to actually publish something) but unfortunately for them, the market still has not moved their way: Steam recently dropped support for Bitcoin payments and a Morgan Stanley research note (below) showed that acceptance from top 500 eCommerce merchants dropped from 5 in 2016 to 3 in 2017.11

“This is possibly the saddest bitcoin chart ever” – BI. Source: Morgan Stanley

Due to a lack of relevant animated gifs, a full break down on the topic wouldn’t fit in this article.  But just a quick note, there were a number of startups that moved decisively away from their original stated business case of remittances and instead in to B2B plays (BitPesa, Bitspark) or to wallets (Abra). 12  These would be worth revisiting in a future article.13

So what does this all have to do with “legitimization”?

If you haven’t seen the Godfather trilogy, it’s worth doing so during or after the holiday break.14

This year we have collectively witnessed the techbro re-enactment of Godfather: Part 3 with the seeming legitimization of online bucket shops and dodgy casinos, aka cryptocurrency intermediaries, you wouldn’t talk about in polite company.

All of the worst elements of society, like darknet market operators, hate groups, and malware developers, effectively got eff you money and a cleansing mainstream “exit” courtesy of financial institutions coming in and regulators overwhelmed by all of the noise.15  Just like in No Country for Old Men, the bad guy(s) sometimes win.  This isn’t the end of that story but the takeaway for entrepreneurs and retail investors: don’t work or build anything. Just shill for coins on social media morning, noon, and night.

(2) Red Scares

I am old enough to remember back in 2013 when Bitcoin “thought leaders” welcomed Chinese Bitcoin users.  In late 2013, during the second bull run of that year, there were frequent reddit threads about how mainland Chinese could use Bitcoin to route around censorship and all the other common civil libertarian tropes.

Guess what happened?  On December 5th, 2013, the People’s Bank of China and four other ministries issued guidance which restricted activities that domestic banks could do with cryptocurrencies, thereby putting spot exchanges in a bit of a bind, causing panic and subsequently a market crash.  Within days there were multiple “blame China” threads and memes that still persist to this day.  Case in point: this thread titled, “Dear China” which had Mr. Bean flipping off people in cars, was voted to the top of /r/bitcoin within a couple months of the government guidance.  Classy.

As I detailed in a previous post, earlier in the autumn, several state organs in China finally closed down the spot exchanges, which in retrospect, was probably a good decision because of the enormous amounts of scams and deception going on while no one in the community was policing itself.16 In fact, some of the culprits that led Chinese exchanges into the dishonesty abyss are still around, only now they’re working for other high-profile Bitcoin companies. 17  Big surprise!

For example, Reuters did an investigation into some of the mainland exchanges this past September, prior to the closure of the spot exchanges.  They singled out BTCC (formerly BTC China) as having a checkered past:

Internal customer records reviewed by Reuters from the BTCChina exchange, which has an office in Shanghai but is stopping trading at the end of this month, show that in the fall of 2015, 63 customers said they were from Iran and another nine said they were from North Korea – countries under U.S. sanctions.

It’s unclear how much volume BTCC processed on behalf of North Koreans, one former employee says the volumes were definitely not zero.18 These were primarily North Koreans working in China, some in Dandong (right across the border).

For perspective: North Korea has been accused of masterminding the WannaCry ransomware attack and also attacking several South Korea exchanges to the tune of around $7 million this year.  Sanctions are serious business, check out the US Department of Treasury resource center to learn more.19

Isn’t China the root of all problems in Bitcoinland?

Source: Twitter

The sensationalism (above) is factually untrue yet look how many people retweeted and liked the quickly debunked conspiracy theory.  It’s almost as if, in the current mania, no one cares about facts.

As Hitchens might say: that which can be asserted without evidence, can be dismissed without evidence.  So to are the conspiracies around Bitcoin in China:

  • Is the Chinese government nationalizing Bitcoin?  No.
  • Is the Chinese government responsible for Bitcoin Cash.  No.
  • Is the Chinese government behind the rise in CryptoKitties. No.

In this bull market it is unclear why Paul has to resort to PR stunts, like making fearmongering tweets or opening a strike/call option at LedgerX with the bet that bitcoin will be worth $50,000 next year.20 There are many other ways to better utilize this capital: rethink investing in funds run by managers who are not only factually wrong but who spread fake rumors around serious issues like nationalization.

For instance, I don’t normally publicly write about who I meet, but this past July, while visiting Beijing I sat down with about a dozen members of their ‘Digital Money‘ team (part of the People’s Bank of China group involved in exploring and researching blockchain-related topics). 21 They had already spoken with my then-current employer as well as many other teams and companies (apparently the Zcash team saw them the very next day). While I don’t want to be perceived as endorsing their views, based on my in-depth discussion that day, this Digital Money team had clearly done their homework and heard from all corners of the entire blockchain ecosystem, both cryptocurrency advocates and enterprise vendors. They were interested in the underlying tech: how could the big umbrella of blockchain-related technology improve their financial market infrastructure?

Look at it another way: the Chinese government (or any government for that matter) has no need to nationalize Bitcoin, what value would it bring to them?  It would just be a cost center for them as miners don’t run for free.22  In contrast, their e-RMB team, based out of Shenzhen, has been experimenting with forks/clones of Ethereum.  This is public information.

But what about Jihan and Bitmain?  Aren’t they out to kill Bitcoin?

I can’t speak on his intentions but consider this: as a miner who manufacturers and sells SHA256 hardware that can be used by both Bitcoin and Bitcoin Cash (as well as any SHA256 proof-of-work coin), Bitmain benefits from repeat business and satisfied customers.  It is now clear that the earlier Antbleed campaign effort to demonize Bitmain was a massive PR effort to create a loss of confidence in Bitmain as it was promoted by several well known Bitcoin Core supporters and surrogates to punish Bitmain for its support for an alternative Bitcoin scaling roadmap and client.  In fact, as of this day, no one has brought forth actual evidence beyond hearsay, that covert ASICBoost is/was taking place.  Maybe they did, but you’d need to prove this with evidence.

Speaking of PR campaigns and mining…

(3a) Energy usage / mining

Over the past two months there have probably been more than a dozen articles whitewashing proof-of-work mining energy consumption numbers.  Coin Center, a lobbying group straight out of Thank You for Smoking, has its meme team out on continuous social media patrols trying to conduct damage control: no one must learn that Bitcoin mining isn’t free or that it actually consumes resources!

Source: Twitter

The title of the article above is complete clickbait BS.  Empirically proof-of-work mining is driving miners to find regions of the world that have a good combination of factors including: low taxes, low wages, low energy costs, quick time-to-market access (e.g., being able to buy and install new hashing equipment), reliable energy, reliable internet access, and low political turmoil (aka stability).23  Environmental impact and “clean energy” are talking points that Van Valkenburgh allege, but don’t really prove beyond one token “we moved to renewables!” story.  The next time Coin Center pushes this agenda item, be sure to just ask for evidence from miners directly.24.

Another example is in a recent Bloomberg View column from Elaine Ou (note: the previous company that she co-founded was shut down by the SEC).  She wrote:

Digital currency is wasteful by design. Bitcoin “miners,” who process transactions in return for new currency, must race to solve extremely difficult cryptographic puzzles. This computational burden helps keep the transaction record secure — by raising the bar for anyone who would want to tamper with it –- but also requires miners to build giant farms of servers that consume vast amounts of energy. The more valuable bitcoin becomes, the more miners are willing to spend on equipment and electricity.

Mining a proof-of-work coin (such as Bitcoin) can only be as ‘cheap‘ or ‘efficient’ as the block reward is worth. As the market price of a coin increases so too does the capital expended by miners chasing seigniorage.  This, we both agree on.

In the long run, proof-of-work miners will invest and consume capital up to the threshold in which the marginal costs of mining (e.g., land, labor, electricity, taxes, etc.) roughly equals the marginal revenue they receive from converting the bitcoins into foreign currency (aka real money) to pay those same costs.  This, we also both agree on.

What Ou makes a mistake on is in her first sentence: digital currencies are not all wasteful, only the proof-of-work variety are.  Digital currency != cryptocurrency.25

I know, I know, all other digital currencies that are not proof-of-work are crap coins and those who make them are pearl-clutching morons.  Contra Ou and Coin Center, it is possible for central banks, and even commercial banks, to issue their own digital currency — and they could do so without using resource intensive proof-of-work.26  The Bank of International Settlements recently published a good paper on the various CBDC models out there, well worth a read.  And good news: no mountains of coal are probably used in the CBDC issuance and redemption process.27

Back to proof-of-work coins: a hypothetically stable $1 million bitcoin will result in a world in which miners as a whole expend up to $1 million in capital to mine.  If the network ever became cheaper to operate it would also mean it is cheaper to permanently fork the network.  You can’t have both a relatively high value proof-of-work coin and a simultaneously non-resource intensive network.

While it is debatable as to whether or not Bitcoin mining is wasteful or not, it empirically does consume real resources beyond the costs of energy and the externalization of pollution onto the environment.  The unseen costs of hash generation for a $20,000 bitcoin is at least $13 billion in capital over a year that miners will eventually consume in their rent-seeking race albeit from a combination of resources.

Data source: BitInfoCharts

I quickly made the chart (above) to illustrate this revenue (or costs depending on the point of view).28 These are the eight largest proof-of-work-based cryptocurrencies as measured by real money market prices.

There are a few caveats: (1) some of the block rewards adjust more frequently than others (like XMR); (2) some of the coins have relatively low transaction fees which equates to negligible revenue so they were not included; (3) the month of December has seen some very high transaction fees that may or may not continue into 2018; (4) because block generation for some of these is based on an inhomogeneous Poisson process, blocks may come quicker than what was supposed to be “average.”

How to interpret the table?

The all-time high price for Bitcoin was nearly $20,000 per coin this year.  If in the future, that price held stable and persisted over an entire year, miners would receive about $13 billion in block rewards alone (not including transaction fees).  Empirically we know that miners will deploy and consume capital up to the point where the marginal costs equals the marginal value of the coin.29  So while there are miners with large operating margins right now, those margins will be eaten up such that about $13 billion will eventually be deployed to chase and capture those rewards.  Consequently, if all 8 of these proof-of-work coins saw their ATH extended through 2018, ceteris paribus, miners would collectively earn about $32.6 billion in revenue (including some fees).

There are a variety of sites that attempt to gauge what the energy consumption is to support the network hashrate.  Perhaps the most frequently cited is Digiconomist.  But Bitcoin maximalists don’t like that site, so let’s put together an estimate they cannot deny (yes, there are climate change denialists in the cryptocurrency world).

For the month of December, the network hashrate for Bitcoin hovered around 13.5 exahash/second or 13.5 million terahash/second (TH/s).

To get a lowerbound on how many hash-generating machines are being used, let’s look at a product called the S9 from Bitmain.  It is considered to be the most “efficient” off-the-shelf product that public consumers can order in volume.30 This mining unit generates around 13.5 TH/s.

So, if we were to magically wave our hands and replace all of the current crop of Bitcoin mining machines into the most efficient off-the-shelf product, we’d need about 1 million of these to be manufactured, shipped, installed, and maintained in order to generate the equivalent hashrate that the Bitcoin network has today.  Multiply 1 million S9’s times the amount of energy individually used by a S9 and you’d get a realistic lowerbound energy usage for the network today.31

Note: this doesn’t factor in land prices, energy costs, wages for employees, building the electrical infrastructure (e.g., installing transformers), and many other line items that are unseen in the chart above.  It also doesn’t include the most important factor: as more mining hashrate is added and the difficulty rating adjust upward, it dilutes the existing labor force (e.g., your mining unit does not improve or become more productive over time).

(3b) Energy usage upperbound

So what are the upperbound costs?

Source: Twitter

The tweet above is not a rare occurrence.  If you are reading this, you probably know someone who tried to mine a cryptocurrency from an office computer or maybe their computer was the victim of ransomware.

You may not think of much of the externalization and socialization of equipment degradation that is taking place, but because mining is a resource intensive process, the machines used for that purpose depreciate far faster than those with normal office usage.32  To date, no one has done a thorough analysis of just how many work-related computers have been on the receiving end of the mining process but we know that employees sometimes get caught, like the computer systems manager for the New York City Department of Education or the two IT staffers in Crimea.33

Even if miners eventually fully utilize renewable energy resources, most hash-generating machines currently deployed do not and will not next year.  These figures also do not factor in the fully validating nodes that each network has that run out of charity (people run them without any compensation) yet consume resources.  According to Bitnodes, Bitcoin has around 11,745 nodes online. According to EtherNodes, Ethereum has around 26,429 nodes online.

So is there an actual upperbound number?

There is, by dividing hashpower by cost and comparing to costs of various known processor types.  For instance, see this footnote for the math on how two trillion low-end laptop CPUs could be used.3435

Just looking at the hash-generating machines, according to Chen Min (a chip designer at Avalon Mining), as of early November, 5% of all transistors in the entire semiconductor industry is now used for cryptocurrency mining and that Ethereum mining alone is driving up DRAM prices.

This is not to say you should march in the streets demanding that miners should forgo the use of coal power plants and only use solar panels (which of course, require consumption of resources including semiconductors), there are after all, many other activities that are relatively wasteful.

But some Bitcoin and cryptocurrency enthusiasts are actively whitewashing the environmental impact of their anarchic systems and cannot empirically claim that their proof-of-work-based networks are any less wasteful or resource intensive than the traditional foreign capital markets they loathe.

In point of fact, while the traditional financial markets will continue to exist and grow without having to rely on cryptocurrencies for rationally pricing domestic economic activity, in 2018, as in years prior, Bitcoinland is still fully dependent on the stability of foreign economies providing liquidity and pricing data to the endogenous labor force of Bitcoin.  Specifically, I argue in a new article, that miners cannot calculate without using a foreign unit of account; that economic calculations on whether or not to deploy and consume capital for expanding mining operations can only be done with stable foreign currency.36

Keep in mind that cryptocurrencies such as Bitcoin only clear (not settle) just one coin (or token) whereas traditional financial markets manage, transact, clear and settle hundreds of different financial instruments each day. 37  For comparison, the Federal Reserve estimates that on any given day about 600 million payment, clearing, and settlement transactions take place in the US representing over $11 trillion in value.38  But this brings up a topic that is beyond the scope of this article.  Next section please.

(4) MIT’s Digital Currency Initiative

On the face of it, MIT’s DCI effort makes a lot of sense: one of the world’s most recognized institutions collaborating with cryptocurrency developers and projects worldwide.

But beneath the slick facade is a potential conflict of interest that has not been looked at by any media outlet.  Specifically, around its formal foray into building tools for central bank digital currency (CBDC).  Rob Ali, a well-respected lawyer turned research scientist (formerly with the Bank of England), was hired earlier this year by DCI to build and lead a team at MIT for the purpose of continuing the research he had started at the BoE.  This is no secret.

Less known is how this research has now morphed into a two-fold business:

  1. DCI charges central banks about $1 million a year to be a partner.39  What this allows the central bank to do is send staff to MIT and tap into its research capabilities.  This includes MIT representatives co-authoring a couple of papers each year focused on topics that the central bank is keen to explore.  Multiple central banks have written checks and are working together with DCI at this time.
  2. Building and licensing tools and modules to central banks and commercial banks.  DCI has hired several Bitcoin developers whom in turn have cloned/forked Bitcoin Core and Lightning.  Using this code as a foundation, DCI is building IP it aims to license to central banks who want to build and issue central bank digital currency.

Where is the conflict of interest?

DCI is housed within MIT’s Media Lab, whose current director is Joi Ito.  Ito is also the co-founder and director of Digital Garage.  Digital Garage is an investor in Blockstream and vocal advocate of Lightning; coincidentally Blockstream is building its own Lightning implementation. Having made several public comments in favor of Bitcoin Core’s hegemony, Ito also appears to be a critic of alternative blockchain implementations.

In looking at his publicly recorded events on this topic Ito does not appear to disclose that the organizations he co-runs and invests in, directly benefit from the marketing efforts that Bitcoin Core and Lightning receive.  Perhaps this is just miscommunication.

I’m all for competition in the platform and infrastructure space and think central bank digital currencies are legit (again check out this BIS paper) but this specific DCI for-profit business should probably be spun off into an independent company.  Why?  Because it would help reduce the perception that Ito – and others developers involved in it – benefits from these overlapping relationships.  After all, Bitcoin Core arguably has a disproportional political clout that his investment (Blockstream) potentially benefits from if/when Lightning goes into production.40 And again, this is not to say there shouldn’t be any private-public partnerships or corporate sponsorships of academic research or that researchers should be prohibited in investing in companies, rather just a recommendation for disclosure and clarity.

(5) Lightning Network

If you haven’t seen The Money Pit (with Tom Hanks), it is well worth it for one specific reason: the contractors and their staff who are renovating Hanks’ home keep telling Hanks that it will be ready in two weeks.

And after those two weeks are over, Hanks is informed yet again that it will be ready in another two weeks.

The Lightning Network, as a concept, was first announced via a draft paper in February 2015. Its authors, Tadge Dryja and Joseph Poon, had initially sketched out some of the original ideas at their previous employer Vaurum (now called Mirror).

Lightning, as it is typically called, is commonly used in the same breath as “the scaling solution,” a silver bullet answer to the current transactional limitations on the Bitcoin network.41 Nearly three years later, after enormous hype and some progress, a decentralized routing version still has not gone into production.  Maybe it will eventually but not one of its multiple implementations is quite ready today unless you want to use a centralized hub.42  Strangely, some of the terminology that its advocates frequently use, “Layer 2 for settlement,” is borderline hokum and probably has not been actually vetted to see if it fulfills the requirements for real “settlement finality.”43

And like multiple other fintech infrastructure projects, some of its advocates repeatedly said it would be ready in less than 6 months, several times.  For instance:

  • On October 7, 2015, Pete Rizzo interviewed multiple developers including Tadge Dryja and Joseph Poon regarding Lightning.  Rizzo wrote that: “In interview, Dryja and Poon suggested that, despite assertions project development could take years, Lightning could take as little as six months to be ready for launch.”
  • On April 5, 2016, Kyle Torpey interviewed Joseph Poon regarding expected time lines, stating that: “Lightning Network co-creator Joseph Poon recently supplied some comments to CoinJournal in regards to the current status of the project and when it will be available for general use. Poon claimed a functional version of the Lightning Network should be ready this summer.”
  • A month later, on May 5, 2016, Kyle Torpey interviewed Adam Back regarding his roadmap.  Torpey wrote that: “While all of these improvements are being implemented on Bitcoin’s base layer, various layer-2 solutions, such as the Lightning Network, can also happen in parallel. The Lightning Network only needs CHECKSEQUENCYVERIFY (along with two other related BIPs) and Segregated Witness to be accepted by the network before it can become a reality on top of the main Bitcoin blockchain.”
  • On November 12, 2016, Alyssa Hertig interviewed several developers including Pierre-Marie Padiou, CEO of ACINQ, one of the startups trying to building a Ligthning implementation.  According to Padiou: “The only blocker for a live Lightning implementation is SegWit. It’s not sure how or when it will activate, but if SegWit does activate, there is no technical thing that would prevent Lightning from working.”

Segregated Witness (SegWit) was activated on August 24, 2017.  More than four months later, Lightning is still not in production without the use of hubs.

Source: Twitter

Not to belabor the point, just this past week, one of the executives at Lightning Labs (which is building one of the implementations) was interviewed on Bloomberg but wasn’t asked about their prior rosy predictions for release dates.  To be fair, there is only so much they could cover in a six minutes allocation.

“Building rock solid infrastructure is hard,” is a common retort.

Who could have guessed it would take longer than 6 months?  Yes, for regular readers of my blog, I have routinely pointed out for several years that architecting and deploying financial market infrastructure (FMI) is a time consuming, laborious undertaking which has now washed out more than a handful of startups attempting to build “enterprise” blockchains.

For example, Lightning as a concept predates nearly every single enterprise-focused DLT vendor’s existence.  While not an equal comparison (they are trying to achieve different goals), there are probably ~5 enterprise-focused, ‘permissioned’ platforms that are now being used in mature pilots with real institutional customers and a couple could flip the “production” button on in the next quarter or so.4445

For what it is worth, enterprise DLT vendors as a whole did a very poor job managing expectations the past couple of years (which I mentioned in a recent interview).  And they certainly had their own PR campaigns during the past couple of years too, there is no denying that.  Someone should measure and quantify the amount of mentions on social media and news stories covering enterprise vendors and proposals like Lightning.46

Better late than never, right?  So what about missed time frames?

In a recent (unscientific) poll I did via Twitter (the most scientific voting platform ever!) found that of the more than 1,600 voters, 81% of respondents thought that relatively inexpensive anonymous Lightning usage won’t really be good to go for at least 6+ months.

Just as Adam Back proposed a moratorium on nebulous “contention” for six months (beginning in August), I propose a moratorium on using the term “Lightning” as a trump card until it is actually live and works without relying on hubs.  But don’t expect to see the crescendo of noise (and some signal) to die down in the meantime, especially once exchanges and wallets begin to demonstrate centralized, MSB-licensed implementations.47

With that suggestion, I can see it now: all of the Lightning supporters flaming me in unison on Twitter for not being a vocal advocate.  Sure beats shipping code!  To be even handed, Lightning’s collective PR effort was just one of many others (hello sofachains!) that could be scrutinized.  A future post could look at all funded infrastructure-related efforts to improve cryptocurrency networks.  Which ones, if any, showed much progress in 2017. 48

Interested in reading more contrarian views on the Lightning Network?  See Gerard and Stolfi (and Stolfi2x) (and Stolfi3x).  Let’s revisit in 6 months to see what has been launched and is in production.

(6) Objective reporting and analysis

Without sugar coating it: with the exception of a few stories, coin media not only dropped the ball on critically, objectively covering ICO mania this past year, but was largely complicit in its mostly corrupt rise.  This includes The Information, which is usually stellar, but seems to have fallen in the tank with the ICO pumpers.  That is, unless you’re a fake advisor and then they’ve got your number.

It took some time, but eventually mainstream and a few not-so-mainstream coverage has brought a much needed spotlight on some of the shady actions that took place this year. There were also a number of good papers from lawyers and academics published throughout 2017.

Your holiday reading list in no particular order:

One of my favorite articles this year should be yours too:

Just a few short months after Stephen Palley published the article above, a lawsuit occurred in which, surprise surprise, the plaintiffs highlighted specific claims in the white paper:

Source: Twitter

Note: that the SEC’s order against the Munchee ICO also relied on highlighting specific claims in the white paper.

Concluding remarks

Unfortunately 2017 will probably go down as the year in which several generations of nerds turned into day-trading schmucks, with colorful technical charts and all.50 This included even adopting religious slogans like:  Buy the dip!  Weakhands!  HODL!  We are the new 1%!  The dollar is crashing!  It’s not a bubble, it’s an adoption curve!

A few parting bits of advice: unfollow anyone that says this time things are different or the laws of economics have changed or calls themselves a “cryptolawyer” or who previously got shutdown by the SEC or who doesn’t have a LinkedIn page.  Rethink donating or investing funds to anyone who makes up rumors about mining nationalization or who was fired for gambling problems or has a communications team solely dedicated to designing memes for Twitter.51

Cryptocurrencies aren’t inherently bad and ideas like ERC721 are even cool.52 But as neat as some of the tech ideas may be, magic internet coins sure as heck continue to attract a lot of Scumbag Steves who are enabled by participants that have turned a blind eye.  It’s all good though, because everyone will somehow get a Moonlambo after the final boss is beaten, right?

Coda

I will have a separate post discussing predictions for 2018 but since we are reflecting on 2017, below are a few other areas worth looking into now that you’re a paper zillionare:

  • We have real empirical observation of hyperdeflation occurring: in which it is more rational to hoard the coin instead of spend it.  As a result, Bitcoin-focused companies that have accumulated bitcoin are still raising capital from external financial markets denominated in foreign currency instead of deploying (consuming) their own bitcoin. And these same startups are receiving valuations measured, not in terms of bitcoin, but in terms of a foreign unit of account.  What would change this trend?
  • Bitcoinland, with its heavy concentration of wealth, looks a lot like a feudal agrarian economy completely dependent on other countries and external financial markets in order to rationally deploy capital and do any economic calculation. Is there a way to build a dynamically adjustable cryptocurrency that does not rely on foreign capital or foreign reference rates?
  • How much proof-of-work related pollution has been externalized and socialized on the public at large due to subsidies in various regions like Venezuela?  What are the effects, if any, on global energy markets?
  • As traditional financial markets add products and solutions with direct ties to cryptocurrencies (futures, options, payments, custody), by the end of 2018 how much of the transactional activity on Bitcoin’s edges will be based on non-traditional financial markets (e.g., LocalBitcoins)?
  • There were a lot of publicity stunts this year.  Working backwards chronologically, the Andreas Antonopoulos donation could have been a publicity stunt, it also could be real.  The argument goes: how is someone with a best selling book, who charges $20,000+ for speaking engagements, and who has been receiving bitcoins for years (here is the public address), still in debt.  Maybe he is, maybe his family fell on hard times.  But few asked any questions when an anonymous person sent what amounted to $1 million in bitcoin enabling him to reset his tax basis.  (Hate me for writing this?  As an experiment, earlier this month I put up a Bitcoin and Ethereum address on the sidebar of the home page, feel free to shower me with your magic coins and prove me wrong.  I promise to convert it all into dirty filthy statist bucks.)  A few months prior to that, Jamie Dimon was accused of everything but eating babies after he said “Bitcoin is a fraud.”  Dozens of “Dear Jamie” letters were written begging him to see Bitcoin with their pure rose-tinted eyes.  At what point will Bitcoin enthusiasts grow some thick skin and ignore the critics they claim don’t matter?  And while we can continue to add PR stunts forever, the “fundraiser” for Luke-Jr’s home after Hurricane Irma had zero proof that it was his house, just a picture that Luke-Jr. says it was and the rest of the Bitcoin Core fan club promoting it.  Trust but verify?

[Note: if you found this research note helpful, be sure to visit Post Oak Labs for more in the future.]

