First Principles of Crypto Governance
My dog, Leo, hates veterinarians and barks when he sees a sign pointing to the town where the veterinarian practices. He hated the vet because vet meant needles and shots. Apparently, he couldn't understand why the pain of the needle could actually protect it from a more serious, painful disease. Shots mean pain, and pain is bad. And yet, he walks through the sliding doors with his ears down and his moist eyes seeming to ask my father: "I know we love each other, why did you do this to me?" In , Leo chooses to believe in the heuristic that since his family always seems to act in his interest, any request (even a painful one) is likely to be part of this loving and caring mutual agreement. Dogs and humans have been friends for thousands of years, and in the vast majority of cases, the heuristic has proven useful, so it lives on.
The Heuristic of Benevolence, which is prevalent among founder-master-controllers and community members of crypto-decentralized organizations, may have similar origins. You guys have made me or someone else a lot of money so I should never doubt your pure intentions. Possibly for the same reason, the same benevolence heuristic becomes a heuristic of suspicion for anyone not originally involved in building the community (outsiders).
The problem with heuristics is that they are easily spoofed.
Oh Governance, Dear Minimizers
Last week's Dirt Roads discussed MakerDAO's recent governance cycle. Finally, three open questions are included:
Based on existing governance mechanisms and token distribution, do we trust Maker for censorship resistance?
Do we trust Maker to be a truly decentralized organization when a group of (arguably) consistent parties have enough voting power to outnumber so many institutional participants?
Do we think that Maker's structure can effectively handle use cases (and borrowers) that bring a minimum level of complexity and opacity?
These three questions can be summarized into one question: Can we think that the dominant governance framework of a cryptographic protocol can (natively) incentivize well-intentioned behavior while handling complex tasks? My hunch is that the answer to these questions is simply "no".
For Maker, like many other crypto projects, governance tasks are assigned to holders of the governance token $MKR. But more generally, holders of $MKR can vote on changes to the protocol — anyone can submit a proposal. Proposals will be voted on following the simplified process below.
Arguing about the most effective role assignments or alternate role mechanics is beyond the spirit of this article. What interests us is that the architects of the Maker governance framework recognized the risk of malicious governance attacks, and to counter it, they included a governance security model with the ability to delay the execution of certain proposals - allowing $MKR holders to collect enough consensus to call for an emergency shutdown followed by an orderly unwinding of the protocol itself.
The school of optimistic governance, pioneered by Aragon and Optimism, guides this concept by assuming that all proposals are voted on unless challenged in court within a certain period of time. These efforts are laudable and still valid in environments where the consequences of each decision are obvious, measurable ex ante, or have immediate impact. As the DAO's ambitions move beyond rigid and clearly defined boundaries, and towards complex tasks like increasing real-world credit through complex structures, it becomes clear that even an optimistic challenge window is not enough to ward off malicious attacks.
Irreducibility issues → Initially, most on-chain governance had to face very simple decisions: whether to whitelist ERC-20 tokens, increase or decrease parameters, activate or deactivate oracle feeds. Governance mechanisms have evolved to meet this need, and blockchain technology allows for a finer separation of tasks. But ambition is characteristic of humans, and the protocol gradually scales to use cases of complex ganglia rather than ordered collections of atomic decisions: should we start financing real-world credit, how active should our money management strategy be, how should we Dealing with the impact of our liquid staking service on the stability of the chain of origin, our role in the complex DeFi stack, and more. Scaling creates an irreducibility problem that engineers may not yet fully grasp. It is structurally impossible to continue expanding while modeling every possible case for decision making. We need to learn to live with the myriad extremes that will have any unforeseen effects. The effects of irreducibility can be catastrophic.
Two possible solutions → Available solutions go in two directions: (i) make governance mechanisms better suited to deal with unmeasured uncertainties and conflicts of interest, and (ii) reduce uncertainty through atomization of tasks and responsibilities sex. Although the second (decomposition, simplification, rigidity) is what we should pursue in the long run, uncertainty cannot be fundamentally eliminated, so developing a more uncertain decision-making framework is something we cannot escape.