Acknowledgements

Many thanks to the following for their constructive feedback: VB, YK, RD, CM, WG, MW, PN, JH

End notes

  1. Bitcoin fans basically walked onto the field before the football game, toppled the goal posts, and carried it outside the stadium declaring themselves victorious without having actually played the match. []
  2. How many of these unsophisticated buyers have subsequently lost the corresponding private keys?  See “Nearly 4 Million Bitcoins Lost Forever, New Study Says” from Fortune []
  3. I am sure I will be accused of being a “Bitcoin Cash shill” (which obviously I must be, there is no other explanation!) for pointing this out, but last week, one vocal Bitcoin Core supporter even proposed a commit to change the wording on Bitcoin.org surrounding low fees: “These descriptions of transaction features are somewhat open to interpretation; it would probably be best not to oversell Bitcoin given the current state of the network.” []
  4. As an actor on a classic Saturday Night Live sketch said: “You may ask how we at the Change Bank, make money? It’s simple, volume.” []
  5. I take issue with anyone claiming to be able to label transactions specifically as spam without doing an actual graph analysis.  See Slicing Data for more. Proof-of-lizard is not to be conflated with lizardcoin. []
  6. Note: this is not an endorsement of Visa, I do not have any equity or financial stake in Visa. []
  7. One reviewer commented: “One problem that affects all cryptocurrencies whether proof of work or of stake: What reason do most people have for using them that won’t run afoul of social policy objectives? As long as people need to convert them to regular fiat currencies, they have a distinct disadvantage. The only exception would be in failed economies where stable fiat currencies are restricted, until those governments see a cryptocurrency as a potential substitute and ban it. It is not even clear why a government would need to issue a cryptocurrency (not a CBDC). If it wants to serve unbanked people it could open or subsidize a bank for them which is what is being attempted in a few developing countries.” []
  8. One reviewer commented: “Fully peer-to-peer without banks ultimately leads to creating a new currency. A new currency means that for international payments you have the additional costs of converting into the currency and converting out of the currency. A currency not linked to a real world economy is always going to have a more volatile price (assuming it has any price at all). Volatility in FX always, always leads to higher transaction costs for exchange because the bid offer spread has to be wider. This is before you even get into the mining proof or work model and all its inherent flaws, which again ultimately result from trying to build a financial system without banks.” []
  9. One reviewer noted that: “Transferwise, Currency Fair, Revolut, Mondo and other startups are already doing it. And they’re doing it without having to break the rules and laws banks and Western Union have to play by. They’re building actual real, potentially sustainable businesses that are useful to society. They’re just not grabbing the headlines like the greater fool / Nakamoto Scheme is. When you build a real business, your scope for false promise making behind incoherent computer science jargon is pretty small.” []
  10. I even stopped aggregating numbers 18 months ago because fewer companies were making usage numbers public: it’s hard to write about specific trends when that info disappears.  Note: if you think you have some interesting info, feel free to send it my way. []
  11. BitPay has diversified its portfolio of services now, expanding far beyond the original merchant acceptance and recently closed a $30 million funding round.  However, the problem with their growth claims is they are typically measured in $USD volume. So, as the value of bitcoin has grown 10-20x (as measured in USD) in the past year, it is unclear how much BitPay has really grown in terms of new customers and additional transactions.  Note: the same can be said for most Bitcoin-specific companies making big growth-related claims, BitPay is just one example. []
  12. Movements occurred in other areas too, on the enterprise side, Chain was perhaps the most well known company to pivot away from that vertical. []
  13. One reviewer commented: “2017 was a good year for B2B players with some prominent funding rounds (e.g., Bitspark, Veem, BitPesa) and some claimed growth on blockchain “rails” (but also on non-blockchain) namely Veem and BitPesa. A big surprise of 2017 was a much broader awareness of cryptocurrencies, i.e., free massive PR. The Coinbase app became more popular than Venmo (and far ahead of any bank). As a result, one of the most intriguing questions right now for 2018 is if/how Coinbase could capitalize on this opportunity to become a full-fledged bank leveraging the best of banking-like services from players like Xapo, Uphold, and Luno?” []
  14. I suppose it is safe to assume that if you’re reading this, you are coin millionaire so you don’t worry about fiat-mandated holiday breaks like the rest of us. []
  15. Not all medium-to-large coin holders are the adopters you now see wearing suits on television talk shows.  Most coin holders, including the abusive trolls and misogynists on social media, have seen a large pay raise, enabling the worst elements to continue their bullying attacks and illicit activities.  See Alt-right utilizes bitcoin after crackdown on hate speech from The Hill []
  16. Worth pointing out that Ryan Selkis is attempting to push forward with a the self-regulatory effort called Messari.  See also: The Brooklyn Project. []
  17. Earlier this year, right after the law enforcement raids in China, one of the senior executives left BTCC but still remains on the board of the parent company that operates BTCC.  He quickly found a new senior role at another high-profile Bitcoin-focused company and uses his social media accounts to vigorously promote Bitcoin Core and maximalism. []
  18. As explored in a previous post, fake volumes among the Chinese exchanges was not uncommon and several of the large exchanges attempted to gain funding from venture capitalists while simultaneously faking the usage numbers. As one former employee put it: “That was an extraordinary attempt at fraud — faking the numbers through wash trading and simply printing trades, while using that data to attract investment and establish their valuation.” []
  19. Coinbase got into some problems in early 2015 when one of its investor decks highlighted the fact that cryptocurrencies, such as Bitcoin, could be used to bypass sanctions. []
  20. Ari Paul runs a small “crypto” hedge fund called BlockTower Capital (estimated to have between around $50-$80 million AUM) that like many companies in this space, faces an ongoing lawsuit.  Unclear why LPs didn’t just buy and hold cryptocurrencies themselves and cut out the hysteria and management fees. []
  21. Yea, I know, “money” is already digital… I didn’t give them that name, they did. []
  22. One reviewer noted: “The fact remains that if you replace the mining process with a a centralized system for validation of transactions and up-to-date of balances you could run the whole thing on an ordinary sized server for a few thousand dollars per year. Centralisation and a more logical data model are vastly better technically speaking. And it would be far easier to add in compliance and links to banks for more robust and honest methods for exchanging between a centralized bitcoin and fiat. What would the Chinese government gain from mining?” []
  23. One of the often overlooked benefits of setting up a mining farm in China is that many of the parts and components of mining equipment are either manufactured in China and/or final assembly takes place in China.  So logistically it is much quicker to transport and install the hardware on-site within China versus transport and use overseas. []
  24. I know a bunch and could maybe introduce them though some of them make public appearances at conferences so they can usually be approached or emailed. []
  25. In fact, many regulators, such as the ECB, categorize cryptocurrency as a type of “virtual currency,” separate from a “digital currency.” []
  26. There is often confusion conflating “transaction processing” and “hash generation,” the two are independent activities.  Today mining pools handle the transaction processing and have sole discretion to select any transactions from the memory pool to process (historically there have been thousands of ’empty’ blocks) — yet mining pools are still paid the full block reward irrespective of how many transactions they do or not process.  Hash generation via mining farms has been a discrete service for more than 5 years — think of mining pools as the block makers who outsource or subcontract the hash generation out to a separate labor force (mining farms) and then a mining pool packages the transactions into a block once they receive the correct proof-of-work.  Note: “fees” to miners is a slightly different but related topic. []
  27. CBDCs have their own issues, like the risk of crowding out ordinary banks in market for deposits in a low interest rate environment but they have little in common with anarchic crytocurrencies. []
  28. Many thanks to Vitalik Buterin for his feedback and suggestions here. []
  29. See also: Some Crypto Quibbles with Threadneedle Street from Robert Sams []
  30. There are other mining manufacturers, including some who only build for themselves, such as Bitfury. []
  31. Interestingly enough, the market price for one of these machines is around $2,000.  And if you do the math, you’ll see exactly what all professional miners do: it’d only cost $2 billion to buy enough machines to generate 100% of the network hashrate and claim all the $13 billion in rewards to yourself!  In other words, the seigniorage is big, fat, and juicy… and will attract other miners to come and bid up the price of mining to the equilibrium point. []
  32. There are many walk-throughs of bitcoin mining facilities, including this video from Quartz. []
  33. In the process of writing this article, a new story explained how more than 105,000 users of a Chrome extension were unknowingly mining Monero.  Heroic theft of CPU cycles, right? []
  34. In theory, and practice, the upperbound is not infinite.  We know from the hashrate being generated that there are a finite amount of cycles being spent repeatedly multiplying SHA256 over and over.  Perhaps a possible, but improbable way to gauge the upperbound is to take the processing speed of a low-end laptop CPU (which is not as efficient at hashing as its ASIC cousins are).  At 6 MH/s, how many seventh generation i3 chips would it take to generate the equivalent of 13.5 million TH/s?  On paper, over 2 trillion CPUs.  Note: 1 terahash is 1 million megahashes.  So 1 million laptop CPUs each generating 6 MH/s on paper, would collectively generate around 6 TH/s.  The current network hashrate is 13.5 exahash/s.  So you’d need to flip on north of 2 trillion laptop CPUs to reach the current hashrate.  In reality, you’d probably need more because to replace malfunctioning machines: a low-end laptop isn’t usually designed to vent heat from its CPU throttled to the max all day long. []
  35. One China-based miner reviewed this scenario and mentioned another method to arrive at an upperbound: “Look at the previous generation of ASICs which run at 2-3x watt per hash higher.  The previous generation machines normally get priced out within 18 months.  But with differing electricity costs and a high enough price, these machines get turned on.  Or they go to cheap non-petrodollar countries like Russia or Venezuela. So your base load of 1 million machines will have an upperbound of 2x to 3x depending on prevailing circumstances.” []
  36. It may be also worth pointing out that the “evil Chinese miners blocking virtuous Core” narrative is hard to justify because Bitcoin’s current relatively high fees are a direct result of congestion and has consequently increased miner revenue by 33% (based on December’s fees).  So in theory, it’s actually in the miners interest to now promote the small block position.  Instead, in reality, most miners were and are the ones advocating for bigger block sizes, and certain Bitcoin Core representatives were blocking those proposals as described elsewhere but we’re not going down that rabbit hole today. []
  37. One reviewer commented: “Financial instruments that either directly perform a service to our economy and even indirectly via speculation, enable price discovery for things that are important to people’s lives. Who’s lives is Bitcoin really important to right now? To this day the only markets it can claim to have any significant market share in, let alone be leader in, is illicit trade and ransomware. The rest appears to be just people looking to pump and shill.” []
  38. It’s also probably not worth trying to start a discussion about what the benefits, if any, there is for society regarding cryptocurrency mining relative to the resources it collectively consumes, as the comments below or on social media would simply result in a continuous flame war.  Note: colored coins and metacoins create distortions in the security assumptions (and rewards) for the underlying networks.  Watermarked tokens are neither secure nor proper for financial market infrastructure. []
  39. It is not $1 million straight, there are multiple levels and tiers. []
  40. There is an ongoing controversy around key decision makers within Bitcoin Core (specifically those who approve of BIPs) and their affiliation with Blockstream.  One of Blockstream’s largest investors, Reid Hoffman, said Blockstream would “function similarly to the Mozilla Corporation” (the Mozilla Corporation is owned by a nonprofit entity, the Mozilla Foundation). He likened this investment into “Bitcoin Core” (a term he used six times) as a way of “prioritiz[ing] public good over returns to investors.” []
  41. Because it is its own separate network, it actually has cross-platform capabilities.  However, historically it has been promoted and funded for initial uses on the Bitcoin network moreso than others. []
  42. Yes, I am aware of the demo from Alex Bosworth, it is a big step forward that deserves a pat on the back.  Now to decentralize routing and provide anonymity to users and improve the UI/UX for normal users. []
  43. To start with, see the Principles for Financial Market Infrastructures. []
  44. This is not an endorsement of a specific platform or vendor or level of readiness, but examples would include: Fabric, Quorum, Corda, Axcore, Cuneiform, and Ripple Connect/RCL. []
  45. While Lightning implementations should not be seen as a rival to enterprise chains (it is an apples to oranges comparison), the requirements gathering and technical hurdles needed to be overcome, are arguably equally burdensome and maybe moreso for enterprise-focused companies.  Why?  Because enterprise-focused vendors each need approval from multiple different stakeholders and committees first before they deploy anything in production especially if it touches a legacy system; most Lightning implementations haven’t actually formally defined who their end-customer is yet, let alone their needs and requirements, so in theory they should be able to “launch” it faster without the check-off. []
  46. For instance, CoinDesk currently has 229 entries for “lightning,” 279 entries for “DLT,” and 257 entries for “permissioned.” []
  47. It bears mentioning that Teechain, can achieve similar KPIs that Lightning can, via the use of hardware, and does so today.  BitGo’s “Instant” and payment channels from Yours also attempt to achieve one similar outcome: securely transmitting value quickly between participants (albeit in different ways). []
  48. We’d need to separate that from the enterprise DLT world because again, enterprise vendors are trying to solve for different use cases and have different customers altogether.  Speaking of which, on the corporate side, there is a growing impatience with “pilots” and some large corporates and institutions are even pulling back.  By and large, “blockchain stuff” (people don’t even agree on a definition still or if it is an uncountable noun) remains a multi-year play and aside from the DA / ASX deal, there were not many 2017 events that signaled a shorter term horizon. []
  49. Note: both the Fedcoin and CAD-coin papers were actually completed and sent to consortium members in November 2016 then three months later, published online. []
  50. One reviewer commented: “There seems to be a whole new wave of both suckers and crooks to exploit the geeks. I have read some the Chartist analysis on forums for more traditional forms of day-trading such as FX day-trading and it is exactly the same rubbish of trying to inject the appearance of intelligence and analysis into markets that the day-traders (and those encouraging them) simply do not understand.” []
  51. A former Coinbase employee, now running a “crypto” hedge fund, was allegedly fired for gambling issues.  Maybe he wasn’t but there are a lot of addicts of many strains actively involved in trading and promoting cryptocurrencies; remember what one of the lessons of Scarface was? []
  52. ERC20 and ERC721 tokens may end up causing a top-heavy problem for Ethereum. See Watermarked tokens and also Integrating, Mining and Attacking: Analyzing the Colored Coin “Game” []

Bitcoin Is Now Just A Ticker Symbol and Stopped Being Permissionless Years Ago

Financial market infrastructure in just one country (Source)

What is FMI?  More on that later.  But first, let’s talk about Bitcoin.

If you aren’t familiar with the Bitcoin block size war and its endless online shouting matches which have evolved into legal and even death threats, then you have probably been a very productive human being and should sell hugs and not wander into a non-stop social media dance off.

Why?  Because tens of thousands of man (and woman) hours have collectively been obliterated over a struggle that has illuminated that Bitcoin’s development process is anything but permissionless.

It also illuminates the poor fiduciary care that some VCs have towards their LPs.  In this case, more than a handful of VCs do not seem to really care about what a few of their funded companies actually produce, unless of course the quarterly KPIs include “have your new Bitcoin meme retweeted 1,000 times once a week.”

In some documented cases, several dozen executives from VC-backed Bitcoin companies have spent thousands of hours debating this size attribute instead of building and shipping commercializable products.  But hey, at least they sell cool hats and built up very large Twitter followings, right?

Fact #1: Satoshi Nakomoto did not ask anyone’s permission to launch, change, or modify the codebase she unilaterally released in 2009.

Fact #2: In 2009, when Satoshi Nakomoto issued and minted a new currency (or commodity or whatever these MLIC are) she did so without asking anyone else’s approval or for their “ack.”

In the approximately seven years since she stopped posting under her pseudonym, influential elements of Bitcoin’s anarchic community have intentionally created a permissioned developer system commonly referred to as the Bitcoin Improvement Proposal (BIP) process.  “Bitcoin Core” is the name for the group that self-selected itself to vet BIPs; involvement is empirically permissioned because you can get kicked off the island.1 There are a small handful of decision makers that control access to the code repository.

For example, if you’re a developer that wants to create and launch a new implementation of Bitcoin that includes different block sizes… and you didn’t get it approved through this BIP process, guess what?  You are doing permissionlessness wrong because you didn’t get permission from the BIP approval committee to do so.

Oh, but you realize that and still want to launch this new Bitcoin implementation with the help of other elements of the community, such as some miners and exchanges?

According to some vocal members of the current BIP approval committee (Bitcoin Core) and its surrogates, this is an attack on Bitcoin.  Obviously this is absurd because there is no de jure or legally defined process for changing or forking Bitcoin, either the chain itself or the code.

There is no terms of service or contract which explicitly states what Bitcoin is and who controls its development process.  Or more historically: if Satoshi didn’t need permission from a (non-existent) BIP approval committee to launch a cryptocurrency, then no other Bitcoin developer needs to either.

Tickers

Fast forward to this current moment in time: if the Bitcoin Cash or Segwit2X forks are an attack on network because either fork did not get ack’ed (approved) by the right people on the BIP approval committee or retweeted by the right “thought leaders” on social media, then transitively every 10 minutes (when a block is generated by a miner) arguably could be an attack on Bitcoin.

Why?  At any time a block maker (miner) could use a different software implementation with different consensus rules.  They, like Satoshi before them, do not need permission to modify the code.

Oh, but other miners may not build on top of that block and some exchanges may not recognize those blocks as “legitimate” Bitcoin blocks?

That is certainly a risk.  In fact, several exchanges are now effectively white listing and black listing — permissioning — Bitcoin-related blocks.

For instance, Bittrex, a large crypto-to-crypto exchange, has said:

The “BTC” ticker will remain the Bitcoin Core chain before the hard fork block. Bittrex will observe the Bitcoin network for a period of 24 to 48 hours to determine if a chain split has occurred and the outcome.

In the event of a chain split, “BTC” will remain the existing Bitcoin chain with 1 MB blocks until the industry and ecosystem demonstrates a clear chain preference for Bitcoin.

Bitfinex, the largest (and most nebulous) cryptocurrency exchange in the world, took this even further by stating:

The incumbent implementation (based on the existing Bitcoin consensus protocol) will continue to trade as BTC even if the B2X chain has more hashing power.

After heavy public (and private) lobbying by members and surrogates of Bitcoin Core, other exchanges have instituted similar policies favoring the incumbent.2  So what can alternative implementations to do?  Bend the knee?

Daenerys Targaryen, Breaker of Chains

Historically miners have built on the chain that is both the longest and also has the most accumulated difficulty… and one that has enough profitability to pay for the electricity bills.  It just happens that this collective block building activity is never called an “attack” because in general, most participants have been happy enough with the status quo.

Visions of what Bitcoin is and how it should be defined have clearly, empirically shifted over time.  But since this network was purposefully designed to be self-sovereign and anarchic — lacking contracts and hooks into any legal system — no one group can claim legitimacy over its evolution or its forks.

As a result, recent war cry’s that Segwit2X is a “51% attack” on Bitcoin are a red herring too because there is no consensus on the definition of what Bitcoin is or why the previous block – in which approximately 51% of the hashrate created a block – is not an attack on Bitcoin. 3

This has now morphed into what the “BTC” ticker on exchanges represents.  Is it the longest chain?  The chain with the most accumulated difficulty?  The chain maintained by Bitcoin Core or now defunct NYA developers?  If a group of block makers can build blocks and exchanges are willing to list these coins as “BTC” then that specific chain has just as much legitimacy as any other fork other miners build on top of and exchanges may list.

Furthermore, if the BIP approval committee gets to say what software miners or exchanges should or should not use (e.g., such as increasing or decreasing the block size), that could mean that existing network is a managed and even administered.  And this could have legal implications.  Recall that in the past, because block making and development were originally separate, FinCEN and other regulators issued guidance stating that decentralized cryptocurrencies were exempt from money transmission laws.

Despite what the trade associations and Bitcoin lobbying groups would like the narrative to be, I recently published an article that went into this very topic in depth and have publicly asked several prominent “crypto lawyers” to provide evidence to the contrary (they have yet to do so).  An argument could be made that these dev groups are not just a loose collective of volunteers.

Financial market infrastructure

I’m not defending S2X or XT or Bitcoin Unlimited.  In fact, I have no coins of any sort at this time.

But even if you don’t own any bitcoins or cryptocurrencies at all, the block size debate could impact you if you have invested in the formal financial marketplace.

For example, if and when the CME (and similar exchanges) get CFTC approval to list cryptocurrency-related futures products and/or the NYSE (and similar exchanges) get SEC approval to list cryptocurrency-related ETFs, these products will likely result in a flood of institutional money.

Once institutions, regulators, and sophisticated investors enter the picture, they will want to hold people accountable for actions.  This could include nebulous “general partnerships” that control GitHub repositories.  Recall, in its dressing down of The DAO, the SEC defined the loose collective building and maintaining The DAO as a ‘general partnership.’  Is Bitcoin Core or other identifiable development teams a “general partnership”?

Maybe.  In fact, the common refrain Bitcoin Core and its surrogates continually use amounts to arguments in favor of a purported natural monopoly.

For instance, Joi Ito, Director of MIT’s MediaLab, recently stated that:

“We haven’t won the battle yet. [But] I think the thing that is interesting is that Bitcoin Core has substantially more brain fire power than any of the other networks.”

This is problematic for a couple reasons.

First, Joi Ito is not a disinterested party in this debate.  Through Digital Garage (which he co-founded) it has invested in Blockstream, a company that employs several influential Bitcoin Core devs.4  Ignoring the potential conflict of interest, Ito’s remarks echo a similar sentiment he also made last year, that Core is basically “The Right Stuff” for NASA: they are the only team capable of sending humans into space.

But this is an empirically poor analogy because it ignores technology transfer and aerospace education… and the fact that multiple countries have independently, safely sent humans, animals, and satellites into space.

It also ignores how competitive verticals typically have more than just one dominant enterprise: aerospace, automobiles, semiconductor manufacturers, consumer electronic manufacturers (smart phones), etc.  Each of these has more than one company providing goods and services and even usually more than just one product development team developing those.  Intel, for example, has dozens of design teams working on many new chips at any given time of the year.  And they are just one of the major semiconductor companies.

Even in the highly regulated markets like financial services there is more than one bank.  In fact, most people are unaware of this but banks themselves utilize what is called “Core Banking Software” and there are more than a dozen vendors that build these (see image below).

It is a bit ironic that Bitcoin Core seeks to have a monopoly on the BIP process yet even banks have more than one vendor to choose from for mission critical software securely managing and processing trillions of dollars in assets each day.5

On the enterprise (non-anarchic) blockchain side of the ecosystem, there are well over a dozen funded teams shipping code, some of which is being used in pilots by regulated institutions that are liable if a system breaks.  Note: this is something I discussed in my keynote speech (slides) at the Korea Financial Telecommunications and Clearings Institute last year.

But as one vocal Core supporter in a WeChat room recently said, Bitcoin Core is equivalent to Fedwire or Swift, there is only one of each; so too does it make sense for only one Bitcoin dev team to exist.

Firstly, this conflates at least four different things: a specific codebase, with permissioned dev roles, with acceptance processes, with a formal organization.

It is also not a good analogy because there are many regulatory reasons why these two systems (Swift and Fedwire) exist the way they do, and part of it is because they were either setup by regulators and/or regulated organizations.  In effect, they have a bit of a legally ring-fenced marketplace to solve specific industry problems (though this is somewhat debatable because there are some alternatives now).6

If this supporter is equating Core, the codebase, with real financial market infrastructure (FMI), then they should be prepared to be potentially regulated.  Bitcoin Core and many other centralized development teams are comprised of self-appointed, vocal developers that are easy to identify (they have setup verified Twitter accounts and attend many public events), so subpoenas and RFI’s can be sent their way.

As I mentioned in my previous article: with great power comes great accountability.  Depending on the jurisdiction, Core and other teams could end up with regulatory oversight since they insist on having a monopoly on the main (only) implementation and process by which the implementation is managed.7

Remember that Venn diagram at the very top?  The companies and organizations that manage FMI today for central banks (RTGSs), central securities depositories (CSDs), and other intermediaries such as custodians and CCPs, have specific legal and contractual obligations and liabilities.

Following the most recent financial crisis, the G-20 and other counties and organizations established the Financial Stability Board (FSB) to better coordinate and get a handle on systemic risks (among other issues).  And while the genesis of the principles for financial market infrastructures (PFMI) had existed prior to the creation of the FSB, how many of the international PFMI standards and principles does Bitcoin Core comply with?

Spoiler alert: essentially none, because Satoshi intentionally wasn’t trying to solve problems for banks.  So it is unsurprising that Bitcoin isn’t up to snuff when it comes to meeting the functional and non-functional requirements of a global payments platform for regulated institutions.  Fact-check me by reading through the PFMI 101 guide.

When presented with these strong legal accountability and international standards that are part and parcel with running a payment system, there is lots of hand waving excuses and justifications from Core supporters (and surrogates) as to why they are exempt but if Core wants to enforce its monopoly it can’t have it both ways.  Depending on the jurisdiction they may or may not be scrutinized as FMI.

But in contrast, in looking at the evolution and development of the enterprise chain ecosystem – as I described in multiple previous articles – there are valuable lessons that can be learned from these vendors as to how they plan to operate a compliant network.  I recall one conversation with several managing directors at a large US investment bank over a year ago: maybe the enterprise side should just have CLS run a blockchain system since they have all the right business connections and fulfill the legal and regulatory check boxes.

Note: CLS is a very important FMI operator.  Maybe existing FMI operators will do just that.  Speaking of which, will Bitcoin Core (or other dev teams) apply to participate with organizations like the FSB that monitor systemically important financial institutions and infrastructure?

Angela Walch has argued (slides) that some coders, especially of anarchic chains, are a type of fiduciary.8  Even if this were not true, many countries have anti-monopoly and anti-trust laws, with some exceptions for specific market segments and verticals.  There are also laws against organized efforts involved in racketeering; in the US these are found within the RICO Act.

Watch the Godfather trilogy

I haven’t seen a formal argument as to why Core or other development teams could meet the litmus test for being prosecuted under RICO laws (though the networks they build and administer are frequently used for money laundering and other illicit activity).  But trying to use the “decentralization” trump card when in fact development is centralized and decisions are made by a few key individuals, might not work.

Look no further than the string-pulling Mafia which tried to decentralize its operations only for the top decision makers to ultimately be held liable for the activities of their minions.9  And using sock puppets and pseudonyms might not be full proof once forensic specialists are brought in during the discovery phase.10

Concluding remarks

Based on observations from how Bitcoin Core evolved and consolidated its power over time (e.g. removing participants who have proposed alternative scaling solutions), the focus on what Bitcoin is called and defined has landed in the hands of exchanges and really just highlights the distance that Bitcoin has walked away from a “peer-to-peer electronic cash” that initially pitched removing intermediaries.  To even care about what ticker symbol ‘Bitcoin’ is on an exchange is to acknowledge the need for a centralized entity that establishes what the “price” is and by doing so takes away the bitcoin holder’s “self-sovereignty.”11

While the power struggles between various factions within the Bitcoin development community will likely rage on for years, by permissioning off the development process, Bitcoin Core (and any other identifiable development groups), have likely only begun to face the potential regulatory mine field they have foisted on themselves.12

Historically blockchain-based systems have and still are highly dependent on the input and decision-making by people: somebody has to be in charge or nothing gets done and upgrades are a mess.  And the goal of appointing or choosing specific teams on anarchic chains seems to be based around resolving political divisions without disruptive network splits.13

The big questions now are: once these teams are in charge, what will governments expectations be?  What legal responsibilities and regulatory oversight will the developers have?  Can they be sued for anti-trust and/or RICO violations?  With billions of dollars on the line, will they need to submit upgrade and road map proposals for approval?

Endnotes

  1. Examples of developers who were removed: Alex Waters, Jeff Garzik, Gavin Andresen []
  2. Thanks to Ciaran Murray for identifying these exchanges. []
  3. Bitcoin mining is in fact based on an inhomogeneous Poisson process; a participant could theoretically find a block with relatively little hash rate.  Although due to the probabilities involved, most miners pool their resources together to reduce the variance in payouts. []
  4. According to one alleged leak, Digital Garage is testing Confidential Assets, a product of Blockstream. []
  5. According to a paper from the Federal Reserve: payment, clearing, and settlement systems in the United States “process approximately 600 million transactions per day, valued at over $12.6 trillion.” []
  6. On AngelList, there are about 3,400 companies categorized as “payments” — most of these live on top of existing FMI, only a handful are trying to build new independent infrastructure. []
  7. A key difference between Bitcoin and say Ethereum is that with Ethereum there are multiple different usable implementations managed by independent teams and organizations; not so with how Bitcoin has evolved with just one (Bitcoin Core) used by miners.  In addition, the Ethereum community early on formally laid out a reference specification of the EVM in its yellow paper; Bitcoin lacks a formal reference specification beyond the Core codebase itself. []
  8. See also The Bitcoin Blockchain as Financial Market Infrastructure: A Consideration of Operational Risk from Angela Walch []
  9. Thanks to Stephen Palley for providing this observation. []
  10. It is unclear why the current Bitcoin Core team is put onto a pedestal.  There are many other teams around the world building and shipping blockchain-related system code used by companies and organizations (it is not like there is only just one dev team that can build all databases or operating systems).  At the time of this writing Core has not publish any papers in peer-reviewed journals and many of them do not have public resumes or LinkedIn profiles because they have burned business and professional relationships in the past.  Irrespective of what their bonafides may or may not be, it is arguably a non sequitur that ‘permissionless’  coordination in open-source code development has to lead to a monopoly on said development. []
  11. Thanks to Colin Platt for this “appeal to authority” observation. []
  12. Bitcoin stopped being permissionless when developers, miners, and exchanges needed to obtain permission to make and use different code.  And likely there are and will be more other cryptocurrency development teams that follow that same path. []
  13. For an informed contrarian view on governance and distributed ledger technology, see The blockchain paradox: Why distributed ledger technologies may do little to transform the economy by Vili Lehdonvirta []

A few other perspectives on cryptocurrencies and ICOs

I received a lot of questions regarding my last post.  Over the past month I have read a number of interesting interviews and articles that I think contribute a lot to the discussion.

Some additional perspectives:

Update:

On July 25, the SEC published a new Investor Bulletin focused on ICOs and also published a report (pdf) detailing their position on ICOs, using The DAO as an example (which they noted violated several US securities laws).

Layer 2 and settlement

Nary a week goes by without having to hear a startup claim their service will have the ability to “settle” a cryptocurrency or virtual asset or something “smart,” on to Layer 2.

In this instance, Layer 2 refers to a separate network that plugs into a cryptocurrency via off-chain channels.1

This often comes up in conjunction with conversations surrounding the Bitcoin block size debate: specifically around (hypothetically) scaling to enable Visa-like transaction throughput vis-a-vis projects like the Thunder and Lightning network proposals which are often characterized as Layer 2 solutions.2

As Wolfgang Pauli might say, this is not even wrong.

Why?  For starters, the comparisons are not the same.


Apples-to-oranges

Visa is a credit clearing and authentication network, not a settlement network; in contrast no cryptocurrency has credit lines baked-in.  In addition – as I penned a year ago – in practice “settlement” is a legal concept and typically requires ties into the existing legal infrastructure such as courts and legally approved custodians. 3

Two simplified examples:

  1.  If Bob wanted to settle cash electronically and he lived in just about any country on the globe, the only venue that this electronic cash ultimately settles in right now is a central bank usually via its real-time gross settlement (RTGS) network
  2.  If Bob owned the title to a (dematerialized) security and he is trying to transfer ownership of it to someone else, the security ultimately settles in a central securities depository (CSD) such as the DTCC or Euroclear

What does this have to do with the world of blockchains and DLT?

As of this writing, no central bank-backed digital currency (CBDC) exists.4 As a consequence, there is no real digital cash settlement taking place on any ledger outside of a banks’ own ledger (yet).

One of the key goals for DLT platforms is to eventually get “cash on-ledger” issued by one or more central bank.  For instance, at R3 we are currently working on a couple of CBDC-related projects including with the Bank of Canada and Monetary Authority of Singapore.  And other organizations are engaged in similar efforts.

Why?

In short, one of the potential advantages of using a CBDC issued onto a distributed ledger is the enabling of network participants (such as financial institutions) to settle dematerialized (digitized) asset transfers without relying on outside reconciliation processes. Delivery versus Payment (DvP), the simultaneous exchange of an asset and its payment, could actually take place on-chain.5

However, today if participants on a distributed ledger wanted to settle a trade in cash on a distributed ledger, they could not. They would still need to settle via external processes and mechanisms, which according to an estimate from Autonomous research, collectively costs the industry $54 billion a year.  As a result, the industry as a whole is attempting to reduce and – if possible – remove frictions such as these post-trade processes.6

And according to a recent paper from the Bank of England as well as a new paper from the Federal Reserve, CBDCs are one invention that potentially could reduce some of these associated frictions and processes.

How it theoretically works

So how does that tie back in to a hypothetical Layer 2 or 3, 4, 5, connected to a cryptocurrency network?

Assuming one or more of the Lightning implementations is built, deployed, and goes “into production,” the only object that is being tracked and confirmed is a cryptocurrency.7

Cryptocurrencies, as I have written before, are anarchic: purposefully divorced from legal infrastructure and regulatory compliance.

As a result, it cannot be said that “Layer 2” will act as a settlement layer to anything beyond the cryptocurrency itself, especially since the network it attaches to can at most by design only guarantee probabilistic finality.8

In fact, the most accurate description of these add-on networks is that each Lightning implementation requires building completely separate networks run and secured by different third parties: pseudonymous node operators acting as payment processors.  What are the service-level agreements applied to these operators?  What happens if it is no longer profitable or sustainable to operate these nodes?  Who are you going to call when something – like routing – doesn’t work as it is supposed to?

And like most cryptocurrencies, Lightning (the generic Lightning) is developed as a public good, which – as a recent paper explored – may have hurdles from a fiduciary, governance, and accountability perspective.

Assuming the dev teams working on the various implementations solve for decentralized routing and other challenges, at most Lightning will be a clearing network for a cryptocurrency, not electronic cash or securities.  Therefore proponents of existing Layer 2 network proposals might want to drop the “settlement” marketing language because settlement probably isn’t actually occurring.  Trade confirmations are.

But what about colored coins?  Can’t central banks just use the Bitcoin network itself and “peg” bitcoins directly to cash or set-up a Bitcoin-like system that is backed by the central bank itself?

These are tangential to “Layer 2” discussion but sure, they could in theory.  In fact, the latter is an idea explored by JP Koning in a recent paper on “Fedcoin.”  In practice this is probably not ideal for a variety of reasons including: privacy, confidentiality, recourse, security, scalability, public goods problems, and the fact that pseudonymous miners operating outside the purview of national regulatory bodies would be in charge of monetary policy (among many other regulatory compliance issues).

Why not just use an existing database to handle these regulated financial instruments then?  This is a topic that has and will fill academic journals in the years to come (e.g., RSCoin).  But for starters I recommend looking at a previous post from Richard Brown and two newer posts from Antony Lewis.

Conclusion

There are real, non-aesthetic reasons why aviation designers and manufacturers stopped building planes with more than two or three wings, namely aerodynamics.  Creative ideas like Lightning may ultimately be built and deployed by cryptocurrency-related companies and organizations, but it is unclear how or why any regulated enterprise would use the existing proposals since these networks are not being architected around requirements surrounding settlement processes.

Perhaps that will change in time, but laws covering custody, settlement, and payment processing will continue to exist and won’t disappear because of anarchic “Layer 2” proposals.  Maybe it is possible to borrow and clone some of the concepts, reusing them for alternative environments, just like some of the “blockchain”-inspired platforms have reused some of the ideas underlying cryptocurrencies to design new financial market infrastructure.  Either way, both worlds will continue to co-exist and potentially learn from one another.

Endnotes

  1. From a word choice, it is arguably a misnomer to call Lightning a “layer” at all because relatively little is being built on top of Bitcoin itself.  These new networks are not powered by mining validators whereas colored coin schemes are. []
  2. While he doesn’t delve too much into any of these specific projects, Vitalik Buterin’s new paper on interoperability does briefly mention a couple of them.  Also note that the Teechan proposal is different than Lightning in that the former scales via trusted hardware, specifically Intel’s SGX tech, and sidesteps some of the hurdles facing current Lightning proposals. []
  3. This topic is a ripe area for legal research as words need to be precisely defined and used.  For instance, if bitcoins do not currently “settle” (in the sense that miners and users do not tie on-chain identities into court recognized identity, contract, and ledger systems thereby enabling traditional ownership transfer), does this impact government auctions of seized cryptocurrencies?  What was the specific settlement process involved in the auction process and are encumbrances also transferred?  It appears in practice, that in these auctions bitcoins do transfer in the sense that new entities take control of the private key(s), is this settlement? []
  4. An argument can be made that there are at least 3 publicly known exceptions to this, though it depends on the definition of an in-production CBDC.  This includes vendors working with: Senegal, Tunisia, and Barbados. []
  5. In blockchain parlance this is called an “atomic transfer.” []
  6. It is not just reconciliation processes, it is the actual DvP itself (plus the subsequent “did you get it yet” reconciliation processes). []
  7. As an aside, what are the requirements for “being in production?”  In the enterprise world, there is a difference between being in a sandbox and being in production.  Which blockchain(s) have been vetted for and secured against real production level situations and fulfilled functional requirements such as scaling and preserving confidentiality? []
  8. See Settlement Risks Involving Public Blockchains []

What’s the deal with DAOs?

[Disclaimer: I do not own any cryptocurrencies nor have I participated in any DAO crowdfunding.]

This post will look at the difference between a decentralized autonomous organization (DAO) and a project called The DAO.

Brief explanation

The wikipedia entry on DAOs is not very helpful.  However, Chapters 2 through 5 may be of some use (although it is dated information).

In terms of the uber hyped blockchain world, at its most basic kernel, a DAO is a bit of code — sometimes called a “smart contract” (a wretched name) — that enables a multitude of parties including other DAOs to send cryptographically verifiable instructions (such as a digitally signed vote) in order to execute the terms and conditions of the cloud-based code in a manner that is difficult to censor.

One way to think of a simple DAO: it is an automated escrow agent that lives on a decentralized cloud where it can only distribute funds (e.g., issue a dividend, disperse payroll) upon on receiving or even not receiving a digital signal that a task has been completed or is incomplete.

For instance, let us assume that a small non-profit aid organization whose staff primarily work in economically and politically unstable regions with strict capital controls, set up a DAO — an escrow agent — on a decentralized cloud to distribute payroll each month.

This cloud-based escrow agent was coded such that it would only distribute the funds once a threshold of digital signatures had signed an on-chain contract — not just by staff members — but also from independent on-the-ground individuals who observed that the staff members were indeed doing their job.  Some might call these independent observers as oracles, but that is a topic for a different post.1

Once enough signatures had been used to sign an on-chain contract, the escrow agent would automatically release the funds to the appropriate individuals (or rather, to a public address that an individual controls via private key).  The terms in which the agent operated could also be amended with a predetermined number of votes, just like corporate board’s and shareholder’s vote to change charters and contracts today.

The purported utility that decentralization brings to this situation is that it makes censoring transactions by third parties more difficult than if the funds flowed through a centralized rail.  There are trade-offs to these logistics but that is beyond the scope of this post.

The reason the DAO acronym includes the “organization” part is that the end-goal by its promoters is for it to provide services beyond these simple escrow characteristics such as handling most if not all administrative tasks such as hiring and firing.

Watch out Zenefits, the cryptocurrency world is going to eat your lunch!  Oh wait.

A short history

It is really easy to get caught up in the euphoria of a shiny new toy.  And the original goal of a DAO sounds like something out of science fiction —  but these undertones probably do it a disservice.

Prior to 2014 there had been several small discussions around the topic of autonomous “agents” as it related to Bitcoin.

For instance, in August 2013, Mike Hearn gave a presentation at Turing Festival (see above), describing what was effectively a series of decentralized agents that operated logistical companies such as an autonomous car service.

Several months later, Vitalik Buterin published the Ethereum white paper which dove into the details of how to build a network — in this case a public blockchain — which natively supported code that could perform complex on-chain tasks: or what he dubbed as a decentralized autonomous organization.

Timing

The impetus and timing for this post is based on an ongoing crowdsale / crowdfunding activity for the confusingly named “The DAO” that has drawn a lot of media attention.

Over the past year, a group of developers, some of whom are affiliated with the Ethereum Foundation and others affiliated with a company called Slock.it have created what is marketed as the first living and breathing DAO on the Ethereum network.

The organizers kicked off a month long token sale and at the time of this writing just over 10 million ether (the native currency of the Ethereum blockchain) — or approximately 13% of all mined ether — has been sent to The DAO.  This is roughly equivalent to over $100 million based on the current market price of ether (ETH).

In return for sending ether to The DAO, users receive an asset called a DAO Token which can be used in the future to vote on projects that The DAO wants to fund.2 It is a process that Swarm failed at doing.

An investment fund or a Kickstarter project?

I would argue that, while from a technical standpoint it is possible to successfully set up a DAO in the manner that The DAO team did, that there really isn’t much utility to do so in an environment in which censorship or the theft of funds by third parties will probably not occur.

That is to say, just as I have argued before that permissioned-on-permissionless is a shortsighted idea, The DAO as it is currently set up, is probably a solution to a problem that no one really has.3

Or in short, if you “invested” in The DAO crowdsale thinking you’re going to make money back from the projects via dividends, you might be better off investing in Disney dollars.

Why?

Putting aside securities regulations and regulators such as the SEC for a moment, most of the crowdsale “investors” probably don’t realize that:

  1. crowdfunding in general has a checkered track record of return-on-investment4
  2. crowdfunding in the cryptocurrency world almost always relies on the future appreciation of token prices in order to break-even and not through the actual creation of new features or tools (e.g., see Mastercoin/Omni which effectively flopped)
  3. that the funds, when dispersed to Slock.it and other “products,” could take years, if ever to return a dividend

Why would this pool of capital provide any better expected return-on-investment than others?

Or as Nick Zeeb explained to me:

My sense about The DAO is that it’s a fascinating experiment that I do not want to be part of. I also do not think that a committee of over 1,000 strangers will make wise investment decisions. Most good investment decisions are taken by courageous individuals in my opinion. Anything that can get past a big committee will probably not be the next Google. Imagine this pitch: “Hi I’m Larry and this is Sergey and we want to build the world’s 35th search engine.”

While it probably wasn’t the 35th search engine, tor those unfamiliar with the history of Google, Larry Page and Sergey Brin are the co-founders who created a search engine in what was then though a very crowded market.

So why the excitement?

I think part of it is quite simply: if you own a bunch of ether, there really isn’t much you can do with it right now.  This is a problem that plagues the entire cryptocurrency ecosystem.

Despite all the back-patting at conferences, the market is already filled with lots of different tokens. There is a glut of tokens which do not currently provide many useful things that you couldn’t already do with existing cash systems.5

Part of it also is that most probably think they will some become rich quick through dividends, but that probably won’t happen anytime soon, if at all.

With The DAO, only the development teams of projects that are voted and approved by The DAO (e.g., the thousands of users with DAO Tokens), will see any short term gains through a steady paycheck.  And it is only after they build, ship and sell a product that the original investors may begin seeing some kind of return.

Or in other words: over the past several weeks, the pooling of capital has taken place for The DAO.  In the future there will be various votes as to where that capital goes.  Shortly thereafter, some capital is deployed and later KPI’s will be assessed in order to determine whether or not funding should continue.  All the while some type of profit is sought and dividend returned.

Why, I asked another friend, would this pool of capital offer any better risk adjusted return-on-investment than other asset classes?

In his view:

The return might be high but so is the risk. Always adjust for risk. I think The DAO is better compared to a distributed venture capital firm. Whether that’s better or worse I don’t know — I mean you have the crowd deciding on investments. Or more realistically: nerds who know how to obtain ether (ETH) get to decide on investments.

Does that make them better VCs? Probably not. However, The DAO can decide to hire people with actual credentials to manage and select the investments, admitting its own weakness which would then turn into a strength. I think this can go either way but given the regulator is not prepared for any of this it will probably not work out in the short term.

Does the ‘design-by-giant-nerd-committee’ process work?

Over the past year we have already seen the thousands, probably tens-of-thousands of man-hours dropped into the gravity well that is known as the “block size debate.”  In which hundreds of passionate developers have seemingly argued non-stop on Slack, Twitter, reddit, IRC, conferences and so forth without really coming to an amicable decision any one group really likes.

So if block size-design-by-committee hasn’t worked out terribly well, will the thousands of investors in The DAO take to social media to influence and lobby one another in the future?  And if so, how productive is that versus alternative investment vehicles?

Redistributing the monetary base

Assuming Ethereum has an economy (which it probably doesn’t by most conventional measures), will The DAO create a deflationary effect on the Ethereum economy?

For instance, at its current rate, The DAO could absorb about 20% of the ether (ETH) monetary base.

Does that mean it permanently removes some of the monetary base?  Probably not.

For example, we know that there will be some disbursements to projects such as Slock.it, so there will be some liquidity from this on-chain entity.  And that future DAOs will spend their ether on expenses and development like a normal organization.

But we also know that there is a disconnect between what The DAO is, an investment fund, with what many people see it as: a large vault filled with gold laying in Challenger Deep that will somehow appreciate in value and they will be able to somehow extract that value.

Sure, we will all be able to observe that the funds exist at the bottom of the trench, but someone somewhere has to actually create value with the DAO Tokens and/or ether.

For the same reason that most incubators, accelerators and VC funds fail, that entrepreneur-reliant math doesn’t change for The DAO.  Not only does The DAO need to have a large volume of deal flow, but The DAO needs to attract legitimate projects that — as my friend point out above — have a better risk adjusted return-on-investment than other asset classes.

Will the return-on-investment of the DAO as an asset class be positive in the “early days”?  What happens when the operators and recipients of DAO funds eventually confront the problem of securities regulation?

So far, most of the proposals that appear to be geared up for funding are reminiscent to hype cycles we have all seen over the past couple of years.

Let’s build a product…

  • 2014: But with Bitcoin
  • 2015: But with Blockchain
  • 2016: But with DAO

Maybe the funds will not all be vaporized, but if a non-trivial amount of ETH ends up being held in this DAO or others, it could be the case that with sluggish deal flow, a large portion of the funds could remain inert.  And since this ether would not touching any financial flows; it would be equivalent to storing a large fraction of M0 in your basement safe, siloed off from liquid capital markets.

Ten observations

  1. Since the crowdsale / crowdfund began on April 30, the market price of ETH has increased ~30%; is that a coincidence or is there new demand being generated due to The DAO crowdsale?
  2. A small bug has been discovered in terms of the ETH to DAO Token conversion time table
  3. The DAO surpassed the Ethereum Foundation to become the largest single holder of ether (note: the linked article is already outdated)
  4. In terms of concentration of wealth: according to Etherscan, the top 50 DAO Token holders collectively “own” 38.49% of The DAO
  5. The top 500 DAO Token holders collectively “own” 71.39% of The DAO
  6. As of this writing there are over 15,000 entities (not necessarily individuals) that “own” some amount of a DAO Token
  7. Why is “own” in quotation marks? Because it is still unclear if controlling access to these private keys is the same thing as owning them.  See also: Watermarked Tokens as well as The Law of Bitcoin
  8. Gatecoin, which facilitated the crowdsale of both The DAO and DigixDAO was recently hacked and an estimated $2 million in bitcoins and ether were stolen
  9. Yesterday Gavin Wood, a co-founder of Ethereum, announced that he is stepping down as a “curator” for The DAO.  Curators, according to him, are effectively just individuals who identify whether someone is who they say they are — and have no other duties, responsibilities or authority.
  10. Three days ago, the Slock.it dev team — some of whom also worked on creating The DAO — did a live Q/A session that was videotaped and attempted to answer some difficult questions, like how many DAO Tokens they individually own.

Conclusion

About 17 months ago I put together a list of token crowdsales.  It would be interesting to revisit these at some point later this year to see what the return has been for those holders and how many failed.

For instance, there hasn’t really been any qualitative analysis of crowdsales or ICOs in beyond looking at price appreciation.6 What other utility was ultimately created with the issuance of say, factoids (Factom tokens) or REP (Augur tokens)?

Similarly, no one has really probed Bitcoin mining (and all POW mining) through the lens of a crowdsale on network security. Is every 10 minutes an ICO? After all, the scratch-off contest ties up capital seeking rents on seigniorage and in the long run, assuming a competitive market, that seigniorage is bid away to what Robert Sams has pointed out to where the marginal cost equals the marginal value of a token. So you end up with this relatively large capital base — divorced from the real world — that actually doesn’t produce goods or services beyond the need to be circularly protected via capital-intensive infrastructure.

Other questions to explore in the future include:

  • what are the benefits, if any, of using a centralized autonomous organization (CAO) versus decentralized autonomous organization (DAO) for regulated institutions?
  • how can a party or parties sue a decentralized autonomous organization? 7
  • what are the legal implications of conducting a 51% attack on a network with legally recognized DAOs residing on a public blockchain?8
  • will the continued concentration of ether and/or DAO Tokens create a 51% voting problem identified in the “Curator” section?

Still don’t fully understand what The DAO is?  Earlier this week CoinDesk published a pretty good overview of it.

[Special thanks to Raffael Danielli, Robert Sams and Nick Zeeb for their thoughts]

Endnotes

  1. Note: for the purposes of The DAO, “curators” are effectively identity oracles. []
  2. It appears that currently, once a quorum is achieved, a relatively small proportion of token holders can vote “yes” to a proposal to trigger a large payout. []
  3. The current line-up of goods and services are not based around solving for problems in which censorship is a threat, such as those facing an aid worker in a politically unstable region. []
  4. That is not to say that they all fail. In fact according to one statistic from Kickstarter, there was a 9% failure rate on its platform. Thus, it depends on the platform and what the reward is. []
  5. CoinGecko is tracking several hundred tokens. []
  6. ICO stands for “initial coin offering” — it is slight twist to the term IPO as it relates to securities. []
  7. An added wrinkle to identifying liable parties is: what happens when systems like Zcash launch? []
  8. This presupposes that a DAO will gain legal recognition and/or a public blockchain gains legal standing as an actual legal record. []

AFA Presentation: Cryptocurrencies, Blockchains and the Future of Financial Services

The slideshow below was first presented at an AFA panel on January 4, 2016 in San Francisco.

References:

A proxy for users

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.  Today is the 7th anniversary of the Genesis block.]

With over $900 million invested in cryptocurrency startups over the past couple of years, what does adoption and usage numbers look like?

Unfortunately very few of the companies that have received funding have publicly divulged actual numbers, primarily because consumer uptake has been lower than expected (or promised).

For instance, Coinbase recently published five charts it says reflect growth.

The first chart they show is transactions per day.

However, since we know that most transactions are “long-chain” transactions (comprised of spam, wallet shuffling, coin mixing, mining payouts, faucets, etc.), this is a poor indicator of actual on-chain trade and commerce or adoption.

long-chain transactionsAs illustrated in the chart above, once long-chains are removed, growth (as highlighted in the pink region) is roughly linear since 2014, at ~0.5x per year.

What about Coinbase itself?

Coinbase doesn’t typically divulge much about specifics, however it’s older pitch deck (from September 2014) does give a few details about its users, such as 40% of all Coinbase users are from three states: California, New York and Texas; as well as the amount of deposits that Coinbase holds for each customer.

wallet size

Slide 14, Coinbase pitch deck

While this number likely has changed in the past 15 months, ignoring the fluctuation in token prices it may be the case that the average deposit per customer has not increased significantly.  Why might that be?

Above is a 1-year chart produced by Coinbase showing the daily amount of off-chain transactions.  Or rather, transactions that take place on their own internal system.  As we can see, the volume is roughly the same across all of 2015.  If usage actually was increasing or user numbers were growing substantially, then we should be able to see some visible changes upward.  This has not occurred.

P2SH

P2SH chart

Source: P2SH.info

P2SH, or pay to script hash, is probably the most common method for securing bitcoins (or UTXOs) via multisig.  As shown in the two charts above, over the course of 2015 the percentage of existing bitcoins held in P2SH addresses increased from 6% to around 10% today.  Though over the past 5 months the amount has effectively plateaued.