The remainder of this post will be devoted to an initial formalization of the problem. When things get complicated, I believe there is value in developing a simplified version of reality. Our idea is to use such a framework to understand the key forces at play and try to design mechanisms that incentivize benign influences while mitigating malign ones.
optimistic governance game
I decided to design a game. Let me clarify: game theory and the theory of economic behavior pioneered by John von Neumann and Oscar Morgenstern, which put mathematical rigor as the foundation of modern economics, have been abused and misused by the crypto brothers for far too long, I have no intention of being part of it. These games will not be game theory, but gonzo math. Like Gonzo News, the purpose of writing the set of equations described below is to provide atmosphere of what is going on, not to provide the symbolic tools needed to distill a solution. However, formalizing human interaction in the context of protocol governance is an ambitious undertaking that I hope will spark the interest of others with more skills and time than I do.
I first built an Optimistic Governance Game (OGG). In OGG, all those involved in the governance of the protocol are good people and intend to maximize the economic value generated by the protocol itself - an important norm. In this simplified game configuration, we assume that participants/voters receive a proposal externally and have the ability to pass or vote based on an arbitrary governance mechanism (i.e. voting function).
The voting function V for proposal i takes as input a vector of all votes of N participants. In OGG, we can assume that each participant has one vote. The output of the voting function is 0 (ding) or 1 (pass)
There are only two types of proposals: benign proposals and malicious proposals. Well-meaning proposals have a positive effect on all voters—and thus the protocol, while malicious proposals confer large benefits to supporters (who are outside the voter group) at the cost of potentially breaking the protocol.
The expected cost of being breached depends on the assigned probability function and the value V each voter assigns to the protocol. For simplicity, we can assume that all well-meaning proposals have the same payoff, and that all voters assign the same value to the agreement—and that this value is much higher than the potential value of a single passing proposal. Since all voters have similar preferences and are supporters outside the governance set, we can generalize the above functions from a protocol perspective.
As expected, we cannot say in advance whether an offer is benign or malicious. We need to think in terms of probability. We can rewrite the expected payoff function of a generalized proposal as follows:
We also know that the ill effects of malicious proposals only become apparent after an indeterminate time delay—and only indirectly, i.e., by observing the survival of the protocol. In other words, if at the end of the OGG - i.e. by time T - the protocol is still intact, our best guess is that governance has not passed the malicious proposal and we have won the OGG.
Finally, the protocol, the sum of all voters, when faced with voting for or against a generalized first proposal, aims to maximize the expected value function below. This objective is an assumption of OGG, since voters could theoretically be assigned very different objective functions.
The probability of being destroyed is equal to the probability of a vicious outcome before the end of the OGG
Given the very simple structure of OGG, most results are trivial. However, they are worth reflecting on:
- Supporters are motivated to go big → Since the protocol breach event is a nuclear issue, supporters are incentivized to present proposals to voters that also provide high immediate benefits
- Main motivation for looking good → higher (perceived) density of benevolence simplifies decision making for voters
- Illiquidity has a premium → Delayed proposals, or better proposals with delayed outcomes, are more easily digested by the decision-making process
- Value maximization is not survival maximization → Expected value maximizing strategies may lead to a very different set of optimal decisions than protocol survival maximization
realistic governance game
Things get more interesting if we spice up the game a little bit. Reality, especially DAO reality, is much more complex than our OGG. For the sake of our discussion, I want to focus on a few key differences:
- Voters can also be supporters → There is a partial overlap between voters and supporters, be it good or bad proposals - therefore we will use the term participant to include both voters and supporters
- Malicious proposals are very beneficial to their supporters → Private (non-common) benefits of malicious proposals may greatly outweigh the private impact on their supporters of protocol being broken
- Private and protocol perspectives are different → individual voter/supporter’s private reward function differs significantly from protocol-wide reward function due to diversification and time horizon mismatch
In the Realistic Governance Game (RGG), we can rewrite the objective function as follows, now distinguishing between good and bad supporters. We assume that neither proposals nor votes cost anything.
Good actor → a moral actor The objective function is very similar to the generalized OGG case.