According to marketing material, BitGo processes more than 50% of all P2SH transactions (more than all other service providers combined).  So this may also be an upward bound indicator of people who are savvy enough to secure their bitcoins via multisig (note: many custodial wallets such as Coinbase and Xapo purportedly secure certain layers of “cold wallets” via multisig and P2SH is just one method of doing so).

Multisig and Top Rich List

The chart above visualizes the percent of bitcoins owned by each address balance range.

As of block height 390,000 approximately 98.16% of all bitcoins reside on 513,648 addresses.  This is not to say there are only half a million bitcoin users on the planet, as some of the addresses are owned or controlled by multiple people (such as a custodial wallet or exchange).  But it is probably a pretty good proxy of on-chain users — users who actually control the private key and do not use an intermediary.

This is roughly twice as many on-chain users as twenty-one months ago (in April 2014) — at block height 295,000 — when I first started looking at this source.1

One interesting trend that ties in with the multisig window above is that at one point as recently as April 2014, none of the Top 500 addresses were using multisig.  But over the past year, as seen by the “3” prefix at the start of addresses, we can visibly see several dozen Top 500 addresses that now use multisig (note: some of the other addresses may use hardware wallets such as Trezor, Ledger or Case and not use multisig).

ATMs

bitcoin atm

Source: CoinATMRadar

I once heard a Bitcoin reporter tell me in the August 2014 that BitAccess was on track to be the first billion dollar Bitcoin company.  Whoops!

As we know empirically, the ATM industry in general is very low margin; companies make it up on volume which none of these startups have been able to thus far.  Despite the hype, over the past a grand total of 536 Bitcoin ATMs have been installed, roughly 275 per year.

For comparison, according to the ATM Association there are roughly 3 million ATMs globally.

Can’t this change in the future?   Perhaps, but recall that the average two-way (roundtrip) Bitcoin ATM fee is ~11% and there are only a handful located in emerging markets.  Why is the fee relatively high?  Because ATM owners are not operating charities and want to turn a profit.  If Bitcoin adoption truly was going gang busters you would expect this number to be growing exponentially and not linearly.

Bitcoin volatility

bitcoin volatility seriesAdmittedly this chart doesn’t have to deal with adoption.  There is no scientific correlation between the amount of usage or users of cryptocurrencies and the volatility of its trading pairs.

The reason I have included this is because in the Coinbase post above they state that bitcoin volatility is decreasing… relative to the Russian ruble and Brazilian real.  Yet from the volatility chart above, it is clear that volatility has not really decreased.  The BTC/USD volatility may be less than what it was in 2012, but on any given day it is still 10x more volatile than CNY/USD and 6x more volatile than USD/EUR — trading pairs that represent the real lionshare of global economic activity.

VC Funding

vc funding

Source: btcuestion / Coindesk

The chart above was created by user “btcuestion” and is based on data in the Coindesk venture investment spreadsheet.  It is a month by month bar chart over the course of the past two years.

What it shows is that VC investment in cryptocurrency-related startups peaked in Q1 2015.  Yet, the bulk of the Q1 investments came from the 21inc announcement which itself was an aggregation of its previous rounds that had taken place over the previous 18 months.  So funding may have actually peaked in Q4 2014.2

What this probably illustrates is that aside from a couple of permabull investors (such as Boost and Pantera), most serious venture capital has decided to wait and see how the dust settles before investing anything in this space.  Why?  Basically there has been no product market fit and few viable business models.3  Sure there has been a lot of publicity, but as Kevin Collier recently explored, there does not appear to be any permanent impact of say: Bitpay sponsoring a college bowl game last year.4

Bitwage activity

user signups

Source: Bitwage

payroll volume

Source: Bitwage

The two charts above both come from Bitwage, a startup that converts payrolls into bitcoins.  Ignoring the drop-off in January 2016 (it is the beginning of a new month), for most of 2015 there were roughly 200-300 new user signups each month and about $250,000 in salaries converted as well.

Again, this is not to say that Bitwage’s service is not useful, rather that if there was increased bitcoin growth and adoption, then one proxy could be through payroll conversion.  However, as shown above, growth is linear not exponential.

Blockchain.info wallets

Above is a 2-year, nearly linear line chart from Blockchain.info depicting the “My Wallet” Number of Users.  It bears mentioning that many people still use Blockchain.info wallets like a “temporary” wallet (or burner wallet) for coin mixing, yet despite the rapid creation rate for this purpose even if we look just at the last 6 months, it is not close to being exponential.

Hash rate

But what about hash rate?  It has continually gone up and to the right the last few months, surely this is an indicator of mass adoption?

All hash rate is measuring is the amount of work being generated by an unknown amount of computers (typically ASICs) somewhere on the planet.  Hash rate typically rises when the price of bitcoins rise and falls when the price of bitcoins fall (see Appendix B).  Since prices have nearly doubled over the past four months then it stands to reason that hash rate would correspondingly increase as hashing farms deploy new capital.5

Unless each site is inspected, it’s difficult to tell if there are more hashing farms and equipment and therefore “more users.”  However, what we do know is that there are roughly the same amount of pools today (~20) as there were three years ago.6

Counterparty

counterparty transactions

Source: Blockscan

Counterparty is an embedded consensus system (see section 1): an asset issuance platform that effectively staples itself onto the Bitcoin blockchain.

As shown above, on a given day roughly 500-1000 transactions take place through the platform.  According to Laurent MT, the spikes may be related to the weekly distribution of LTBCoins.  And again, despite turnkey services and vending machines such as Tokenly and CoinDaddy (and CounterpartyChain), overall growth on the ECS has effectively plateaued over the past year.

Conclusion

Bitcoin is a solution and service provider for those who hold bitcoins.  Despite the fanfare, the conferences and the perpetual feel-good op-eds in Techcrunch, the only people who seem to use it regularly seven years later are a niche demographic group: young, white, tech-savvy men in North America and Western Europe.  Many of whom have access to multiple other payment networks and asset classes for investment.

As a result, it is probably not a surprise that instead of using bitcoins to pay for coffee on-chain each day, most private key owners prefer to “hodl” or use intermediaries.  This may make sense for those with low time preferences, but it shouldn’t then come as a surprise that there are few, if any metrics that show wide-scale adoption beyond this core demographic.  Will this change in 2016 or will the “great pivot” continue?

  1. Spam and dust (such as “tips”) likely represents the remaining 1.84% of all bitcoins (located on 99% of all addresses). []
  2. Funding has instead switched over to the fledgling non-cryptocurrency distributed ledger industry. []
  3. Anecdotally, it appears that Coins.ph, BitX and Align Commerce have each gained actual traction in their respective regions. []
  4. Stephen Pair provided a new chart for Forbes which purportedly shows a large uptick in transactions processed.  This “surge” occurred during the same month as Bitcoin Black Friday and should be looked at again in the following months to see if it was a one-off event. []
  5. There are also stories of new chips supposedly being deployed.  In practice hashing farms do the Red Queen race: replace a machine… with another machine that uses the same amount of energy. []
  6. The claim that 21inc or other mining chip manufacturers will “redecentralize mining” is a misnomer.  Mining and hashing are not the same thing.  Unless a hashing operator also runs a fully validating node, then they are part of the outsourcing process.  More people may be hashing as part of the 21inc botnet, but not mining (mining is defined as selecting transactions to include in blocks; hashers do not do this activity, pools do). []

More events and articles

The past couple of months I’ve attended a number of events and written a few external articles.  Below is a compilation of them.

Panels:

Interviews and op-eds:

Citations

Anchor’s aweigh

One comment I have noticed continually re-appear on social media over the last couple months is roughly the following:

If you’re building a new blockchain you should regularly take a hash of the network state and “anchor” it (write it) into another blockchain, for redundancy purposes.

This “anchor” idea has appeared in public material from BitFury, Factom, Tierion, Gil Luria and now 21inc (a VC-backed botnet operator).

Part of the current popularity in the anchoring meme is that some cryptocurrency enthusiasts and Bitcoin maximalists in particular want other non-cryptocurrency distributed ledgers to rely on existing cryptocurrency networks — networks that some enthusiasts own tokens to and hope that price appreciation will take place in the event that the network is used.

Ignoring the hypothetical monetary incentives, let’s assume that writing/storing network states externally is useful and it is the goal of every blockchain designers such as Bob and Alice.  Are other blockchains the only relevantly secure places that all blockchain designers should look at using?

Probably not.

For instance, if the goal is to publish a hash of a state in a media that is difficult to censor and widespread enough to retrieve over time, then there are several “old school” newspapers and magazines that can be used for such purposes (which is what Guardtime does).

For instance:

  • There are half a dozen Japanese newspapers that each have over 2 million in circulation.
  • In the UK, both The Sun and Daily Mirror have a circulation of over 1.5 million
  • Similarly, in the US, there are three companies: USA Today, The New York Times and The Wall Street Journal that also have a circulation of over 1.5 million

The question for the paranoid is, what is more likely: someone deliberately destroying and/or replacing 1.5 million newspapers which contain the hash of the network state, or someone knocking out 5,728 network nodes?

While “anchoring” the hash of state into other media may be useful, leaving it in just one blockchain — such as the Bitcoin blockchain — does not fully reduce the risk of a well-funded attacker trying to revise history.  Safety in this case comes in numbers and if it is redundancy Bob and Alice are looking for (and paranoid about), it may be worth it to publish hashes in multiple venues and media.

Similarly, if sustainability is a key concern then public goods such as cryptocurrencies have a question mark on them as well. Why?  Because there are over 100 dead altcoins now.  Convincing users — and more importantly miners — to maintain a network when it is no longer profitable to do so is an uphill challenge.1

Lastly, a well designed network (or distributed ledger in this case) that is robust and mature should not necessarily rely on “anchoring” at all.  But this dovetails into a different conversation about how to design a secure network, a topic for another post.  Either way, hash-storage-as-service, is probably not the next big trillion dollar idea for 2016.

  1. It’s a challenge for any public good, not just Bitcoin, that eventually relies solely on altruism and charity. []

Watermarked tokens and pseudonymity on public blockchains

As mentioned a couple weeks ago I have published a new research paper entitled: “Watermarked tokens and pseudonymity on public blockchains

In a nutshell: despite recent efforts to modify public blockchains such as Bitcoin to secure off-chain registered assets via colored coins and metacoins, due how they are designed, public blockchains are unable to provide secure legal settlement finality of off-chain assets for regulated institutions trading in global financial markets.

The initial idea behind this topic started about 18 months ago with conversations from Robert Sams, Jonathan Levin and several others that culminated into an article.

The issue surrounding top-heaviness (as described in the original article) is of particular importance today as watermarked token platforms — if widely adopted — may create new systemic risks due to a distortion of block reorg / double-spending incentives.  And because of how increasingly popular watermarked projects have recently become it seemed useful to revisit the topic in depth.

What is the takeaway for organizations looking to use watermarked tokens?

The security specifications and transaction validation process on networks such as the Bitcoin blockchain, via proof-of-work, were devised to protect unknown and untrusted participants that trade and interact in a specific environment.

Banks and other institutions trading financial products do so with known and trusted entities and operate within the existing settlement framework of global financial markets, with highly complex and rigorous regulations and obligations.  This environment has different security assumptions, goals and tradeoffs that are in some cases opposite to the designs assumptions of public blockchains.

Due to their probabilistic nature, platforms built on top of public blockchains cannot provide definitive settlement finality of off-chain assets. By design they are not able to control products other than the endogenous cryptocurrencies they were designed to support.  There may be other types of solutions, such as newer shared ledger technology that could provide legal settlement finality, but that is a topic for another paper.

This is a very important issue that has been seemingly glossed over despite millions of VC funding into companies attempting to (re)leverage public blockchains.  Hopefully this paper will help spur additional research into the security of watermarking-related initiatives.

I would like to thank Christian Decker, at ETH Zurich, for providing helpful feedback — I believe he is the only academic to actually mention that there may be challenges related to colored coins in a peer-reviewed paper.  I would like to thank Ernie Teo, at SKBI, for creating the game theory model related to the hold-up problem.  I would like to thank Arthur Breitman and his wife Kathleen for providing clarity to this topic.  Many thanks to Ayoub Naciri, Antony Lewis, Vitalik Buterin, Mike Hearn, Ian Grigg and Dave Hudson for also taking the time to discuss some of the top-heavy challenges that watermarking creates.  Thanks to the attorneys that looked over portions of the paper including (but not limited to) Jacob Farber, Ryan Straus, Amor Sexton and Peter Jensen-Haxel; as well as additional legal advice from Juan Llanos and Jared Marx.  Lastly, many thanks for the team at R3 including Jo Lang, Todd McDonald, Raja Ramachandran and Richard Brown for providing constructive feedback.

Watermarked Tokens and Pseudonymity on Public Blockchains

What challenges arise when trying to scale watermarked tokens on Bitcoin?

[Note: the following overview on scaling Bitcoin was originally included in a new paper but needed to be removed for space and flow considerations]

Looking in the past, the older Viceroy overlay network scaled at O(logN) where N is the number of peers which is different than the contentious scaling in Bitcoin, where even Core developers do not agree on how per node bandwidth actually scales.1

For instance, one group of developers thinks that per node bandwidth on the Bitcoin network scales linearly, O(n).2

The use of O(n) is a way of capturing simply whether something scales linearly or not.   O(n) means: if it takes 5 seconds to do something when there are 10 nodes, it will take 50 seconds if there are 100. An example would be washing the dishes. It takes 30 seconds per plate and you just keep going one plate after another.

In contrast, another group of developers believes bandwidth requirements squares per node, which reads as O(n2).3

O(n2) means: if it takes 5 seconds to do something when there are 10 nodes, it will take 5 hundred seconds if there are 100. O(x) notation is an approximate. That is to say, while you have increased the number of items by a factor of 10, the time taken increased by a factor of about 100.

An example here might be if Bob needs to broker bilateral contracts between all the members of a new limited partnership fund.   Four partners would require six bilateral NDAs in total. Eight partners would require 24. Thus if Bob doubled the number of partners he would need more than four times as many contracts executing.4

One calculation (BitFury 2015a) implies that in terms of block verification time, Bitcoin scales at: N(1 + 0:091 log2 N).5 For comparison, Ripple’s consensus ledger also has O(n2) scaling.67

What does this have to do with watermarked tokens?

As described in (Breitman 2015c):8

[C]olored coins are potentially nefarious to the Bitcoin ecosystem. The security of Bitcoin rests on the assumption that miners stand to lose more by departing from consensus than they stand to gain. This assumption requires a balance between the reward received by miners, and the amounts they might stand to gain by reversing transactions. If colored coins represent valuable assets, this balance might be upset, endangering the status of all transactions.

A consequence of the hold-up problem is that it could lead to vertical integration. That is to say, to prevent this type of event (holding up the whole network) from happening in the future, colored coin platforms could acquire (or build) hashing facilities and pools.

Yet if they did this, not only would they need to increase expenditures by several orders of magnitude – which is the very reason they wanted to piggy back off the existing infrastructure to begin with – but they would effectively be building a permissioned network, with very high marginal costs.

In (Breitman 2015c) the author uses a car analogy to describe the cantankerous situation colored coins have created.9

In the analogy, the author explores an alternative universe in which the car was recently created and new owners foresaw the ability to use the car in many different ways, including a new “application” called shipping.

In this scenario, the car owners unilaterally dismissed unproven alternative “truck technology” and instead designed a solution for shipping: bolt a new wooden layer on top of four cars, much like watermarked platforms bolt themselves on top of Bitcoin.

But what about all the various mechanical challenges that came with this new ad hoc design?

Breitman makes the point that, though the same functionality of a truck can be achieved by putting a slab of wood on top of four cars, choosing it as a solution when other options exist is not effective. Similarly, in the context of a closed system, it makes little sense to rely on bitcoind, though inexperienced developers may have a bias towards it:

To be sure, they were several problems with the design. The aerodynamics were atrocious, but that could be somewhat alleviated by placing a tent over the contraption. Turning was initially difficult, but some clever engineers introduced swivels on top of the car, making the process easier. The cars would not always stay at the same speed, but using radio communication between the drivers more or less remedied the issue.

But, truck technology? Well that was unproven, and also trucks looked a lot like train wagons, and the real innovation was the car, so cars had to be used!

Where am I going with this? A large number of projects in the space of distributed ledgers have been peddling solutions involving the use of colored coins within permissioned ledgers. As we’ve explained earlier, colored coins were born out of the near impossibility of amending the code base of Bitcoin. They are first and foremost a child of necessity in the Bitcoin world… a necessary evil, a fiendish yet heroic hack unlocking new functionality at a dire cost.

One could argue that reusing the core bitcoind code offers the benefit of receiving downstream bug fixes from the community. This argument falls flat as the gist of such fixes can be incorporated into any implementation. Issues encountered by Bitcoin have ranged from a lack of proper integer overflow checking to vulnerabilities with signature malleability. Such issues can potentially affect any blockchain implementation; the difficulty lies in identifying them, not in producing a patch to fix them, a comparatively straightforward process. Of course, other bugs might be introduced when developing new functionalities, but the same is true regardless of the approach undertaken.

Basing a fresh ledger, independent from the Bitcoin blockchain, on a colored coin implementation is nothing short of perversion. It is akin to designing a truck using a wooden board bolted on the top of four cars. If, for some reason, the only type of vehicle that could use a highway were sedans, that solution might make sense. But if you have the chance to build a truck and instead chose to rig a container on top of a few cars then perhaps you should first learn how to engineer trucks.

As explored in the game theory model in Appendix B and car example above, there are real security issues with using this specific layered approach in both permissionless and permissioned systems.

The typical excuse for going such route is that building a new blockchain from scratch (e.g., Ethereum, Zerocash, Tendermint, Tezos) delays market entry and could make your startup fall behind the competition.

While it may be true that spending a year or more to purposefully design a new distributed ledger network from scratch will take significant time and resources, the reasons for doing (better security and scalabity) outweigh the downsides (systemic risks and vulnerabilities). Future research should also build models with additional agents.

It also bears repeating that based on the model presented in Appendix B, if the cost of attack is very high, the more plausible outcome is to not attack. However, if it is very attractive to attack there could have a different outcome that is worth further research.

  1. See A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al. p. 10 and Big-O scaling by Gavin Andresen []
  2. Over the past five months there have been volumes of emails, forum posts and panel discussions on the topic of how Bitcoin can and does scale. One thread that is recommended to readers is a recent reddit debate between Mike Hearn (mike_hearn) and Greg Maxwell (nullc). []
  3. Why do people say that bitcoin scales according to O(n^2)? from StackExchange []
  4. I would like to thank Richard Brown for this example and illustration. []
  5. Block Size Increase from BitFury Group, p. 5 []
  6. See p. 9 from Ripple Protocol Consensus Algorithm Review by Peter Todd []
  7. Surveying literature we can see that historically there have been dozens of attempts to create decentralized peer-to-peer reputation systems that needed to be self-organizing, Sybil-resistant, fault tolerant as well as the ability to scale. A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al.; A Survey of Attack and Defense Techniques for Reputation Systems by Kevin Hoffman, David Zage and Cristina Nita-Rotaru; and Survey of trust models in different network domains by Mohammad Momani and Subhash Challa []
  8. Making sense of colored coins by Arthur Breitman []
  9. Ibid []

A brief literature review

[Note: the following literature review was originally included in a new paper but needed to be removed for space and flow considerations]

How has previous research looked at information security?

Academic literature covering distributed computing and economics of information security and specifically peer-to-peer networks “Before Bitcoin” spans several decades.

Surveying literature (Lua et al. 2004; Hoffman et al. 2007; Momani and Challa 2009) we can see that there have been dozens of attempts to create decentralized peer-to-peer reputation systems that needed to be self-organizing, Sybil-resistant and fault tolerant.1

For instance, the Content Addressable Network (CAN), Chord, Kademlia and the Cooperative File System (CFS) each had a variety of characteristics that attempted to stave off abuse from attackers due to the environments they operated in (e.g., a distributed decentralized P2P infrastructure). Some used public-private key pairs, content hashes and others used NodeID.

These surveys also looked at Distributed Hash Trees (DHT) which have been known to be vulnerable to a number of attacks including Eclipse attacks, where the peering network itself comes under attack (which Bitcoin’s network is also prone to).2

What about other game theory issues? For example in (Lua et al., 2004) the authors wrote that:3

The ability to overcome free-rider problems in P2P overlay networks will definitely improve the system’s reliability and its value.

Sybil attacked termed by Douceur4 described the situation whereby there are a large number of potentially malicious peers in the system and without a central authority to certify peers’ identities. It becomes very difficult to trust the claimed identity. Dingledine et al.,5 proposes puzzles schemes, including the use of micro-cash, which allows peers to build up reputations. Although this proposal provides a degree of accountability, this still allows a resourceful attacker to launch attacks.

This is the same problem discussed above, that (Rosenfeld 2012) runs into regarding how to pay nodes on an open network.

How do these researchers believe it could be solved or fixed? According to (Lua et al., 2004):6

Having some sort of incentive model using economic and game theories, for P2P peers to collaborate is crucial to create an economy of equilibrium. When non-cooperative users benefit from free-riding on others’ resources, the tragedy of the commons7 is inevitable. Such incentives implementation in P2P overlay services would also provide a certain level of self-regulatory auditing and accounting behavior for resource sharing.

As shown above, despite rhetoric at Bitcoin-related conferences, many of the challenges facing Bitcoin today are in fact known problems facing decentralized peer-to-peer networks in general. The problem space for preventing Sybil attacks was and is relatively well-defined, Bitcoin again side-steps the actual solution by making it economically expensive, but not technically impossible to conduct history-reversing attacks, or even Sybil attacks on the gossip network.

P2Prep is a reputation system designed to “mitigate the effects of selfish and malicious peers in an anonymous, completely decentralized system.”8

How did it do this?

The system guards the anonymity of users and the integrity of packets through the use of public key cryptography. All replies are signed using the requester’s public key, protecting the identity of the responder and the integrity of the data. Only the requester is able to decrypt the packet and check the validity of the information.9

Credence (Walsh and Sirer 2006) is another peer-to-peer reputation system that uses gossip-based techniques to disseminate information.10 It defends itself:11

A key security consideration in the Credence system is the use of mechanisms to prevent spoofed votes or votes generated by fake identities. The system guards against such attacks by issuing digital certificates in an anonymous but semi-controlled fashion. The authors propose to mitigate Sybil attacks by requiring expensive computation on the part of the client before the server grants a new digital certificate. Every voting statement is digitally signed by the originator and anyone can cryptographically verify the authenticity of any given voting statement.

In (Momani and Challa 2010) the authors looked at security and trust concepts surrounding wireless sensor networks (WSN). At first glance this may seem unrelated to peer-to-peer networks but there are many similarities:12

The security issue has been raised by many researchers [14 – 24], and, due to the deployment of WSN nodes in hazardous and/or hostile areas in large numbers, such deployment forces the nodes to be of low cost and therefore less reliable or more prone to overtaking by an adversary force. Some methods used, such as cryptographic authentication and other mechanisms [25 – 32], do not entirely solve the problem. For example, adversarial nodes can have access to valid cryptographic keys to access other nodes in the network. The reliability issue is certainly not addressed when sensor nodes are subject to system faults. These two sources of problems, system faults and erroneous data or bad routing by malicious nodes, can result in the total breakdown of a network and cryptography by itself is insufficient to solve these problems. So new tools from different domains social sciences, statistics, e-commerce and others should be integrated with cryptography to completely solve the unique security attacks in WSNs, such as node capturing, Sybil attacks, denial of service attacks, etc.

In their survey they identified previous research that had looked at some of these same issues including In (Xiong and Liu 2003) where the authors attempted to build a reputation-based trust model for peer-to-peer distributed commerce platforms and use game theory to ameliorate the trust parameters by threats from malicious attacks.13

Going back more than fifteen years we can see that other researchers (Lamport 1998) and (Castro and Liskov 1999), that successful attempts were made to “use cryptographic techniques to prevent spoofing and replays and to detect corrupted messages” on a network that replicates services in the face of Byzantine faults.14

Volumes more can and will likely be written covering the research on these specific topics due in large part to the integral role that different types of information and financial networks play in the lives of consumers and businesses alike.

  1. A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al.; A Survey of Attack and Defense Techniques for Reputation Systems by Kevin Hoffman, David Zage and Cristina Nita-Rotaru; and Survey of trust models in different network domains by Mohammad Momani and Subhash Challa []
  2. Eclipse Attacks on Bitcoin’s Peer-to-Peer Network by Heilman et al. []
  3. A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al., p. 11 []
  4. J. R. Douceur, “The sybil attack,” in Proceedings of the First International Workshop on Peer-to-Peer Systems , March 7-8 2002, pp. 251– 260. []
  5. R.   Dingledine,   M.   J.   Freedman,   and   D.   Molnar,   “Accountability measures for peer-to-peer systems,” in Peer-to-Peer: Harnessing the Power of Disruptive Technologies , D. Derickson, Ed.     O’Reilly and Associates, November. []
  6. A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al., p. 20 []
  7. G. Hardin, “The tragedy of the commons,” Science , vol. 162, pp. 1243– 1248, 1968. []
  8. A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al., p. 28. Among other startups, Mnet was a peer-to-peer distributed data store, whose (former) employees would go on to help create BitTorrent and Tahoe-LAFS. This was during the same survey period. []
  9. Ibid, p. 29 []
  10. Experience with an Object Reputation System for Peer-to-Peer Filesharing by Kevin Walsh and Emin Gün Sirer []
  11. A Survey of Attack and Defense Techniques for Reputation Systems by Kevin Hoffman, David Zage and Cristina Nita-Rotaru, p. 30 []
  12. Survey of trust models in different network domains by Mohammad Momani and Subhash Challa []
  13. A Reputation-Based Trust Model for Peer-to-Peer eCommerce Communities by Li Xiong and Ling Liu []
  14. Practical Byzantine Fault Tolerance by Miguel Castro and Barbara Liskov. According to Leslie Lamport, in The Part-Time Parliament, p. 23: “The Paxon Parliament protocol provides a distributed, fault-tolerant imiplmentation of the database system.” []

Creative angles of attacking proof-of-work blockchains

[Note: the following views were originally included in a new paper but needed to be removed for space and flow considerations]

While most academic literature has thus far narrowly focused under the assumption that proof-of-work miners such as those used in Bitcoin will behave according to a “goodwill” expectation, as explored in this paper, there may be incentives that creative attackers could look to exploit.

Is there another way of framing this issue as it relates to watermarked tokens such as colored coins and metacoins?

Below are comments from several thought-leaders working within the industry.

According to John Light, co-founder of Bitseed:1

When it comes to cryptocurrency, as with any other situation, an attacker has to balance the cost of attacking the network with the benefit of doing so. If an attacker spends the minimum amount required to 51% attack bitcoin, say $500 million, then the attacker needs to either be able to short $500 million or more worth of BTC for the attack to be worth it, or needs to double spend $500 million or more worth of BTC and receive some irreversible benefit and not get caught (or not have consequences for getting caught), all while taking into consideration the loss of future revenues from mining honestly. When you bring meta-coins into the equation, things get even murkier; the cost is less dependent on the price of bitcoin or future mining revenues, and depends more on the asset being attacked, whether it’s a stock sale or company merger that’s being prevented, or USD tokens being double-spent.

There’s no easy answer, but based on the economics of the situation, and depending on the asset in question, it doesn’t seem wise to put more value on chain than the market cap of BTC itself (as a rough benchmark – probably not that exact number, but something close to it).

Not a single study has been publicly published looking at this disproportionalism yet it is regularly touted at conferences and social media as a realistic, secure, legal possibility.

According to Vitalik Buterin, creator of Ethereum:2

There are actually two important points here from an economics perspective. The first is that when you are securing $1 billion on value on a system with a cryptoeconomic security margin that is very small, that opens the door to a number of financial attacks:

  1. Short the underlying asset on another exchange, then break the system
  2. Short or long some asset at ultrahigh leverage, essentially making a coin-flip bet with a huge amount of money that it will go 0.1% in one direction before the other. If the bet pays off, great. If it does not pay off, double spend.
  3. Join in and take up 60%+ of the hashrate without anyone noticing. Then, front-run everyone. Suppose that person A sends an order “I am willing to buy one unit of X for at most $31”, and person B sends an order “I am willing to sell one unit of X for at least $30”. As a front-runner, you would create an order “I am willing to sell one unit of X for at least $30.999” and “I am willing to buy one unit of X for at most $30.001”, get each order matched with the corresponding order, and earn $0.998 risk-free profit. There are also of course more exotic attacks.

In fact, I could see miners even without any attacks taking place front-running as many markets as they can; the ability to do this may well change the equilibrium market price of mining to the point where the system will, quite ironically, be “secure” without needing to pay high transaction fees or have an expensive underlying currency.

The second is that assets on a chain are in “competition” with each other: network security is a public good, and if that public good is paid for by inflation of one currency (which in my opinion, in a single-currency-chain environment, is economically optimal) then the other currencies will gain market share; if the protocol tries to tax all currencies, then someone will create a funky meta-protocol that “evades taxes by definition”: think colored coins where all demurrage is ignored by definition of the colored coin protocol. Hence, we’ll see chains secured by the combination of transaction fee revenue and miner front running.

Unsolved economics question: would it be a good thing or a bad thing if markets could secure themselves against miner frontruns? May be good because it makes exchanges more efficient, or bad because it removes a source of revenue and reduces chain security.

Cryptoeconomics is a nascent academic field studying the confluence of economics, cryptography, game theory and finance.3

Piotr Piasecki, a software developer and independent analyst explained:4

If a malicious miner sees a big buy order coming into the market that would move the price significantly, they can engage in front running – the buy order could be pushed to the back of the queue or even left out until the next block, while the miner buys up all of the current stock and re-lists it at a higher price to turn a profit. Alternatively, when they see there is a high market pressure coming in, especially in systems that are inefficient by design, they can buy the orders up one by one by using their power to include any number of their own transactions into a block for free, and similarly re-list them for people to buy up.

Or in other words, because miners have the ability to order transactions in a block this creates an opportunity to front run. If publicly traded equities are tracked as a type of colored coin on a public blockchain, miners could order transaction in such a way as to put certain on-chain transactions, or trades in this case, to execute before others.

Robert Sams, co-founder of Clearmatics, previously looked at the bearer versus registered asset challenge:5

One of the arguments against the double-spend and 51% attacks is that it needs to incorporate the effect a successful attack would have on the exchange rate. As coloured coins represent claims to assets whose value will often have no connection to the exchange rate, it potentially strengthens the attack vector of focusing a double spend on some large-value colour. But then, I’ve always thought the whole double-spend thing could be reduced significantly if both legs of the exchange were represented on a single tx (buyer’s bitcoin and seller’s coloured coin).

The other issue concerns what colour really represents. The idea is that colour acts like a bearer asset, whoever possesses it owns it, just like bitcoin. But this raises the whole blacklisted coin question that you refer to in the paper. Is the issuer of colour (say, a company floating its equity on the blockchain) going to pay dividends to the holder of a coloured coin widely believed to have been acquired through a double-spend? With services like Coin Validation, you ruin fungibility of coins that way, so all coins need to be treated the same (easy to accomplish if, say, the zerocoin protocol were incorporated). But colour? The expectations are different here, I believe.

On a practical level, I just don’t see how pseudo-anonymous colour would ever represent anything more than fringe assets. A registry of real identities mapping to the public keys would need to be kept by someone. This is certainly the case if you ever wanted these assets to be recognised by current law.

But in a purely binary world where this is not the case, I would expect that colour issuers would “de-colour” coins it believed were acquired through double-spend, or maybe a single bitcoin-vs-colour tx would make that whole attack vector irrelevant anyway. In which case, we’re back to the question of what happens when the colour value of the blockchain greatly exceeds that of the bitcoin monetary base? Who knows, really depends on the details of the colour infrastructure. Could someone sell short the crypto equity market and launch a 51% attack? I guess, but then the attacker is left with a bunch of bitcoin whose value is…

The more interesting question for me is this: what happens to colour “ownership” when the network comes under 51% control? Without a registry mapping real identities to public keys, a pseudo-anonymous network of coloured assets on a network controlled by one guy is just junk, no longer represents anything (unless the 51% hasher is benevolent of course). Nobody can make a claim on the colour issuer’s assets. So perhaps this is the real attack vector: a bunch of issuers get together (say, they’re issuers of coloured coin bonds) to launch a 51% attack to extinguish their debts. If the value of that colour is much greater than cost of hashing 51% of the network, that attack vector seems to work.

On this point, Jonathan Levin, co-founder of Chainalysis previously explained that:6

We don’t know how much proof of work is enough for the existing system and building financially valuable layers on top does not contribute any economic incentives to secure the network further. These incentives are fixed in terms of Bitcoin – which may lead to an interesting result where people who are dependent on coloured coin implementations hoard bitcoins to attempt to and increase the price of Bitcoin and thus provide incentives to miners.

It should also be noted that the engineers and those promoting extensibility such as colored coins do not see the technology as being limited in this way. If all colored coins can represent is ‘fringe assets’ then the level of interest in them would be minimal.

Time will tell whether this is the case. Yet if Bob could decolor assets, in this scenario, an issuer of a colored coin has (inadvertently) granted itself the ability to delegitimize the bearer assets as easily as it created them. And arguably, decoloring does not offer Bob any added insurance that the coin has been fully redeemed, it is just an extra transaction at the end of the round trip to the issuer.

  1. Personal correspondence, August 10, 2015. Bitseed is a startup that builds plug-and-play full nodes for the Bitcoin network. []
  2. Personal correspondence, August 13, 2015. []
  3. See What is cryptoeconomics? and Formalizing Cryptoeconomics by Vlad Zamfir []
  4. Mining versus Consensus algorithms in Crypto 2.0 systems by Piotr Piasecki []
  5. As quoted in: Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? by Tim Swanson; reused with permission. []
  6. This example originally comes from Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? by Tim Swanson; reused with permission. []

A few known Bitcoin mining farms

[Note: the following overview on known Bitcoin mining farms was originally included in a new paper but needed to be removed for space and flow considerations]

Several validators on the Bitcoin network, as well as many watermarked token issuers, are identifiable and known.1 What does this mean?  Many Bitcoin validators are drifting usage outside the pseudonymous context of the original network due to their use of specialty equipment that creates a paper trail.  In other words, pseudonymity has given way to real world identity.  Soon issuers of color will likely follow because they too have strong ties to the physical, off-chain world.

For instance, on August 4, 2015, block 368396 was mined by P2Pool. This is notable for two reasons.

The first is that the block included a transaction sent from Symbiont.io, a NYC-based startup building “middleware” that enables organizations and financial institutions to create and use ‘smart securities’ off-chain between multiple parties and have the resulting transaction hashed onto a blockchain, in this case, the Bitcoin blockchain.2

Several weeks later, Symbiont announced that it would begin using their “stack” to provide similar functionality on a permissioned ledger.3 This follows a similar move by T0.com – a wholly owned subsidiary of Overstock.com – which initially used Open Assets to issue a $5 million “cryptobond” onto the Bitcoin blockchain, but have subsequently switched to using a “blockchain-inspired” system designed by Peernova.456

The second reason this was notable is that the block above, 368396, included at least one transaction from Symbiont which was mined by a small pool called P2Pool.7 Unlike other pools discussed in this paper, P2Pool is not continually operated in a specific region or city.

It is decentralized in that all participants (hashers) must run their own full Bitcoin nodes which stand in contrast with pools such as F2Pool, KnC mining pool and BTCC (formerly called BTC China), where the pool operator alone runs the validating node and the labor force (hashers) simply search for a mid-state that fulfills the target difficulty.8

Due to this resource intensive requirement (running a full node requires more bandwidth and disk space than merely hashing itself), P2Pool is infrequently used and consequently comprises less than 1% of the current network hashrate.

P2Pool’s users are effectively pseudonymous. Due to the intended pseudonymity it is also unclear where the transaction fees and proceeds of hashing go. For instance, do the hashers comprising this pool benefit from the proceeds of illicit trade or reside in sanctioned countries or who to contact in the event there is a problem? And unlike in other pools, there is no customer service to call and find out.

Bitcoin’s – and P2Pool’s – lack of terms of service was intentionally done by design (i.e., caveat emptor). And in the event of a block reversal, censored transaction or a mere mistake by end-users, as noted above there is no contract, standard operating procedure or EULA that mining pools (validators) must adhere to. This is discussed in section 3.

This pseudonymous arrangement was the default method of mining in 2009 but has evolved over the years. For example, there are at least two known incidents in which a miner was contacted and returned fees upon request.

Launched in late summer of 2012 and during the era of transition from GPUs and FPGA mining, ASICMiner was one of the first publicly known companies to create its own independent ASIC mining hardware. Its team was led by “FriedCat,” a Chinese businessman, who custom designed and integrated ASIC chips called Block Eruptors, ASICMiner operated their own liquid immersion facility in Hong Kong.9

At its height, ASICMiner (which solo-mined similar to KnC and BitFury do today) reached over 10% of the network hashrate and its “shareholders” listed its stock on GLBSE (Global Bitcoin Stock Exchange), GLBSE is a now defunct virtual “stock market” that enabled bitcoin users to purchase, trade and acquire “shares” in a variety of listed companies.10 GLBSE is notable for having listed, among other projects, SatoshiDice which was later charged by the Securities and Exchange Commission (SEC) for offering unregistered securities to the public.1112

While unregistered stock exchanges catering to cryptocurrency users and China-based mining pools may be common sights today, on August 28, 2013, a bitcoin user sent a 200 bitcoin fee that was processed by ASICMiner.13 Based on then-market rates, this was approximately worth $23,518.14 The next day, for reasons that are unknown, ASICMiner allegedly sent the errant fee back to the original user.15 At the time, one theory proposed by Greg Maxwell (a Bitcoin Core developer) was that this fee was accidentally sent due to a bug with CoinJoin, a coin-mixing service.16

Liquid Bitcoin

Liquid cooled hashing equipment at ASICMiner in 2013. Source: Xiaogang Cao

The second notable incident involved BitGo, a multisig-as-a-service startup based in Palo Alto and AntPool, a large China-based pool (which currently represents about 15% of the network hashrate) operated by Bitmain which also manufacturers Antminer hardware that can be acquired directly from the company (in contrast to many manufacturers which no longer sell to the public-at-large). On April 25, 2015 a BitGo user, due to a software glitch, accidentally sent 85 bitcoins as a mining fee to AntPool. Based on then-market rates, this was worth approximately $19,197.17

The glitch occurred in BitGo’s legacy recovery tool which used an older version of a library that causes a 32-bit truncation of values and results in a truncation of outputs on the recovery transaction.18 To resolve this problem, the user “rtsn” spent several days publicly conversing with tech support (and the community) on Reddit.19

Eventually the glitch was fixed and Bitmain – to be viewed as a “good member of the community” yet defeating the purpose of a one-way-only, pseudonymous blockchain – sent the user back 85 bitcoins.

May Bitcoin Fee

Fee to Bitmain (Antpool) highlighted in red on Total Transaction Fee chart.  Source: Blockchain.info

On September 11, 2015 another user accidentally sent 4.6 bitcoins (worth $1,113) as a fee to a mining pool, which in this instance was AntPool.20 Bitmain, the parent company, once again returned the fee to the user.

Do we know about other farms?21

HaoBTC is a newly constructed medium-sized hashing farm located in Kangding, western Sichuan, near the Eastern border with Tibet.22 It currently costs around 1.5 million RMB per petahash (PH) – or $242,000 – to operate per year. This includes the infrastructure and miner equipment costs. It does not include the operating costs which consists of: electricity, labor, rent and taxes (the latter two are relatively negligible).

The facility itself cost between $600,000 – $700,000 to build (slightly less than the $1 million facility BitFury built in 2014 in the Republic of Georgia) and its electrical rate of 0.2 RMB per kWh comes from a nearby hydroelectric dam which has a 25,000 kW output (and cost around $10 million to construct).23

In dollar terms this is equivalent to around $0.03 / kWh (during the “wet” or “summer” season). For perspective, their electric bill in August 2015 came in at 1.4 million RMB (roughly $219,000); thus electricity is by far the largest operating cost component.

When all the other costs are accounted for, the average rises to approximately $0.045 per kWh. The electricity rate is slightly more expensive (0.4 RMB or $0.06) during winter due to less water from the mountains. The summer rate is roughly the same price as the Washington State-based hashing facilities which is the cheapest in the US (note: it bears mentioning that Washington State partly subsidizes hydroelectricity).

HaoBTC

HaoBTC staff installing hashing equipment. Source: Eric Mu

At this price per joule it would cost around $105 million to reproduce “work” generated by the 450 petahash Bitcoin blockchain. Due to a recent purchase of second-hand ASICMiner Tubes, HaoBTC currently generates just over 10 PH and they are looking to expand to 12 PH by the end of the year.24 The key figure that most miners are interested in is that at the current difficulty level it costs around $161 for HaoBTC’s farm to create a bitcoin, giving them a nearly 100% margin relative to the current market price.

The ASIC machines they – and the rest of the industry uses – are single use; this hashing equipment cannot run Excel or Google services, or even bitcoind. Thus common comparisons with university supercomputers is not an apples-to-apples comparison as ASIC hashing cannot do general purpose computing; ASIC hashing equipment can perform just one function.25

There is also a second-hand market for it. For instance, hashing facilities such as HaoBTC actively look to capitalize off their unique geographical advantages by using older, used hardware. And there is a niche group of individuals, wanting to remain anonymous, that will also purchase older equipment.26

Although individual buyers of new hashing equipment such as Bob, do typically have to identify themselves to some level, both Bob can also resell the hardware on the second-hand market without any documentation. Thus, some buyers wanting to buy hashing equipment anonymously can do so for a relative premium and typically through middlemen.2728

While Bitbank’s BW mining farm and pool have been in the news recently29, perhaps the most well-known live visual of mining facilities is the Motherboard story on a large Bitcoin mining farm in Dalian, Liaoning:30

Incidentally, while Motherboard actually looked at just one farm, the foreigner helping to translate for the film crew independently visited another farm in Inner Mongolia which during the past year Bitbank apparently acquired.31

Are there any other known facilities outside of China?32

Genesis Mining

Source: Business Insider / Genesis Mining

Genesis Mining is a cloudhashing service provider that purportedly has several facilities in Iceland.33 According to a recent news story the company is one of the largest users of energy on the island and ignoring all the other costs of production (aside from electricity), it costs about $60 to produce a bitcoin.34 However, when other costs are included (such as hardware and staffing) the margin declines to — according to the company — about 20% relative to the current bitcoin price. At the time of the story, the market price of a bitcoin was around $231.

The four illustrations above are among a couple dozen farms that generate the majority of the remaining hashrate.

What does this have to do with colored coins?

The network was originally designed in such a way that validators (block makers) were pseudonymous and identification by outside participants was unintended and difficult to do.  If users can now contact validators, known actors in scenic Sichuan, frigid Iceland or rustic Georgia, why not just use a distributed ledger system that already identifies validators from the get go?  What use is proof-of-work at all? Why bother with the rhetoric and marginal costs of pseudonymity?

The social pressure type of altruism noted above (e.g,. Bitmain and BitGo returning fees) actually could set a nebulous precedent: once block rewards are reduced and fees begin to represent a larger percentage of miner revenue, it will no longer be an “easy” decision to refund the user in the event there is a mistake.35 If Bitmain did not send a refund, this backup wallet error would serve as a powerful warning to future users to try and not make mistakes.

While there have been proposals to re-decentralize the hashing process, such as a consumer-device effort led by 21inc which amounts to creating a large corporate operated botnet, one trend that has remained constant is the continued centralization of mining (block making) itself.3637 The motivation for centralizing block making has and continues to be about one factor: variance in payouts.38 Investors in hashing prefer stable payouts over less stable payouts and the best way to do that with the current Poisson process is to pool capital (much like pooling capital in capital markets to reduce risk).

Whether or not these trends stay the same in the future are unknown, however it is likely that the ability to contact (or not contact) certain pools and farms will be an area of continued research.

Similarly one other potential drawback of piggy backing on top of a public blockchain that could be modeled in the future is the introduction of a fat tail risk due to the boundlessness of the price of the native token.39 In the case of price spikes even if for short time can create price distortions or liquidity problem on the off-chain asset introducing a correlation between the token and the asset that theoretically was not supposed to be there.

  1. For instance, the staff of Let’s Talk Bitcoin issues LTBCoin on a regular basis to listeners, content creators and commenters. []
  2. Wall Street, Meet Block 368396, the Future of Finance from Bloomberg []
  3. On August 20, 2015, Symbiont announced it is also building a permissioned ledger product. See also the second half of Bitcoin’s Noisy Size Debate Reaches a Hard Fork from The Wall Street Journal, Why Symbiont Believes Blockchain Securities Are Wall Street’s Future from CoinDesk and Why Symbiont Believes Blockchain securities are Wall Street’s Future []
  4. The CoinPrism page for the specific token that Overstock.com initially used for the “cryptobond” can be viewed here; similarly the file on the T0 domain that verifies its authenticity can be seen here. See also: World’s First Corporate “Cryptobond” was issued using Open Assets []
  5. Overstock CEO Uses Bitcoin Tech to Spill Wall Street Secret from Wired and Overstock.com and FNY Capital Conclude $5 Million Cryptobond Deal from Nasdaq []
  6. One reviewer likened the Overstock “cryptobond” proof of concept as a large wash trade: ”Basically it’s a cashless swap of paper and thus no currency settlement. And the paper has no covenants and thus very easy to digitally code. Basically Overstock is paying FNY a spread of 4% for doing this deal. And if the bond and loan are called simultaneously, say in the next month, that means that Overstock paid FNY about $16,667.00 to do this trade. And since there was no cash exchanged, I am presuming, then this is smoke and mirrors. But they actually did it. However, I don’t see much of a business model where the issuer of a bond has to simultaneously fund the investor with a loan to buy the bond and pay him 33 basis points to boot!” []
  7. P2Pool wiki and P2Pool github []
  8. See Target, How Bitcoin Hashing Works and On Mining by Vitalik Buterin []
  9. ASICMINER: Entering the Future of ASIC Mining by Inventing It from Bitcoin Talk, Mystery in Bitcoinland…. the disappearance of FriedCat from Bitcoin Reporter; Chinese Mining mogul FriedCat has stolen more than a million in AM hash SCAM from Bitcoin Talk and Visit of ASICMINER’s Immersion Cooling Mining Facility from Bitcoin Talk []
  10. See 12.2 Pool and network miner hashrate distributions from Organ of Corti and Bitcoin “Stock Markets” – It’s Time To Have A Chat from Bitcoin Money []
  11. See SEC Charges Bitcoin Entrepreneur With Offering Unregistered Securities from SEC and the Administrative Proceeding order []
  12. In (Rosenfeld 2012) the author noted that one of the risks for running an “alternative to traditional markets” – such as GLBSE – were the regulatory compliance hurdles. Overview of Colored Coins by Meni Rosenfeld, p. 4. []
  13. Block 254642 and Some poor person just paid a 200BTC transaction fee to ASICminer. []
  14. According to the Coindesk Bitcoin Price Index, the market price of a bitcoin on August 28, 2013 was approximately $117.59. []
  15. Included in block 254769 []
  16. A thread discussed this theory: Re: CoinJoin: Bitcoin privacy for the real world (someday!) []
  17. According to the Coindesk Bitcoin Price Index, the market price of a bitcoin on April 25, 2015 was approximately $225.85. []
  18. The user “vytah” debugged this issue in a reddit thread: Holy Satoshi! Butter pays 85Btc transaction fees for a 16Btc transaction. Is this the largest fee ever paid? []
  19. Help! Losing Over 85 BTC Because of BitGo’s Flawed Recovery Process! on Reddit []
  20. To AntMiner, miner of block #374082. I did an accidental 4.6 BTC fee. on Reddit []
  21. Readers may be interested in a little more history regarding self-identification by miners: Slush, the first known pool, began publicly operating at the end of November 2010 and was the first to publicly claim a block (97838).   Eligius was announced on April 27, 2011 and two months later signed the first coinbase transaction (130635).   DeepBit publicly launched on February 26, 2011 and at one point was the most popular pool, reaching for a short period in May 2011, more than 50% of the network hashrate. See Deepbit pool owner pulls in $112* an hour, controls 50% of network and DeepBit pool temporarily reaches critical 50% threshold from Bitcoin Miner and What has been the reaction to permissioned distributed ledgers? []
  22. This information comes from personal correspondence with Eric Mu, July 7, 2015 as well as two other public sources: Inside a Tibetan Bitcoin Mine: The Race for Cheap Energy from CoinTelegraph and Three months living in a multi-petahash BTC mine in Kangding, Sichuan, China from Bitcoin Talk []
  23. Last summer BitFury quickly built a relatively cheap data center in Georgia partly due to assistance from the national government. See BitFury Reveals New Details About $100 Million Bitcoin Mine from CoinDesk []
  24. Personal correspondence with Eric Mu, August 10, 2015 []
  25. One common talking point by some Bitcoin enthusiasts including venture capitalists is that Google’s computers, if repurposed for mining Bitcoin, would generate only 1-2% of the network hashrate – that the Bitcoin network is “faster” than all of Google’s data centers combined. This is misleading because these Bitcoin hashing machines cannot provide the same general purpose utility that Google’s systems can. In point of fact, the sole task that ASIC hashing equipment itself does is compute two SHA256 multiplications repeatedly. []
  26. Some academic literature refers to miners on the Bitcoin network as “anonymous participants.” In theory, Bitcoin mining can be anonymous however by default mining was originally a pseudonymous activity. Participants can attempt to remain relatively anonymous by using a variety of operational security methods or they can choose to identify (“doxx”) themselves as well. See The Bitcoin Backbone Protocol: Analysis and Applications by Garay et al. []
  27. Thanks to Anton Bolotinsky for this insight. []
  28. This is similar to the “second-hand” market for bitcoins too: bitcoins originally acquired via KYC’ed gateways sometimes end up on sites like LocalBitcoins.com (akin to “Uber for bitcoins”) – where the virtual currency is sold at a premium to those wanting to buy anonymously. []
  29. The Unknown Giant: A First Look Inside BW, One of China’s Oldest and Largest Miners from Bitcoin Magazine []
  30. Inside the Chinese Bitcoin Mine That’s Grossing $1.5M a Month from Motherboard []
  31. Jake Smith, the translator, also wrote a short story on it: Inside one of the World’s Largest Bitcoin Mines at The Coinsman []
  32. While it is beyond the scope of this paper, there are a couple of general reasons why medium-sized farms such as HaoBTC have been erected in China. Based upon conversations with professional miners in China one primary reason is that both the labor and land near energy generating facilities is relatively cheap compared with other parts of the world. Furthermore, energy itself is not necessarily cheaper, unless farms managers and operators have guanxi with local officials and power plant owners.   And even though it is common to assume that due to the capital controls imposed at a national level – citizens are limited to the equivalent of $50,000 in foreign exchange per year – there have been no public studies as to how much capital is converted for these specific purposes. There are other ways to avoid capital controls in China including art auctions and pawn shops on the border with Macau and Hong Kong. See also How China’s official bank card is used to smuggle money from Reuters and What Drives the Chinese Art Market? The Case of Elegant Bribery by Jia Guo See On Getting Paid From China. Is There Really A $50,000 Yearly Limit? from China Law Blog and Bitcoins: Made in China []
  33. Look inside the surreal world of an Icelandic bitcoin mine, where they literally make digital money from Business Insider []
  34. It is unclear how much hashrate they actually operate or control, a challenge that plagues the entire cloudhashing industry leading to accusations of fraud. []
  35. And this is also a fundamental problem with public goods, there are few mechanisms besides social pressure and arbitrary decision making to ration resources. As described in (Evans 2014), since miners are the sole labor force, they create the economic outputs (bitcoins) and security, it is unclear why they are under any expectation to return fees in a network purposefully designed to reduce direct interactions between participants. See Economic Aspects of Bitcoin and Other Decentralized Public-Ledger Currency Platforms by David Evans []
  36. See 21 Inc Confirms Plans for Mass Bitcoin Miner Distribution from CoinDesk and What impact have various investment pools had on Bitcoinland? []
  37. In 2014 the state of New Jersey sued a MIT student, Jeremy Rubin, for creating a web-based project that effectively does the same thing as the silicon-based version proposed by 21inc. See Case Against Controversial Student Bitcoin Project Comes to Close from CoinDesk. In addition, the FTC, in its case against Butterfly Labs also looked at BFL not informing customers properly regarding difficulty rating changes. According to the FTC’s new release on this case: “A company representative [BFL] said that the passage of time rendered some of their machines as effective as a “room heater.” The FTC charged that this cost the consumers potentially large sums of money, on top of the amount they had paid to purchase the computers, due to the nature of how Bitcoins are made available to the public.” []
  38. This issue was cited in the CryptoNote whitepaper as one motivation for creating a new network. On p. 2: “This permits us to conjecture the properties that must be satisfied by the proof-of-work pricing function. Such function must not enable a network participant to have a significant advantage over another participant; it requires a parity between common hardware and high cost of custom devices. From recent examples [8], we can see that the SHA-256 function used in the Bitcoin architecture does not possess this property as mining becomes more efficient on GPUs and ASIC devices when compared to high-end CPUs. Therefore, Bitcoin creates favourable conditions for a large gap between the voting power of participants as it violates the “one-CPU-one-vote” principle since GPU and ASIC owners possess a much larger voting power when compared with CPU owners. It is a classical example of the Pareto principle where 20% of a system’s participants control more than 80% of the votes.” []
  39. I would like to thank Ayoub Naciri for providing this example. []

A dissection of two Bitfury papers

BitFuryBitfury, the Bitcoin mining company, recently published two papers:

The underlying motivations for writing them was that Bitfury is trying to assure the world that public blockchains can still be used in “proprietary contexts.” While they provide a good frame for the issue, there are several leaps in logic, or direct contradictions to established theory that necessarily weaken their argument.