However, as we have already hinted, we have now listed the expected payoff for each individual participant n because: (i) the time horizon of an individual actor in the RGG is likely to be different from that of the protocol—that is, a single A participant may still sell his voting rights and right to leave, and (ii) the damage to a single RGG participant is likely not to be nuclear damage given the damage sharing and portfolio diversification. These differences increase the risk tolerance of good players; players have an incentive to "take their chances" on proposals that have a non-negligible core opportunity for the protocol.
Bad players → However, what happens to bad players is more interesting. A bad actor is someone who consciously proposes a malicious proposal, has a private interest in that proposal, and consciously votes for it.
The incentives for bad actors to deviate are much higher: (i) only potential losses (rather than extraordinary gains) cancel each other out, and (ii) losses can be more easily avoided due to better visibility of malign outcomes. Bad actors have enormous incentives to come up with malicious proposals and lobby good players to minimize the perceived damage to the harsh protocol. In other words, there are strong incentives for everyone to deviate and become bad actors.
In this simplified representation, motivation to deviate is positively related to:
- Requisitionability→Relative size of private bias benefits
- Mutualization → community size, or total number of participants
- Uncertainty → Perceived risk of encountering bad advice
- Urgency → Probability of malicious influence
- Risk aversion → Surprisingly, risk aversion incentives turn out to be bad guys
However, the system is not static. This means that more malicious actors will be attracted to large and uncertain communities, and their motivations are so high that they are prepared to dedicate significant resources to tide them over. This can create a death spiral for communities without the right checks and balances.
Both OGG and RGG are extremely simplified gonzo math games. Still, they're a good start, and could force us to look in the mirror and look beyond the personalization of rhetoric when designing our coordination mechanisms.
Some protocols, including Maker, remain loyal to the "tyranny of no structure" - h/t @Dermot_Oryordan, a defense of a purist approach where the center of interest (token holders, borrowers, $ Formalization of DAI holders, core unit members, representatives, minorities, protocols) is resisted in the interests of decentralization. But, as Joe Freeman puts it in her immortal essay:
“Contrary to what we like to believe, there are no unstructured groups. Any group of people of any nature, coming together for any purpose, however long, will inevitably construct itself in some way. […]
This means that targeting an unstructured group is just as useful and deceptive as targeting an "objective" new story, "worthless" social science, or a "liberal" economy. […] This idea becomes a smoke screen for the strong or the lucky to establish unquestioned supremacy over others. "
Whether this is intentional or not is irrelevant. But using our simplified model, homogeneous voter/supporter groups imply increased uncertainty, mutualization, and potential expropriation. To me, Maker's governance design is a poor design because it encourages adverse selection (among borrowers) and impunity for bad actors.
However, there are also good examples of cryptocurrency governance. On June 10th, @skozin posted a proposal on Lido's forum to establish a LDO+stETH dual governance mechanism for the liquidity staking protocol. Recognizing that there is an agency problem where the voters ($LDO holders) are not the ones (primarily stakeholders) who suffer the breach, proponents propose a set of ideas that align with the framework we outlined in the RGG:
- Narrow governance through rigidity → reduce uncertainty
- Delayed implementation of ballot proposals → less urgency
- Introduce veto/anti-veto system for $stETH → reduce mutualization
- Implement (partial) malicious resource destruction → reduce expropriability
The proposal explicitly acknowledges that it is impossible to identify all potential attack vectors or edge cases ex ante, and instead adopts a first principles-based approach that, while acknowledging the existence of conflicting interests, stimulates an adversarial (and costly) governance debate .I would urge anyone involved in designing governance principles to pass this proposal through and through. This is something that deserves a symbolic representation.
A dual governance system is not the only possible path. Worth mentioning for a deeper analysis are Pocket Network's stake working mechanism, DXDdao's reputation-based voting, reputation and participation decay mechanism, and apparently Ethereum's EIP-5114 soul binding. The space for research and design of governance mechanisms for uncertainty-dense environments is vast and fascinating. We really can't build anything complex on top of the fragile base layer of human interaction.
Extremism that opts for ready-made solutions is good for politicians. But we are not politicians, we are here to stay, and our goal is not to jump ship before it burns. We have no choice but to bow our heads; learn, research, test, iterate and dream.