Below is my discussion of them. Note: as usual, this only represents my opinion and does not necessarily represent the views of the organizations that I advise or work for.

Overall I thought the two papers did not seem to have been reviewed by a wider audience including lawyers: specifically they should have sent them to commercial and securities lawyers to see if any legal issues should be considered. Much of their pitch basically amounts to mining for the sake of mining.

One final note: for additional commentary I also reached out to Dave Hudson who is proprietor of HashingIt and an expert as it relates to Bitcoin mining analysis.  He is unaffiliated with Bitfury.

Notes for Part 1:

On p. 2, Bitfury wrote the following statement:

The key design element of blockchains – embedded security – makes them different from ordinary horizontally scalable distributed databases such as MySQL Cluster, MongoDB and Apache HBase. Blockchain security makes it practically impossible to modify or delete entries from the database; furthermore, this kind of security is enforced not through the central authority (as it is possible with the aforementioned distributed databases), but rather through the blockchain protocol itself.

Is this a problematic summary?

According to Dave Hudson:

As a network protocol engineer of many years I tend to find the concept of a “blockchain protocol” somewhat odd. Here’s a link to definitions of “protocol.”

What do we mean by protocol here? It’s not actually a network protocol because there is no “blockchain protocol”, there are many different ones (each altcoin has its own and there are many more besides). At best the idea of a “blockchain protocol” is more a meta-protocol, in that we say there are some things that must be done in order for our data to have blockchain-like characteristics. It’s those characteristics that provide for non-repudiation.

Also on p. 2, Bitfury uses the term “blockchain-based ledger.”  I like that because, as several developers have pointed out in the past, the two concepts are not the same — distributed ledgers are not necessarily blockchains and vice versa.

On p. 4 and 5 they list several objections for why financial institutions are hesitant to use a public blockchain yet leave a couple noticeable ones off including the lack of a service level agreement / terms of service between end users and miners.  That is to say, in the event of a block reorg or 51% attack, who calls who?

On p. 7, I don’t think that censorship resistance can be generalized as a characteristic for “all blockchains.”

In Dave Hudson’s view:

Moreover, censorship resistance makes absolutely no sense in many instances. Who would be censoring what?

I’m actually not convinced that censorship resistance is actually a “thing” in Bitcoin either. Plenty of well-formed transactions can be censored by virtue of them being dust or having non-standard scripts. If anything the only thing that Bitcoin does is provide a set of conditions in which a transaction is probabilistically going to be mined into blocks in the network.

For those interested, there are a handful of “standard’ transaction types that are usually accepted by most mining pools.

On p. 11, I disagree with this statement:

If a blockchain database is completely opaque for clients (i.e., they have no access to blockchain data), the security aspect of blockchain technology is diminished. While such system is still protected from attacks on the database itself, interaction with clients becomes vulnerable, e.g. to man-in-the middle attacks. As a built-in protocol for transaction authorization is one of core aspects of blockchain technology, its potential subversion in favor of centralized solutions could negatively influence the security aspect of the system. Additionally, as transactions are accessible to a limited set of computers, there exists a risk of human factor intervening into the operation of the blockchain with no way for clients to detect such interference. Thus, the opaque blockchain design essentially undermines the core aspects of blockchain technology:
• decentralization (absence of a single point of failure in the system)
• trustlessness (reliance on algorithmically enforced rules to process transactions with no human interaction required).

I think trustlessness is a red herring that cypherpunks and Bitcoiners have been perpetually distracted by. It may be an end-goal that many would like to strive for but trust-minimization is a more realistic intermediate characteristic for those operating within the physical, real world.

Why? Because existing institutions and legal infrastructure are not going to disappear tomorrow just because a vocal group of cryptocurrency enthusiasts dislikes them.

According to Dave Hudson:

As with so many things-Bitcoin, I think this is an implementation necessity being seen as a innately desirable characteristic. Bitcoin requires “trustlessness” because it’s non-permissioned, yet in truth it totally relies on trust to work. We trust that Sybil attacks aren’t happening and that network service providers are not colluding to support such attacks. We trust that a large body of miners are not colluding to distort the system. We trust that changes to the software (or updates to compilers and operating systems) have not rendered old, non-recently-used keys are still able to support signing of transactions. We trust that Satoshi (and other large holders) will not drop 1M, or worse 10M coins onto exchanges crashing the price to a few cents per coin! There’s no “too big to fail” here!

In truth real-world people actually like to trust things. They want to trust that their national governments will ensure services work and that invaders are kept out. They want to trust that law enforcement, fire and medical services will keep them safe. I’m not sure that I like the idea of a trustless Police force?

What people do like is the ability to verify that the entities that they actually do trust are in fact doing what they should. Blockchain designs allow us to do just this.

That last statement in particular succinctly summarizes some of the motivations for financial institutions looking to use a shared ledger that is not the Bitcoin blockchain.

On p. 12, I disagree with this statement:

While the permissioned nature of blockchains for proprietary applications may be a necessary compromise in the medium term because of compliance and other factors, read access to blockchain data together with the publicly available blockchain protocol would remove most of vulnerabilities associated with opaque blockchain designs and would be more appealing to the clients of the institution(s) operating the blockchain. As evidenced by Bitcoin, simplified payment verification softwarecan be used to provide a direct interface to blockchain data that would be both secure and not resource intensive.

The reason I disagree with this statement is because the term “opaque” is loaded and ill-defined.

For instance, several groups within the Bitcoin ecosystem have spent the last several years trying to delink or obfuscate transaction history via zk-SNARKs, stealth addresses, mixing via Coinjoin and Coinshuffle and other methods. This type of activity is not addressed by Bitfury — will they process Bitcoin transactions that are obfuscated?

Granular permissions — who is allowed to see, read or write to a ledger — is a characteristic some of these same Bitcoin groups are not fans of but is a needed feature for financial institutions. Why? Because financial institutions cannot leak or expose personal identifiable information (PII) or trading patterns to the public.

Securely creating granular permissions is doable and would not necessarily reduce safety or transparency for compliance and regulatory bodies. Operating a non-public ledger is not the same thing as being “opaque.” While hobbyists on social media may not be able to look at nodes run by financial institutions, regulators and compliance teams can still have access to the data.

It also bears mentioning that another potential reason some public blockchains have and/or use a token is as an anti-spam mechanism (e.g., in Ripple and Stellar a minute amount is burnt).1

On p. 13, I disagree with this statement:

The problem is somewhat mitigated if the access to block headers of the chain is public and unrestricted; however, convincing tech-savvy clients and regulators that the network would be impervious to attacks could still be a difficult task, as colluding operators have the ability to effortlessly reorganize the arbitrary parts of the blockchain at any given moment. Thus, the above consensus protocol is secure only if there is no chance of collusion among blockchain operators (e.g., operators represent ideal parties with conflicting interests). Proof of work provides a means to ensure absence of collusion algorithmically, aligning with the overall spirit of blockchain technology.

This is untrue. People run pools, people run farms. Earlier this year Steve Waldman gave a whole presentation aptly named “Soylent Blockchains” because people are involved in them.

As we have seen empirically, pool and farm operators may have conflicting incentives and this could potentially lead to collusion. Bitcoin’s “algorithms” cannot prevent exogenous interactions.

On p. 14 I disagree with this statement:

There is still a fixed number of miners with known identities proved by digital signatures in block headers. Note that miners and transaction processors are not necessarily the same entities; in the case that mining is outsourced to trusted companies, block headers should include digital signatures both from a miner and one or more processing institutions.

Having a “trusted company” run a proof-of-work mining farm is self-defeating with respect to maintaining pseudonymity on an untrusted network (which were the assumptions of Bitcoin circa 2009). If all miners are “trusted” then you are now operating a very expensive trusted network. This also directly conflicts with the D in DMMS (dynamic-membership multi-party signature).

According to Dave Hudson:

If the signing is actually the important thing then we may as well say there’s a KYC requirement to play in the network and we can scale it all the way back to one modest x86 server at each (with the 1M x reduction in power consumption). Of course this would kill mining as a business.

On p. 14 I think the Bitfury proposal is also self-defeating:

The proposed protocol solves the problem with the potentially unlimited number of alternative chains. Maintaining multiple versions of a blockchain with proof of work costs resources: electricity and hashing equipment. The hashing power spent to create a blockchain and the hashing power of every miner can be reliably estimated based on difficulty target and period between created blocks; an auditor could compare these numbers with the amount of hashing equipment available to operators and make corresponding conclusions.

The authors go into detail later on but basically they explain what we can already do today: an outside observer can look at the block headers to see the difficulty and guess how much hashrate and therefore capital is being expended on the hash.

On p. 15 they present their proposal:

Consequently, $10 million yearly expenses on proof of work security (which is quite low compared to potential gains from utilizing blockchain technology, estimated at several billion dollars per year [54]) correspond to the hash rate of approximately 38 PHash / s, or a little less than 10% of the total hash rate of the Bitcoin network.

This is entirely unneeded. Banks do not need to spend $10 million to operate hardware or outsource operation of that hardware to some of its $100 million Georgia-based hydro-powered facilities.

According to Dave Hudson:

Precisely; banks can use a permissioned system that doesn’t need PoW. I think this also misses something else that’s really important: PoW is necessary in the single Bitcoin blockchain because the immutability characteristics are derived from the system itself, but if we change those starting assumptions then there are other approaches that can be taken.

In section 3.1 the authors spend some time discussing merged mining and colored coins but do not discuss the security challenges of operating in a public environment. In fact, they assume that issuing colored coins on a public blockchain is not only secure (it is not) but that it is legal (probably not either).2

On p. 16 they mention “transaction processors” which is a euphemism that Bitfury has been using for over a year now. They dislike being called a mining company preferring the phrase “transaction processors” yet their closed pool does not process any kind of transactions beyond the Bitcoin variety.

On page 17 they wrote:

[M]aintenance of the metachain could be outsourced to a trusted security provider without compromising confidential transaction details.

If taken to the logical extreme and all of the maintenance was “outsourced” to trusted security providers they would have created a very expensive trusted network. Yet in their scenario, financial institutions would have to trust a Republic of Georgia-based company that is not fully transparent.

Also on page 17 they start talking about “blockchain anchors.” This is not a new or novel idea.  As other developers have spoken about the past and Guardtime puts anchors into newspapers like The New York Times (e.g., publishes the actual hashes in a newspaper).  And, again, this could easily be done in other ways too. Why restrict anchoring to one location? This is Bitcoin maximalism at work again.

On p. 20 they wrote:

Bitcoin in particular could be appropriate for use in blockchain innovations as a supporting blockchain in merged mining or anchoring due to the following factors: • relatively small number of mining pools with established identities, which allows them to act as known transaction validators by cooperating with institutions

This is self-defeating for pseudonymous interactions (e.g., Bitcoin circa 2008). Proof-of-work was integrated to fight Sybil attacks. If there are only a few mining pools with established identities then there are no Sybil’s and you effectively have an extremely expensive trusted network.

Notes on Part 2:

On p. 3 they wrote:

If an institution wants to ensure that related Bitcoin transactions are mined by accredited miners, it may send transactions over a secure channel directly to these miners rather than broadcasting them over the network; accepting non-broadcast transactions into blocks is a valid behavior according to the Bitcoin protocol.

An “accredited miner” is a contradiction.

On p. 4 the first paragraph under section 1.3 was well written and seems accurate. But then it falls apart as they did not consult lawyers and financial service experts to find out how the current plumbing in the back-office works — and more importantly, why it works that way.

On p.4 they wrote:

First, the transfer of digital assets is not stored by the means of the Bitcoin protocol; the protocol is unaware of digital assets and can only recognize and verify the move of value measured in bitcoins. Systems integrating digital assets with the Bitcoin blockchain utilize various colored coin protocols to encode asset issuance and transfer (see Section 2.2 for more details). There is nothing preventing such a protocol to be more adapted to registered assets.

Yes there is in fact things preventing Bitcoin from being used to move registered assets, see “Watermarked tokens and pseudonymity on public blockchains.”  And their methods in Section 1.6 are non-starters.

Also on page 4 they wrote:

Second, multisignature schemes allow for the creation of limited trust in the Bitcoin environment, which can be beneficial when dealing with registered assets and in other related use cases. Whereas raw bitcoins are similar to cash, multisignature schemes act not unlike debit cards or debit bank accounts; the user still has a complete control of funds, and a multisignature service provides reputation and risk assessment services for transactions.

This is the same half-baked non-sense that Robert Sams rightly criticized in May. This is a centralized setup. Users are not gaining any advantage for using the Bitcoin network in this manner as one entity still controls access via identity/key.

On p. 5 they wrote:

One of the use cases of the 2-of-3 multisignature scheme is escrow involving a mediator trusted by both parties. A buyer purchasing certain goods locks his cryptocurrency funds with a multisignature lock, which requests two of the three signatures: the buyer’s, the seller’s, and the mediator’s.

This is only useful if it is an on-chain, native asset. Registered assets represent something off-chain, therefore Bitcoin as it exists today cannot control them.

On p. 6 they talk about transactions being final for an entire page without discussing why this is important from a legal perspective (e.g., why courts and institutions need to have finality). This paper ignores how settlement finality takes place in Europe or North America nor are regulatory systems just going to disappear in the coming months.

On page 7 they mention that:

To prevent this, a protocol could be modified to reject reorganizations lasting more than a specified number of blocks (as it is done in Nxt). However, this would make the Bitcoin protocol weakly subjective [21], introducing a social-driven security component into the Bitcoin ecosystem.

There is already a very publicly known, social-driven security component: the Bitcoin dev mailing list. We see this almost daily with the block-size debate. The statement above seems to ignore what actually happens in practice versus theory.

On p. 7 and 8 they write:

The security of the Bitcoin network in the case of economic equilibrium is determined by the rewards received by block miners and is therefore tied to the exchange rate of Bitcoin. Thus, creating high transaction throughput of expensive digital assets on the Bitcoin blockchain with the help of colored coin protocols has certain risks: it increases the potential gain from an attack on the network, while security of the network could remain roughly the same (as there are no specific fees for digital asset transactions; transaction fees for these transactions are still paid in bitcoins). The risk can be mitigated if Bitcoin fees for asset transactions would be consciously set high, either by senders or by a colored coins protocol itself, allowing Bitcoin miners to improve security of the network according to the value transferred both in bitcoins and in digital assets.

There is no way to enforce this increase in fee. How are “Bitcoin fees for asset transactions … consciously set high”? This is a question they never answer, (Rosenfeld 2012) did not answers it, no one does. It is just assumed that people will start paying higher fees to protect off-chain securities via Bitcoin miners.

There is no incentive to pay more and this leads to a hold-up problem described in the colored coin “game” from Ernie Teo.

On p. 8 they wrote:

As there is a relatively small number of Bitcoin mining pools, miners can act as known processors of Bitcoin transactions originating from institutions (e.g., due to compliance reasons). The cooperation with institutions could take the form of encrypted channels for Bitcoin transactions established between institutions and miners.

This is silly. If they are known and trusted, you have a trusted network that lacks a Sybil attacker. There is no need for proof-of-work mining equipment in such a scenario.

On p. 8 they wrote:

In the ideal case though, these transactions would be prioritized solely based on their transaction fees (i.e., in a same way all Bitcoin transactions are prioritized), which at the same time would constitute payments for the validation by a known entity. Thus, this form of transaction processing would align with the core assumption for Bitcoin miningthat miners are rational economic actors and try to maximize their profit.

It cannot be assumed that miners will all behave as “rational economic actors.” They will behave according to their own specific incentives and goals.

On p. 9 they wrote:

Additionally, partnerships between institutions and miners minimize risk in case transactions should not be made public before they are confirmed.

Registered and identifiable miners is the direct anti-thesis of pseudonymous interactions circa Bitcoin 2008. That type of partnership is a win-lose interaction.

On p. 10 they wrote:

One of the interesting financial applications of colored coins is Tether (tether.to), a service using colored coins to represent US dollars for fast money transfer. Several cryptocurrencies such as Nxt and BitShares support custom digital assets natively.

As it exists today, Tether.to is similar in nature to a Ripple gateway such as SnapSwap: both are centralized entities that are subject to multiple regulatory and compliance requirements (note: SnapSwap recently exited its USD gateway business and locked out US-based users from its BTC2Ripple business).

tether msb

According to FinCEN’s MSB Registrant Search Web page, Tether has a registration number (31000058542968) and one MSB.  While they have an AML/CTF program in place, it is unclear in its papers how Bitfury believes the Bitcoin network (which Tether utilizes) can enforce exogenous claims (e.g., claims on USD, euros, etc.).

Furthermore, there has been some recent research looking at how the Federal Reserve and the Bank of England could use distributed ledgers to issue digital currency.3

If a central bank does utilize some kind of distributed ledger for a digital currency they do not need proof-of-work mining or the Bitcoin network to securely operate and issue digital currency.

Ignoring this possible evolution, colored coins are still not a secure method for exogenous value transfers.

On page 10 they wrote:

Colored coins are more transparent for participants and auditors compared to permissioned blockchains

This is untrue and unproven. As Christopher Hitchens would say, what can be asserted without evidence can be dismissed without evidence.

On page 10 they wrote:

As colored coins operate on top of permissionless blockchains, systems using colored coins are inherently resistant to censorship – restrictions on transactions are fully specified by a colored coins protocol instead of being enforced by a certain entity

This is also untrue. This is a bit like trying to have their cake and eat it too.

On page 11 they have a diagram which states:

Figure 2: Using colored coins on top of the Bitcoin blockchain to implement asset transactions. For compliance, financial institutions may use secure communication channels with miners described in Section 2.1 to place asset transactions on the blockchain

Again this is self-defeating. As the saying goes: be careful what you wish for. If Bitfury’s proposal came true, their pool(s) could become payment service providers (PSP) and regulated by FinCEN.

On page 12 and 13 they wrote:

Bitcoin and other public permissionless blockchains could be a part of the interconnected financial environment similarly to how cash is a ubiquitous part of the banking system. More concretely, cryptocurrencies could be used as: • one of the means to buy and sell assets on permissioned blockchains • an instrument that enables relatively fast value transfer among permissioned blockchains • an agreed upon medium for clearing operations among blockchains maintained by various institutions (Fig. 4).

Bitcoins as a permanent store-of-value are effectively a non-starter as they lack any endogenous self-stabilizing mechanism.4

According to Dave Hudson:

The systemic risks here just make this idea farcical. The Internet is somewhat immune to this because there are technology providers all over the world who can independently choose to ignore things in regulatory domains that want to do “bad things”. There is no such safety net in a system that relies on International distributed consensus (the Internet has no such problem, although DNS is a little too centralized right now). Even if it could somehow be guaranteed that things can’t be changed, fixed coin supply means artificial scarcity problems are huge (think Goldfinger trying to irradiate the gold in Fort Knox) – you wouldn’t need a nuclear weapon, just a good piece of malware that could burn coins (if they’re not stolen then there’s no way to trace who stole them). There’s also the 1M coins dropped onto exchanges problem.

The discussion over elastic and inelastic money supplies is a topic for another post.

On page 15 they wrote:

If a blockchain is completely opaque for its end users (e.g., a blockchain-based banking system that still uses legacy communication interfaces such as credit cards), the trustless aspect of blockchains is substantially reduced. End users cannot even be sure that a blockchain system is indeed in use, much less to independently verify the correctness of blockchain data (as there is no access to data and no protocol rules to check against). Human factor remains a vulnerability in private blockchain designs as long as the state of the blockchain is not solely based on its protocol, which is enforced automatically with as little human intervention as possible. Interaction based on legacy user authentication interfaces would be a major source of vulnerabilities in the case of the opaque blockchain design; new interfaces based on public key cryptography could reduce the associated risk of attacks.

While mostly true, there are existing solutions to provide secure verification. It is not as if electronic commerce did not or could not occur before Bitcoin came into existence. Some private entities take operational security seriously too. For instance, Visa’s main processing facility has 42 firewalls and a moat.

On page 15 they wrote:

Proprietary nature of private blockchains makes them less accessible; open sourced and standardized blockchain implementations would form a more attractive environment for developers and innovations. In this sense, blockchains with a public protocol are similar to open Internet standards such as IP, TCP and HTTP, while proprietary blockchain designs could be similar to proprietary Internet protocols that did not gain much traction. A proprietary blockchain protocol could contain security vulnerabilities that remain undiscovered and exploited for a long time, while a standardized open blockchain protocol could be independently studied and audited. This is especially true for protocols of permissionless blockchains, as users have a direct economic incentive to discover vulnerabilities in the system in order to exploit them.

This is just scaremongering. While some of the “blockchain” startups out there do in fact plan to keep the lower layers proprietary, the general view in October 2015 is that whatever bottom layer(s) are created, will probably be open-sourced and an open-standard. Bitcoin doesn’t have a monopoly on being “open” in its developmental process.

On page 15 they wrote:

As the Bitcoin protocol has been extensively studied by cryptographers and scientists in the field, it could arguably form the basis for the standardized blockchain design.

This is untrue, it cannot be the backbone of a protocol as it is not neutral. In order to use the Bitcoin network, users are required to obtain what are effectively illiquid pre-paid gift cards (e.g., bitcoins). Furthermore, an attacker cannot collect “51%” of all TCP/IP packets and take over the “internet” whereas with Bitcoin there is a real “majoritarianism” problem due to how network security works.

A truly neutral protocol is needed and there have been at least two proposals.5

On page 15 they wrote:

The key design element of blockchains is “embedded economy” – a superset of embedded security and transaction validation. Each blockchain forms its own economic ecosystem; a centrally controlled blockchain is therefore a centrally controlled economy, with all that entails.

This is untrue. If we are going to use real-world analogies: Bitcoin’s network is not dynamic but rather disperses static rewards to its labor force (miners). It is, internally, a rigid economy and if it were to be accurately labeled, it is a command economy that relies on altruism and VC subsidies to stay afloat.6

On page 16 they wrote:

It is not clear how the blockchain would function in the case validators would become disinterested in its maintenance, or how it would recover in the case of a successful attack (cf. with permissionless blockchains, which offer the opportunity of self-organization).

The statement above is unusual in that it ignores how payment service providers (PSPs) currently operate.  Online commerce for the most part has and likely will continue to exist despite the needed maintenance and profit-motive of individual PSPs.  There are multiple motivations for continued maintenance of maintenance transfer agreements — this is not a new challenge.

While it is true that there will likely be dead networks in the futures (just like dead ISPs in the past), Bitcoin also suffers from a sustainability problem: it continually relies on altruism to be fixed and maintained and carries with it an enormous collective action burden which we see with the block-size debate.

There are over a hundred dead proof-of-work blockchains already, a number that will likely increase because they are all public goods that rely on external subsidies to exist. See Ray Dillinger’s “necronomicon” for a list of dead alt coins.

If Bitfury’s proposal for having a set of “fixed” miners arises, then it is questionable about how much self-organization could take place in a static environment surrounding a public good.

Conclusion

Despite the broad scope of the two papers from Bitfury neither was able to redress some of the most important defects that public blockchains have for securing off-chain assets:

  • how is legal settlement finality resolved
  • how to incentivize the security of layers (such as colored coins) which distort the mining process
  • how to enforce the security of merged mining which empirically becomes weaker over time

If Bitfury is truly attempting to move beyond merely processing Bitcoin transactions in its Georgian facilities, it needs to address what constraints and concerns financial institutions actually face and not just what the hobbyist community on social media thinks.

  1. See also: Needing a token to operate a distributed ledger is a red herring and A blockchain with emphasis on the “a” []
  2. See also: Can Bitcoin’s internal economy securely grow relative to its outputs? and Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? []
  3. This includes: Fedcoin—how banks can survive blockchains by Robin Winkler and Centrally Banked Cryptocurrencies by George Danezis and Sarah Meiklejohn []
  4. See Seigniorage Shares from Robert Sams []
  5. See: A Protocol for Interledger Payments by Stefan Thomas and Evan Schwartz and An architecture for the Internet of Money by Meher Roy []
  6. See also: Chapter 10 in The Anatomy of a Money-like Informational Commodity and Economic Aspects of Bitcoin and Other Decentralized Public-Ledger Currency Platforms by David Evans []

Integrating, Mining and Attacking: Analyzing the Colored Coin “Game”

[Note: Below is a guest post from Ernie Teo, a post-doctorate researcher at SKBI (where I am currently a visiting research fellow).  It is referenced in a new paper covering the distorted incentives for securing public blockchains.]

Integrating, Mining and Attacking: Analyzing the Colored Coin “Game”

By Ernie G. S. Teo, Sim Kee Boon Institute for Financial Economics,
Singapore Management University

The research in this post came about when Tim Swanson invited me to look at colored coin providers and their incentives from a game theory perspective. The results are based on a number of phone conversations with Tim; I would like to take the opportunity to thank Tim for his insights on the matter. For an introduction to what colored coins are, refer to Chapter 3 in Great Chain of Numbers.

The initial question Tim wanted to know was if colored coins can be identified will miners charge excessively high fees to include these transactions. The led to a discussion of the possibilities of the colored coin issuer becoming a miner; and of an attack on the network to take control of the colored assets.

The problem proved to be very interesting as there could be many implications on the success of the system given the potential costs and benefits. Entities or players within the “game” could strategically choose to sabotage themselves if the incentives were right. In this post, I will attempt to explain this using a “sequential game” format. I will explain the various stages where choices can be made and the players involved in each stage. This will be followed by an analysis of the various outcomes and the strategic choices of each party given the incentives involved.

Before we start, I would like to disclaim that the model that follows is a simplified version of the problem and helps us to think about the potential issues that could arise. They are based on various assumptions and in no way should the results be taken at face value.

Stage 1: Before the colored coin issuer (CCI) starts operations, we assume that they will consider if they will choose to become a miner (Assuming that they can include their own transactions into blocks if no one else would). The decision maker (or player) here is the CCI, the choices available are to integrate or to not integrate.

Stage 2a: When the CCI starts issuing colored coins, it would have to decide on the fees it would pay for the transaction. We assume that the CCI is a rational entity and will choose the optimal fees. However as there are two possibilities in stage 1, there will be 2 possible fees quoted; one for a CCI whom is also a miner (integrated) and another for a CCI whom is not a miner (non-integrated). The decision maker here is the CCI and the choice is the fee quoted.

Stage 2b: This is immediately followed by the miners deciding to include the transaction in the block or not. For simplicity’s sake, we assume that there is only one miner in this game (this can be the CCI). The decision maker here is the miner and the choice is to mine the transaction or not.

If the decision in Stage 2b is not to mine, the game ends (End 1).

Stage 3: We next assume that the miner can choose to fraudulently attack the system and transfers the colored coin to itself. The decision maker here is still the miner and the choice is to attack or not.

This gives us 2 alternative endings (End 2 and End 3). The game can be described by Figure 1.

Colored Coin Teo

Figure 1: The stages of the “game”

If we consider the game, there are only 2 decision makers or players: The CCI and the miner. Next, we consider what are the possible outcomes or payoffs for each possible ending described above. This is described in Figure 2 below, there are actually 6 possibilities as there are 2 types of CCIs, integrated and non-integrated. When there is integration, there is really only one player.

Colored Coin Teo 2

Figure 2: Payoffs of the game

Having setup the game and determined the payoffs, we analyze the possibilities of each outcome. This is subject to the comparative magnitude of each payoff. Let’s start with the non-integrated outcomes, there are 3 possibilities:

  1. Not Integrated. Mined. Attacked.
  2. Not Integrated. Mined. Not Attacked.
  3. Not Integrated. Not Mined.

An attack happens if M3>M2 (this will happen if the net benefit of the attack is positive).

If M3>M2, the transaction will be mined if M3>M1. This is because the miner expects the attack to take place, the miner will thus only mine the transaction if it the payoff from mining and attacking is better than not mining. Since we assumed that M1=0, M3 will be always larger than M1. Thus When M3>M2, mining always takes place and an attack happens.

If M2>M3, the attack will not happen (this would indicate that the net benefits of the attack is negative). The transaction will be mined if M2>M1 or if the transaction fees are positive.

The transaction will not be mined if M1≥M2. Since M2 (the transaction fee) has to be at least zero, if M2=0, the transaction will not be mined.

To summarize, there are 3 scenarios:

  1. M3>M2≥M1: The transaction is mined and an attack takes place. The CCI gets CC3NI.
  2. M2>M3 and M2>M1: The transaction is mined and an attack will not take place. Note that the inequality between M1 and M3 does not matter for this outcome. The CCI gets CC2NI.
  3. M1≥M2>M3: The transaction is not mined. The CCI gets CC1NI.

In stage 1, the CCI is making the decision to integrate. To analyze this, we need to compare the non-integrated outcomes with the integrated ones. We thus have to look at the integrated outcomes first before we discuss stage 1. The outcomes are:

  1. Mined. Attacked.
  2. Mined. Not Attacked.
  3. Not Mined.

An attack happens if CC3I>CC2I. (This again will happen if the net benefit of the attack is positive).

If CC3I>CC2I, mining will occur if CC3I>CC1I. Similar to the non-integrated case, CC3I is always larger than CC1I . In fact this case is stronger as CC1I is at most zero and is likely to be negative as it is a cost. Thus if the CCI is willing to launch an attack against itself, it will definitely mine the transaction.

If CC2I>CC3I, no attack happens. For mining to occur, CC2I≥CC1I (the CCI will prefer to mine if they are indifferent). CC2I will always be larger than CC1I unless mining fees are zero (in which case it is equal), mining will always occur if CC2I>CC3I.

For mining to not occur, CC1I>CC2I or CC1I>CC3I needs to hold. To summarize, there are 3 scenarios:

  1. CC3I>CC2I and CC3I>CC1I: The transaction will be mined and an attack occurs. CC3I is the final payoff.
  2. CC2I>CC3I and CC2I>CC1I: The transaction is mined and no attack happens. CC2I is the final payoff.
  3. CC1I>CC3I (we had determined that CC1I>CC2I could not be possible): No mining occurs. CC1I is the final payoff.

Note that we have determined that mining will always occur if the CCI chooses to integrate. Thus there are only 2 relevant scenarios instead of the 3 found in the non-integrated case. The main assumption is that the CCI miner will be able to get its transaction included on the blockchain; this could be either because it is the only miner or it has invested in sufficient computing resources to ensure it.

There are a total of 9 combinations of events detailed in Figure 3. Figure 3 also shows the conditions required for integration to occur under each scenario.

Colored Coin Teo 3

Figure 3: Analyzing the Integration Choice.

Colored Coin Teo 2

Figure 2: Payoffs of the game

Referring back to figure 2, we can make the following assumptions:

CC1NI is always larger than CC1I

CC2NI is always larger than CC2I

CC2NI is always larger than CC1I

Thus the 3 inequalities highlighted in red in Figure 4 are never possible, no integration will occur in scenario B+E, B+F and C+F.

In the other 6 scenarios, integration could occur given the right conditions. We can make some predictions on what is likely to occur.

  1. In all scenarios with event A (A+D, A+E and A+F) where the non-integrated miner attacks, it is likely that the CCI prefers to integrate.
  2. In scenario B+D, there are two possibilities. If the cost of attack is large, the CCI will not integrate. Otherwise, it will integrate and reap the benefits of launching an attack on itself.
  3. When event C occurs and no integration takes place, the transaction will not be mined and the CCI gets nothing. Integration will thus occur as long as the cost of integration is small enough. This will be relevant for scenario C+D and C+E as we has ruled out C+F earlier.

One may ask if the CCI would want to attack itself. Well, if the benefit of attacking is large, a colored coin issuer may want to attack the network to derive a onetime benefit even though the company will never be trusted afterwards. However, this is unlikely as the cost of integration has to be extremely large for the CCI to be able to successfully attack the network.

Finally to answer our initial question, let us consider the issue of whether a non-integrated miner (in the event that a colored coin transaction can be identified) will force the CCI to quote high fees in order to get the transaction included. This is only relevant in the scenarios where the CCI initially chooses not to integrate. However, if colored transactions can be identified, miners can choose not to include these transactions unless the transaction fees are high enough. The fee can only be so high that it does not force the CCI to choose integration instead. In general, we can say that this fee cannot be higher than the cost of integration (this would refer to the per transaction cost of integration on average).

Based on this “game”, will colored coins be able to exist on a network such as Bitcoin? If colored transactions can be identified, there could be 2 issues. 1. The colored assets are so valuable that the non-integrated miner would want to attack the system, 2. The fees do not incentivized non-integrated miners to include the transactions. To overcome these issues the CCI could chose to integrate (or become a miner with sufficient computing power to be able to ensure that its transactions gets recorded). However, if the cost of doing so is too high to be justifiable, the CCI is better off not operating at all.

What are a few direct and indirect costs of the “block size debate”?

About six weeks ago I mentioned a dollar figure during a panel at the Consensus event in NYC: $6 million. Six million USD is a loose estimate — for illustrative purposes — of the amount of engineering time representing thousands of man hours over the past 7-9 months that has gone into a productivity black hole surrounding the Bitcoin block size debate.

A little recent history

While there had been some low intensity discussions surrounding block size(s) over the past several years, most of that simmered in the background until the beginning of 2015.

On January 20th Gavin Andresen posted a 20 MB proposal which was followed over the subsequent weeks by a number of one-and-done counterpoints by various developers.

About four months later, beginning on May 4, Gavin posted a series of blog articles that kicked things up a notch and spurred enormous amounts of activity on social media, IRC, web forums, listservs, podcasts and conferences.

The crescendo of public opinion built up over the summer and reached a new peak on August 15th with a post from Mike Hearn, that Bitcoin would fork into two by the beginning of next year.

The passionate enthusiasts on all sides of the spectrum took to social media once again to voice their concerns.  During the final two weeks of August, the debate became particularly boisterous as several moderators on reddit began to ban discussions surrounding Bitcoin XT (among other forks and proposals).  There was even an academic paper published that looked at the sock puppets involved in this period: Author Attribution in the Bitcoin Blocksize Debate on Reddit by Andre Haynes.

Ignoring the future evolution of block size(s), with respect to the opportunity costs of the debate itself: investors and consumers have unintentionally funded what has turned out to be a battle between at least two special interest groups. 1

So where does the $6 million figure come from?

Of the roughly $900 million of VC funding related to Bitcoin itself that has been announced over the past 3 years, about half has been fully spent and went towards legal fees, domain names, office rent, conference sponsorship’s, buying cryptocurrencies for internal inventory and about a dozen other areas.2

At the current burn rate, Bitcoin companies collectively spend about $8-$10 million a month, perhaps more.  And since the debate is not isolated to development teams, because upper management at these companies are involved in letter writing campaigns (and likely part of the sock puppet campaigns), then it could be the case that 5-10% of on-the-clock time at certain companies was spent on this issue.

Consequently, this translates into about $400,000 to $1 million each month which has been redirected and spent funding tweets, reddit posts, blog posts, conferences, research papers and industry conferences.3

What about specific numbers?

For instance, with around 150-200 attendees the Montreal scalability conference likely absorbed $250,000 from everyone involved (via travel, lodging, food, etc.).  Similarly, one independent estimate that Greg Maxwell mentioned at the same Consensus event was his back-of-the-envelope projection of the opportunity costs: a few hundred thousand USD in the first couple weeks of May alone as engineers were distracted with block sizes instead of shipping code.

While a more precise number (+/-) could probably be arrived at if someone were to link individual developer activity on the dev mailing list/reddit/twitter with their estimated salaries on Glassdoor — since this past spring roughly $6 million or so has probably gone towards what has amounted to basically two diametrically opposed political campaigns.

And the issue is still far from resolved as there are more planned scalability conferences, including one in Hong Kong in early December.

Why is it a black hole though?  Surely there is utility from the papers and projects like Lightning, right?

It’s a money pit because it doesn’t and cannot resolve the coordination problem that decentralized governance creates.  I have an upcoming paper that briefly touches on this issue (in Appendix A): the key point is that any time decision making is decentralized then specific trade-offs occur.

In this case, due to an intentional power vacuum in which there is no “leader,” special interest groups lobby one another for the de facto right to make decisions.  Some decisions, like raising the minimum transaction relay fees involve less tweets and downvotes and are for various reasons considered less important as others.  Yet ultimately, de jure decision making remains out of reach.

Not the first time to a rodeo

Because decentralized governance (and external social consensus) was/is a key feature for many cryptocurrencies, this type of political activity could happen again with say, increasing the money supply from 21 million or if KYC becomes mandatory for all on-chain interactions.

Again, this was bound to happen because of the tragedy of the commons: because the Bitcoin network is a public good that lacks an explicit governance structure.  Anytime you have a lack of formal governance you often end up with an informal power structure that makes it difficult to filter marketing fluff from sock puppets like Cypherdoc (aka Marc Lowe) from actual fact-filled research.

And this subsequently impacts any project that relies on the Bitcoin network as its security mechanism.  Why?  According to anecdotes, projects from new organizations and enterprises have reconsidered using public blockchains due to the aforementioned inherent governance hurdles alone.

After all, who do they call when the next Mexican standoff, block reorg or mutually assured destruction situation arises?  There is no TOS, EULA or service-level agreement and as a result they look at other options and platforms.4

  1. It is probably too simplistic to say that, with $6 million in funding, these same developers could have simply created a new system, like Ethereum, from scratch that factors in scalability challenges from day one.  It is unlikely that these same developers would have come to agreement on what to spend those funds on as well. []
  2. See What impact have various investment pools had on Bitcoinland? and Flow of investments funds in Bitcoinland []
  3. The academic term for this is single-issue politics. []
  4. For instance, Tezos was designed specifically with a self-amending chain in mind due to this issue. []

Some housekeeping of events and interviews

It has been a little while since I posted the events, panels and presentations I have been involved with.  Below is some of the public activity over the past 5-6 months.

Interviews with direct quotes:

Indirect quotes:

Academic citations:

Presentations, panels and events:

Designing a Global Fabric for Finance (G3F)

Over the past two weeks there have been a number of news stories related to R3 — a fintech startup that I now work at.  The first of which was from the Financial Times, entitled Blockchain initiative backed by nine large investment banks.  Today we announced an additional 13 banks have joined our effort.

Although I cannot speak for the whole team, I can give you the vision I have with the aim of bringing clarity to the various bits of information that have been circulating.

Homework

Over the past year, the R3 team has spent copious amounts of time conducting due diligence on the greater “distributed ledger” or “shared ledger” space.  I joined as an advisor in January when they were already knee deep in the task; I am now Director of Market Research.

What I and several others on the team found is that while there were a number of orthogonally useful pieces floating around (such as multisig and ideas like Engima), none of the publicly available technology platforms that has been funded by venture capital provided a flexible, holistic base layer with the specific functional requirements for secure, scalable enterprise use.

This includes incorporating non-functionals that globally regulated financial institutions must adhere to such as: compliance, privacy, reporting and reconciliation.  Similarly, many of the venture funded projects also failed to address the business requirements of these same institutions.

In sportsball terms, the nascent industry is 0-for-2 in their current approach.

Some of that is understandable; for example, Bitcoin solves a set of problems for a niche group of individuals operating under certain security assumptions (e.g., cypherpunks not wanting to interface with banks or governments).  Regulated financial institutions do not operate under those assumptions, thus axiomatically Bitcoin in its current form is highly unlikely to be a solution to their problems at this time.  As a consequence, the technology solutions pitched by many of these startups are hammers looking for nails that do not exist in the off-chain world.

R3 is not a Bitcoin company nor a cryptocurrency company.  We are not seeking to build a “better” or even a different type of virtual currency.  Why not?  Instead of starting with a known solution, such as a spreadsheet, we are starting with the problem set which continually influences the customized solution.  This is one of the biggest reasons I was attracted to this specific effort: R3 is not a re-enactment of Field of Dreams.  Build it with the hopes that someone will come is the siren song, the motto even, for throngs of failed startups.

But weren’t the original shared ledgers — often called blockchains — robust enough to protect all types of assets and a legion of use-cases?

Many public ledgers were originally designed to secure endogenous, on-chain information (e.g., the native token) but in their current incarnations are not fit for purpose to handle off-chain titles.  For instance, Bitcoin was not initially designed to secure exogenous data — such as transmitting high-value off-chain securities — vis-a-vis pseudonymous miners.  And it appears all attempts to mutate Bitcoin itself into a system that does, ends up creating a less secure and very expensive P-o-P network.

What are we doing then?

Rather than try to graft and gerrymander our business requirements onto solutions designed for other problems, we are systematically looking at a cornucopia of challenges and cost-drivers that currently exist at financial institutions.  We will seek to address some of these drivers with a generalized agnostic fabric, with layers that fulfill the critical infrastructure specifications of large enterprises and with services that can be run on top in a compliant fashion.

What is a Global Fabric for Finance (G3F) then?  If you had the chance to build a new financial information network from scratch that incorporated some of the elements and learnings of the shared ledger world, what would it look like?

For starters, a fabric specifically built for and by trusted parties does not need something akin to mining or block rewards.  In fact, not only is there is no Sybil spoofing problem on a trusted network but there are already many known, existing methods for securely maintaining a transaction processing system.  Consequently, needing a block reward may (or may not) be a red herring and has likely been a costly, distracting sideshow to other types of utility that this technology represents.

If trust is not an issue, what use (as Arvind Narayanan and certain high profile enthusiasts have asked) is any part of the shared ledger toolkit?  There are a number of uses, many of which I touched on in a paper back in April.

What about specific use-cases?

While a number of ideas that have surfaced at conferences and media events over the past summer, R3 remains focused on an approach of exploration and ideation.

And while there will likely be some isolated tests on some use-case(s) in sand boxes in the coming year, it is important to reflect on the G3F vision which will be further elaborated on by Richard Brown (our head of technology) in the coming weeks.  If the fabric is only capable of handling one or two specific asset classes, it will fall short of the mandate of being a generalized fabric used to secure financial information for enterprises.

Why directly work with banks during this formative stage?  Why not just raise money and start building and shipping code?

To be frank, if financial institutions and regulatory bodies are not involved and engaged  from the beginning, then whatever fabric created will likely: 1) fail to be viewed as an authoritative and legal record of truth and 2) fall short of adequately address their exacting needs.  It would be a non-starter for a financial institution to use technology that is neither secure, or whose on-chain record is considered non-canonical by off-chain authorities.

What does that mean?

While some in the shared ledger community would like to believe that dry, on-chain code supersedes off-chain wet-code, the facts on the ground continue to contradict that thesis.  Therefore, if you are going to create a non-stealth fintech startup, it must be assumed that whatever products and services you create will need to operate under existing laws.  Otherwise you will spend most of your time hiding out in remote Caribbean islands or Thailand.

Growth

The R3 team is comprised of pragmatic thinkers and doers, experienced professionals who understand that a financial system cannot be built with up and down votes on reddit or whose transaction processors may reside in sanctioned countries.

standards

Source: XKCD

While nothing is finalized at the time of this writing, it is our aim at R3 to make the underlying base layer of this fabric both open sourced and an open standard.

After all, a foundation layer this critical would benefit from the collective eyeballs of the entire programming community.  It also bears mentioning that the root layer may or may not even be a chain of hashed blocks.

Furthermore, we are very cognizant of the fact that the graveyard for building industry standards is deep and wide.  Yet, as I mentioned to IBT, failing to create a universal standard will likely result in additional Balkanization, recreating the same silos that exist today and nullifying the core utility of a shared ledger.

It is a pretty exciting time in modern history, where being a nerd — even a cryptonerd — means you are asked to appear on stage in front of decision makers, policy makers, captains of industry and social media influencers.  Some even get to appear in person and not just as a telepresence robot.  Yet as neat as some of the moon math and cryptographic wizardry may be, failing to commercialize it in a sustainable manner could leave many of the innovative forks, libraries and github repos no more than starry-eyed science fair projects.

To that end, we are currently hiring talented developers keen on building a scalable, secure network.  In addition, rather than reinventing the wheel, we are also open to partnerships with existing technology providers who may hold key pieces to building a unified standard.  I am excited to be part of this mathematical industrial revolution, it’s time to strike while the iron is hot and turn good academic ideas into commercial reality.  Feel free to contact us.

Cryptocurrency KYSF: Know Your Source of Funds part 2

ecommerceA few days ago I was asked a number of questions from a reporter at CoinDesk regarding on-chain trade volume; this was a follow-up from some questions back in early May.

A few of my responses were published in a new article today: Dark Web Markets ‘Processed more Bitcoin than BitPay in 2014’

Below are my unabbreviated comments:

Q: How have the recent posts from Coinbase and BitPay impacted the diagram you outlined in that previous post? Has it had any impact at all?

A: The most striking data point from the Coinbase and BitPay posts was what was missing: actual real user numbers.  Neither one of them is willing to publicly say how many monthly active users (MAU) they have which stands in contrast to other fintech companies, financial institutions and “social media” startups they like to compare themselves to.

For instance, even though Coinbase claims to have 2.4 million users/3.1 million wallets, what does that mean?  Are these all fully KYC’ed accounts?  What percent have logged on in the past month?  What percent have actually used Coinbase’s services?  How many simply create an account, deposit $10 and never log on again?

Similarly, BitPay numbers are actually pretty sobering.  We know demographically from both the CoinDesk report and the leaked Coinbase pitch deck that the over 80% of all bitcoin holders/owners are males between the ages of 18-45.  And that the majority of the overall users reside in North America.  Yet according to the BitPay charts, North American volume has been relatively flat the last 6 quarters.

So if the largest group of bitcoin owners are not using their holdings despite a marked increase in available merchants, that is probably not an indication that they are interested in spending their funds and probably see bitcoins as an investable asset than actual money.  BitPay also does not disclose aggregate USD or euro volume.  Startups like to make noise when they are doing good or can show growth; if the value of their volume was actually growing, they probably would say.

And while transaction count in Europe and Latin America appear to be growing, perhaps the collective value has stayed the same (the Latin America numbers are also a bit misleading; it’s easy to show large growth percentages when you start from 0).

Another point about BitPay’s post is that they don’t really say what “IT services” is.  Notably absent from this post, compared with their post in April, is what “mining” related activity is.  Recall that some miners, such as KnC and now defunct BFL were (are) using BitPay as their payment processor.  In fact, in BitPay’s post earlier this year, “Bitcoin Mining” — by volume — represented the largest share of volume processed.  Does “IT services” now include this previously large segment?

Lastly, one number they do not include is the total aggregate transactions by each quarter.  Eye-balling it, it appears for Q2 2015 they processed about 180,000 transactions.  Divided by 60,000 merchants comes to around 3 transactions per quarter or 1 transaction per month per merchant.

In all likelihood usage follows a power law or a 80-20 rule, that 20% of the merchants account for the majority of transaction volume.  My understanding is that Gyft uses (or used BitPay) as their payment processor and since 9% of all bitcoin-related transactions last quarter were related to gift cards, it is likely that the lionshare of this “gift card” activity in the power law distribution is represented by just one or two companies (e.g., FoldApp and Purse.io are a couple potential ones to look at as well).

Startups like Blockseer, Sabr, Coinalytics and Chainalysis have APIs and address labeling that may be able to tell us more about specific merchant/payment processor activity,

Q: Also, are clearnet tx outweighed by darknet tx with bitcoin? Silk Road and other marketplaces were the first use case for bitcoin, but are they still the biggest?

A: According to a new paper (Soska and Christin 2015), if you look at Figure 5 and the discussion involved, prior to Operation Olympus, six large dark net marketplaces collectively accounted for more than $600,000 in sales per day.  It is unclear how much of that activity was expressly illegal, although the paper does attempt to break down the amount of illicit drugs being sold on the same sites.

dark net market volume

Source: Soska and Christin

During the same time frame (most of 2014), volume at payment processors such as BitPay and Coinbase were relatively flat with a few outliers during days with speculative and media frenzies as well as ‘Bitcoin Black Friday.’

As of today it is unclear what activity is the “biggest” — we would need to aggregate all of the dark net marketplaces and compare that with the reused addresses BitPay uses plus the self-disclosed numbers from Coinbase.

In the chart above, illustrating off-chain activity between August 14, 2014 – August 13, 2015, it is also unclear from Coinbase’s number what a “off-chain” transaction is.  Is it only related to merchant activity?  Does it also include movement between users or with cold storage as well?

Therefore based on past historical trends (above) I do not think that “clearnet” or on-chain “licit” activity outweighs illicit transactions.  One darknet market alone — Evolution — processed roughly the same amount of bitcoins last year as BitPay did.

Q: Do you think consumer volumes will change significantly in the next year – what would it take for this to happen?

A: It depends on what we mean by “consumer volume.”  If this includes both illicit and licit activity, sure, maybe.  If it also includes “off-chain” transactions, then yes, probably as well.  But it is important to note you are not using Bitcoin (or bitcoin) when you go off-chain.  The transparency and auditability trail disappears and a user is now reliant on a trusted third party — many of whom in the “Bitcoin space” have a checkered past on financial controls — to protect and secure your privkeys.

I think we have already largely witnessed what the “killer apps” that incentivize increased usage of on-chain bitcoin activity are: censorship-resistant activities.

If the goal of Bitcoin was to provide a censorship-resistant payment processing platform (the word “payment” appears 12 times in the white paper) then it is safe to say that: dark net markets, casino sites, ransomware and other activities that require censorship-resistance and cannot be globally accessed on permissioned networks will continue to attract users towards it.1

It is my view that the following two laws explain the on-chain phenomenon we observe on a regular basis.  Folk law: “Anything that needs censorship-resistance will gravitate towards censorship-resistant systems.”  In contrast is Sams’ law: “Anything that doesn’t need censorship-resistance will gravitate towards non censorship-resistant systems.”

As far as other “apps” such as sites like Zapchain, while boasting growth numbers, appears to recreate a trusted third party system (e.g., facilitate deposit-taking and MSB activities like other hosted wallets) all while simultaneously scraping content from other sites.2

So Buzzfeed, but with bitcoins.

Does it have legs?  Porter Bibb would probably say no.

In closing, one last comment related to real on-chain trade (as opposed to spam-like “long-chain transactions“) is the recent announcement / non-announcement from TigerDirect.  Jorge Stolfi, a computer science professor in Brazil, probably best summarized the nebulous responses from the electronic retailer:

  • How much have you been making in bitcoin payments? “While Expedia has seen a decrease in bitcoin payments, TigerDirect shared a different story.”
  • How many customers are paying with bitcoin? “46 percent of customers purchasing with bitcoin are new users”
  • Sorry, how much did you say you made with bitcoin payments? “the average order placed with bitcoin is 30 percent larger than the average order.”
  • Yes, but, how much are you selling with bitcoin? “TigerDirect sees the highest volume of bitcoin orders during periods of volatility for bitcoin price.”
  • We would really like to know how much, roughly, you are getting from bitcoin payments. “TigerDirect has still seen consistent bitcoin transaction volume.”
  1. According to Kotov and Rajpal, bitcoins are now the most common method of payment for ransomware.  See Understanding Crypto-Ransomware. []
  2. Zapchain uses Coinbase as a wallet provider for deposits — the tipping of transactions is done via via BlockCypher. []

What is permissioned-on-permissionless?

As of this writing, more than half of all VC funding to date has gone into building permissioned systems on top of a permissionless network (Bitcoin). Permissioned-on-Permissionless (PoP) systems are an odd hydra, they have all of the costs of Sybil-protected permissionless systems (e.g., high marginal costs) without the benefits of actual permissioned systems (e.g., fast confirmations, low marginal costs, direct customer service).

Thus it is curious to hear some enthusiasts and VCs on social media and at conferences claim that the infrastructure for Bitcoin is being rolled out to enable permissionless activity when the actual facts on the ground show the opposite is occurring.  To extract value, maintain regulatory compliance and obtain an return-on-investment, much of the investment activity effectively recreates many of the same permission-based intermediaries and custodians that currently exist, but instead of being owned by NYC and London entities, they are owned by funds based near Palo Alto.

For example, below are a few quotes over the past 18 months.

In a February 2014 interview with Stanford Insights magazine, Balaji Srinivasan, board partner at Andreessen Horowitz and CEO of 21inc, stated:

Thus, if the Internet enabled permissionless innovation, Bitcoin allows permissionless monetization.

In July 2015, Coinbase announced the winners of its hackathon called BitHack, noting:

The BitHack is important to us because it taps into a core benefit of Bitcoin: permissionless innovation.

Also in July 2015, Alex Fowler, head of business development at Blockstream, which raised $21 million last fall, explained:

At Blockstream, our focus is building and supporting core bitcoin infrastructure that remains permissionless and trustless with all of the security and privacy benefits that flow from that architecture.

Yet despite the ‘permissionless’ exposition, to be a customer of these companies, you need to ask their permission first and get through their KYC gates.

For instance, in Circle’s user agreement they note that:

Without limiting the foregoing, you may not use the Services if (i) you are a resident, national or agent of Cuba, North Korea, Sudan, Syria or any other country to which the United States embargoes goods (“Restricted Territories”), (ii) you are on the Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals (“Restricted Persons”), or (iii) you intend to supply bitcoin or otherwise transact with any Restricted Territories or Restricted Persons.

Is there another way of looking at this phenomenon?

There have been a number of interesting posts in the past week that have helped to refine the terms and definitions of permissioned and permissionless:

Rather than rehashing these conversations, let’s look at a way to define permissionless in the first place.

Permissionless blockchains

permissionless blockchain
A couple weeks ago I gave a presentation at the BNY Mellon innovation center and created the mental model above to describe some attributes of a permissionless blockchain.  It is largely based on the characteristics described in Consensus-as-a-service.

DMMS validators are described in the Blockstream white paper.  In their words:

We  observe  that  Bitcoin’s  blockheaders  can  be  regarded  as  an  example  of  a dynamic-membership multi-party signature (or DMMS ), which we consider to be of independent interest as a new type of group signature. Bitcoin provides the first embodiment of such a signature, although this has not appeared in the literature until now. A DMMS is a digital signature formed by a set of signers which has no fixed size.  Bitcoin’s blockheaders are DMMSes because their proof-of-work has the property that anyone can contribute with no enrolment process.   Further,  contribution is weighted by computational power rather than one threshold signature contribution per party, which allows anonymous membership without risk of a Sybil attack (when one party joins many times and has disproportionate input into the signature).  For this reason, the DMMS has also been described as a solution to the Byzantine Generals Problem [AJK05]

In short, there is no gating or authorizing process to enroll for creating and submitting proofs-of-work: theoretically, validating Bitcoin transactions is permissionless.  “Dynamic-membership” means there is no fixed list of signatories that can sign (i.e. anyone in theory can).  “Multi-party” effectively means “many entities can take part” similar to secure multi-party computation.1

Or in other permission-based terms: producing the correct proof of work, that meets the target guidelines, permits the miner (block maker) to have full authority to decide which transactions get confirmed.  In other words, other than producing the proof-of-work, miners do not need any additional buy-in or vetting from any other parties to confirm transactions onto the blockchain. It also bears mentioning that the “signature” on a block is ultimately signed by one entity and does not, by itself, prove anything about how many people or organizations contributed to it.2

Another potential term for DMMS is what Ian Grigg called a Nakamoto signature.

Censorship-resistance, while not explicitly stated as such in the original 2008 white paper, was one of the original design goals of Bitcoin and is further discussed in Brown’s post above as well as at length by Robert Sams.

The last bucket, suitable for on-chain assets, is important to recognize because those virtual bearer assets (tokens) are endogenous to the network.  DMMS validators have the native ability to control them without some knob flipping by any sort of outside entity.  In contrast, off-chain assets are not controllable by DMMS validators because they reside exogenous to the network.  Whether or not existing legal systems (will) recognize DMMS validators as lawful entities is beyond the scope of this post.

Permissionless investments

What are some current examples of permissionless-related investments?

zooko permissionless

Source: Twitter

This past week I was in India working with a few instructors at Blockchain University including Ryan Charles.  Ryan is currently working on a new project, a decentralized version of reddit that will utilize bitcoin.

In point of fact, despite the interesting feedback on the tweet, OB1 itself, the new entity that was formed after raising $1 million to build out the Open Bazaar platform, is permission-based.

How is it permission-based when the DMMS validators are still permissionless?  Because OB1 has noted it will remove illicit content on-demand from regulators.

In an interview with CoinDesk, Union Square Venture managing partner, Brad Burnham stated that:

Burnham acknowledged that the protocol could be used by dark market operators, but stressed the OpenBazaar developers have no interest in supporting such use cases.  “They certainly won’t be in the business of providing enhanced services to marketplaces that are selling illegal goods,” he noted.

Based on a follow-up interview with Fortune, Brian Hoffman, founder of OB1 was less specific and a bit hand-wavy on this point, perhaps we will not know until November when they officially launch (note: Tor support seems to have disappeared from Open Bazaar).

One segment of permissionless applications which have some traction but have not had much (if any) direct VC funding include some on-chain/off-chain casinos (dice and gambling games) and dark net markets (e.g., Silk Road, Agora).  Analysis of this, more illicit segment will be the topic of a future post.

What are some other VC-funded startups that raised at least a Series A in funding, that could potentially be called permissionless?  Based on the list maintained by Coindesk, it appears just one is — Blockchain.info ($30.5 million).

Why isn’t Coinbase, Xapo or Circle?  These will be discussed below at length.

What about mining/hashing, aren’t these permissionless activities at their core?

Certain VC funded mining/hashing companies no longer offer direct retail sales to hobbyists, this includes BitFury and KnC Miner.  These two, known entities, through a variety of methods, have filed information about their operations with a variety of regulators.3  To-date BitFury has raised $60 million and it runs its own pool which accounts for about 16% of the network hashrate.  Similarly, KnC has raised $29 million from VCs and also runs its own pool, currently accounting for about 6% of the network hashrate.

What about other pools/block makers?  It appears that in practice, some require know-your-customer (KYC), know-your-business (KYB), know-your-miner (KYM) and others do not (e.g., selling custom-made hardware anonymously can be tricky).

  • MegaBigPower gathers KYC information.
  • Spondoolies Tech is currently sold out of their hardware but require some kind of customer information to fill out shipping address and customs details.  They have raised $10.5 million in VC funding.
  • GHash allows you to set up a pseudonymous account with throwaway email addresses (or via Facebook and Google+), but they have not published if they raised any outside funding
  • Most Chinese hashing and mining pools are privately financed.  For instance, Bitmain has not needed to raise funding from VCs (yet).  The also, currently, do not perform KYC on their users.  I spoke with several mining professionals in China and they explained that none of the big pools (Antpool, F2pool, BTC China pool, BW.com) require KYM at this time.  Over the past four days, these pools accounted for: 21%, 17%, 10% and 8% of the network hashrate respectively — or 56% altogether.  Update 7/29/2015: a representative at BTC China explained that: “Yes, we do KYC the members of our mining pool. We verify them the same way we KYC all registered users on BTCC.”
  • 21inc, not much more is known publicly at this time but if the idea of a “BitSplit” chip is correct, then what could happen is the following: as more chips are flipped on in devices, the higher the difficulty level rises (in direct proportion to the hashrate added).  As a result, the amount of satoshi per hash declines over time in these devices.  What this likely will lead to is a scenario in which the amount of satoshi mined by a consumer device will be less than “dust limit” which means a user will likely be unable to move the bitcoins off of the pool without obtaining larger amounts of bitcoin first (in order to pay the transaction fee).  Consequently this could mean the users will need to rely on the services provided by the pool, which could mean that the pool will need to become compliant with KYC/AML regulations.  All of this speculation at this time and is subject to changes.  They have received $121 million in VC funding.
  • As explained above, while individual buyers of hashing equipment, Bob and Alice, do typically have to “doxx” themselves up to some level, both Bob and Alice can resell the hardware on the second-hand market without any documentation.  Thus, some buyers wanting to pay a premium for hashing hardware can do so relatively anonymously through middlemen.4  This is similar to the “second-hand” market for bitcoins too: bitcoins acquired via KYC’ed gateways end up on LocalBitcoins.com and sold at a premium to those wanting to buy anonymously.

Notice a pattern?  There is a direct correlation between permissionless platforms and KYC/AML compliance (i.e., regulated financial service businesses using cryptocurrencies are permissioned-on-permissionless by definition).

Blockchain.info attempts to skirt the issue by marketing themselves as a software platform and for the fact that they do not directly control or hold private keys.5

This harkens back to what Robert Sams pointed out several months ago, that Bitcoin is a curious design indeed where in practice many participants on the network are now known, gated and authenticated except the transaction validators.

What about permissioned-on-permissionless efforts from Symbiont, Chain and NASDAQ?  Sams also discussed this, noting that:

Now, I am sure that the advocates of putting property titles on the bitcoin blockchain will object at this point. They will say that through meta protocols and multi-key signatures, third party authentication of transaction parties can be built-in, and we can create a registered asset system on top of bitcoin. This is true. But what’s the point of doing it that way? In one fell swoop a setup like that completely nullifies the censorship resistance offered by the bitcoin protocol, which is the whole raison d’etre of proof-of-work in the first place! These designs create a centralised transaction censoring system that imports the enormous costs of a decentralised one built for censorship-resistance, the worst of both worlds.

If you are prepared to use trusted third parties for authentication of the counterparts to a transaction, I can see no compelling reason for not also requiring identity authentication of the transaction validators as well. By doing that, you can ditch the gross inefficiencies of proof-of-work and use a consensus algorithm of the one-node-one-vote variety instead that is not only thousands of times more efficient, but also places a governance structure over the validators that is far more resistant to attackers than proof-of-work can ever be.

This phenomenon is something I originally dubbed “permissioned permissionlessness” for lack of a better term, but currently think permissioned-on-permissionless is more straightforward and less confusing.

What does this mean?

Permissioned-on-Permissionless

PoP blockchain
The Venn diagram above is another mental model I used at the BNY Mellon event.

As mentioned 3 months ago, in practice most block makers (DMMS validators) are actually known in the real world.

While the gating process to become a validator is still relatively permissionless (in the sense that no single entity authorizes whether or not someone can or cannot create proofs-of-work), the fact that they are self-identifying is a bit ironic considering the motivations for building this network in the first place: creating an ecosystem in which pseudonymous and anonymous interactions can take place:

The first rule of cypherpunk club is, don’t tell anyone you’re a cypherpunk.  The first rule of DMMS club is, don’t tell anyone you’re a DMMS.

The second bucket, neither censorship resistant nor trade finality, refers to the fact that large VC funded companies like Coinbase or Circle not only require identification of its user base but also be censor their customers for participating in trading activity that runs afoul of their terms of service.  Technically speaking, on-chain trade finality hurdles refers to bitcoin transactions not being final (due to a block reorg, a longer chain can always be found, undoing what you thought was a confirmed transaction).  This has happened several times, including notably in March 2013.

For instance, in Appendix 1: Prohibited Businesses and Prohibited Use, Coinbase lays out specific services that it prohibits interaction with, including gambling.  For example, about a year ago, users from Seals with Clubs and other dice/gambling sites noticed that they were unable to process funds from these sites through Coinbase and vice versa.

brian armstrong coinbase

Source: Twitter

The tweet above is from Brian Armstrong is the CEO of Coinbase, which is the most well-funded permissioned-on-permissionless startup in the Bitcoin ecosystem.  For its users, there is nothing permissionless about Bitcoin as they actively gate who can and cannot be part of their system and black list/white list certain activities, including mining (hashing) itself.6  It is not “open” based on common usage of the word.

In other words, contrary to what some Coinbase executives and investors claim, in an effort to extract value in a legally palatable manner, they must fulfill KYC/AML requirements and in doing so, effectively nullify the primary utility of a permissionless network: permissionlessness.  Furthermore, Coinbase users do not actually use Bitcoin for most transactions as they do not control the privkey, Coinbase does.  Coinbase users are not using Bitcoin on Coinbase, they are using an internal database.7 Or to use the marketing phrase: you are not your own bank, Coinbase is — which leads to a bevy of regulatory compliance questions beyond the scope of this post.8 However, once your bitcoins are out of Coinbase and into your own independent wallet where you control the private key, then you get the utility of the permissionless platform once more.

What are other permissioned-on-permissionless platforms?  Below are twenty-seven different companies that have raised at least a Series A (figures via CoinDesk) in alphabetical order:

  • Bitex.la: ($4 million)
  • BitGo: ($14 million)
  • BitGold: ($5.3 million)
  • Bitnet: ($14.5 million)
  • BitPay: ($32.5 million)
  • Bitreserve: ($14.6 million)
  • Bitstamp: ($10 million)
  • BitX: ($4.82 million)
  • BTC China ($5 million)
  • ChangeTip: ($4.25 million)
  • Chain: ($13.7 million)9
  • Circle: ($76 million)
  • Coinbase: ($106 million)
  • Coinplug: ($3.3 million)
  • Coinsetter: ($1.9 million)
  • Cryex: ($10 million)
  • GoCoin: ($2.05 million)
  • Huobi ($10 million)
  • itBit: ($28.25 million)
  • Korbit: ($3.4 million)
  • Kraken: ($6.5 million)
  • Mirror, formerly Vaurum: ($12.8 million)
  • OKCoin: ($11 million)
  • Ripple Labs ($37 million)
  • Vogogo ($21 million)
  • Xapo: ($40 million)

Altogether this amounts to around $492 million, which is more than half of the $855 million raised in the overall “Bitcoin space.”

What do these all have in common again?  Most are hosted wallets and exchanges that require KYC/AML fulfillment for compliance with regulatory bodies.  They require users to gain permission first before providing a service.

pie chart bitcoin funding
The chart above visualizes funding based on the schema’s explored in this post.  Based on a total venture capital amount of $855 million, in just looking at startups that have received at least a Series A, 57.5% or $492 million has gone towards permissioned-on-permissionless systems.  An additional $224 million, or 26.1% has gone towards mining and hashing.10

Permissionless-on-permissionless includes Blockchain.info, ShapeShift, Hive, Armory and a sundry of other seed-stage startups that collectively account for around $50 million or 5.8% altogether.  The remaining 10.6% include API services such as Gem and BlockCypher; hardware wallets such as Case and Ledger; and analytic services such as Tradeblock.  In all likelihood, a significant portion of the 10.6% probably is related to permissioned-on-permissionless (e.g., Elliptic, Align Commerce, Bonafide, Blockscore, Hedgy, BitPagos, BitPesa) but they have not announced a Series A (yet) so they were not included in the “blue” portion.

Ripple Labs

Why is Ripple Labs on that funding list above?  While Ripple is not directly related to Bitcoin, it is aggregated on the funding list by CoinDesk.

Is it permissioned or permissionless?  A few weeks ago I met with one of its developers, who said in practice, the validator network is effectively permissionless in that anyone can run a validator and that Ripple Labs validators will process transactions that include XRP.11

This past week, Thomas Kelleher tried to outline how Ripple Labs is some kind of “third way” system, that uses ‘soft permissions’ in practice.  There may be a case for granular permissions on a permissionless network, but it did not coherently arise in that piece.

For example, in early May, Ripple Labs announced that it had been fined by FinCEN for not complying with the BSA requirements by failing to file suspicious activity reports (SARs), including notably, on Roger Ver (who did not want to comply with its KYC requests).

In addition to the fine, Ripple Labs also implemented a new identification gathering process for KYC compliance, stating:

The Ripple network is an open network. No one, including Ripple Labs, can prevent others from using or building on the Ripple protocol as they desire. However, when Ripple Labs provides software, such as the Ripple Trade client, Ripples Labs may impose additional requirements for the use of the software. As such, Ripple Labs will require identification of Ripple Trade account holders.

We will ask you to submit personally identifiable information (PII) similar to what you would submit to open a bank account, such as full name, address, national ID number, and date of birth. Users may also be asked to upload their driver’s license or other identifying documents. We will use this information to verify your identity for compliance purposes. We take privacy seriously, so the information you provide during the customer identification process is encrypted and managed by Ripple Trade’s Privacy Policy.

In other words, Ripple Labs was just fined by FinCEN for doing the very thing that Kelleher wants you to believe he is not required to do.   All new Ripple Labs-based “wallets” (Ripple Trade wallets) require user info — this likely means they can control, suspend and block accounts.12  All eight of the main Ripple gateways are also obliged to gather customer information.  The current lawsuit between Jed McCaleb and Ripple Labs, over the proceeds of $1 million of XRP on Bitstamp, will probably not be the last case surrounding the identification and control of such “wallet” activity (e.g., specific XRP flagged).

Thus, while the Ripple network started out as permissionless, it could likely become permissioned at some point due to compliance requirements.  Why?  If you download and install rippled, in practice you are going to use the default settings which rely on Ripple Labs core nodes. In practice, “choose your own” means “choose the default” for 99% percent of its users, ergo Ripple Labs sets the defaults.13 In a paper recently published by Peter Todd, he explained there is no game theoretic advantage to selecting non-default configurations which were not discussed in Kelleher’s essay.

Bob cannot choose his own rules if he has to follow compliance from another party, Ripple Labs. The UNL set may converge on an explicit policy as nodes benefit from not letting other nodes validate (they can prioritize traffic).14

I reached out to Justin Dombrowski, an academic who has spent the past year independently studying different ledger systems for a variety of organizations.  In his view:

I have a hard time thinking of Ripple as anything but plain permissioned because I have a hard time thinking of a realistic circumstance under which an active user wouldn’t also have an account subject to KYC, or be indirectly connected to one. Sure, I can run a node for the purpose of experimenting with some Ripple app I’m developing, but at the end of the day I expect to be payed for that app. And I could mine for free—and yeah, in that case the network is permissionless for me—but that’s a atypical, trivial example I’d think. Ripple is theoretically permissionless, but practically not because incentives align only with permissioned uses.

As Dombrowski noted, things get taxonomically challenging when a company (Ripple Labs) also owns the network (Ripple) and has to begin complying with financial service regulations.  This trend will likely not change overnight and until it explicitly occurs, I will probably continue to put an asterisk next to its name.

Challenges for DMMS validators in a permissioned-on-permissionless world

Over the past month, I have been asked a number of questions by managers at financial institutions about using public / communal chains as a method for transferring value of registered assets.

For instance, what happens if Bank A pays a fee to a Bitcoin or Litecoin miner/mining pool in a sanctioned country (e.g., EBA concerns in July 2014)?

In February 2015, according to a story published by Free Beacon, Coinbase was on “the hot seat” for explicitly highlighting this use-case in an older pitch deck because they stated: “Immune to country-specific sanctions (e.g. Russia-Visa)” on a slide and then went on to claim that they were compliant with US Treasury and NY DFS requirements.

Another question I have been asked is, what if the Bitcoin or Litecoin miner that processes transactions for financial institutions (e.g., watermarked tokens) also processes transactions for illicit goods and services from dark net markets?  Is there any liability for a financial institution that continues to use this service provider / block maker?

Lastly, how can financial institutions identify and contact the miner/mining pool in the event something happens (e.g., slow confirmation time, accidentally sent the wrong instruction, double-spend attempt, etc.)?  In their view, they would like to be able to influence upgrades, governance, maintenance, uptime (i.e., typical vendor relationship).

Trade-offs

In the Consensus-as-a-service report I used the following chart showing trade-offs:permissioned tradeoffsI also used the following diagram to illustrate the buckets of a permissioned blockchain:

permissioned chains
Recall that the term “mintette” was first used by Ben Laurie in his 2011 paper describing known, trusted validators and was most recently used in Meiklejohn (2015).

The general idea when I published the report several months ago was that permissionless-on-permissioned (what effectively what Ripple sits) is untenable in the long-run: due to regulatory pressure it is impossible to build a censorship-resistant system on top of a permissioned network.

Ryan Shea pointed this out in his recent piece, noting that:

Permission-ed blockchains are useful for certain things but they are limited in what they can do. Fully decentralized, permission-less, censorship-resistant applications CANNOT be built on them, which for many is a deal-breaker.

What does this mean for your business or organization?  Before deciding what system(s) to use, it is important to look at what the organizations needs are and what the customer information requirements are.

Conclusions

As explored above, several startups and VC funds have unintentionally turned an expensive permissionless system into a hydra gated permissioned network without the full benefits of either.  If you are running a ledger between known parties who abide by government regulations, there is no reason to pay the censorship-resistance cost.  Full stop.15

fixing bitcoin

[The optics of permissioned-on-permissionless]

Most efforts for “legitimizing” or “fixing” Bitcoin involves counteracting features of Bitcoin that were purposefully designed such that it enables users to bypass third parties including governmental policies and regulations.  Businesses and startups have to fight to turn Bitcoin into something it isn’t, which means they are both paying to keep the “naughty” features and paying to hide them.  For example, if Satoshi’s goal was to create a permissioned system that interfaces with other permissioned systems, he would likely have used different pieces — and not used proof-of-work at all.

The commercial logic of this (largely) VC-backed endgame seems to be: “privatize” Bitcoin through a dozen hard forks (the block size fork is the start of this trend that could also change the 21 million bitcoin hard-cap).16

It seems increasingly plausible that some day we may see a fork between the “permissionless-on-permissionless” chain (a non-KYC’ed chain) and the “permissioned-on-permissionless” chain (a fully KYC’ed chain) — the latter comprising VC-backed miners, hosted wallets, exchanges and maybe even financial institutions (like NASDAQ).  The motivations of both are progressively disparate as the latter appears uninterested in developer consensus (as shown by the special interest groups wanting to create larger blocks today by ignoring the feedback from the majority of active core developers and miners).  At that point, there is arguably minimal-to-no need for censorship resistance because users and miners will be entirely permissioned (i.e. known by/to participating institutions and regulators).

When drilling down, some of the permissioned-on-permissionless investment appears to be a sunk cost issue: according to numerous anecdotes several of these VCs apparently are heavily invested in bitcoins themselves so they double down on projects that use the Bitcoin network with the belief that this will create additional demand on the underlying token rather than look for systems that are a better overall fit for business use-cases.17

This raises a question: is it still Bitcoin if it is forked and privatized?   It seems that this new registered asset is best called Bitcoin-in-name-only, BINO, not to be confused with bitcoin, the bearer asset.18

If the end game for permissionless systems is one in which every wallet has to be signed by something KYC/KYB approved, it appears then that this means there would be a near total permissioning of the ledger.  If so, why not use a permissioned ledger instead for all of the permissioned activity?

The discussion over centralized versus institutionalized will also be discussed in a future post.

[Acknowledgements: thanks to Richard Apodaca, Anton Bolotinsky, Arthur Breitman, Richard Brown, Dustin Byington, Justin Dombrowski, Thomas Kelleher, Yakov Kofner, Antony Lewis and John Whelan for their feedback.]

Endnotes

  1. See Does Smart Contracts == Trustless Multiparty Monetary Computation? []
  2. Thanks to Richard Brown for this insight. []
  3. In raising funds, they have “doxxed” themselves, providing information about founders and management including names and addresses.  They are no longer pseudonymous. []
  4. Thanks to Anton Bolotinsky for this insight. []
  5. Are there any other non-mining projects that are VC funded projects that do not require KYC?  A few notable examples include ShapeShift (which de-links provenance and does not require KYC from its users) and wallets such as Hive and Armory.  All three of these are seed-stage. []
  6. For more about know-your-miner and source of funds, see The flow of funds on the Bitcoin network in 2015 []
  7. Perhaps this will change in the future.  Coinbase users can now send funds both on-and-off-chain in a one-click manner. []
  8. Learning from the past to build an improved future of fintech and Distributed Oversight: Custodians and Intermediaries []
  9. Chain is working with NASDAQ on its new issuance program which requires KYC compliance.  In contrast, I created a new account for their API product today and it did not require any KYC/KYB. []
  10. See What impact have various investment pools had on Bitcoinland?  It bears mentioning that BitFury raised an additional $20 million since that post, bringing the publicly known amount to around $224 million. []
  11. Visited on July 2, 2015 []
  12. Using similar forensics and heuristics from companies like Chainalysis and Coinalytics, Ripple Labs and other organizations can likely gather information and data on Ripple users prior to the April 2015 announcement due to the fact that the ledger is public. []
  13. Two years ago, David Schwartz, chief cryptographer at Ripple Labs, posted an interesting comment related to openness and decentralization on The Bitcoin Foundation forum. []
  14. Thanks to Jeremy Rubin and Roberto Capodieci for their feedback. []
  15. Thanks to Arthur Breitman for this insight. []
  16. Thanks to Robert Sams for this insight. []
  17. Richard Apodaca, author of the forthcoming Decoding Bitcoin book, has another way of looking at VCs purchasing bitcoins, that he delves into on reddit twice. []
  18. One reviewer suggested that, “this would cease being bitcoin if the measuring stick is what Satoshi wanted.” []