<p>haseeb qureshi (<a href="https://haseebq.com/feed.xml">https://haseebq.com/feed.xml</a>), updated 2022-12-26T10:42:40+00:00. Haseeb Qureshi is an investor, software engineer, author, effective altruist, and former high-stakes poker pro. In his blog, he explores cryptocurrencies, blockchain, software, and altruism.</p>
<h1 id="defi-in-eth2-cities-suburbs-and-farms">DeFi in Eth2: Cities, suburbs, and farms</h1>
<p><em>Haseeb Qureshi, 2020-07-29. <a href="https://haseebq.com/defi-in-eth2-cities-suburbs-and-farms">https://haseebq.com/defi-in-eth2-cities-suburbs-and-farms</a></em></p>
<p>Ethereum today is <a href="https://blockchair.com/ethereum/charts/median-gas-price?granularity=week">incredibly congested</a>—it’s even more congested now than it was during the height of the ICO bubble.</p>
<p>This is impressive, but also worrying! Ethereum 2.0 is still a ways away, but the tiny island of Ethereum 1.0 is already populated to the point of saturation.</p>
<p><img src="https://cdn.substack.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F19903bf8-b00b-4728-91c5-a0f7dc5719df_1200x630.png" alt="" />
<em>Artist’s rendition of Ethereum 1.0 (<a href="https://www.elitereaders.net/migingo-overpopulated-tiny-rock-island-lake-victoria-africa/">source</a>)</em></p>
<p>You’ve probably heard that Ethereum 2.0 is going to be sharded. Beyond base scalability improvements, sharding is how Ethereum 2.0 is going to scale to meet demand. </p>
<p>But many people have asked—will sharding really work for DeFi? After all, sharding breaks composability, and <a href="https://twitter.com/jessewldn/status/1182293551444451328">isn’t composability the main thing about DeFi</a>? (Money Legos™ and so on.)</p>
<p>Let’s draw out this line of thinking. </p>
<p>Ethereum 2.0 is going to create a bunch of shards, which will work like loosely connected blockchains. But all the DeFi stuff will end up living on a single shard, since it all wants to coagulate together.</p>
<p>So we’ll end up in the exact same place we started: one huge DeFi shard, massive congestion. </p>
<p><img src="https://cdn.substack.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa48b96b6-3c7e-41ac-94d8-6658148f1b66_1028x1200.png" alt="" />
<em>The same crowded island, but a little bigger now. (<a href="https://twitter.com/GreekPictures/status/1117049992810770433/photo/1">source</a>)</em></p>
<p>In a sense, this vision is almost certainly correct. But it’s wrong in being alarmed about this: in fact, this is perfectly fine and to be expected!</p>
<p>Let me paint a thought experiment for you.</p>
<h2 id="cities-suburbs-and-farmland">Cities, Suburbs, and Farmland</h2>
<p>Imagine the day that Ethereum 2.0 launches with full smart contracts. On day one, it’s empty, like a fresh and untouched landscape. Eager Ethereum 1.0 settlers disperse across the shards.</p>
<p><img src="https://cdn.substack.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fc791cad4-4306-4be7-a7a5-2708f064c0ce_700x440.png" alt="" />
<em>Ethereum 2.0 on day one. (<a href="https://www.advancelandandtimber.com/">Source</a>)</em></p>
<p>Will they spread uniformly across this landscape?</p>
<p>Of course not! The first settlers will want to band together and form <strong>cities</strong>. </p>
<p>In cities, individuals live and work together because they benefit from coordination and proximity. In exchange for the increased productivity of living in a city, those settlers are willing to pay more in higher rents and more congestion (in Ethereum, gas prices).</p>
<p>But it’s worth it! These early cities are the centers of commerce. It might be too expensive for most people, but that’s okay. Those who benefit the most from being near the center of commerce are incentivized to move there.</p>
<p>This first city in Ethereum 2.0 will likely be the DeFi shard.</p>
<p><img src="https://cdn.substack.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F872f4f7f-788a-43b7-a0b4-1a01017ce461_1000x499.png" alt="" />
<em>The city-like DeFi shard. Ah, the hustle and bustle of composability! (<a href="https://brewminate.com/the-market-revolution-in-early-america/">Source</a>)</em></p>
<p>That DeFi shard will be the place where the major DeFi protocols settle—those that benefit from high velocity and being connected to large liquidity pools for liquidations, flash loans, or whatever. Maybe there will be one major financial shard, like London, or two city shards with their own specializations, like New York City and Chicago. I expect if there is a second city shard, it will be for centralized exchange settlement, separated from DeFi and all of its chaos.</p>
<p>City shards will be expensive and high-throughput, with primarily high-value transactions (otherwise the gas cost would be too prohibitive).</p>
<p>But isn’t that awful? Wasn’t that what we were trying to avoid? Now normal people won’t be able to use the DeFi shard at all!</p>
<p>Ah, but hold on. The other shards will not be empty. Most people will live in the outskirts of the cities. You don’t need to live in Manhattan to occasionally trek up there when you want to buy something exotic. But most of the time, you’ll be just fine living on another shard and making it into the metropolis when you really need to—the DeFi shard is only a few minutes’ cross-shard transaction away. </p>
<h2 id="so-where-will-most-people-live">So where will most people live?</h2>
<p>I expect there will be two other kinds of shards: <strong>suburbs</strong> and <strong>farmlands</strong>.</p>
<p>Suburbs are places where lots of people will live at relatively low cost, and have access to decent services—not a ton, but enough to get by for most of their needs. If you want to do something fancy, like get a flash loan to refinance a multi-million dollar Maker vault into a recursively leveraged Compound position, then hey, you might have to take the train to the DeFi shard to do that.</p>
<p>But if you want to do something simple at the local corner store, like swap some ETH for DAI or buy some WBTC, that’ll be easy enough. Almost every ERC-20 will be cross-shard tokenized and available in the suburbs, and there will be local MMs for the most popular tokens and simple use cases. And like in real suburbs, most suburban shards will look pretty much the same.</p>
<p>Suburbs will see medium-throughput, medium-value transactions. It will be economical for most people to just park their assets here and live out their blockchain lives in middle-class tranquility.</p>
<p><img src="https://cdn.substack.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fc49dd149-56cc-4957-a12c-14840b0969e1_1100x733.png" alt="" />
<em>The blockchain ‘burbs. For us normies. (<a href="https://www.businessinsider.com/i-moved-from-city-to-suburbs-why-ill-stay#theres-a-lot-more-space-1">Source</a>)</em></p>
<p>Finally, there are the farmland shards. These are the rural areas that are empty of people. If you are a blockchain game that is mostly doing its own thing and doesn’t immediately need to interoperate with other assets, you can just settle all your game actions directly onto a farmland shard.</p>
<p>Or if you’re a <a href="https://cointelegraph.com/news/98-of-bsv-transactions-used-for-writing-weather-data-on-blockchain-report">weather app just dumping a bunch of data on-chain</a>, you’d rather do it in an unpopulated area, because why not? It’s not like that shard is being used for anything important. </p>
<p><img src="https://cdn.substack.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F349858d7-5745-4c01-b4b9-2dd3483d60e7_1600x900.png" alt="" />
<em>Ah, perfect for dumping my homomorphically encrypted supply chain data! (<a href="https://www.microsoft.com/en-us/p/aerial-farmland-premium/9plwgl934r9q?activetab=pivot:overviewtab">Source</a>)</em></p>
<p>If there are pollutive activities that are uneconomical in cities or suburbs, take it to the boonies. There are no DeFi services or tokens to displace anyway. Out here, no one is all that bothered. Farmland shards allow for high-throughput, low-value transactions to your heart’s content.</p>
<h2 id="blockchain-urban-planning">Blockchain Urban Planning</h2>
<p>This vision of DeFi in Ethereum 2.0, if true, tells us two things.</p>
<p>First, yes, there will be congested shards on Ethereum 2.0! And the most congested shards will be the highest value parts of DeFi that benefit from composability. Nevertheless, DeFi will also expand cross-shard so it can provide some ancillary services in suburb shards, akin to the local branch of a national bank. </p>
<p>But sharding doesn’t mean that activity is uniformly spread across shards. That’s not only impossible—it’s economically stupid. Let high-value enterprises move into the cities, let boring families move to the suburbs, and let farmlands do their thing far away from the valuable real estate.</p>
<p><img src="https://cdn.substack.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F6e408439-a9bf-4151-b5bf-e1669d221ed8_1140x500.png" alt="" />
<em>Heterogeneity = economic efficiency. (<a href="https://blogs.worldbank.org/sustainablecities/how-do-we-define-cities-towns-and-rural-areas">Source</a>)</em></p>
<p><em>(This also gives you a sense why <a href="http://fc20.ifca.ai/wtsc/WTSC2020/WTSC20_paper_7.pdf">programmatically load balancing contracts across shards</a> is unwise! We should assume that protocols and contract deployers are making rational choices about where to live. Uprooting a business from a city center and transplanting it onto farmland to “load balance the city” would be a disastrous mistake.)</em></p>
<p>You can think of sharding as offering a vision of interoperability similar to that of Cosmos or Polkadot: many different blockchains, each specialized for certain economic equilibria, with a <a href="https://ethos.dev/beacon-chain/">superhighway</a> connecting them all. Except in Ethereum 2.0’s case, all those shards will speak the same language, share the same tooling, and benefit from the immense community that Ethereum has already garnered.</p>
<p>Ethereum 2.0 is a big and challenging vision. It carries a lot of execution risk. But at this point, I don’t think it’s possible for Ethereum to lose its status as DeFi’s largest city. It’s already the Wall Street of crypto, and it doesn’t look like there are any serious contenders to challenge its dominance. </p>
<p>In the meantime, will we have to pin our scaling hopes on layer 2? I see these as shopping malls built on top of Ethereum.</p>
<p>They’ll be an improvement, but it’s likely they won’t be enough. Impatient builders may instead construct makeshift suburbs and farmland around Ethereum 1.0, via bridges with other blockchains. In other words, if Ethereum 2.0 takes too long, outsource your minor cities to another blockchain like <a href="https://projectserum.com/">Serum</a> is doing, or wait for the Cosmos/Polkadot interoperability story to materialize. </p>
<p>Will DeFi wait for Ethereum 2.0, or will the germ just spread wherever it can? </p>
<p>For now, one thing is clear: <strong>DeFi is going to be too big for Ethereum as it currently exists today</strong>.</p>
<p>Where it grows from here, only time will tell.</p>
<hr />
<p><em>This piece was originally published on <a href="https://bankless.substack.com/p/defi-in-eth2-cities-suburbs-farms">Bankless</a>.</em></p>
<h1 id="what-explains-the-rise-of-amms">What explains the rise of AMMs?</h1>
<p><em>Haseeb Qureshi, 2020-07-22. <a href="https://haseebq.com/what-explains-the-rise-of-amms">https://haseebq.com/what-explains-the-rise-of-amms</a></em></p>
<p>Imagine a college friend reached out to you and said, “Hey, I have a business idea. I’m going to run a market making bot. I’ll always quote a price no matter who’s asking, and for my pricing algorithm I’ll use <em><code class="language-plaintext highlighter-rouge">x * y = k</code></em>. That’s pretty much it. Want to invest?”</p>
<p>You’d run away.</p>
<p>Well, turns out your friend just described Uniswap. Uniswap is the world’s simplest on-chain market making operation. Seemingly from nowhere, it has exploded in volume in the last year, crowning itself the world’s largest “DEX” by volume.</p>
<p>If you haven’t paid close attention to what’s happening in DeFi in the last year, you’re probably wondering: what is going on here?</p>
<p><img src="https://miro.medium.com/max/1036/0*VucV5OzgXuqOET48" alt="Uniswap volume" />
<em>Uniswap v2 volume. Credit: <a href="https://uniswap.info/">Uniswap.info</a></em></p>
<p>(If you’re already familiar with Uniswap and AMMs, skip ahead to the section titled “<a href="https://medium.com/dragonfly-research/what-explains-the-rise-of-amms-7d008af1c399#e49e">The Cambrian AMM Explosion</a>.”)</p>
<p>For the uninitiated: Uniswap is an automated market maker (AMM). You can think of an AMM as a primitive robotic market maker that is always willing to quote prices between two assets according to a simple pricing algorithm. For Uniswap, it prices the two assets so that the number of units it holds of each asset, multiplied together, is always equal to a fixed constant.</p>
<p>That’s a bit of a mouthful: if Uniswap owns some units of token <em><code class="language-plaintext highlighter-rouge">x</code></em> and some units of token <em><code class="language-plaintext highlighter-rouge">y</code></em>, it prices any trade so that the final quantities of <em><code class="language-plaintext highlighter-rouge">x</code></em> and <em><code class="language-plaintext highlighter-rouge">y</code></em> it owns, multiplied together, are equal to a fixed constant, <em><code class="language-plaintext highlighter-rouge">k</code></em>. This is formalized as the constant product equation: <em><code class="language-plaintext highlighter-rouge">x * y = k</code></em>.</p>
<p>This might strike you as a weird and arbitrary way to price two assets. Why would maintaining some fixed multiple between your units of inventory ensure that you quote the right price?</p>
<h2 id="uniswap-by-example">Uniswap by example</h2>
<p>Let’s say we fund a Uniswap pool with 50 apples (<code class="language-plaintext highlighter-rouge">a</code>) and 50 bananas (<code class="language-plaintext highlighter-rouge">b</code>), so anyone is free to pay apples for bananas or bananas for apples. Let’s assume the exchange rate between apples and bananas is exactly 1:1 on their primary market. Because the Uniswap pool holds 50 of each fruit, the constant product rule gives us <code class="language-plaintext highlighter-rouge">a * b = 2500</code>—for any trade, Uniswap must maintain the invariant that our inventory of fruit, multiplied together, equals 2500.</p>
<p>So let’s say a customer comes to our Uniswap pool to buy an apple. How many bananas will she need to pay?</p>
<p>If she buys an apple, our pool will be left with 49 apples, but <code class="language-plaintext highlighter-rouge">49 * b</code> has to still equal <code class="language-plaintext highlighter-rouge">2500</code>. Solving for <code class="language-plaintext highlighter-rouge">b</code>, we get 51.02 total bananas. Since we already have 50 bananas in inventory, we’ll need 1.02 extra bananas for that apple (we’ll allow fractional bananas in this universe), so the price we have to quote her is 1.02 bananas / apple for 1 apple.</p>
<p>Note that this is close to the natural price of 1:1! Because it’s a small order, there is only a little slippage. But what if the order is larger?</p>
<p><img src="https://miro.medium.com/max/60/0*9Lxz-Fw5szjVzFps?q=20" alt="Uniswap curve" />
<em>You can interpret the slope at each point as the marginal exchange rate.</em></p>
<p>If she wants to buy 10 apples, Uniswap would charge her 12.5 bananas for a unit price of 1.25 bananas / apple for 10 apples.</p>
<p>And if she wanted a huge order of 25 apples—half of all the apples in inventory—the unit price would be 2 bananas / apple! (You can intuit this because if one side of the pool halves, the other side needs to double.)</p>
<p>The important thing to realize is that <em>Uniswap cannot deviate from this pricing curve</em>. If someone wants to buy some apples and later someone else wants to buy some bananas, Uniswap will sweep back and forth through this pricing curve, wherever demand carries it.</p>
<p><img src="https://miro.medium.com/max/60/0*z7XOwnC25gcKIvNj?q=20" alt="Uniswap curve" />
<em>Uniswap sweeping back and forth through its pricing curve after a series of trades.</em></p>
<p>Now here’s the kicker: if the true exchange rate between apples and bananas is 1:1, then after the first customer purchases 10 apples, our Uniswap pool will be left with 40 apples and 62.5 bananas. If an arbitrageur then steps in and buys 12.5 bananas, returning the pool back to its original state, Uniswap would charge them a unit price of only 0.8 apples / banana.</p>
<p>Uniswap would underprice the bananas! It’s as though our algorithm now realizes it’s heavy on bananas, so it prices bananas cheap to attract apples and rebalance its inventory.</p>
<p>Uniswap is constantly performing this dance — slightly moving off the real exchange rate, then sashaying back in line thanks to arbitrageurs.</p>
<h2 id="impermanent-loss-in-a-nutshell">Impermanent Loss in a Nutshell</h2>
<p>This should give you a sense for how Uniswap pricing works. But this still raises the question — is Uniswap <em>good</em> at what it does? Does this thing actually generate profits? After all, any market maker can quote prices, but it’s another thing to make money.</p>
<p>The answer is: it depends! Specifically, it depends on a concept known as <a href="https://medium.com/@pintail/uniswap-a-good-deal-for-liquidity-providers-104c0b6816f2">impermanent loss</a>. Here’s how it works.</p>
<p>Uniswap charges a small fee for every trade (currently 0.3%). This is in <em>addition</em> to the nominal price. So if apples and bananas always and forever trade at 1:1, these fees will simply accumulate over time as the market maker sweeps back and forth across the exchange rate. Compared to the baseline of just holding those 50 apples and bananas, the Uniswap pool will end up with more fruit at the end, thanks to all the fees.</p>
<p>But what if the real exchange rate between apples and bananas suddenly changes?</p>
<p>Say a drone strike takes out a banana farm, and now there’s a massive banana shortage. Bananas are like gold now. The exchange rate soars to 5 apples : 1 banana.</p>
<p>What happens on Uniswap?</p>
<p>The very next second, an arbitrageur swoops in to pick off the cheaply priced bananas in your Uniswap pool. They size their trade so that they purchase every banana that’s priced below the new exchange rate of 5:1. That means they’ll need to move the curve until it satisfies the equation: <code class="language-plaintext highlighter-rouge">5b * b = 2500</code>.</p>
<p><img src="https://miro.medium.com/max/60/1*bLfpm6lfuIPdKpVDh1xlpQ.gif?q=20" alt="Uniswap responding to a large trade" /></p>
<p>Running the math out, they’d purchase 27.64 bananas for a grand total of 61.80 apples. This comes out to an average price of 2.2 apples : 1 banana, way under market, netting the equivalent of 76.4 free apples.</p>
<p>And where does that profit come from? Of course, it comes at the expense of the pool! And indeed, if you do the accounting, you’ll see that the Uniswap pool is now down exactly 76.4 apples worth of value compared to someone who’d held the original 50 apples and 50 bananas. Uniswap sold off its bananas too cheaply, because it had no idea bananas had become so valuable in the real world.</p>
<p>This phenomenon is known as impermanent loss. Whenever the exchange rate moves, this manifests as arbitrageurs sniping cheap assets until the pool is correctly priced. (These losses are “impermanent” because if the true exchange rate later reverts back to 1:1, then now it’s like you never lost that money to begin with. It’s a dumb name, but oh well.)</p>
<p>Pools make money through fees, and they lose money via impermanent loss. It’s all a function of demand and price divergence — demand works for you, and price divergence works against you.</p>
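<p>The apple-and-banana numbers from the two sections above, as a runnable sketch. This is an added example, not code from the original post or from Uniswap: the <code>Pool</code> class and all function names are hypothetical, fees are ignored as in the worked numbers, and <code>impermanent_loss_fraction</code> goes beyond the single 5:1 case in the text by giving the closed form for any price move.</p>

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class Pool:
    """Constant-product pool holding apples and bananas (fees ignored)."""
    apples: float
    bananas: float

    @property
    def k(self) -> float:
        return self.apples * self.bananas

    def buy(self, asset: str, amount: float) -> float:
        """Take `amount` of `asset` out of the pool and return the payment
        owed in the other asset, keeping apples * bananas equal to k."""
        if asset not in ("apples", "bananas"):
            raise ValueError(f"unknown asset: {asset!r}")
        other = "bananas" if asset == "apples" else "apples"
        out_reserve, in_reserve = getattr(self, asset), getattr(self, other)
        # The curve never reaches zero inventory: an order for the whole
        # reserve (or more) has no finite price.
        if not 0 < amount < out_reserve:
            raise ValueError("amount must be positive and below the reserve")
        paid = out_reserve * in_reserve / (out_reserve - amount) - in_reserve
        setattr(self, asset, out_reserve - amount)
        setattr(self, other, in_reserve + paid)
        return paid


def arbitrage_to_price(pool: Pool, apples_per_banana: float) -> dict:
    """Move the pool along its curve until its marginal price
    (apples / bananas) equals the outside price. Amounts are from the
    arbitrageur's side; profit is valued in apples at the outside price."""
    if apples_per_banana <= 0:
        raise ValueError("price must be positive")
    k = pool.k
    new_apples = sqrt(k * apples_per_banana)
    new_bananas = sqrt(k / apples_per_banana)
    bananas_gained = pool.bananas - new_bananas
    apples_gained = pool.apples - new_apples  # negative means apples paid in
    pool.apples, pool.bananas = new_apples, new_bananas
    return {
        "bananas_gained": bananas_gained,
        "apples_gained": apples_gained,
        "profit_in_apples": apples_gained + bananas_gained * apples_per_banana,
    }


def loss_vs_holding(start: Pool, now: Pool, apples_per_banana: float) -> float:
    """Value (in apples) of simply holding the starting inventory minus the
    value of the pool's current inventory, both at the outside price."""
    hold = start.apples + start.bananas * apples_per_banana
    lp = now.apples + now.bananas * apples_per_banana
    return hold - lp


def impermanent_loss_fraction(price_ratio: float) -> float:
    """Share of the hold value lost after the outside price moves by
    `price_ratio` (new price / price at funding) and arbitrage has settled.
    Closed form for a constant-product pool with fees ignored."""
    if price_ratio <= 0:
        raise ValueError("price ratio must be positive")
    return 1 - 2 * sqrt(price_ratio) / (1 + price_ratio)


if __name__ == "__main__":
    # Slippage grows with order size: 1, 10 and 25 apples from a 50/50 pool.
    for n in (1, 10, 25):
        paid = Pool(50, 50).buy("apples", n)
        print(f"{n:>2} apples cost {paid:.2f} bananas ({paid / n:.2f} each)")

    # Exchange rate jumps to 5 apples : 1 banana; an arbitrageur re-prices the pool.
    start, pool = Pool(50, 50), Pool(50, 50)
    arb = arbitrage_to_price(pool, 5)
    print(f"arbitrageur takes {arb['bananas_gained']:.2f} bananas "
          f"for {-arb['apples_gained']:.2f} apples, "
          f"profit {arb['profit_in_apples']:.1f} apples")
    print(f"pool is down {loss_vs_holding(start, pool, 5):.1f} apples vs holding "
          f"({impermanent_loss_fraction(5):.1%} of hold value)")
```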
<p>This is Uniswap in a nutshell. You can go a <a href="https://arxiv.org/pdf/1911.03380.pdf">lot</a> <a href="https://web.stanford.edu/~guillean/papers/constant_function_amms.pdf">deeper</a> of course, but this is enough background for you to understand what’s happening in this space.</p>
<p>Since its launch in 2018, Uniswap has taken DeFi by storm. This is especially amazing given that the original version of Uniswap was only about <a href="https://github.com/Uniswap/old-solidity-contracts/blob/master/contracts/Exchange/UniswapExchange.sol">300 lines of code</a>! (AMMs themselves have a <a href="http://blog.oddhead.com/2006/10/30/implementing-hansons-market-maker/">long lineage</a>, but constant product market makers are a <a href="https://old.reddit.com/r/ethereum/comments/55m04x/lets_run_onchain_decentralized_exchanges_the_way/">relatively recent invention</a>.) Uniswap is completely permissionless and can be funded by anyone. It doesn’t even need an oracle.</p>
<p>In retrospect, it’s incredibly elegant, one of the simplest possible products you could have invented, and yet it arose seemingly from nowhere to dominate DeFi.</p>
<h2 id="the-cambrian-amm-explosion">The Cambrian AMM Explosion</h2>
<p>Since Uniswap’s rise, there has been an explosion of innovation in AMMs. A legion of Uniswap descendants have emerged, each with its own specialized features.</p>
<p><img src="https://miro.medium.com/max/700/0*pZ-8-IHotoC30ijE" alt="AMM trading volume" />
<em>Uniswap, Balancer, and Curve trading volume. Source: <a href="https://explore.duneanalytics.com/queries/6097/source#12075">Dune Analytics</a></em></p>
<p>Though they all inherited the core design of Uniswap, they each come with their own specialized pricing function. Take <a href="https://www.curve.fi/">Curve</a>, which uses a mixture of constant product and constant sum, or <a href="https://balancer.finance/">Balancer</a>, whose multi-asset pricing function is defined by a multi-dimensional surface. There are even shifted curves that can run out of inventory, like the ones <a href="https://withfoundation.com/blog/we-are-empowering-creators-to-build-their-own-markets-on-ethereum">Foundation</a> uses to sell limited edition goods.</p>
<p><img src="https://miro.medium.com/max/700/0*TfURki3oti3_JFUg" alt="Curve's curve" />
<em>The Stableswap curve (blue), used in Curve. Source: <a href="https://www.curve.fi/stableswap-paper.pdf">Curve whitepaper</a></em></p>
<p>Different curves are better suited for certain assets, as they embed different assumptions about the price relationship between the assets being quoted. You can see in the chart above that the Stableswap curve (blue) approximates a line most of the time, meaning that in most of its trading range, the two stablecoins will be priced very close to each other. Constant product is a decent starting place if you don’t know anything about the two assets, but if we know the two assets are stablecoins and they are <em>probably</em> going to be worth around the same, then the Stableswap curve will produce more competitive pricing.</p>
<p>Of course, there are infinitely many specific curves an AMM could adopt for pricing. We can abstract over all of these different pricing functions and call the whole category <a href="https://web.stanford.edu/~guillean/papers/constant_function_amms.pdf">CFMMs</a>: constant function market makers.</p>
<p>Seeing the growth in CFMM volume, it’s tempting to assume that they are going to take over the world — that in the future, all on-chain liquidity will be provided by CFMMs.</p>
<p>But not so fast!</p>
<p>CFMMs are dominating today. But in order to get a clear sense of how DeFi evolves from here, we need to understand when CFMMs thrive and when they do poorly.</p>
<h2 id="the-correlation-spectrum">The Correlation Spectrum</h2>
<p>Let’s stick to Uniswap, since it’s the simplest CFMM to analyze. Let’s say you want to be a Uniswap LP (liquidity provider) in the ETH/DAI pool. By funding this pool, there are two simultaneous things you have to believe for being an LP to be better than just holding onto your original funds:</p>
<ol>
<li>The ratio in value between ETH and DAI will not change too much (if it does, that will manifest as impermanent loss)</li>
<li>Lots of fees will be paid in this pool</li>
</ol>
<p>To the extent that the pool exhibits impermanent loss, <em>the fees need to more than make up for it</em>. Note that for a pair that includes a stablecoin, to the extent that you’re bullish on ETH appreciating, you’re also assuming that there will be a lot of impermanent loss!</p>
<p>The general principle is this: the Uniswap thesis works best when the two assets are mean-reverting. Think a pool like USDC/DAI, or WBTC/TBTC — these are assets that should exhibit minimal impermanent loss and will purely accrue fees over time. Note that impermanent loss is not merely a question of volatility (actually, highly volatile mean-reverting pairs are great, because they’ll produce lots of trading fees).</p>
<p>We can accordingly draw a hierarchy of the most profitable Uniswap pools, all other things equal.</p>
<p><img src="https://miro.medium.com/max/700/0*wSg1c3TKAGYlY58F" alt="Correlation spectrum" /></p>
<p>Mean-reverting pairs are obvious. Correlated pairs often move together, so Uniswap won’t exhibit as much impermanent loss there. Uncorrelated pairs like ETH/DAI are rough, but sometimes the fees can make up for it. And then there are the inverse correlated pairs: these are absolutely awful for Uniswap.</p>
<p>Imagine someone on a prediction market going long Trump, long Biden, and putting both longs in a Uniswap pool. By definition, eventually one of these two assets will be worth $1 and the other will be worth $0. At the end of the pool, an LP will have nothing but impermanent loss! (Prediction markets always stop trading before the markets resolve, but outcomes are often decided well before the market actually resolves.)</p>
<p>So Uniswap works really well for certain pairs and terribly for others.</p>
<p>But it’s hard not to notice that almost all of the top Uniswap pools so far have been profitable! In fact, even the ETH/DAI pool has been profitable since inception.</p>
<p><img src="https://miro.medium.com/max/700/0*Zf5xkN3t_ab-eQvy" alt="Uniswap returns" />
<em>Uniswap returns for ETH/DAI pool (vs holding 50/50 ETH/DAI). Source: <a href="https://zumzoom.github.io/analytics/uniswap/roi/">ZumZoom Analytics</a></em></p>
<p>This demands explanation. Despite their flaws, CFMMs have been impressively profitable market makers. How is this possible? To answer this question, it pays to understand a bit about how market makers work.</p>
<h2 id="market-making-in-a-nutshell">Market making in a nutshell</h2>
<p>Market makers are in the business of providing liquidity to a market. There are three primary ways market makers make money: designated market making arrangements (traditionally paid by asset issuers), fee rebates (traditionally paid by an exchange), and by pocketing a spread when they’re making a market (what Uniswap does).</p>
<p>You see, all market making is a battle against two kinds of order flow: informed flow, and uninformed flow. Say you’re quoting the BTC/USD market, and a fat BTC sell order arrives. You have to ask yourself: is this just someone looking for liquidity, or does this person know something I don’t?</p>
<p>If this counterparty just realized that a PlusToken cache moved, and hence selling pressure is incoming, then you’re about to trade some perfectly good USD for some not so good BTC. On the other hand, if this is some rando selling because they need to pay their rent, then it doesn’t mean anything in particular and you should charge them a small spread.</p>
<p>As a market maker, you make money on the uninformed flow. Uninformed flow is random — on any given day, someone is buying, someone is selling, and at the end of the day it cancels out. If you charge each of them the spread, you’ll make money in the long run. (This phenomenon is why market makers will <a href="https://www.bloomberg.com/opinion/articles/2018-10-16/carl-icahn-wants-to-fight-dell-again">pay for order flow</a> from Robinhood, which is mostly uninformed retail flow.)</p>
<p>So a market maker’s principal job is to differentiate between informed and uninformed flow. The more likely the flow is informed, the higher the spread you need to charge. If the flow is <em>definitely</em> informed, then you should pull your bids entirely, because you’ll pretty much always lose money if informed flow is willing to trade against you.</p>
<p>(Another way to think about this: uninformed flow is willing to pay above true value for an asset — that’s your spread. Informed flow is only willing to pay <em>below</em> the true value of an asset, so when you trade against them, you’re actually the one who’s mispricing the trade. These orders know something you don’t.)</p>
<p>The very same principle applies to Uniswap. Some people are trading on Uniswap because they randomly want to swap some ETH for DAI today. This is your uninformed retail flow, the random walk of trading activity that just produces fees. This is awesome.</p>
<p>Then you have the arbitrageurs: they are your informed flow. They are picking off mispriced pools. In a sense, they are performing work for Uniswap by bringing its prices back in line. But in another sense, they are transferring money from liquidity providers to themselves.</p>
<p>For any market maker to make money, they need to maximize the ratio of uninformed retail flow to arbitrageur flow.</p>
<p><em>But Uniswap can’t tell the difference between the two!</em></p>
<p>Uniswap has no idea if an order is dumb retail money or an arbitrageur. It just obediently quotes <code class="language-plaintext highlighter-rouge">x * y = k</code>, no matter what the market conditions.</p>
<p>So if there’s a new player in town that offers better pricing than Uniswap, like Curve or Balancer, you should expect retail flow to migrate to whatever service offers them better pricing. Given Uniswap’s pricing model and fixed fees (0.3% on each trade), it’s hard to see it competing on the most competitive pools — Curve is both more optimized for stablecoins <em>and</em> charges 0.04% on each trade.</p>
<p>Over time, if Uniswap pools get outcompeted on slippage, they will be left with majority arbitrageur flow. Retail flow is fickle, but arbitrage opportunities continually arise as the market moves around.</p>
<p>This failure to compete on pricing is not just bad — its badness gets amplified. Uniswap has a network effect around liquidity on the way up, but it’s also reflexive on the way down. As Curve starts to eat the stablecoin-specific volume, the DAI/USDC pair on Uniswap will start to lose LPs, which will in turn make the pricing worse, which will attract even less volume, further disincentivizing LPs, and so on. So goes the way of network effects — it’s a rocket on the way up, but on the way down it incinerates on re-entry.</p>
<p>Of course, these arguments apply no less to Balancer and Curve. It will be difficult for each of them to maintain fees once they get undercut by a market maker with better pricing and lower fees. Inevitably, this will result in a race to the bottom on fees and massive margin compression. (Which is exactly what happens to normal market makers! It’s a super competitive business!)</p>
<p>But that still doesn’t explain: why are all of the CFMMs growing like crazy?</p>
<h2 id="why-are-cfmms-winning">Why are CFMMs winning?</h2>
<p>Let’s take stablecoins. CFMMs are clearly going to win this vertical.</p>
<p>Imagine a big traditional market maker like Jump Trading were to start market making stablecoins on DeFi tomorrow. First they’d need to do a lot of upfront integration work, then to continue operating they’d need to continually pay their traders, maintain their trading software, and pay for office space. They’d have significant fixed costs and operating costs.</p>
<p>Curve, meanwhile, has no costs at all. Once the contracts are deployed, it operates all on its own. (Even the computing cost, the gas fees, is all paid by end users!)</p>
<p>And what is Jump doing when quoting USDC/USDT that’s so much more complicated than what Curve is doing? Stablecoin market making is largely inventory management. There’s not as much fancy ML or proprietary knowledge that goes into it, so if Curve does 80% as well as Jump there, that’s probably good enough.</p>
<p>But ETH/DAI is a much more complex market. When Uniswap is quoting a price, it isn’t looking at exchange order books, modeling liquidity, or looking at historical volatility like Jump would — it’s just closing its eyes and shouting <code class="language-plaintext highlighter-rouge">x * y = k</code>!</p>
<p>Compared to normal market makers, Uniswap has the sophistication of a refrigerator. But so long as normal market makers are not on DeFi, Uniswap will monopolize the market because it has zero startup costs and zero operating expense.</p>
<p>Here’s another way to think about it: Uniswap is the first scrappy merchant to set up shop in this new marketplace called DeFi. Even with all its flaws, Uniswap is being served up a virtual monopoly. When you have a monopoly, <em>you are getting</em> <em>all of the retail flow</em>. And if the ratio between retail flow and arbitrageur flow is what principally determines the profitability of Uniswap, no wonder Uniswap is raking it in!</p>
<p>But once the retail flow starts going elsewhere, this cycle is likely to end. LPs will start to suffer and withdraw liquidity.</p>
<p>But this is only half of the explanation. Remember: long before we had Uniswap, we had tons of DEXes! Uniswap has decimated order book-based DEXes like IDEX or 0x. What explains why Uniswap beat out all the order book model exchanges?</p>
<h2 id="from-order-books-to-amms">From Order Books to AMMs</h2>
<p>I believe there are four reasons why Uniswap beat out order book exchanges.</p>
<p>First, Uniswap is extremely simple. This means there is low complexity, low surface area for hacks, and low integration costs. Not to mention, it has low gas costs! This really matters when you’re implementing all your trades on top of the equivalent of a <a href="https://twitter.com/hosseeb/status/1226741309810982919">decentralized graphing calculator</a>.</p>
<p>This is not a small point. Once next generation high-throughput blockchains arrive, I suspect the order book model will eventually dominate, as it does in the normal financial world. But will it be dominant <em>on Ethereum 1.0</em>?</p>
<p>The extraordinary constraints of Ethereum 1.0 select for simplicity. When you can’t do complex things, you have to do the best simple thing. Uniswap is a pretty good simple thing.</p>
<p>Second, Uniswap has a very small regulatory surface. (This is the same reason why Bram Cohen believes <a href="https://twitter.com/backus/status/1039725425813946369">BitTorrent succeeded</a>.) Uniswap is trivially decentralized and requires no off-chain inputs. Compared to order book DEXes that have to tiptoe around the perception of operating an exchange, Uniswap is free to innovate as a pure financial utility.</p>
<p>Third, it’s extremely easy to provide liquidity to Uniswap. The one-click “set it and forget it” LP experience is a lot easier than getting active market makers to provide liquidity on an order book exchange, especially before DeFi attracts serious volume.</p>
<p>This is critical, because much of the liquidity on Uniswap is provided by a small set of beneficent whales. These whales are not as sensitive to returns, so the one-click experience on Uniswap makes it painless for them to participate. Crypto designers have a bad habit of ignoring mental transaction costs and assuming market participants are infinitely diligent. Uniswap made liquidity provision dead simple, and that has paid off.</p>
<p>The last reason why Uniswap has been so successful is the ease of creating <a href="https://pools.fyi/#/?tag=incentivized">incentivized pools</a>. In an incentivized pool, the creator of a pool airdrops tokens onto liquidity providers, juicing their LP returns above the standard Uniswap returns. This phenomenon has also been termed “liquidity farming.” Some of Uniswap’s highest volume pools have been incentivized via airdrops, including AMPL, sETH, and JRT. For Balancer and Curve, all of their pools are currently incentivized with their own native token.</p>
<p>Recall that one of the three ways that traditional market makers make money is through designated market making agreements, paid by the asset issuer. In a sense, an incentivized pool is a designated market maker agreement, translated for DeFi: an asset issuer pays an AMM to provide liquidity for their pair, with the payment delivered via token airdrop.</p>
<p>But there’s an additional dimension to incentivized pools. They have allowed CFMMs to serve as more than mere market makers: they now double as marketing and distribution tools for token projects. Via incentivized pools, CFMMs create a sybil-resistant way to distribute tokens to speculators who want to accumulate the token, while simultaneously bootstrapping a liquid initial market. It also gives purchasers something to do with the token—don’t just turn it around and sell it, deposit it and get some yield! You could call this poor man’s staking. It’s a powerful marketing flywheel for an early token project, and I expect this to become integrated into the token go-to-market playbook.</p>
<p>These factors go a long way toward explaining why Uniswap has been so successful. (I haven’t touched on “<a href="https://defiprime.com/initial-defi-offering">Initial DeFi Offerings</a>,” but that’s a topic for another day.)</p>
<p>That said, I don’t believe Uniswap’s success will last forever. If the constraints of Ethereum 1.0 created the conditions for CFMMs to dominate, then Ethereum 2.0 and layer 2 systems will enable more complex markets to flourish. Furthermore, DeFi’s star has been rising, and as mass users and volumes arrive, they will attract serious market makers. Over time, I expect this to cause Uniswap’s market share to contract.</p>
<p>Five years from now, what role will CFMMs play in DeFi?</p>
<p>In 2025, I don’t expect CFMMs the way they look today to be the dominant way people trade anymore. In the history of technology, transitions like this are common.</p>
<p>In the early days of the Internet, web portals like Yahoo were the first affordance to take off on the Web. The constrained environment of the early Web was perfectly suited to being organized by hand-crafted directories. These portals grew like crazy as mainstream users started coming online! But we now know portals were a temporary stepping stone on the path to organizing the Internet’s information.</p>
<p><img src="https://miro.medium.com/max/1060/0*Ngto7GUJt5ePZcQa" alt="Yahoo vs Google" />
<em>The original Yahoo homepage and the original Google homepage</em></p>
<p>What are CFMMs a stepping stone to? Will something replace them, or will CFMMs evolve alongside DeFi? In my next post, entitled <em>Unbundling Uniswap</em>, I’ll try to answer this question.</p>
<hr />
<p><em>Massive thanks to Hasu, Ivan Bogatyy, Ashwin Ramachandran, Kevin Hu, Tom Schmidt, and Mia Deng for their comments and feedback on this piece.</em></p>
<p><em>Disclosure: Dragonfly Capital does not hold a position in any of the assets listed in this article aside from ETH.</em></p>
<h1>Why Decentralization Isn’t as Important as You Think</h1>
<p><em>2020-03-31, https://haseebq.com/why-decentralization-isnt-as-important-as-you-think</em></p>
<p>If you’ve spent any time at all on crypto Twitter, you’re familiar with the web3 narrative. It goes like this: in the beginning, the web was “truly decentralized.” Against all odds, the World Wide Web won against the <a href="https://archive.fortune.com/magazines/fortune/fortune_archive/1994/04/18/79191/index.htm">corporatist designs</a> of companies like Microsoft, and cyberspace became the territory of hobbyists and hackers. The Internet was henceforth enshrined as a neutral platform. And any publisher, no matter how small or powerless, was free to set up shop in their own corner of the Web.</p>
<p>But eventually, this decentralized Eden fell from grace. Or so the story goes.</p>
<p>Now in Web 2.0, <a href="https://gs.statcounter.com/search-engine-market-share">93%</a> of searches happen through Google, <a href="https://gs.statcounter.com/browser-market-share">64%</a> of browsers use Chrome, and <a href="https://www.statista.com/statistics/241805/market-share-of-facebooks-us-social-network-ad-revenue/">79%</a> of social advertising dollars go to Facebook. A handful of companies now effectively control cyberspace.</p>
<p>Web3 advocates see public blockchains as the catalyst to reverse this trend. They want to put power back into the hands of users and replace Google and Facebook with open platforms—perhaps platforms that are owned collectively by their users, operated as public commons.</p>
<p>Some version of this story has been sold to <a href="https://www.economist.com/special-report/2018/06/28/blockchain-technology-may-offer-a-way-to-re-decentralise-the-internet">The Economist</a>, <a href="https://blogs.wsj.com/cio/2019/08/02/blockchain-marks-the-next-step-in-the-internets-evolution/">WSJ</a>, <a href="https://blogs.gartner.com/avivah-litan/2019/08/08/blockchains-big-bang-web-3-0/">Gartner</a>, and pretty much all of the tech press.</p>
<p>I believe this story, this decentralization fairy tale, is predicated on an error. It’s the same error that underlies most utopian projects.</p>
<p>Let me ask you this: why did Satoshi choose to make Bitcoin decentralized?</p>
<p>Actually, it’s a trick question. Satoshi didn’t have a choice. Bitcoin <em>had</em> to be decentralized, or else it wouldn’t have worked. Before Bitcoin, every previous attempt to create Internet-native money either went bankrupt or was forcibly shut down by the government (see <a href="https://en.wikipedia.org/wiki/DigiCash">DigiCash</a>, <a href="https://en.wikipedia.org/wiki/E-gold">E-gold</a>, or <a href="https://en.wikipedia.org/wiki/Liberty_Reserve">Liberty Reserve</a>).</p>
<p>So Satoshi made Bitcoin decentralized. He made it use proof-of-work mining to achieve permissionless consensus. He built in a P2P networking model so the network would be decentralized. And, eventually, he disappeared from the project entirely, so it would have no ostensible leader. He did this so Bitcoin could survive and have a chance of <a href="https://nakamotostudies.org/emails/satoshis-final-email-to-gavin-andresen/">fulfilling his vision</a> of permissionless decentralized money.</p>
<p>So here we are today. Bitcoin is a $100B+ currency, and it has spawned a renaissance of hundreds of cryptonetworks, all trying to innovate in digital finance. And now, invoking the spirit of Satoshi, they all argue and bicker about which of them are the most decentralized.</p>
<p>“Look how centralized your mining pools are!”</p>
<p>“You’re one to talk with your block size, you shitcoiner.”</p>
<p>“Well we have no pre-mine so we’re the real <em>decentralized</em> ones.”</p>
<p>What’s going on here? Why are they doing this?</p>
<p>In this article, I want to suggest: maybe we should stop worrying so much about decentralization. I know this is possibly the least popular position I could take in crypto, but before you reach for your pitchfork, hear me out. I think by the end of this piece, you’ll understand where I’m coming from. (And hopefully elect not to make me a human sacrifice.)</p>
<p>(Note: I recorded an <a href="https://unchainedpodcast.com/why-decentralization-isnt-as-important-as-you-think/">audio version</a> of this article if you prefer listening.)</p>
<h2 id="maxwells-bitcoin-daemon">Maxwell’s Bitcoin Daemon</h2>
<p>Entertain a thought experiment.</p>
<p>Imagine a parallel universe where your experience of Bitcoin was all an illusion. All of your direct experiences of Bitcoin were the same—it ran the same software, you clicked the same buttons, your UTXOs showed up on block explorers, all the command line interactions were the same. But there’s no decentralized network, there’s no P2P anything, there’s no actual decentralized consensus. Every Bitcoin transaction just runs on one giant Postgres database run by some dude in Canada.</p>
<p>(If you’ve actually read low-level Bitcoin code, then suspend your disbelief here for a second.)</p>
<p>All of the miners, the consensus, the hash rate explorers, they’re all just pinging this guy’s server. Whenever someone mines a block, they send it to the Canadian guy, and he inserts the block into his database and forwards it to everyone. Every external feature of the system looks exactly the same! The monetary policy, the block time, the scarcity, all of it. We still have a block size debate, we still have Twitter trolls, we still have Craig Wright, and we still have an inexplicable link between Bitcoiners and carnivorism.</p>
<p>It’s just not “decentralized.” That part is a mirage.</p>
<p>How would that world be different? What actual facts about the Bitcoin system would be different from the Bitcoin we know today? What features does Bitcoin have in our world that it doesn’t have in this thought experiment?</p>
<p>Think carefully about this.</p>
<p>Here’s the answer: almost none. It’s just as scarce, just as hard, just as much “better than gold.” The only material difference is one of risk: that maybe someday the Canadian police could kick down this guy’s door and make him turn off Bitcoin.</p>
<p>That would kill Bitcoin. That cannot be allowed to happen.</p>
<p>That’s why Bitcoin is decentralized. It’s decentralized to survive attempts at censorship, manipulation, or shutdown. But other than that, Bitcoin’s decentralization doesn’t actually <strong><em>do</em></strong> anything. Of course, it’s important for its image and its narrative—if it were not decentralized, at this point we would not see it as legitimate. But all of the material features of the system would basically be the same.</p>
<p>Thankfully, there’s no Canadian guy who controls Bitcoin. No one can turn Bitcoin off, and that’s great. But this perspective reveals something important about decentralization.</p>
<p>Satoshi made Bitcoin decentralized to solve a specific problem: that previous forms of Internet money kept getting shut down. A decentralized form of money is resilient to insolvency, attack, or censorship. But decentralization <em>wasn’t itself the point</em>. It was just a means to an end. The point was to make a form of Internet money that worked!</p>
<p>To Satoshi, decentralization was valuable insofar as it mitigated some other fundamental risk: censorship, platform security, corruption, etc. It’s the <em>properties decentralization gives us</em> that we care about, not decentralization itself.</p>
<h2 id="you-cannot-compete-on-being-more-decentralized">You cannot compete on being more decentralized</h2>
<p>As a crypto VC, I often hear from projects that claim they’re going to be “X, but decentralized.” Usually, this is the telltale sign of a bad pitch.</p>
<p>Here’s the problem with it: decentralization is a global, emergent property. These properties are almost impossible to compete on.</p>
<p>There’s a <a href="https://twitter.com/least_nathan/status/1050789388823670785">simple framework</a> for thinking about the properties of a network that I first learned from Nathan Wilcox. There are two axes: a property can be either global or local, and it can be either direct or emergent.</p>
<p><img src="https://unchainedpodcast.com/wp-content/uploads/2020/03/framework_Tony_Sheng.png" alt="" />
<em>Credit: Tony Sheng</em></p>
<p>Q1: local and direct properties. Think the local weather. It’s local to your city, and everyone in your city feels it, so it’s direct. People frequently choose which city to live in based on local and direct properties like the weather.</p>
<p>Q2: local and emergent. Think the voter turnout in your city. People in your city know what the voter turnout is, and it’s good for this number to be high, but nobody actually feels it directly. Even though people care in an abstract sense about civic engagement, it’s hard for cities to compete on having better voter turnout.</p>
<p>Q3: global and direct. Think global warming. Everyone in the world feels global warming directly, to differing degrees. But it’s hard for people to coordinate around solving the problem. That said, everyone feels it and everyone responds to its consequences.</p>
<p>Q4: global and emergent. These are the most insidious properties; they apply to everyone, but nobody experiences them directly. An example would be something like “privacy.” Not the kind of “your neighbors can see through your window” privacy, but more like “multi-billion dollar companies have lots of data on you, which is weird and uncomfortable, even though nothing obviously bad seems to happen because of it.”</p>
<p>And here is the problem. Decentralization is in the last category: it’s global and emergent. Nobody feels it. You can feel latency, you can feel transaction fees, but networks ostensibly feel the same whether they’re centralized or decentralized. If the decentralization of your network drops, how would your users even know? As a general rule, it’s almost impossible for products to compete on the basis of global, emergent value propositions such as decentralization.</p>
<p>Now, you might counter: “This is not about competition between products, Haseeb! This is about building a better Internet!”</p>
<p>Fine! Go build a better Internet by yourself in your own personal Mastodon server. But that’s not enough for you—you want the world to join you. And rightly so! If you want that, you need to compete for the world’s attention, and you must compete on the merits. Decentralization in this context is not an advantage; it is a handicap. So be it. You can still win, if decentralization actually <em>lets you do things you couldn’t otherwise do.</em></p>
<p>This is why Bitcoin won despite being a decentralized network. It enabled something genuinely new: the permissionless transfer of uncensorable money. And Bitcoin has proved its value by being alive and well today, more than 10 years later, having successfully evolved past its unseemly adolescence (<a href="https://www.bloomberg.com/news/articles/2014-02-07/bitcoin-price-falls-as-mt-gox-exchange-halts-activity">Mt. Gox</a>, <a href="https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-indictment-ross-ulbricht-creator-and-owner-silk-road">The Silk Road</a>, darknet markets). Bitcoin survived <em>because</em> it is decentralized.</p>
<p>But let’s be more specific. Many advocates claim that it’s the <em>developers</em> who will choose this new world. It’s the <em>developers</em> who are fed up with the walled gardens of the modern Internet. It’s the developers who’ll propel us into the decentralized future.</p>
<p>Okay. Let’s look closely at that.</p>
<p>We know developers today have a tough time building on decentralized blockchains: they’re slow, expensive, hard to use, and blockchains don’t have that many users yet. But the decentralization advocates will counter: <em>don’t you know the Twitter API story?</em> Twitter originally had an open API, but then when they <a href="https://www.macworld.com/article/1168222/twitter_app_makers_trying_to_figure_out_the_future.html">shut it down</a>, all of the entrepreneurs who were building on them had the rug ripped out from under them. Entrepreneurs don’t want to use APIs owned by someone else! That’s why web3 will win.</p>
<p>But here’s the problem: developers don’t care about “decentralization” either. When a developer is evaluating whether to use Linux, npm, React, or Twilio, they don’t give a damn whether they’re decentralized or not. Developers care about <em>risk</em>.</p>
<p>They want to minimize technical risk. They want to minimize the risk of their APIs dying on them. But they also want to minimize the risk that their users migrate away from the platform (or never show up to begin with); they care about the risk that the underlying tech breaks; they care about the risk that the tooling degrades or never improves, and so on.</p>
<p>Risk is a multidimensional vector. Decentralization mitigates some risks, but not others. I guarantee you that developers today are more comfortable building on what’s left of Twitter’s APIs than they are building on top of public blockchains. Twitter has <a href="https://qz.com/242483/how-many-of-twitters-active-users-are-actually-human/">38M accounts</a> regularly using their APIs, while total Dapp users are still well <a href="https://www.stateofthedapps.com/stats">below 1M</a>.</p>
<p>And to be clear, decentralization lowers some risks! The risks of censorship or shutdown are lower in a decentralized system. But are these really the primary risks I care about as a developer, rather than uptime, cost, or user churn? It depends on what I’m building!</p>
<p>And what risks does decentralization <strong>increase</strong>? What does it do to my P99 response time, or what’s the chance that fees spike on the network so my users go elsewhere? Is that set of trade-offs worth it for me as a developer?</p>
<p>Look, I’m the first to celebrate the fields that crypto has disrupted so far. Crypto has brilliantly used its censorship-resistance to attack money and decentralize banking and finance. Brilliant! What do people hate more than banks?</p>
<p>But the web3 story says: never mind all that. Instead, we should try to decentralize Uber and Airbnb, you know, two of the <strong>most beloved products</strong> <strong>in the world</strong> that <em>just</em> got started upending stagnant, decades-old pre-technological industries. And Google, you say? You mean one of the <a href="https://morningconsult.com/most-trusted-brands/">most trusted</a> brands in the US? Sure, let’s try to re-implement the most difficult computer science and data problems imaginable on Ethereum, the technological equivalent of a <a href="https://twitter.com/hosseeb/status/1226741309810982919">graphing calculator</a>.</p>
<p>Decentralization is valuable when it lets you do new things fundamentally better, not old things fundamentally worse. Web3 advocates are trying to pick a fight with the most beloved products in the world while handicapping themselves with decentralized architectures. If you want to win a fist fight, you probably shouldn’t choose the strongest guy in the room, especially when you’ve got one hand tied behind your back.</p>
<p>Innovate against products that suck. There is no shortage of them in this world. You’ll win if—and only if—decentralization is a genuine advantage.</p>
<h2 id="but-is-it-really-decentralized">But is it really decentralized?</h2>
<p>It’s vacuous to ask whether something is “really decentralized.” I wish this question would go away.</p>
<p>Let me give you two examples that illustrate why invoking the D-word is so unenlightening.</p>
<p>Decentralized Finance (DeFi) is commonly claimed to be more secure because it’s “decentralized.” By this they mean its code is implemented in smart contracts directly on a public blockchain.</p>
<p>Any normal programmer would retort: wait, why would it be secure just because it’s written in code?</p>
<p>And of course, nothing about DeFi <em>inherently</em> provides security! In fact, a single bug in these programs could wipe out all of the money inside. Just look at the <a href="https://blog.0xproject.com/post-mortem-0x-v2-0-exchange-vulnerability-763015399578">0x hack</a>, where an attacker could have stolen <em>all of the money in the system!</em> Then of course there is the <a href="https://www.coindesk.com/understanding-dao-hack-journalists">DAO hack</a>, the <a href="https://techcrunch.com/2018/07/10/bancor-loses-23-5m/">Bancor hack</a>, the <a href="https://www.palkeo.com/en/projets/ethereum/bzx.html">bZx attacks</a>—history is littered with examples like this. There is nothing at all inherent about DeFi that makes it secure.</p>
<p>Security starts with audited, open-sourced code that is written with best practices and, ideally, formally verified. But the number one thing that makes something secure is just being battle-tested with a lot of value at stake for a long time. <em>Just the same as with centralized systems.</em></p>
<p>Or let’s take another problem that is close to my heart: the oracle problem. People lose their common sense when it comes to the oracle problem, so it’s a good place to reality-test.</p>
<p>Put simply, the oracle problem asks: how can a blockchain learn about things that happened outside of it? By definition, someone has to report that information to the blockchain, but who do we trust to report that data, and how do we know the data is correct? Framed this way, the “oracle problem” is a question even a child can understand: how do we know someone is telling us the truth?</p>
<p>Let’s take Maker’s V1 oracle system. It essentially consisted of <a href="https://github.com/makerdao/community/blob/master/faqs/oracles.md">20 addresses</a>, most of which were anonymous, pushing prices on-chain. The oracle reported the median of all of these 20 prices. You might be tempted to ask “is that decentralized?”</p>
<p><strong>This is the wrong question.</strong> The right question to ask is: what are the risks of believing what this oracle tells us? What is the cost to manipulate the oracle? Whose reputations are involved? What has been the value at stake so far, and how long has the system functioned correctly? Whether it is decentralized or not is irrelevant to what we actually care about, especially if censorship is not the principal risk to the system.</p>
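<p>One way to start answering “what is the cost to manipulate the oracle?” for a median-of-N feed like the one described above, as an added example (not Maker’s contract code). It assumes every feed reports each round and that the oracle takes a plain median, averaging the two middle values when N is even; the feed names and prices are constructed.</p>

```python
from statistics import median

INF = float("inf")


def reachable_median(honest, k_faulty):
    """Range (lo, hi) the reported median can be pushed to when k_faulty feeds
    may report anything and the remaining feeds report the `honest` prices.

    The median is monotone in every input, so the extremes are reached when
    all faulty feeds report -inf or +inf. An infinite bound means the faulty
    feeds alone decide the reported price."""
    hi = median(list(honest) + [INF] * k_faulty)
    lo = median(list(honest) + [-INF] * k_faulty)
    return lo, hi


def faults_tolerated(n_feeds):
    """Largest number of faulty feeds for which the median of n_feeds reports
    is still guaranteed to lie inside the range of the honest reports."""
    return (n_feeds - 1) // 2


def deviating_feeds(reports, tolerance=0.02):
    """Operator-side check: names of feeds whose report differs from the
    round's median by more than `tolerance` (a fraction of the median)."""
    mid = median(reports.values())
    return sorted(name for name, price in reports.items()
                  if abs(price - mid) > tolerance * mid)


# Constructed round of 20 reports clustered near 200, with one feed far off.
SAMPLE = {f"feed{i:02d}": 200.0 + 0.1 * i for i in range(20)}
SAMPLE["feed07"] = 260.0


if __name__ == "__main__":
    prices = [200.0 + 0.1 * i for i in range(20)]
    for k in (1, 9, 10, 15):
        lo, hi = reachable_median(prices[: 20 - k], k)
        print(f"{k:2d} faulty of 20 -> median can be moved within [{lo}, {hi}]")
    print("tolerated faults for 20 feeds:", faults_tolerated(20))
    print("feeds deviating from the median:", deviating_feeds(SAMPLE))
```

<p>Under these assumptions the number of feeds that must be wrong at once is only the first term in the cost; the reputational terms the article goes on to discuss are not modeled here.</p>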
<p>Take a step back for a second. How is the oracle problem solved in the normal world? When someone wants to know the result of a sports game, what do they do?</p>
<p>They probably check ESPN. How centralized of them! And why do they trust ESPN’s scores? What complex crypto-economic game is ESPN playing such that we are comfortable trusting them?</p>
<p>One answer might be: well, if ESPN publishes an incorrect score, someone can sue them for damages. ESPN’s bank account can be appropriated by the legal system, so that’s the incentive for ESPN to behave honestly. Thus, we have good oracles thanks to the threat of litigation against ESPN.</p>
<p>This analysis is tempting, but it’s not quite right.</p>
<p>What do you think people would do for on-chain oracles if ESPN started publishing game results onto Ethereum? I’ll tell you: people would just use the ESPN scores. They’d use them instead of Chainlink or Augur or any of these other supposedly decentralized oracles, because they’d trust ESPN’s scores. This would be true even if ESPN expressly disavowed any legal liability for those scores!</p>
<p>Why? Why would people trust ESPN even though it’s not decentralized? (Saying it out loud, it suddenly sounds like a stupid question.)</p>
<p>Everyone knows why we trust ESPN’s scores: because of reputation. The value of ESPN’s reputation is so great that we understand ESPN wouldn’t jeopardize it. It transcends anything as simple as “they have X dollars at stake, but if they corrupt the oracle they could make Y.” In some sense, ESPN’s reputation backs every score they ever post. They have the same X dollars at stake for <em>the entire lifetime of their business</em>. You could think of this as somehow cross-margining all of their claims with all of the money they will ever make! You can’t do that with staking or bonds or any of the other craziness that people demand in crypto-economic games. Reputations are precisely how iterated games enable long-term value creation. Without reputations, there wouldn’t be enough capital in the world for us all <a href="https://twitter.com/lpolovets/status/1087898293307244544">to trust</a> each other.</p>
<p>So what of Maker’s oracle system? Why do so many <a href="https://medium.com/@BaptisteGreve/why-i-think-ethereum-will-succeed-33b802f49de">products in DeFi</a> use it? I don’t think it’s because it’s the “most decentralized.” I think the real answer is simple: reputation. People trust Maker’s reputation.</p>
<p>Of course, they also all know that technically, 15 individuals could collude and run off with the money! (And just as true, a single developer at ESPN could probably post a fabricated game score.) But I think people deep down intuitively understand that Maker—the brand, the DAO—has a reputation to keep up, no differently than ESPN does. And that reputation, in some way that’s hard to quantify, backs every price it ever posts on-chain. In some abstract sense, the Maker system has much more economic value behind its oracle than a naive system that requires bonds and slashing.</p>
<p>If we accept the notion that DAOs can be like companies, why wouldn’t we be willing to consider that DAOs can have reputations worth protecting?</p>
<p>Now, were MakerDAO a monopolist, we intuitively understand that its reputation would carry less weight. But MakerDAO leaves its front doors open to exit through <a href="https://github.com/makerdao/community/blob/master/faqs/emergency-shutdown.md">global settlement</a>. If MakerDAO messes up or is manipulated, its users won’t come back.</p>
<p>Many DeFi projects have chosen the Maker oracles despite their flaws. And to be clear, I don’t think Maker’s oracles are anywhere near the optimal oracle design. But they work! And developers intuitively understand why the Maker oracles are trustworthy.</p>
<p>Many researchers would consider it anathema to make such an imprecise security claim. If it’s not quantitative, if it’s not “X times Y = Z,” then it’s not proper cryptoeconomics.</p>
<p>I’ll say this: I don’t give a damn if your oracle is decentralized. I care if your oracle works under the threat model I care about. Both <a href="https://blockonomi.com/chainlink-pricing-anomaly/">Chainlink</a> and <a href="https://blog.coinfund.io/trolling-with-rep-c5b6e1e0461">Augur</a> have failed pretty badly in the past, despite being more decentralized than Maker’s oracle. I don’t think the Maker oracle is perfect. But it’s a lot better than most of what we see today.</p>
<h2 id="decentralization-is-not-a-binary">Decentralization is not a binary</h2>
<p>But here’s another problem with asking whether something is “truly decentralized”: decentralization is not a yes-or-no question. If you need a network that will survive targeted attacks by <a href="https://www.coindesk.com/nsa-reportedly-eyes-to-scrap-bitcoins-anonymity">three-letter agencies</a>, then probably even Bitcoin isn’t good enough. But most people don’t need that. Only you know how much decentralization you need, and any more decentralization than that probably isn’t doing anything.</p>
<p>Understand, at the margin, decentralization does not linearly reduce risk. It’s more like an S-curve. The first little bit of decentralization doesn’t really accomplish anything. Take Napster for example—Napster was <em>kind of</em> decentralized, in that it didn’t store files on its own servers. But Napster acted as the search index that let people discover other people’s files. So if someone shut down the Napster servers (as happened in <a href="https://en.wikipedia.org/wiki/A%26M_Records,_Inc._v._Napster,_Inc.#Vicarious_infringement">2001</a>), they basically shut down everything. All the little P2P elements of the Napster design were basically window dressing, because the whole system could be trivially foreclosed from the top.</p>
<p><img src="https://unchainedpodcast.com/wp-content/uploads/2020/03/Risk_decentralisation.png" alt="" /></p>
<p>Your early attempts to decentralize don’t accomplish anything until you’re decentralized enough to not be censored. It’s like trying to make a barrel waterproof—the first little bit of sealant doesn’t do anything until you actually plug every hole. At that point, you hit the elbow of the decentralization curve, where suddenly all the work you’re putting in makes a big observable difference to your shutdown risk.</p>
<p>Then, after you climb up the S, decentralizing the governance, the token ownership, the admin hooks, you hit a plateau where the system is basically censorship-resistant. You can invest more into distributing the hash rate further, or adding more nodes to the P2P system, or mitigating selfish mining or whatever, but for the most part, any change at the margin doesn’t actually change the properties of the system that much, for anyone. None of those systems can be taken down by script kiddies, and probably all of them can be taken down by a motivated nation state. Most of the arguments about decentralization at this end of the spectrum are just point-scoring.</p>
<p>Where do you think your favorite project is on this S-curve? I’d argue that most of the large decentralized networks are closer to the plateau than most people like to admit. Bitcoin is more decentralized today than Ethereum, certainly! Unlike Bitcoin, Ethereum’s inventor is still around to steward the project, and it has frequent planned upgrades. But on the spectrum of risk, Bitcoin is actually <em>not</em> <em>that much further</em> <em>along</em>. Both Bitcoin and Ethereum can be destroyed by nation states, and neither can be destroyed by organized actors on the Internet.</p>
<p>All I’m saying here is that there are diminishing returns to decentralization. This is obvious marginal analysis, but people seldom apply this to the concept of decentralization itself. Hence why we get neverending series of papers and blog posts sneering at how blockchains’ <a href="https://arxiv.org/abs/2001.09105">P2P networks</a> and <a href="https://coinmetrics.substack.com/p/coin-metrics-state-of-the-network-768">governance</a> aren’t <em>truly</em> decentralized.</p>
<p>It’s also possible that protocol risks don’t always decrease with decentralization! Decentralizing too fast also can introduce new risks that didn’t previously exist. I’ve never seen a centralized server that had a 51% attack, or a frontrunning vulnerability, or a fee sniping attack. And of course, you should not underestimate the power of responding quickly to a bug by shutting off your system. Centralized systems can much more effectively respond to threats and organize around technical leaders.</p>
<p>I’m reminded of how the computing industry rallied around its leadership in the wake of the <a href="https://www.theverge.com/2018/1/11/16878670/meltdown-spectre-disclosure-embargo-google-microsoft-linux">Spectre and Meltdown bugs</a>. In the face of industry-shaking vulnerabilities, SWAT teams across Intel, Microsoft, and Linux worked on patches while carrying out an industry-wide disclosure embargo. And in retrospect, it worked pretty well! This would have been much harder in a truly decentralized regime. Angela Walch, a law professor at St. Mary’s University, argues in <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3326244">Deconstructing Decentralization</a> that a “genuinely decentralized” project could not have secrets like this. In her words: “secrets reveal centralization.”</p>
<p><em>“The bug fixes, secret developer meetings, and mining pool concentration […] all reveal sites of concentrated—rather than diffuse—power. Yet in uncritically describing blockchain systems as decentralized, we skip over all of that.”</em></p>
<p>She’s absolutely right on her premises! (Although I reject the binary centralized-decentralized distinction.) But I arrive at a different conclusion: what this tells us is that the optimal equilibrium for a project is not currently “100% decentralized.” Climbing further up that S-curve yields diminishing returns, and the juice isn’t worth the squeeze yet.</p>
<p>That all having been said, there are many networks that failed to make it all the way through the decentralization S-curve. IOTA comes to mind for me; I’m sure you have your own favorite shitcoin. If you need to cross this chasm but fail, then decentralization really does matter.</p>
<p>But the biggest risk to many of these networks is not that their governance is too centralized; it’s that their governance is too <em>incompetent</em>. Sure, I want the governance of my blockchain to eventually be decentralized! But if you give me the choice, I’ll take world-class centralized governance over crappy decentralized governance any day of the week.</p>
<h2 id="beyond-decentralized-purity-culture">Beyond decentralized purity culture</h2>
<p>Despite all this, crypto communities love to point at each other and claim their competitors are “not really decentralized.” In a way it’s a perfect attack, because anything can always be <em>more</em> decentralized. It’s the original sin that every project carries. It transmutes decentralization into a virtue of purity, a universal moral failing, a ritual of self-flagellation.</p>
<p>But this decentralization purity culture is not just exhausting—it’s counterproductive.</p>
<p>I know I’m poking a bit of a hornet’s nest here. So let me be clear. Bitcoin would never have become what it is today, were it not decentralized. There is no other path to creating Internet-native digital gold.</p>
<p>But I don’t want to see the best minds of my generation obsessing over this single dimension and lose sight of the most important problems to solve.</p>
<p>Before we worry about decentralization, let’s worry about building things worth decentralizing in the first place. Let’s not forget, no one actually wants this stuff yet! No one knows what problems it will actually solve! It’s all still weird and complicated and impossible to use!</p>
<p>I agree with <a href="https://a16z.com/2020/01/09/progressive-decentralization-crypto-product-management/">Jesse Walden</a> on this point: projects ought to progressively decentralize as they figure out product market fit—that is, once they figure out what’s actually valuable to build. But for most everything in this space, product market fit is still a long way away. Until then, I think we can obsess a little less about being perfectly decentralized. Our focus should be on innovating and building better infrastructure for the digital economy.</p>
<p>That’s the real goal, if you ask me. Decentralization is merely, at times, the means to that end.</p>
Haseeb Qureshi
Flash Loans: Why Flash Attacks will be the New Normal
2020-02-27T00:00:00+00:00
https://haseebq.com/flash-loans-why-flash-attacks-will-be-the-new-normal
<p>Flash loans have been the center of attention lately. Recently two hackers used flash loans to attack the margin trading protocol bZx, <a href="https://www.palkeo.com/en/projets/ethereum/bzx.html">first in a $350K attack and later in a $600K copycat attack</a>.</p>
<p>These attacks were, in a word, magnificent. In each attack, a penniless attacker instantaneously borrowed hundreds of thousands of dollars of ETH, threaded it through a chain of vulnerable on-chain protocols, extracted hundreds of thousands of dollars in stolen assets, and then paid back their massive ETH loans. All of this happened in an instant—that is, in a single Ethereum transaction.</p>
<p><img src="https://miro.medium.com/max/540/0*SWR0W8H-jgWhn6xb" alt="" />
<em>Cover art by Carmine Infantino</em></p>
<p>We don’t know who these attackers were or where they came from. Both started with basically nothing and walked away with hundreds of thousands of dollars in value. Neither left any traces to identify themselves.</p>
<p>In the wake of these attacks, I’ve been thinking a lot about flash loans and their implications for the security of DeFi. I think this is worth thinking through in public.</p>
<p>In short: I believe flash loans are a big security threat. But flash loans are not going away, and we need to think carefully about the impact they will have for DeFi security going forward.</p>
<h2 id="what-is-a-flash-loan">What is a flash loan?</h2>
<p>The concept of a flash loan was first named by Max Wolff, the creator of <a href="https://medium.com/marbleorg/introducing-marble-a-smart-contract-bank-c9c438a12890">Marble Protocol</a>, in 2018. Marble marketed itself as a “smart contract bank,” and its product was a simple, yet brilliant DeFi innovation: zero-risk loans via a smart contract.</p>
<p><img src="https://miro.medium.com/max/401/1*jxZck-vRNIjKaT4EYiEBCQ.png" alt="" /></p>
<p>How can a loan have zero risk?</p>
<p>Traditional lenders take on two forms of risk. The first is default risk: if the borrower runs off with the money, that obviously sucks. But the second risk to a lender is illiquidity risk: if a lender lends out too many of their assets at the wrong times, or doesn’t receive timely repayments, the lender may be unexpectedly illiquid and not be able to meet their own obligations.</p>
<p>Flash loans mitigate both risks. A flash loan basically works like this: I will lend you as much money as you want for this <em>single</em> transaction. But, by the end of this transaction, you <em>must</em> pay me at least as much as I lent you. If you are unable to do that, I will automatically roll back your transaction! (Yep, smart contracts can <a href="https://eips.ethereum.org/EIPS/eip-140">do that</a>.)</p>
<p>Simply put, your flash loan is atomic: if you fail to pay back the loan, the whole thing gets reverted as though the loan never happened.</p>
<p>Something like this could only exist on blockchains. You could not do flash loans on, say, BitMEX. This is because smart contract platforms process transactions one at a time, so everything that happens in a transaction is executed serially as a batch operation. You can think of this as your transaction “freezing time” while it’s executing. A centralized exchange, on the other hand, can have race conditions such that a leg of your order fails to fill. On the blockchain, you’re guaranteed that all of your code runs one line after the next.</p>
<p>So let’s think about the economics here for a second. Traditional lenders are compensated for two things: the risk they’re taking on (default risk and illiquidity risk), and for the opportunity cost of the capital they’re lending out (e.g., if I can get 2% interest elsewhere on that capital, the borrower must pay me more than the risk-free 2%).</p>
<p>Flash loans are different. Flash loans literally have no risk and no opportunity cost! This is because the borrower “froze time” for the duration of their flash loan, so in anyone else’s eyes, the system’s capital was never at risk and never encumbered, therefore it could not have earned interest elsewhere (i.e., it did not have an opportunity cost).</p>
<p>This means, in a sense, there’s no cost to being a flash lender. This is deeply counterintuitive. So how much should a flash loan cost at equilibrium?</p>
<p>Basically, flash loans should be free. Or more properly, a small enough fee to amortize the cost of including the extra 3 lines of code to make an asset flash-lendable.</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Callback interface implemented by the borrowing contract (msg.sender)</span>
<span class="kr">interface</span> <span class="nx">Lender</span> <span class="p">{</span>
    <span class="kd">function</span> <span class="nx">goWild</span><span class="p">()</span> <span class="nx">external</span><span class="p">;</span>
<span class="p">}</span>
<span class="nx">contract</span> <span class="nx">FlashERC20</span> <span class="nx">is</span> <span class="nx">ERC20</span> <span class="p">{</span>
    <span class="nx">using</span> <span class="nx">SafeMath</span> <span class="k">for</span> <span class="nx">uint256</span><span class="p">;</span>
    <span class="kd">function</span> <span class="nx">flash</span><span class="p">(</span><span class="nx">uint256</span> <span class="nx">amount</span><span class="p">)</span> <span class="nx">external</span> <span class="p">{</span>
        <span class="c1">// Credit the caller with `amount` tokens for the length of this call</span>
        <span class="nx">balances</span><span class="p">[</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">]</span> <span class="o">=</span> <span class="nx">balances</span><span class="p">[</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">].</span><span class="nx">add</span><span class="p">(</span><span class="nx">amount</span><span class="p">);</span>
        <span class="c1">// Hand control to the caller, which can use the tokens however it likes</span>
        <span class="nx">Lender</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">).</span><span class="nx">goWild</span><span class="p">();</span>
        <span class="c1">// Take the tokens back; SafeMath's sub reverts the whole transaction if the balance is short</span>
        <span class="nx">balances</span><span class="p">[</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">]</span> <span class="o">=</span> <span class="nx">balances</span><span class="p">[</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">].</span><span class="nx">sub</span><span class="p">(</span><span class="nx">amount</span><span class="p">);</span>
    <span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<p style="text-align: center; display: block;"><em>h/t <a href="https://twitter.com/recmo/status/1229171153597386752">Remco Bloemen</a></em></p>
<p>Flash loans cannot charge <em>interest</em> in the traditional sense, because the loan is active for zero time (any APR * 0 = 0). And of course, if flash lenders charged higher rates, they’d quickly be outcompeted by other flash lending pools that charged lower rates.</p>
<p>Flash lending makes capital a true commodity. This race to the bottom inevitably results in zero fees or a tiny nominal fee. dYdX currently charges 0 fees for flash lending. AAVE, on the other hand, charges 0.09% on the principal for flash loans. I suspect this is not sustainable, and indeed, some in their community have <a href="https://medium.com/aave/flash-loans-one-month-in-73bde954a239">called for slashing fees to 0</a>. (Note that neither of the attacks we saw used AAVE as their flash lending pool.)</p>
<h2 id="what-are-flash-loans-useful-for">What are flash loans useful for?</h2>
<p>Flash loans were originally marketed on the premise that they’d primarily be used for arbitrage. Marble’s <a href="https://medium.com/marbleorg/introducing-marble-a-smart-contract-bank-c9c438a12890">breakout announcement</a> claimed:</p>
<blockquote>
<p>“With flash lending, a trader can borrow from the Marble bank, buy a token on one DEX, sell the token on another DEX for a higher price, repay the bank, and pocket the arbitrage profit all in a single atomic transaction.”</p>
</blockquote>
<p>And it’s true — by volume, most of the flash loans we’ve seen so far have been used for this kind of arbitrage.</p>
<p><img src="https://miro.medium.com/max/605/0*iEZ9lsff9ZXWMAft" alt="" />
<em>Flash loan usage on AAVE. Credit: AAVE</em></p>
<p>But volumes have been tiny. AAVE has originated barely over $10K of borrows since inception. This is minuscule compared to the arbitrage and liquidations market on DeFi.</p>
<p>This is because most arbitrage is performed by competitive arbitrageurs running sophisticated bots. They engage in on-chain <a href="https://twitter.com/phildaian/status/1116155253890613249">priority gas auctions</a> and use <a href="https://gastoken.io/">gas tokens</a> to optimize transaction fees. It’s a very competitive market — these guys are perfectly happy to keep some tokens on their balance sheet to optimize their earnings.</p>
<p>On the other hand, borrowing on AAVE costs about <a href="https://developers.aave.com/#gas-consumption">80K gas</a> and charges 0.09% of the principal — a steep price to pay for an arbitrageur competing over tiny margins. In fact, in most <a href="https://medium.com/aave/flash-loans-one-month-in-73bde954a239">AAVE arbitrages</a>, the borrower ended up paying more in fees to the lending pool than they took home.</p>
<p>In the long run, arbitrageurs are unlikely to use flash loans except in special circumstances.</p>
<p>But flash loans have other more compelling use cases in DeFi. One example is refinancing loans. For example, say I have a Maker vault (CDP) with $100 of ETH locked in it, and I drew a loan of 40 DAI from it—so I’ve got a $60 net position minus my debt. Now say I want to refinance into Compound for a better interest rate. Normally I’d need to go out and repurchase that 40 DAI to close out my CDP, which requires some up-front capital. Instead, I can flash borrow 40 DAI, close out the $100 CDP, deposit $60 of my unlocked ETH into Compound, convert the other $40 of ETH back into DAI through Uniswap, and use that to repay the flash loan. Boom, atomic 0-capital refinancing.</p>
<p>That’s pretty magical! It’s a great example of money legos™ at work. <a href="https://1x.ag/#/">1x.ag</a> actually built a margin trading aggregator that automates this kind of thing using flash loans. But as cool as flash loans can be, the bZx attackers showed us that they aren’t just fun and games.</p>
<h2 id="flash-attacks-have-big-security-implications">Flash attacks have big security implications</h2>
<p>I’ve increasingly come to believe that what flash loans really unlock are flash attacks — capital-intensive attacks funded by flash loans. We saw the first glimpses of this in the recent bZx hacks, and I suspect that’s only the tip of the spear.</p>
<p>There are two main reasons why flash loans are especially attractive to attackers.</p>
<ol>
<li>Many attacks require lots of up-front capital (such as oracle manipulation attacks). If you’re earning a positive ROI on $10M of ETH, it’s probably not arbitrage — you’re likely up to some nonsense.</li>
<li>Flash loans minimize taint for attackers. If I have an idea of how to manipulate an oracle with $10M of Ether, even if I own that much Ether, I might not want to risk it with my own capital. My ETH will get tainted, exchanges might reject my deposits, and it will be hard to launder. It’s risky! But if I take out a flash loan for $10M, then who cares? It’s all upside. It’s not like the collateral pool of dYdX will be considered tainted because that’s where my loan came from — the taint on dYdX just sort of evaporates.</li>
</ol>
<p>You might not like that exchange blacklisting is part of the blockchain security model today. It’s quite squishy and centralized. But it’s an important reality that informs the calculus behind these attacks.</p>
<p>In the <a href="https://bitcoin.org/bitcoin.pdf">Bitcoin white paper</a>, Satoshi famously claimed that Bitcoin is secure from attack because:</p>
<blockquote>
<p>“[The attacker] ought to find it more profitable to play by the rules […] than to undermine the system and validity of his own wealth.”</p>
</blockquote>
<p>With flash loans, attackers no longer need to have any skin in the game. Flash loans materially change the risks for an attacker.</p>
<p>And remember, flash loans can stack! Subject to the gas limit, you could literally aggregate every flash loanable pool in a single transaction (upwards of $50M) and bring all that capital thundering down onto a single vulnerable contract. It’s a $50M battering ram that now anyone can slam into any on-chain piñata, so long as money comes out. This is scary.</p>
<p>Now, of course, you <em>shouldn’t</em> be able to attack a protocol by just having a lot of money. If the DeFi stack is as secure as it’s claimed to be, all this shouldn’t be a problem — what kind of protocol isn’t secure against a rich whale? Not accounting for that is just negligence, you might say.</p>
<p>And yet we acknowledge that Ethereum itself can be 51% attacked for <a href="https://www.crypto51.app/">less than $200K/hr</a>**. That’s not that much money! If Ethereum’s own security model is basically built around capital constraints, why are we so quick to scoff at DeFi applications that can be successfully attacked for $10M?</p>
<p>(** To be clear, I don’t believe these numbers—the figure conveniently ignores slippage and the dearth of supply—plus consensus-layer security and application-layer security are different beasts. But you get the point.)</p>
<h2 id="so-how-can-you-mitigate-against-flash-attacks">So how can you mitigate against flash attacks?</h2>
<p>Say I’m a DeFi protocol and I want to avoid getting flash attacked. The natural question might be — can I detect whether the user interacting with me is using a flash loan?</p>
<p>The simple answer is: no.</p>
<p>The EVM doesn’t let you read storage from any other contract. Thus, if you want to know what’s going on in another contract, it’s on that contract to tell you. So if you wanted to know whether a flash loan contract was actively being used, you’d have to ask the contract directly. Today many of the lending protocols don’t respond to such queries (and there’s no way to enforce that a flash lender does in general). Plus even if you tried to check, any such query could easily be misdirected using a proxy contract, or by chaining across flash lending pools. It’s simply not possible to tell in general whether a depositor is using a flash loan.</p>
<p>Take that in for a second. If someone is knocking on your contract’s front door with $10M, it’s impossible to tell whether it’s their own money or not.</p>
<p>So what real options do we have to protect against flash attacks? There are a few approaches we could consider.</p>
<ul>
<li>Convince flash lending pools to stop offering this service.</li>
</ul>
<p>Ha, just kidding. It’s crypto, you guys!</p>
<p>In all seriousness, trying to get lending pools to stop offering flash lending is like trying to stop noise pollution—it’s a classic tragedy of the commons. It’s in every protocol’s individual interest to offer flash loans, and there are legitimate reasons why their users want this functionality. So we can safely dismiss this. Flash loans aren’t going away.</p>
<ul>
<li>Force critical transactions to span two blocks.</li>
</ul>
<p>Remember, flash loans allow you to borrow capital within the span of a <em>single</em> <em>transaction</em>. If you require that a capital-intensive transaction span two blocks, then the user must take out their loan for at least two blocks, defeating any flash attacks. (Note: for this to work, the user has to have their value locked up between the two blocks, preventing them from repaying the loan. If you don’t think through the design correctly, a user could just flash attack in <em>both</em> blocks.)</p>
<p>Obviously this comes at a steep UX tradeoff: it means that transactions will no longer be synchronous. It sucks for users, and it’s a tough bullet to bite.</p>
<p>Many developers bemoan asynchronous smart contract operations, such as interacting with layer 2 or cross-shard communication in Ethereum 2.0. Ironically, asynchrony actually makes these systems secure against flash attacks, since you cannot traverse a shard or a layer 2 in a single atomic transaction. This means no flash attacks across ETH 2.0 shards or against DEXes on layer 2.</p>
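<p>The following Python model is an added example, not code from the original post or from any protocol named in it. It simulates the atomic revert behind a flash loan and the two-block rule above, including the caveat that the rule only works when the committed value is locked. The <code>Chain</code> and <code>Vault</code> classes, the account names and all amounts are constructed assumptions.</p>

```python
import copy

class Revert(Exception):
    """Aborts the current transaction, like the EVM REVERT opcode."""

class Chain:
    """Toy ledger (constructed model, not a real EVM) with atomic transactions."""

    def __init__(self, pool_liquidity):
        self.block = 1
        self.state = {"wallet": {}, "pool": pool_liquidity, "commits": {}, "actions": []}

    def mine_block(self):
        self.block += 1

    def transact(self, tx):
        """Run tx(chain); on Revert roll every state change back and return False."""
        snapshot = copy.deepcopy(self.state)
        try:
            tx(self)
            return True
        except Revert:
            self.state = snapshot
            return False

    def flash_loan(self, borrower, amount, callback):
        """Lend `amount` for the duration of callback(chain); revert if unpaid."""
        wallet = self.state["wallet"]
        if amount > self.state["pool"]:
            raise Revert("not enough liquidity")
        self.state["pool"] -= amount
        wallet[borrower] = wallet.get(borrower, 0) + amount
        callback(self)
        if wallet.get(borrower, 0) < amount:
            raise Revert("flash loan not repaid")
        wallet[borrower] -= amount
        self.state["pool"] += amount

class Vault:
    """Hypothetical protocol whose action is weighted by committed capital."""

    def __init__(self, two_blocks, lock_funds):
        self.two_blocks = two_blocks    # action must land in a later block
        self.lock_funds = lock_funds    # committed value leaves the wallet

    def commit(self, chain, user, amount):
        wallet = chain.state["wallet"]
        if wallet.get(user, 0) < amount:
            raise Revert("insufficient balance")
        if self.lock_funds:
            wallet[user] -= amount
        chain.state["commits"][user] = (amount, chain.block)

    def act(self, chain, user):
        commits, wallet = chain.state["commits"], chain.state["wallet"]
        if user not in commits:
            raise Revert("nothing committed")
        amount, committed_at = commits.pop(user)
        if self.two_blocks and chain.block <= committed_at:
            raise Revert("action must come in a later block than the commit")
        if self.lock_funds:
            wallet[user] = wallet.get(user, 0) + amount   # release the locked value
        elif wallet.get(user, 0) < amount:
            raise Revert("balance does not back the commit")
        chain.state["actions"].append((user, amount))

def flash_funded(vault, user, amount, steps):
    """Build a transaction that runs the named vault steps inside one flash loan."""
    def callback(chain):
        if "commit" in steps:
            vault.commit(chain, user, amount)
        if "act" in steps:
            vault.act(chain, user)
    return lambda chain: chain.flash_loan(user, amount, callback)

def run_scenarios(amount=500_000):
    out = {}
    # 1. No mitigation: commit and act inside one flash-funded transaction.
    chain, vault = Chain(1_000_000), Vault(two_blocks=False, lock_funds=True)
    out["one_tx"] = chain.transact(flash_funded(vault, "borrower", amount, ["commit", "act"]))
    # 2. Two blocks plus lock: the loan cannot be repaid while the value is locked.
    chain, vault = Chain(1_000_000), Vault(two_blocks=True, lock_funds=True)
    out["locked_commit"] = chain.transact(flash_funded(vault, "borrower", amount, ["commit"]))
    out["locked_same_tx"] = chain.transact(flash_funded(vault, "borrower", amount, ["commit", "act"]))
    out["locked_state_untouched"] = chain.state["pool"] == 1_000_000 and not chain.state["commits"]
    # 3. Two blocks without a lock: a flash loan in each block passes both checks.
    chain, vault = Chain(1_000_000), Vault(two_blocks=True, lock_funds=False)
    first = chain.transact(flash_funded(vault, "borrower", amount, ["commit"]))
    chain.mine_block()
    out["unlocked_two_loans"] = first and chain.transact(flash_funded(vault, "borrower", amount, ["act"]))
    # 4. A user with their own capital is delayed by one block but not blocked.
    chain, vault = Chain(1_000_000), Vault(two_blocks=True, lock_funds=True)
    chain.state["wallet"]["alice"] = amount
    ok = chain.transact(lambda c: vault.commit(c, "alice", amount))
    out["own_funds_same_block"] = chain.transact(lambda c: vault.act(c, "alice"))
    chain.mine_block()
    out["own_funds_next_block"] = ok and chain.transact(lambda c: vault.act(c, "alice"))
    return out
```

<p>Scenario 3 is the design mistake the note above warns about: without a lock, the two-block requirement only adds a delay for honest users.</p>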
<ul>
<li>Request on-chain proofs that a user’s prior balance wasn’t altered by a flash loan.</li>
</ul>
<p>We could defeat flash attacks if there were some way to detect what a user’s <em>real</em> balance was — that is, what their balance was before they took out the loan.</p>
<p>There’s no way to do that natively in the EVM, but you can sort of hack it. Here’s what you do: before a user interacts with your protocol, you demand a Merkle proof that demonstrates that at the end of the previous block, they had enough balance to account for the capital they’re currently using. You’d need to keep track of this for each user in each block. (Credit to Ari Juels for outlining this approach to me.)</p>
<p>This <em>kind of</em> works. Of course, it has some gnarly problems: verifying these on-chain proofs is <a href="https://github.com/lorenzb/proveth">incredibly expensive on-chain</a>, and no user in their right mind wants to generate them and pay the gas fees for this whole thing. Plus, users might have changed their balance <em>earlier in the same block</em> for perfectly legitimate reasons. So while theoretically it has some merit, it’s not a practical solution.</p>
<p>None of these three solutions I’ve proposed are particularly promising. I’m convinced that there is no good general defense against flash attacks.</p>
<p>But there are two specific applications that <em>do</em> have specific mitigations against flash attacks: market-based price oracles and governance tokens.</p>
<p>For market-based price oracles like Uniswap or OasisDEX, flash attacks make it so you <em>cannot under any circumstances</em> use the current mid-market price as an oracle. It’s child’s play for an attacker to move the mid-market price within a single transaction and manufacture a flash crash, corrupting the price oracle.</p>
<p>The best solution here is to use a weighted average of the last X blocks either via a <a href="https://en.wikipedia.org/wiki/Time-weighted_average_price">TWAP</a> or <a href="https://en.wikipedia.org/wiki/Volume-weighted_average_price">VWAP</a>. Uniswap v2 will offer this natively. There’s also <a href="https://medium.com/marbleorg/introducing-polaris-ced195dd798e">Polaris</a>, a generalized approach for offering moving averages for DeFi protocols. Ironically, Polaris was also built by Max Wolff, the original creator of Marble. (Polaris is now abandoned, but much credit to Max for seeing around that corner.)</p>
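<p>To make the difference concrete, here is an added Python model (not code from the original post, and not Uniswap’s implementation) that compares a spot-price reading with a block-weighted TWAP reading while the price is moved and restored inside one transaction. The fee-free constant-product <code>Pool</code>, the <code>TwapOracle</code> class, the ten-block window and the reserve figures are all constructed assumptions.</p>

```python
class Pool:
    """Toy constant-product market (eth * dai = k), no fees. Constructed model."""

    def __init__(self, eth, dai):
        self.eth, self.dai = eth, dai
        self.block = 0
        self.cumulative = 0.0     # sum of (price * number of blocks it stood)
        self.last_update = 0      # block at which `cumulative` was last advanced

    def spot(self):
        """Mid-market price right now, in DAI per ETH."""
        return self.dai / self.eth

    def advance(self, blocks=1):
        self.block += blocks

    def _accumulate(self):
        # Before the first trade of a block, credit the price that stood since
        # the last update. Later trades in the same block add nothing.
        elapsed = self.block - self.last_update
        if elapsed > 0:
            self.cumulative += self.spot() * elapsed
            self.last_update = self.block

    def observe(self):
        """Cumulative price up to the start of the current block."""
        return self.cumulative + self.spot() * (self.block - self.last_update)

    def swap_eth_for_dai(self, eth_in):
        self._accumulate()
        k = self.eth * self.dai
        self.eth += eth_in
        dai_out = self.dai - k / self.eth
        self.dai -= dai_out
        return dai_out

    def swap_dai_for_eth(self, dai_in):
        self._accumulate()
        k = self.eth * self.dai
        self.dai += dai_in
        eth_out = self.eth - k / self.dai
        self.eth -= eth_out
        return eth_out


class TwapOracle:
    """Average price over the blocks since the last checkpoint."""

    def __init__(self, pool):
        self.pool = pool
        self.checkpoint()

    def checkpoint(self):
        self.start_block = self.pool.block
        self.start_cumulative = self.pool.observe()

    def read(self):
        elapsed = self.pool.block - self.start_block
        if elapsed <= 0:
            # A zero-length window would degenerate into the spot price.
            raise ValueError("TWAP window must span at least one block")
        return (self.pool.observe() - self.start_cumulative) / elapsed


def run_demo():
    pool = Pool(eth=1_000.0, dai=200_000.0)   # constructed reserves: 200 DAI per ETH
    oracle = TwapOracle(pool)                  # window opens at block 0
    pool.advance(10)

    # One transaction in block 10: large swap, both oracle readings, swap back.
    dai_out = pool.swap_eth_for_dai(1_000.0)
    spot_during = pool.spot()                  # what a spot-price oracle reports
    twap_during = oracle.read()                # what the TWAP oracle reports
    pool.swap_dai_for_eth(dai_out)
    spot_after = pool.spot()

    # The same distortion held across a block boundary, which needs capital
    # that stays at risk between blocks and so cannot come from a flash loan.
    oracle.checkpoint()                        # new window opens at block 10
    pool.advance(9)
    pool.swap_eth_for_dai(1_000.0)             # block 19
    pool.advance(1)                            # distorted price stands for one block
    twap_held = oracle.read()
    return spot_during, twap_during, spot_after, twap_held
```

<p>In this model the spot reading falls from 200 to 50 inside the transaction while the TWAP reading stays at 200, and holding the distorted price for one full block of a ten-block window moves the TWAP only to 185.</p>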
<p>On-chain governance is its own can of worms. On-chain governance is usually determined by the coin-weighted voting among holders of the governance token. But if those governance tokens are in a flash lending pool, then any attacker can scoop up a giant pile of coins and bash on any outcome they want.</p>
<p>Of course, most governance protocols require those coins to be locked up for the voting period, which defeats flash attacks. But some forms of voting don’t require this, such as <a href="http://carbonvote.com/">carbon votes</a>, or <a href="https://medium.com/coinmonks/how-to-turn-20m-into-340m-in-15-seconds-48d161a42311">Maker’s executive contract</a>. With flash attacks now on the table, these forms of voting should be considered completely broken.</p>
<p>Ideally, it’d be great if governance tokens weren’t flash loanable at all. But this isn’t up to you as an issuer — it’s up to the market. Thus, all governance actions should require lockups to protect against flash attacks. Compound’s new COMP token goes a step further by <a href="https://medium.com/compound-finance/compound-governance-5531f524cf68">time-weighting all protocol votes</a>, weakening even regular loan attacks against their governance token.</p>
<p>More broadly, all governance tokens must have timelocks. A timelock enforces that all governance decisions must wait a period of time before they go live (for <a href="https://compound.finance/developers/governance#timelock">Compound’s timelock</a>, it’s 2 days). This allows the system to recover from any unanticipated governance attacks. Even though MKR isn’t yet flash borrowable in bulk, MakerDAO was recently called out for being <a href="https://twitter.com/ameensol/status/1229848488621428736">vulnerable to this sort of attack</a>. It recently implemented <a href="https://vote.makerdao.com/executive-proposal/activate-the-dai-debt-ceiling-adjustment-set-dai-savings-rate-spread-set-sai-stability-fee-lower-surplus-auction-bid-set-governance-delay-module">a 24 hour timelock</a>, closing this attack vector.</p>
<h2 id="what-does-all-of-this-mean-for-the-long-term">What does all of this mean for the long term?</h2>
<p>I believe the bZx attacks changed things.</p>
<p>This will not be the last flash attack. The second bZx attack was the first copycat, and I suspect it will set off a wave of attacks in the coming months. Now thousands of clever teenagers from the remotest parts of the world are poking at all these DeFi legos, examining them under a microscope, trying to discover if there is some way they can pull off a flash attack. If they manage to exploit a vulnerability, they too could make a few hundred thousand dollars — a life-changing sum in most parts of the world.</p>
<p>Some people claim that flash attacks don’t change anything because these attacks were always possible if the attacker was well-capitalized. That’s both correct and incredibly incorrect. Most whales don’t know how to hack smart contracts, and most brilliant attackers don’t have millions of dollars lying around. Now anyone can rent a $50M wrecking ball for pennies. This changes the way every building needs to be constructed from now on.</p>
<p>After the bZx hacks, being hit by a flash attack will be as embarrassing as getting hit by re-entrancy after the DAO hack: you will get no sympathy. You should have known better.</p>
<p>Lastly, these episodes have gotten me thinking about an old concept in crypto: <a href="https://arxiv.org/pdf/1904.05234.pdf">miner-extractable value</a>. Miner-extractable value is the total value that miners can extract from a blockchain system. This includes block rewards and fees, but it also includes more mischievous forms of value extraction, such as reordering transactions or inserting rogue transactions into a block.</p>
<p>At bottom, you should think of all of these flash attacks as single transactions in the mempool that make tons of money. For example, the second bZx attack resulted in $645K profit in ETH in a single transaction. If you’re a miner and you’re about to start mining a new block, imagine looking at the previous block’s transactions and saying to yourself… <em>“wait, what? Why am I about to try to mine a new block for ~$500, when that last block contains $645K of profit in it??”</em></p>
<p>Instead of extending the chain, it’d be in your interest to go back and try to rewrite history such that <em>you</em> were the flash attacker instead. Think about it: that transaction alone was worth more than 4 hours’ worth of honestly mined Ethereum blocks!</p>
<p>This is isomorphic to having a special super-block that contains 1000x the normal block reward — just as you expect, the rational result of such a super-block should be a dogpile of miners competing to orphan the tip of the chain and steal that block for themselves.</p>
<p><img src="https://miro.medium.com/max/1280/0*iUAd_QlkHfgajL6w" alt="" />
<em>Artist’s visualization of a miner dogpile. Credit: AP Photo/Denis Poroy</em></p>
<p>At equilibrium, all flash attacks should ultimately be extracted by miners. (Note that they should also end up stealing all on-chain arbitrage and liquidations.) This will, ironically, serve as a deterrent against flash attacks, since it will leave attackers unable to monetize their discoveries of these vulnerabilities. Perhaps eventually miners will start soliciting attack code through private channels and pay the would-be attacker a finder’s fee. Technically, this could be done trustlessly using zero-knowledge proofs. (Weird to think about, right?)</p>
<p>But that’s all pretty sci-fi for now. Miners obviously aren’t doing this today.</p>
<p>Why aren’t they?</p>
<p>Tons of reasons. It’s hard, it’s a lot of work, the EVM sucks to simulate, it’s risky, there would be bugs that would result in lost funds or orphaned blocks, it’d cause an uproar and the rogue mining pool might have a PR crisis and be branded an “enemy of Ethereum.” For now miners would lose more in business, R&D, and orphaned blocks than they’d gain by trying to do this.</p>
<p>That’s true today.</p>
<p>It won’t be true forever.</p>
<p>This lends yet another motivation for Ethereum to hurry up and transition to Ethereum 2.0. DeFi on Ethereum, while always entertaining, is absolutely and irrevocably broken. DeFi is not stable on a PoW chain, because all high-value transactions are subject to miner reappropriation (also known as <a href="https://arxiv.org/abs/1904.05234">time bandit attacks</a>).</p>
<p>For these systems to work at scale, you need finality—the inability for miners to rewrite confirmed blocks. This will protect transactions in previous blocks from getting reappropriated. Plus if DeFi protocols exist on separate Ethereum 2.0 shards, they won’t be vulnerable to flash attacks.</p>
<p>In my estimation, flash attacks give us a small but useful reminder that it’s early days. We’re still far from having sustainable architecture for building the financial system of the future.</p>
<p>For now, flash loans will be the new normal. Maybe in the long run, all assets on Ethereum will be available for flash loans: all of the collateral held by exchanges, all the collateral in Uniswap, maybe all ERC-20s themselves.</p>
<p>Who knows—it’s only a few lines of code.</p>
<p>Flash loans have been the center of attention lately. Recently two hackers used flash loans to attack the margin trading protocol bZx, first in a $350K attack and later in a $600K copycat attack.</p>
<hr />
<h1>The Life and Death of Plasma</h1>
<p>2020-01-27T00:00:00+00:00 | <a href="https://haseebq.com/the-life-and-death-of-plasma">https://haseebq.com/the-life-and-death-of-plasma</a></p>
<p><em>By Haseeb Qureshi and Ashwin Ramachandran</em></p>
<p>It was August 2017. The price of Ether was near an all time high, the Ethereum blockchain was exploding with usage, and the chain was buckling under the ever increasing demand. Researchers and developers were frantically searching for new scalability solutions. At blockchain conferences around the world, developers debated scaling proposals. The Ethereum community was desperate for a solution. In the middle of this frenzy the first version of the Plasma paper was released, promising a layer-2 scaling solution that could handle “nearly all financial computation worldwide.”</p>
<p><img src="https://miro.medium.com/max/783/0*pmSpCD5bi_0ER4MR" alt="" />
<em>TechCrunch reporting on Plasma</em></p>
<p>Fast forward to 2020. Ethereum is as slow as ever, and yet it has survived all the so-called Ethereum killers. Ethereum 2.0’s launch date keeps receding further into the future, and Plasma seems to have disappeared entirely with many development groups <a href="https://twitter.com/plasma_group/status/1215410533052055553">shuttering operations</a>.</p>
<p>And yet, new solutions such as optimistic and ZK rollup are being hailed as the best scaling solutions. But memory of Plasma seems to have vanished without a trace.</p>
<h2 id="so-who-killed-plasma">So who killed Plasma?</h2>
<p>Let’s go back to what it was like in early 2017. Ethereum had just gone mainstream for the first time, and there was limitless optimism about what would soon be possible. It was claimed that all valuable assets would soon be tokenized. Meetups in San Francisco were standing room only, and crowds materialized whenever Ethereum was mentioned. But Ethereum wasn’t scaling.</p>
<p>In the middle of this craze, Vitalik Buterin and Joseph Poon published <a href="https://plasma.io/plasma.pdf">a paper</a>, where they introduced a new layer-2 scalability solution called Plasma.</p>
<p><img src="https://miro.medium.com/max/1600/0*7XuvIcVTIXPjoolQ" alt="" />
<em>Vitalik and Joseph Poon introduce Plasma at a meetup in San Francisco</em></p>
<p>Plasma claimed to allow Ethereum to scale to Visa-level transaction volumes, and its bold claims triggered a <a href="https://www.reddit.com/r/ethereum/comments/6sqca5/plasma_scalable_autonomous_smart_contracts/">wave of developer and community excitement</a>. Soon after, the Ethereum research community rallied around Plasma as the salvation to Ethereum’s scaling woes.</p>
<p><img src="https://miro.medium.com/max/794/1*S4LgcG7_5HiUJ84wL4FFXQ.png" alt="" /></p>
<p>But what exactly was Plasma, and why didn’t it end up fulfilling its promises?</p>
<h2 id="how-does-plasma-work">How does Plasma work?</h2>
<p>The original Plasma paper described a mechanism for constructing a MapReduce “tree of blockchains”. Each node in the tree would represent a unique blockchain that was connected to its parent, and all of these blockchains were arranged in a massive hierarchy. This initial specification, however, was vague and complex. Soon after its release, Vitalik simplified the spec in a new paper appropriately named <a href="https://ethresear.ch/t/minimal-viable-plasma/426">MVP</a> (Minimal Viable Plasma).</p>
<p><img src="https://miro.medium.com/max/638/0*ljhRM5ybxm635x4Y" alt="" />
<em>The Plasma “Tree of Blockchains”</em></p>
<p>MVP proposed a stripped-down version of Plasma: a simple UTXO based sidechain that would be safe under data unavailability. But what is a sidechain? And what does it mean for data to be unavailable? Before we delve into Plasma, let’s walk through what these terms mean.</p>
<p>A sidechain is simply a blockchain that is attached to another blockchain. Sidechains can be operated in many different ways, such as by a trusted third-party, a federation, or a consensus algorithm. For example, Blockstream participates in a federated sidechain on the Bitcoin network called <a href="https://blockstream.com/liquid/">Liquid</a>. Liquid allows for higher transaction throughput, which it achieves due to a tradeoff in its trust model. Users must trust the federation not to collude and steal funds. The chain operators in this context are the various members of the Liquid federation, such as Blockstream the company.</p>
<p><img src="https://miro.medium.com/max/971/0*P5GqjhzTyRI4R_kk" alt="" />
<em>Visualization of sidechain transfers (exemplified by Liquid). Credit: <a href="https://www.gakonst.com/sidechains2019.pdf">Georgios Konstantopoulos</a></em></p>
<p>A sidechain is attached to a larger blockchain (like Bitcoin) via a two-way peg. Users can deposit funds on the sidechain by sending them to a particular address or smart contract on the main chain. This is referred to as a peg-in transaction. To withdraw funds, users can perform the same operation on the sidechain to retrieve their funds on the main chain. This is referred to as a peg-out transaction. But how does this relate to Plasma?</p>
<p>As we saw in the example above, moving funds out of a sidechain requires one critical component: <em>trust</em>. Users must trust the operators of the sidechain not to abscond with funds.</p>
<p>But isn’t the main feature of blockchains trustlessness? What if users want to interact with a sidechain without trusting its operators?</p>
<p>This is precisely the problem Plasma was created to solve.</p>
<p>Plasma was designed to minimize the trust required of sidechain operators. That is, Plasma prevents funds from being stolen even if operators (or a consensus majority) misbehave.</p>
<p>But even if operators can’t outright steal funds, sidechains have another problem. What if the sidechain operators publish a block header, but refuse to publish the underlying transaction data? That would prevent anyone from verifying the correctness of the sidechain.</p>
<p>This concept is known as data unavailability. Plasma attempted to keep users safe even if operators withheld transaction data — in the event that an operator refuses to release data, all users would still be able to retrieve their funds and exit the sidechain.</p>
<p>Plasma made big promises about its security and scalability. It’s no surprise then that during the bull run of 2017, it was widely believed that Plasma would solve Ethereum’s scaling problems. But as the market sobered up in 2018 and the blockchain hype collapsed, a more realistic picture of Plasma began to crystalize. When it came to real-world deployments, Plasma posed more problems than solutions.</p>
<p>The first problem was that each user had to monitor and verify all transactions on the Plasma MVP chain to detect and exit in the case of malicious operator behavior. Transaction verification is expensive, however, and this monitoring requirement added significant overhead to participating in the Plasma chain.</p>
<p>Researchers also realized that it’s difficult for users to exit a Plasma chain. When a user attempts to withdraw funds from a Plasma MVP chain, they must submit an exit transaction and then wait a set period of time. This is known as the challenge period. At any time during the challenge period, any user can challenge another user’s exit by providing a proof that the exit is invalid (such as that they’re minting fake coins or stealing someone else’s coins). Thus, all exits can only be processed after the challenge period is over, which takes up to 1 week in some proposals.</p>
<p>But it gets worse.</p>
<p>Remember, even if an operator withholds data, we want users to be able to withdraw their funds from the Plasma chain. MVP handled this in the following way: if Plasma transaction data was withheld, each user needed to individually exit their own money based on the Plasma chain’s last valid state. (Note: to avoid a malicious operator frontrunning honest users, exits are prioritized in order of how long ago they last transacted.)</p>
<p><img src="https://miro.medium.com/max/700/0*Vioh2FqkxrNU1gAj" alt="" />
<em>Growth of Ethereum storage. Credit: <a href="https://raw.githubusercontent.com/ledgerwatch/eth_state/master/State_rent.pdf">Alexey Akhunov</a></em></p>
<p>In the worst case, if all users needed to exit a Plasma chain, the entire valid state of the chain would have to be posted on the Ethereum mainnet within a single challenge period. Given that Plasma chains can grow arbitrarily large, and that Ethereum blocks are already near capacity, it would be almost impossible to dump an entire Plasma chain onto the Ethereum mainnet. Thus, any stampede for the exits would almost certainly congest Ethereum itself. This is known as the mass exit problem.</p>
<p>As prices began collapsing in 2018, Ethereum followers started to realize that Plasma MVP wouldn’t be the silver bullet scaling solution they’d hoped for. There was simply no way to overcome its weaknesses. Plasma MVP was a dead end. All the while, Ethereum continued to struggle under its transaction load, and Ethereum 2.0 was still many years away.</p>
<h2 id="the-next-generation-of-plasma">The next generation of Plasma</h2>
<p>In mid-2018, as prices continued to crash, Ethereum’s research community continued their attempts to improve on Plasma, iterating on the Plasma MVP design. The new version they came up with was termed <a href="https://ethresear.ch/t/plasma-cash-plasma-with-much-less-per-user-data-checking/1298">Plasma Cash</a>.</p>
<p>According to Vitalik, who was one of its main designers, Plasma Cash would allow for arbitrarily high transactions per second and solve the problems that plagued its predecessor. Some even claimed that this new design would achieve hundreds of thousands of transactions per second.</p>
<p><img src="https://miro.medium.com/max/670/1*ZsQGreDRZs3hZBNJxoMLIw.png" alt="" /></p>
<p>First, let’s remember the issues with Plasma MVP.</p>
<ol>
<li>In the case of operator misbehavior, there was a mass-exit problem</li>
<li>Users had to wait an entire challenge period before withdrawing</li>
<li>Users had to monitor all transactions on the Plasma chain</li>
</ol>
<p>Plasma Cash held one primary advantage over MVP: by using a different data model, Plasma Cash could avoid the mass exit problem entirely. In Plasma Cash, all coins are represented as non-fungible tokens (NFTs), which makes it much easier to prove ownership of a set of coins. Simply put, users are responsible for proving ownership over their own coins and no one else’s. As a result, users only need to monitor their own coins and not the entire Plasma chain.</p>
<p>Plasma Cash also presented a new interactive challenge system that allowed users to easily withdraw funds in the case of operator misbehavior. Utilizing a new Merkle tree construction, known as a Sparse Merkle Tree, users could easily authenticate a coin’s history and ownership using inclusion proofs. In the case of operator misbehavior, a user would only need to post on-chain proof that they currently owned the coin (consisting of the 2 most recent transactions and their corresponding inclusion proofs).</p>
<p>However, Plasma Cash introduced a whole new set of problems.</p>
<p>Primarily, malicious users or past owners of a coin could issue faulty withdrawal attempts. Because users were required to prove ownership of their own coins, it was up to these users to actually catch and challenge fraudulent withdrawals of their money. As a result, Plasma Cash, like Plasma MVP, required users to remain online at least once every two weeks to catch faulty withdrawals during their challenge periods.</p>
<p>Additionally, to prove ownership of a coin, users would have to maintain that coin’s entire history and corresponding inclusion/exclusion proofs, leading to ever increasing storage requirements.</p>
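<p>The inclusion and exclusion proofs described above, as an added sketch that is not taken from the Plasma Cash specification or any client: each block is a sparse Merkle tree indexed by coin ID, and a coin's history is accepted only if every block supplies either a spend by the current owner or a proof that the coin's leaf is empty. The 16-bit depth, the <code>coin|sender|recipient</code> encoding, the function names and the omission of signatures are assumptions made for illustration.</p>

```python
import hashlib

DEPTH = 16  # constructed: 2**16 coin slots (an assumption; real designs use wider coin IDs)

def leaf_hash(tx: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so an inner node cannot pass as a leaf.
    return hashlib.sha256(b"\x00" + tx).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

EMPTY_LEAF = leaf_hash(b"")  # meaning: "this coin was not spent in this block"
DEFAULTS = [EMPTY_LEAF]      # DEFAULTS[h] = root of an all-empty subtree of height h
for _ in range(DEPTH):
    DEFAULTS.append(node_hash(DEFAULTS[-1], DEFAULTS[-1]))

class SparseMerkleTree:
    """One Plasma block: leaf i holds the transaction spending coin i, if any."""
    def __init__(self, txs):
        self.levels = [{coin: leaf_hash(tx) for coin, tx in txs.items()}]
        for height in range(DEPTH):
            prev, nxt = self.levels[-1], {}
            for parent in {i >> 1 for i in prev}:
                nxt[parent] = node_hash(prev.get(2 * parent, DEFAULTS[height]),
                                        prev.get(2 * parent + 1, DEFAULTS[height]))
            self.levels.append(nxt)
        self.root = self.levels[DEPTH].get(0, DEFAULTS[DEPTH])

    def prove(self, coin):
        """Sibling hashes from leaf to root; works for occupied and empty leaves."""
        proof, idx = [], coin
        for height in range(DEPTH):
            proof.append(self.levels[height].get(idx ^ 1, DEFAULTS[height]))
            idx >>= 1
        return proof

def verify(root, coin, leaf, proof):
    """Check that `leaf` sits at position `coin` under `root`."""
    if len(proof) != DEPTH or not 0 <= coin < 2 ** DEPTH:
        return False
    node, idx = leaf, coin
    for sibling in proof:
        node = node_hash(node, sibling) if idx % 2 == 0 else node_hash(sibling, node)
        idx >>= 1
    return node == root

def encode_tx(coin, sender, recipient):
    # Hypothetical encoding; a real transaction also carries the sender's signature.
    return f"{coin}|{sender}|{recipient}".encode()

def current_owner(roots, coin, depositor, history):
    """history[i] = (recipient or None, proof) for block i.
    Returns the owner after the last block, or None if any block fails to verify."""
    if len(history) != len(roots):
        return None  # a missing block could hide a spend
    owner = depositor
    for root, (recipient, proof) in zip(roots, history):
        # The expected leaf is a spend *by the current owner*, or the empty leaf.
        leaf = EMPTY_LEAF if recipient is None else leaf_hash(encode_tx(coin, owner, recipient))
        if not verify(root, coin, leaf, proof):
            return None
        owner = recipient or owner
    return owner

def demo():
    # Constructed sample chain: coin 7 goes alice -> bob (block 0) -> frank (block 2).
    blocks = [
        SparseMerkleTree({7: encode_tx(7, "alice", "bob"), 9: encode_tx(9, "carol", "dave")}),
        SparseMerkleTree({9: encode_tx(9, "dave", "erin")}),
        SparseMerkleTree({7: encode_tx(7, "bob", "frank")}),
    ]
    roots = [b.root for b in blocks]
    proofs = [b.prove(7) for b in blocks]
    honest = [("bob", proofs[0]), (None, proofs[1]), ("frank", proofs[2])]
    # A past owner (bob) claiming block 2 did not touch the coin: exclusion proof must fail.
    stale = [("bob", proofs[0]), (None, proofs[1]), (None, proofs[2])]
    return current_owner(roots, 7, "alice", honest), current_owner(roots, 7, "alice", stale)

if __name__ == "__main__":
    print(demo())
```

<p>The history grows by one proof per block whether or not the coin moved, which is the storage cost the paragraph above refers to.</p>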
<p>By late 2018, the price of Ether had hit rock bottom, and the utopian crypto optimism had evaporated. Plasma Cash, while an improvement over MVP, was not the Visa-scale solution Ethereum was promised, and its MapReduce “tree of blockchains” was now little more than a pipe dream. Most companies developing clients for Plasma Cash halted work, and their implementations were archived in a <a href="https://github.com/omisego/plasma-cash">half-finished state.</a></p>
<p>The Ethereum community was in limbo. While <a href="https://ethresear.ch/t/plasma-world-map-the-hitchhiker-s-guide-to-the-plasma/4333/21">new Plasma constructions</a> continued to emerge and marginally improved on their predecessors, the Ethereum community failed to rally behind any of them.</p>
<p>It seemed that Plasma was dead.</p>
<h2 id="enter-rollups">Enter Rollups</h2>
<p>Just as confidence in layer-2 hit bottom, a GitHub repo named <a href="https://github.com/barryWhiteHat/roll_up">roll_up</a> was made public by a pseudonymous user known as Barry Whitehat. This repo described a new type of layer-2 scaling solution: a Plasma-like construction with “bundled” up transactions, where instead of relying on operator trust, the correctness of the bundle could be attested to using an on-chain proof — a SNARK.</p>
<p>This SNARK ensures it is impossible for an operator to post malicious or invalid transactions, and guarantees that all sidechain blocks are valid.</p>
<p>Soon after, Vitalik released an <a href="https://ethresear.ch/t/on-chain-scaling-to-potentially-500-tx-sec-through-mass-tx-validation/3477">improved version</a> of Barry’s proposal he termed zk-Rollup. zk-Rollup became one of the highest ever viewed posts on Ethereum’s research forums. Vitalik’s proposal introduced a solution to prevent the data availability issues that plagued Plasma: posting side-chain transaction data on the Ethereum blockchain.</p>
<p>Publishing transaction data as function arguments meant it could be verified at the time of publication and then thrown away (so that it did not bloat Ethereum’s storage). zk-Rollup could avoid Plasma’s exit games and challenge periods entirely without trading off affordability or security. With zk-Rollup, one could use novel cryptography to solve all of Plasma’s layer-2 scaling dilemmas in one fell swoop.</p>
<p><img src="https://miro.medium.com/max/960/0*PHbHLyMPdNXwiwpX" alt="" /></p>
<p><img src="https://miro.medium.com/max/721/0*jwqlaAzuHVdFNDti" alt="" />
<em>Vitalik’s <a href="https://ethresear.ch/t/on-chain-scaling-to-potentially-500-tx-sec-through-mass-tx-validation/3477">zk-Rollup post</a></em></p>
<p>But zk-Rollup came with its own set of tradeoffs. Namely, validity proofs are computationally expensive to generate (details <a href="https://medium.com/starkware/validity-proofs-vs-fraud-proofs-strike-back-4d0bf90eed15">here</a>). These zk-SNARKs are produced every block and can take upwards of 10 minutes to generate while costing up to 350,000 gas per verification (post-Istanbul). For reference, that’s about 3.5% of an entire block (it was 8% pre-Istanbul).</p>
<p>Additionally, it is currently not possible to deploy general smart contracts on zk-Rollup sidechains. Proposals are under development for specialized zero-knowledge VMs that would enable this, such as <a href="https://github.com/stellar/slingshot/tree/main/zkvm">zkVM</a> and <a href="https://github.com/scipr-lab/zexe">ZEXE</a>, but they still require lots of specialized knowledge to interact with them. For the most part, zk-Rollups limit general programmability.</p>
<p><img src="https://miro.medium.com/max/527/1*vZT8ezybGijoLGVdPa-75w.png" alt="" />
<em>zk-Rollup visualization. Credit: <a href="https://www.gakonst.com/sidechains2019.pdf">Georgios Konstantopoulos</a></em></p>
<p>By mid-2019, these new developments had re-energized the Ethereum research community. zk-Rollup seemed to solve many of the problems that had plagued the layer-2 narrative. Companies such as <a href="https://matter-labs.io/">Matter Labs</a> (one of our portfolio companies) and <a href="https://loopring.org/#/">LoopRing</a> began actively developing zk-Rollups, and both have testnet implementations live today. With optimizations, Matter Labs believes that it can achieve upwards of 2,000 TPS on its <a href="https://github.com/matter-labs/zksync">ZK Sync</a> network.</p>
<p>Additionally, Starkware (also a portfolio company) is building a variation on zk-Rollup they call <a href="https://medium.com/starkware/starkexchange-8045695b798">StarkExchange</a>. StarkExchange uses a STARK to prove the validity of sidechain transactions, but delegates the problem of data hosting off-chain (if the sidechain ever halts, exits are guaranteed through on-chain checkpointing). They are implementing a DEX in partnership with <a href="https://deversifi.com/">DeversiFi</a> with this design and will be launching on mainnet in the near future.</p>
<h2 id="a-dose-of-optimism">A dose of optimism</h2>
<p>But not everyone was pinning their hopes on zk-Rollups. One year after the release of the first zk-Rollup spec, John Adler and Mikerah introduced a design they called <a href="https://ethresear.ch/t/minimal-viable-merged-consensus/5617">Merged Consensus</a>. Merged Consensus enables off-chain consensus systems that are entirely verifiable on Ethereum without any fancy zero-knowledge cryptography. After its release, the Plasma Group released an extended version of the Merged Consensus design with the now well-known title: Optimistic Rollup.</p>
<p>While zk-Rollup relies on zk-SNARKs to verify and finalize every block, Optimistic Rollups take a different approach: what if you just assumed every single block was valid?</p>
<p>This works great in the happy path when everyone is playing nice, but we know operators can misbehave. So how does an Optimistic Rollup handle operator misbehavior?</p>
<p>The “optimistic” answer is to use fraud proofs. A fraud proof is a computational proof that an operator performed an invalid action. If the operator posts an invalid state transition, anyone can submit a proof that the transition was invalid and revert those transactions (for a period of ~1 week). Since these proofs are non-interactive, they can be sent by anyone: they don’t require users to monitor their own coins for security.</p>
<p>Unlike zk-Rollups, however, Optimistic Rollups require 3–5x more transaction data to be posted on-chain (check out <a href="https://medium.com/starkware/validity-proofs-vs-fraud-proofs-strike-back-4d0bf90eed15">this post</a> by StarkWare for details). This data primarily includes witnesses such as signature data (which are not required by zk-Rollups, since they verify those in zero knowledge). In the best case, optimistic rollup transactions will never need to be verified except in the case of fraud-proof submissions. On-chain witness verification and posting is expensive, however, and developers have explored <a href="https://ethresear.ch/t/introducing-bls-rollup/6463">aggregate signature mechanisms</a> that allow for inexpensive large-scale verification and reduced transaction data requirements. This optimization can increase the theoretical TPS of Optimistic Rollups from their current numbers of ~450 TPS all the way to potentially ~2,000 TPS.</p>
<p>Optimistic Rollups offer a very different set of tradeoffs from zk-Rollups. They are less expensive (assuming that fraud challenges are rare), but they trade off by being less safe — in other words, it’s always possible that transactions can be incorrectly applied and later reverted. This safety window can be as long as an entire week. As a result, users cannot be allowed to exit the chain for that safety window (otherwise, they could run off with someone else’s funds).</p>
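<p>The fraud-proof flow and safety window described above, as an added toy model that is not code from any rollup project: the L1 contract accepts batches without executing them, and within the window anyone holding the committed pre-state can force re-execution and revert a batch whose claimed root is wrong. Hashing the full balance map as the state root, the transfer-only transaction format and all names are simplifying assumptions.</p>

```python
import hashlib
import json

CHALLENGE_WINDOW = 7 * 24 * 3600  # the ~1 week window from the text, in seconds

def state_root(balances):
    """Commitment to the rollup state (assumption: a real rollup uses a Merkle root)."""
    return hashlib.sha256(json.dumps(balances, sort_keys=True).encode()).hexdigest()

def execute(balances, txs):
    """Apply (sender, recipient, amount) transfers in order; ValueError if any is invalid."""
    state = dict(balances)
    for sender, recipient, amount in txs:
        if amount <= 0 or state.get(sender, 0) < amount:
            raise ValueError("invalid transfer")
        state[sender] -= amount
        state[recipient] = state.get(recipient, 0) + amount
    return state

class RollupContract:
    """Toy L1 contract: stores batch data and claimed roots, never the state itself."""
    def __init__(self, genesis):
        self.genesis_root = state_root(genesis)
        self.batches = []

    def post_batch(self, txs, claimed_root, now):
        # Optimistic: the operator's claimed root is accepted without execution.
        self.batches.append({"txs": list(txs), "root": claimed_root, "posted_at": now})
        return len(self.batches) - 1

    def is_final(self, index, now):
        # Exits should only be honoured against batches past their challenge window.
        return (0 <= index < len(self.batches)
                and now > self.batches[index]["posted_at"] + CHALLENGE_WINDOW)

    def challenge(self, index, pre_state, now):
        """Fraud proof: True (and the batch plus its successors reverted) if invalid."""
        if not 0 <= index < len(self.batches) or self.is_final(index, now):
            return False
        committed = self.batches[index - 1]["root"] if index else self.genesis_root
        if state_root(pre_state) != committed:
            return False  # the supplied witness is not the committed pre-state
        try:
            honest_root = state_root(execute(pre_state, self.batches[index]["txs"]))
        except ValueError:
            honest_root = None  # the batch itself contains an invalid transfer
        if honest_root == self.batches[index]["root"]:
            return False  # transition was valid; challenge rejected
        del self.batches[index:]  # revert the bad batch and everything built on it
        return True

def demo():
    genesis = {"alice": 100, "bob": 50}  # constructed sample state
    l1 = RollupContract(genesis)
    txs0 = [("alice", "bob", 30)]
    state0 = execute(genesis, txs0)
    l1.post_batch(txs0, state_root(state0), now=0)
    # Fraudulent batch: the posted transfer is valid, but the claimed root
    # also credits mallory with 1000 that no transaction produced.
    txs1 = [("bob", "mallory", 10)]
    forged = dict(execute(state0, txs1), mallory=1000)
    l1.post_batch(txs1, state_root(forged), now=600)
    return {
        "spurious": l1.challenge(0, genesis, now=3600),
        "fraud": l1.challenge(1, state0, now=3600),
        "batches_left": len(l1.batches),
        "final_early": l1.is_final(0, now=3600),
        "final_late": l1.is_final(0, now=CHALLENGE_WINDOW + 1),
    }

if __name__ == "__main__":
    print(demo())
```

<p>The challenger can rebuild the pre-state only because the batch transactions are posted on-chain, so the data-availability property is what makes the fraud proof possible.</p>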
<p>However, it’s possible to ameliorate these withdrawal issues by introducing a secondary market. A user could sell their exit rights to a third party liquidity provider in exchange for a small fee. (The liquidity provider would get paid for taking on the week-long illiquidity of the exit). This would allow for immediate exits from the rollup chain.</p>
<p>While zk-Rollups would require programmers to understand complex constraint systems and advanced cryptography, Optimistic Rollups allow for general smart contract deployment (e.g. Solidity) and execution. This means that smart contract-based protocols such as Uniswap can be built on top of Optimistic Rollup sidechains.</p>
<p>The rollup family of solutions provide similar approaches to solving Plasma’s data availability issues and exit complexity, but all have the potential to far extend Plasma’s constructions. <a href="https://idex.market/eth/idex">IDEX</a>, for example, has built and deployed their own version of Optimistic Rollups and run a DEX on this construction. Similarly, <a href="https://medium.com/@fuellabs/announcing-the-fuel-v0-open-beta-565a2d340fc3">Fuel Labs</a> has built a version of Optimistic Rollups that allows for UTXO style payments and ERC-20 token swaps. Plasma Group (now Optimism) recently announced their pivot to focus on Optimistic Rollups, and are aiming to offer general smart-contract capabilities on their platform (via their <a href="https://medium.com/plasma-group/introducing-the-ovm-db253287af50">OVM</a> construction).</p>
<h2 id="everything-that-rises-must-converge">Everything that rises must converge</h2>
<p>Plasma was ultimately much more than just a protocol. In a time of irrational exuberance, Plasma was the story that Ethereum needed to believe in. But its claims of boundless scalability turned out to be, with the benefit of hindsight, technological hubris. Only in moving past Plasma have we been able to deeply appreciate the tradeoffs inherent in layer-2 scaling.</p>
<p>As Ether prices have rebounded over the last year, so has optimism about Ethereum’s future. After nearly 3 years of searching for a secure, extensible, and robust scalability solution, the Ethereum research community has finally converged around rollups. Plasma and its cousins were noble first attempts, but a select group of innovators eventually created more realistic layer-2 designs that seem to have solved Plasma’s worst problems.</p>
<p><img src="https://miro.medium.com/max/1182/0*WF692AxocXAhh7m4" alt="" /></p>
<p>Some Plasma-focused research groups, such as the Plasma Group, have <a href="https://twitter.com/plasma_group/status/1215410533052055553">moved on</a> to work on Optimistic Rollup solutions, but we believe the search for the final layer-2 scaling solution is just getting started. There are many contenders, and we expect the field to remain an active and exciting area of research and development.</p>
<hr />
<p>Thanks to <a href="https://medium.com/@tomhschmidt">Tom Schmidt</a>, <a href="https://medium.com/@gakonst">Georgios Konstantopoulos</a>, and <a href="https://medium.com/@ivanbogatyy">Ivan Bogatyy</a> for reviewing drafts of this post. For more of our writing, follow us on Twitter at <a href="https://twitter.com/ashwinrz">@ashwinrz</a> and <a href="https://twitter.com/hosseeb">@hosseeb</a>.</p>
<hr />
<h1>Launching the Introduction to Cryptocurrency</h1>
<p>2020-01-10T00:00:00+00:00 | <a href="https://haseebq.com/introduction-to-cryptocurrency">https://haseebq.com/introduction-to-cryptocurrency</a></p>
<p>Today I’m launching <a href="https://nakamoto.com/introduction-to-cryptocurrency/">Introduction to Cryptocurrency</a>, an online course teaching the basics of programming cryptocurrencies. The first two modules are already released, and the remainder of the course will be coming out over the next few months.</p>
<p><img src="https://i.imgur.com/1D0ffzm.png" alt="Introduction to Cryptocurrency" /></p>
<p>Introduction to Cryptocurrency is a multidisciplinary exploration of cryptocurrencies from the ground up, spanning computer science, history, cryptography, and economics.</p>
<p>The course has nine modules in total:</p>
<ol>
<li><a href="https://nakamoto.com/a-brief-history-of-money/">History: money, the cypherpunks, and Satoshi Nakamoto</a></li>
<li><a href="https://nakamoto.com/hash-functions/">Cryptography 101: hashing, Merkle trees, and public-key crypto</a></li>
<li>Decentralization, P2P networking, and gossip protocols (not yet released)</li>
<li>Consensus, Byzantine fault-tolerance, and blockchains (not yet released)</li>
<li>Game theory and cryptoeconomics (not yet released)</li>
<li>Ethereum and decentralized computation (not yet released)</li>
<li>Smart contract development 101 (not yet released)</li>
<li>Smart contract security (not yet released)</li>
<li>Approaches to scaling cryptocurrencies (not yet released)</li>
</ol>
<p>I decided to make this Introduction to Cryptocurrency completely free, and I want to explain why.</p>
<p>When I first got into crypto, I had no idea where to start. There were no good educational resources—most textbooks and documentation were out of date, those that existed were poorly explained, and no one had laid out a clear path to learning this stuff. All of the important ideas were strewn across blog posts, articles, and Twitter conversations.</p>
<p>Eventually, I was able to get myself up to speed. But even today, there still are no good resources I’d confidently point a beginner towards. In my frustration, I decided a while back to write a <a href="https://medium.com/free-code-camp/the-authoritative-guide-to-blockchain-development-855ab65b58bc">short guide to blockchain development</a>. To my chagrin, that post blew up and became the entrance point for many developers into the blockchain space. And it wasn’t even that good! It made me realize how hungry people are for a clear curriculum for understanding crypto.</p>
<p>I’m a teacher at heart. So I decided to make the course I would’ve wanted to take when I first started.</p>
<p>If you are in the same place I was, then this course is for you. There is so much innovation left to wring out of blockchains, and it’s the next generation of developers who’ll have to pick up that mantle. I’m hoping that’s you.</p>
<p>The course is primarily designed for programmers. But even if you’re not a programmer, you should get some value out of it. I encourage you to check it out—at worst, you’ll come away with a deeper appreciation for what makes cryptocurrencies so captivating and disruptive.</p>
<hr />
<h1>Another decade</h1>
<p>2020-01-06T00:00:00+00:00 | <a href="https://haseebq.com/another-decade">https://haseebq.com/another-decade</a></p>
<p>I recently turned 30. When the decade began in 2010, I was still 20, a professional poker player, a college dropout, and deeply unhappy. What did I believe I’d be doing a decade later? I don’t think I knew, only that I definitely wouldn’t be playing poker anymore. I’d be doing something much more valuable to the world, I thought. But I had no idea what it might be.</p>
<p>I now manage a cryptocurrency venture capital fund. I can imagine in 2010, I’d be very confused reading that about my future self.</p>
<p>The skills demanded of me have changed a lot along the way, from poker player, to mental coach, to programmer, to entrepreneur, to now investor. It has also meant that since I first came to Silicon Valley (almost 6 years ago), the skills I’m actively cultivating are very different.</p>
<p>One thing that hasn’t changed is that I’m constantly learning new things. The areas that I’m learning about these days are:</p>
<ul>
<li>Cryptocurrency-related stuff (computer science, cryptography, etc.)</li>
<li>Economic theory</li>
<li>Finance, banking, and financial regulation</li>
<li>History, with a focus on modern Chinese history</li>
<li>Venture capital broadly, along with other forms of investing</li>
</ul>
<p>And I’m actively working to improve different skills:</p>
<ul>
<li>Building up my network (especially of potential LPs, coinvestors, and entrepreneurs)</li>
<li>Actively maintaining relationships</li>
<li>Writing, speaking, negotiating</li>
<li>Conversational Mandarin (slow going process!)</li>
</ul>
<p>And then of course, getting better at investing itself. But that’s hard—it’s difficult to pinpoint what improving at investing even looks like on a day-to-day basis. But that’s what makes it so fun and intellectually demanding.</p>
<p>Looking back over the last decade, I don’t think I have too much to complain about. It was a wild ten years, full of changes and reorientations. If I had to guess, I’d expect the next decade to be slower, full of harder work, but less anxiety and turmoil. I’ve been through a couple careers already, and something tells me this won’t be the last. But probably the only one for this decade, assuming quantum computers don’t annihilate the crypto industry before then. (Kidding. Mostly.)</p>
<h2 id="how-my-beliefs-have-changed">How my beliefs have changed</h2>
<p>Over this last decade, I’ve felt my politics and worldview shifting underneath me. I thought this was worth examining.</p>
<p>When I first came to Silicon Valley, my politics was pretty left of center, but overall I was not particularly opinionated about politics. I felt very little personal connection to it in my life.</p>
<p>Since I’ve moved out here, I’ve noticed myself become more libertarian, more in favor of free markets, and much more technocratic in my worldview (basically that direct democratic institutions are fraught with issues that must be mitigated by scientific, well-designed policies). I have lower confidence in the efficacy of most government interventions, and I notice more often when they fail at their policy objectives. I am increasingly suspect of politically motivated rhetoric. I also basically believe that incentives explain almost everything in politics, and that it’s disqualifyingly naive to believe otherwise. Trump’s absurd parade of presidential realpolitik has served as a stark confirmation of this.</p>
<p>It’s hard to know how much of my changed beliefs is due to my environment and incentives. I believe a lot of these changes are due to becoming much more informed about economics, history, and game theory—but of course I’d believe that.</p>
<p>I’ve been thrust into a higher social echelon in the last few years (not myself personally, but the company I keep). I’ve noticed myself become more sympathetic to industrious wealth, which I distinguish from rent-seeking wealth or dynastic wealth. And still, I give away 33% of my pretax income, and it wasn’t that long ago that I was living off very little. I still have a fundamental affinity for the poor, and I’m deeply attracted to minimalism, frugality, and living in service to others.</p>
<p>At the same time, I’ve learned to ruthlessly trade off money for time whenever I can. I believe this has been essential to me maintaining a high degree of productivity, especially when living in a big city.</p>
<p>What else has changed? Ah, probably this too: my relationship with the Internet has changed.</p>
<p>I grew up on the Internet. As a nerdy kid growing up in Texas, it was my home away from home, my community and my intellectual sanctuary. I wanted the Internet to validate me, to assure me that I was smart and worthy. (Of course, by today the “Internet” just means the wider world.)</p>
<p>At some point in the last decade, that changed. I no longer want or need that. And as such, I’ve mostly distanced myself from networks like Twitter, Reddit, and Facebook. I still write and produce content of course. I want to help people, and the most scalable way to do that is through the Internet. I still love teaching, and I’ll always be a teacher at heart. But I don’t really care about winning any Internet status games. At this point, my principal motivation is lifting up those who are behind me.</p>
<p>But most of my values, I think, haven’t changed in the last ten years. I still believe in self-sufficiency. I still believe in shortcuts, though only when those shortcuts are harder than the straight path. I still believe in taking intelligent risks. I still believe in optimizing for the upside. I still believe the well-lived life is one full of challenge and responsibility.</p>
<p>Let’s see what this decade has to offer. Finally, as always, I’ll discuss my year-end donations.</p>
<h2 id="my-donations-for-2019">My donations for 2019</h2>
<p>I wasn’t working for a significant chunk of the year since I left Metastable and joined Dragonfly Capital. So while I’m still donating 33% of my pre-tax income, my donations are actually smaller than they were last year. Next year hopefully will see an uptick.</p>
<p>This year I’ve donated entirely through <a href="https://app.effectivealtruism.org/funds">EA Funds</a>. I’d strongly advocate for anyone else in a similar situation to do the same. EA Funds are small 501(c)(3) charities managed by top (EA-aligned) analysts and researchers who are tasked with finding the most compelling underserved opportunities within a particular cause area.</p>
<p>Now that I’m a fund manager myself, the specialization really resonates. My time has become so scarce, it’s silly to believe that I could do a better job allocating capital than experts who are working on this full-time. Seeing the enormous delta between an expert and an amateur in my own field, I’d expect it to be no different in philanthropy.</p>
<p><img src="https://i.imgur.com/22ptAmE.png" alt="Effective altruism funds" /></p>
<p>This year I’ve split my donations into three buckets:</p>
<ul>
<li>50% into the <a href="https://app.effectivealtruism.org/funds/global-development">Global Health and Development Fund</a>, which aims to improve the health and economic empowerment of people around the world as effectively as possible.</li>
<li>25% into the <a href="https://app.effectivealtruism.org/funds/ea-community">Effective Altruism Meta Fund</a>, which aims to empower the effective altruism movement and support the spread and application of more effective giving.</li>
<li>25% into the <a href="https://app.effectivealtruism.org/funds/far-future">Long-Term Future Fund</a>, which aims to address global catastrophic risks and ensure the flourishing of generations in the far future.</li>
</ul>
<p>Since last year, my donations to the far future have decreased. This is for three reasons: first, I’ve lowered my confidence in AI risk interventions (so far, AI risk organizations haven’t put out <em>that</em> promising of work), second, most AI risk organizations are no longer funding constrained, and third, I’ve become marginally less convinced that runaway superintelligence is all that likely (due in part to David Chalmers’s <a href="https://www.nyu.edu/gsas/dept/philo/faculty/block/M&L2010/Papers/Chalmers.pdf">paper on the subject</a>).</p>
<p>I want to always be giving to global health and development for the obvious reason that visible, low-risk, high-impact giving is an extremely powerful thing to amplify.</p>
<h2 id="in-2020">In 2020</h2>
<p>I’m working more and traveling more than I’ve ever done in my life. It’s been challenging, but immensely motivating. Actually, I’ve always wondered whether I could handle work of this intensity. Having done it for several months now, I can safely say: yes, yes I can. It’s kind of a relief to know that.</p>
<p>I’ve got a big project in the works that is going to be launching soon after the publication of this blog post. My guess is that between that, other projects, and the demands of managing a fund, most of my time this year will be accounted for. But my goal is to keep being prolific, keep helping others, and inspire people along the way.</p>
<p>Here’s to another decade. (Also, crypto, if you could keep going up in this one, that’d be great.)</p>Haseeb QureshiI recently turned 30. When the decade began in 2010, I was still 20, a professional poker player, a college dropout, and deeply unhappy. What did I believe I’d be doing a decade later? I don’t think I knew, only that I definitely wouldn’t be playing poker anymore. I’d be doing something much more valuable to the world, I thought. But I had no idea what it might be.How DeFi cannibalizes PoS security2019-12-02T00:00:00+00:002019-12-02T00:00:00+00:00https://haseebq.com/how-defi-cannibalizes-pos-security<p>On-chain lending has become the most popular decentralized finance (DeFi) application today, with <a href="https://loanscan.io/loans?interval=1y">over $600M in loans originated this year</a> across MakerDAO, Compound, and dYdX. On-chain lending has the potential to disrupt traditional secured lending. But it seems it may do more than that: it might also disrupt proof of stake consensus.</p>
<p>Proof of Stake (PoS) is an alternative to Proof of Work in which a blockchain is protected by staked cryptoassets instead of by hash power. Many of the major networks launched in the last year have been PoS networks (Tezos, Algorand, Cosmos, etc.), and many more are due to arrive in the next year.</p>
<p>A PoS system is secure when there are lots of coins actively staked for the network. In most PoS algorithms, so long as 2/3rds of all the staked assets are owned by honest actors, the blockchain will be secure.</p>
<p>Now imagine you are an attacker trying to break a PoS system. How would you go about it?</p>
<p>At a high level, there are two avenues of attack: you could accumulate 1/3rd of all of the outstanding stake, but that’s hard and expensive. The second approach is that you could convince the current set of stakers to stop staking and then take over the much cheaper network.</p>
<p>The second approach sounds attractive in principle, but how could you get the current set of stakers to stop staking? Here’s a simple way: offer them more attractive yield elsewhere.</p>
<p>PoS only works if stakers are incentivized to stake, and they’re only incentivized to stake if the rewards are big enough. But if they can get better returns elsewhere, then you should expect a rational staker to unstake their assets and put them wherever they earn a higher return. If this siphons demand away from the staking, the network becomes less secure.</p>
<p>In a very literal sense, on-chain lending markets directly compete with staking — meaning they directly compete with the protocol being secure!</p>
<p>You probably get the intuition that there’s an important interaction here we need to understand. But how exactly does one analyze something like this?</p>
<h2 id="simulating-staking-games">Simulating staking games</h2>
<p>The best way to model a complex economic system like Ethereum DeFi is through a technique known as agent-based simulation. In agent-based simulations, you model a large number of agents with different strategies and risk profiles and then let them loose on each other. By watching how the emergent system evolves (and replaying the experiment thousands of times with different parameters), you can get statistical confidence in how the network behaves under different scenarios.</p>
<p>Tarun Chitra from Gauntlet did precisely this in his <a href="https://docsend.com/view/697feid">most recent paper</a>, <em>Competitive equilibria between staking and on-chain lending</em>, where he analyzes how on-chain lending interacts with PoS staking, assuming <a href="https://en.wikipedia.org/wiki/Modern_portfolio_theory">economically rational</a> stakers. (Economically rational meaning: each agent has a portfolio of assets that are either lent, staked, held, or traded, and each agent has a slightly different risk profile. They rebalance the assets in their portfolio to maximize their risk-adjusted returns.)</p>
<p><img src="https://miro.medium.com/max/1600/0*PK0urC0y1Vp0lQZw" alt="" /></p>
<p>Staked supply of ETH vs lent supply of ETH over time</p>
<p>The above figure is a single simulation of how the ETH in Compound (orange line) and the ETH staked (blue line) change over time assuming Bitcoin-esque deflationary block rewards.</p>
<p>Here’s basically what the figure says: initially, most ETH holders were staking their ETH. But over time, the block reward fell and the return for staking ETH no longer looked attractive versus lending on Compound, so almost everyone rebalanced their ETH over into Compound. (You can ignore the original flip between lending and staking, this is due to random initialization.)</p>
<p>Tarun makes several theoretical closed-form predictions that are verified by simulations. But the most important point is this: PoS chains cannot safely use deflationary monetary policy. If a PoS block reward is decreasing over time, then its long-run equilibrium will be for almost all assets to be lent, not staked.</p>
<p>But let’s take it a step further. What could an attacker do, knowing this?</p>
<p>If the attacker subsidizes an on-chain lending market and pays a better long-term rate, that will drive stakers away from staking toward lending. Then, once on-chain staking is drained, they could go in and dominate the barren staking market.</p>
<p>In Compound, of course, the way you drive up borrow rates is by simply borrowing out of the asset pool. The risk model then automatically adjusts the interest rate upward. As the attacker keeps borrowing, the rates for lending increase, more and more stakers transition into lending, and slowly the security of PoS gets drained. This may lead to a snowball effect: as onlookers see the total stake shrinking, they now want to go short ETH, further increasing the borrow demand on Compound. You can imagine the staking network is like a sweater, and the attacker is pulling on a single thread: the interest rate. As the attacker pulls, the sweater responds to the pressure, the thread gets longer and longer, until soon enough, the attacker has unspooled the whole thing.</p>
<p><img src="https://miro.medium.com/max/800/1*NF2GfKqV8PrMtEu8ExX6TQ.png" alt="" /></p>
<p>Of course, the attacker needs to borrow assets in Compound to do this, meaning they must put up collateral to borrow. But if they collateralize with USDC or tokenized Bitcoin, then the attacker can have no price exposure to ETH while attacking the network. The analogue of this attack in a PoW chain would require taking a large short position off-chain. But in PoS, an attacker can perform this attack while hedging out all of their price risk, all without anyone’s permission, all on-chain.</p>
<p>This is a surprising result! It seems like DeFi and consensus are completely orthogonal, but competitive lending markets actually have major consequences for the security of PoS.</p>
<h2 id="ok-so-what-does-this-mean-for-pos">OK, so what does this mean for PoS?</h2>
<p>First off, let’s take a moment to reflect: holy crap, Turing-complete blockchains are complicated! Adding smart contracts to a blockchain seems like it should be a purely application-layer decision. But smart contracts enable complex markets like Compound, which interact in non-obvious ways with the underlying security of the chain (see PoW <a href="https://pdfs.semanticscholar.org/9908/cb202fd0fcdce903bf164ede26e59a3027f1.pdf">time bandit</a> or <a href="https://medium.com/arwensecure/moving-arwens-ethereum-smart-contract-to-create2-4451e685f7a1">forking</a> attacks for similar examples). We often talk about <a href="https://www.binance.vision/glossary/layer-2">“layer 1” or “layer 2”</a>, but unlike with the OSI model for traditional computing, blockchains are full of leaky abstractions.</p>
<p>It also reminds us: we can’t keep pretending that blockchains are closed systems whose only incentives are internal to the protocol. Blockchains are too complex and interconnected to analyze in a vacuum. In this regard, the real-world security of PoS is still poorly understood.</p>
<p>So long as a PoS network is in an open ecosystem, any on-chain lending market can cannibalize its security by offering higher yields. In fact, even if the system does not directly support smart contracts (like Cosmos ATOMs), if the staking asset can be tokenized and transferred cross-chain, a tokenized lending market on another chain could have the same effect!</p>
<p>Is it silly to worry about this?</p>
<p>We talked about what an active attack might look like, and maybe the capital costs seem too high to you. But this could happen even without anyone acting nefariously! It could simply be VC-funded projects subsidizing their own interest rates, trying to outcompete each other, inadvertently driving down network security. The net result would be the same: a dangerously insecure consensus layer.</p>
<h2 id="how-can-pos-systems-defend-against-this">How can PoS systems defend against this?</h2>
<p>At a high level, a staking network has two options to fight this: either force on-chain lending markets to cap their interest rates, or compete with the lending markets by offering even better returns to stakers.</p>
<p>This first strategy would be akin to imposing capital controls. This is obviously not possible on permissionless blockchains — even if it were, borrowers and lenders could simply set up the same markets off-chain or through a neighboring interoperable chain.</p>
<p>The only realistic way that this can be defended against is by using flexible monetary policy to offer competitive rates when necessary. Any fixed inflationary regime is vulnerable to this kind of attack, since an attacker always knows exactly how much they need to subsidize the lending market in order to cannibalize stakers.</p>
<p>This defense is analogous to a central bank adjusting its interest rate to achieve its economic goals. A PoS network must use its issuance rate as a tool that adapts to real-time market pressures.</p>
<p>In that sense, Ethereum is actually on good ground today, since it has not committed to any fixed monetary policy. But going forward, all PoS networks must be mindful of this tradeoff. There are both on-chain governance and off-chain governance approaches that can work here, but if a PoS protocol wants to remain secure in perpetuity, it must have adaptive monetary policy.</p>
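<p>A toy version of the staking-versus-lending dynamic described above, added here as an illustration: it is not Gauntlet's agent-based model or code from the paper, and the interest-rate curve, borrow-demand path, alert threshold and controller gain are all constructed assumptions. It compares deflationary, fixed and adaptive issuance when outside borrow demand steps up, and reports where the staked share of supply settles.</p>

```python
import math

TOTAL_SUPPLY = 100.0       # token supply in arbitrary units (constructed)
SAFE_STAKE_RATIO = 0.30    # assumed alert threshold for the staked share
TARGET_STAKE_RATIO = 0.50  # assumed target for the adaptive policy


def supply_rate(borrowed, lent, base=0.01, slope=0.20):
    """Lender yield in a pooled market with an assumed linear utilization curve."""
    utilization = min(borrowed / max(lent, 1e-9), 1.0)
    borrow_rate = base + slope * utilization
    return borrow_rate * utilization  # interest is shared across all lenders


def borrow_demand(step):
    """Constructed demand path: outside borrowing steps up halfway through."""
    return 30.0 if step < 200 else 45.0


# Issuance policies: (current issuance, staked ratio) -> next issuance.
def deflationary(issuance, stake_ratio):
    return issuance * 0.99  # block reward shrinks every step


def fixed(issuance, stake_ratio):
    return issuance  # constant issuance, known in advance


def adaptive(issuance, stake_ratio, gain=0.5, floor=0.1, cap=10.0):
    """Raise issuance when stake is below target, lower it when above."""
    adjusted = issuance * math.exp(gain * (TARGET_STAKE_RATIO - stake_ratio))
    return min(max(adjusted, floor), cap)


def simulate(policy, steps=400, issuance=5.0, stake_ratio=0.60):
    """Return the staked share of supply after each step."""
    history = []
    for step in range(steps):
        staked = stake_ratio * TOTAL_SUPPLY
        lent = TOTAL_SUPPLY - staked
        yield_gap = issuance / staked - supply_rate(borrow_demand(step), lent)
        # Holders rebalance toward the better yield; stepping in logit
        # space keeps the staked share strictly between 0 and 1.
        logit = math.log(stake_ratio / (1.0 - stake_ratio))
        logit += 0.2 * math.tanh(yield_gap / 0.05)
        stake_ratio = 1.0 / (1.0 + math.exp(-logit))
        issuance = policy(issuance, stake_ratio)
        history.append(stake_ratio)
    return history


def report():
    """Final and lowest staked share per policy, plus a threshold flag."""
    results = {}
    for policy in (deflationary, fixed, adaptive):
        history = simulate(policy)
        results[policy.__name__] = {
            "final": history[-1],
            "lowest": min(history),
            "below_threshold": history[-1] < SAFE_STAKE_RATIO,
        }
    return results


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:13s} final={row['final']:.3f} "
              f"lowest={row['lowest']:.3f} alert={row['below_threshold']}")
```

<p>Under these constructed parameters the deflationary run ends with only a small fraction of supply staked, the fixed run settles well below its starting share once borrow demand rises, and the adaptive run returns to its target.</p>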
<p>For further details, check out <a href="https://docsend.com/view/697feid">the paper</a>! It’s got some cool diagrams and charts that I didn’t include here. And big kudos to Tarun and the Gauntlet team for this fascinating work. (If you’re thinking through the incentive mechanisms of your protocol/application and could use some help with modeling, you should reach out to the Gauntlet team.)</p>
<p>Disclosure: Gauntlet is a portfolio company of Dragonfly Capital.</p>
<p>Thanks to Tarun Chitra, Ivan Bogatyy, and John Morrow for their feedback on drafts of this post.</p>Haseeb QureshiOn-chain lending has become the most popular decentralized finance (DeFi) application today, with over $600M in loans originated this year across MakerDAO, Compound, and dYdX. On-chain lending has the potential to disrupt traditional secured lending. But it seems it may do more than that: it might also disrupt proof of stake consensus.Ethereum is now unforkable, thanks to DeFi2019-10-31T00:00:00+00:002019-10-31T00:00:00+00:00https://haseebq.com/ethereum-is-now-unforkable-thanks-to-defi<p><em>By Haseeb Qureshi and Leland Lee</em></p>
<p>After the DAO hack of 2016, the Ethereum community was faced with an existential quandary: should the community roll back the chain to revert the DAO hack, or let the hacker get away? Those who said yes forked away to what is now called Ethereum. But those who said no, who didn’t roll back, they are now known as Ethereum Classic. This is a classic example of blockchain statecraft: by creating a new fork, a minority coalition can effectively secede from the majority.</p>
<p>But Ethereum will never again have a meaningful minority fork, in large part because of DeFi’s inherent fragility.</p>
<h2 id="a-thought-experiment">A thought experiment</h2>
<p>Imagine that <a href="https://eips.ethereum.org/EIPS/eip-1057">ProgPoW</a>, a controversial EIP, is merged into the codebase and will be deployed in an upcoming Ethereum upgrade. The EIP, which bricks the current generation of ASIC miners, is so polarizing that the community breaks out into infighting.</p>
<p>Soon they divide into distinct factions: anti-ProgPoW and pro-ProgPoW. Reddit and Twitter users change their online handles to signal their allegiances. A civil war is brewing, and everyone must take sides.</p>
<p>In the meantime, DeFi operators watch anxiously. Their hands are tied: they cannot pick sides too early. Why? Because for a DeFi operator, picking the correct fork is critical to their system surviving, and nobody wants to be blamed for instigating additional conflict.</p>
<p>Let’s say that USDC is the first to cross the Rubicon. <a href="https://www.centre.io/">CENTRE</a>, the organization that issues USDC, announces that they are not supporting ProgPoW, and USDC will not be redeemable on the ProgPoW fork. Of course, this means that USDC will become completely worthless on the ProgPoW fork—after all, USDC is a system of record for dollar-backed IOUs. Only one system of record can correspond to the real liabilities of CENTRE, and so the USDC ledger is effectively meaningless on the other chain.</p>
<p><img src="https://miro.medium.com/max/2556/1*ddErvEmxRQmX5I5fXKsm3Q.png" alt="" /></p>
<p>On seeing this, all DeFi operators are forced to now follow USDC’s lead. They cannot defy CENTRE. The reasons for this are subtle, and increasingly define Ethereum DeFi. Composability both rules and constrains everything.</p>
<hr />
<p>As the second most used stablecoin in decentralized finance (or DeFi), USDC represents 99% of all fiat-backed stablecoins locked in DeFi applications.</p>
<p><img src="https://miro.medium.com/max/1115/1*S_DB-qGEYYcHIADc-RFiBQ.png" alt="" /></p>
<p>All other fiat-backed stablecoins have negligible usage in DeFi. But so what, you might say—this is a problem that the market can solve. Let other stablecoins like Tether and TUSD, which have billions in circulation, step up and take USDC’s place.</p>
<p>But what about the existing financial instruments that use USDC, directly and indirectly? DeFi could hypothetically survive without USDC, but given how deeply entangled it all is, it’s incredibly challenging to extricate it quickly and safely.</p>
<h2 id="the-pain-of-separation">The pain of separation</h2>
<p>Any DeFi app that does not follow USDC needs to have a coordinated extraction process: post fork, everything denominated in USDC will become worthless. Given the composability of DeFi, this removal has to be coordinated across the entire ecosystem. Just imagine what this would look like:</p>
<ul>
<li>Fixed term USDC loans or derivatives would have to be prematurely terminated (Dharma and Nuo Network).</li>
<li>As people run for the exits and try to sell out of their USDC positions, arbitrageurs (who convert the USDC into USD) would not be able to divest fast enough, and USDC would plummet in price.</li>
<li>Bank runs might occur on contracts like Compound where the majority of USDC is actively being lent out, <a href="https://medium.com/@ameensol/what-you-should-know-before-putting-half-a-million-dai-in-compound-fafdb2645f77">preventing lenders from taking out their deposits</a>. This would drive up the borrowing rates for USDC.</li>
<li>Holders of USDC in passive positions would have to come online, which may be difficult for those using cold storage.</li>
<li>Operators of DeFi abstraction layers like <a href="https://outlet.finance/">Outlet.finance</a> or <a href="https://www.astrowallet.io/">Astrowallet</a> would have to integrate alternative stablecoins.</li>
</ul>
<p>Facing such a bloody unwinding process, DeFi operators would have no choice but to side with CENTRE and throw all of their weight behind the USDC-blessed fork, regardless of where community opinion came down. Were they to defect, the damage would be more than just a technical hiccup: the real harm would come from disruption and loss of trust from their users. Financial systems and smart contracts are based on the assumption of predictability, and when that is violated, users are unlikely to return.</p>
<p>Were DeFi operators to not move in lockstep, the decentralized financial ecosystem would be thrown into pandemonium. This is a classic game theory situation: the incentives are overwhelmingly in favor of coordination, so all of DeFi is forced to move together.</p>
<p>So all of DeFi sides with USDC. But what about the people who commit to the opposite fork?</p>
<h2 id="the-valley-of-d-eth">The valley of D-ETH</h2>
<p>Imagine a small cohort goes through with the fork. Still optimistic, they brand their chain Decentralized ETH, or D-ETH. What will they find on the new chain waiting for them? As in all forks, the entire state of all smart contracts will be ported over—but without the operators to keep them running, what will happen?</p>
<p><img src="https://miro.medium.com/max/1732/1*92IGnoOnZkSs2IpOah0nkA.png" alt="" /></p>
<p>Oracles stop posting data feeds. There are no more prices. Anything that used a price feed is now broken.</p>
<p>All centralized stablecoins are now worthless. Tether, USDC, TUSD, PAX, all gone. Most operators freeze the contracts, making the tokens now untransferable and unredeemable. For smaller stablecoins, no one even bothers.</p>
<p>Any borrowers who used USDC as collateral have walked away with free tokens. Of course, unless the borrowed tokens were Dai, they’re effectively worthless—there isn’t even a market for D-REP (the forked REP token) because Augur is no longer functioning. All long-dated Augur bets have become effectively debased. Not enough D-REP holders show up to report on outcomes. No UI even points to the D-ETH version, though there are complicated instructions someone posted in a GitHub issue somewhere. Eventually, the contract stops being poked entirely.</p>
<p>A few contracts still work, like 0x and Uniswap, since they don’t require any external actors. But liquidity is scant, as the prices of all the D-tokens have collapsed, and nothing is correctly priced anymore. The moment the fork goes live, smart arbitrageurs race to snipe 0x orders and Uniswap markets that are incorrectly priced post-fork.</p>
<p>And then of course, there’s the elephant in the room: Maker. It has too much D-ETH at stake in the minority fork to just ignore it. They could let the system ride out, but because the system is now backed with D-ETH instead of ETH, the system will be instantly undercollateralized post-fork. Almost every CDP must be liquidated, and the <a href="https://github.com/makerdao/community/blob/master/faqs/liquidation.md#what-happens-during-a-liquidation">D-PETH must be auctioned off for D-Dai</a> (which the system burns to deleverage itself). But there is little demand for the D-PETH that gets auctioned off, and most D-Dai holders are not paying attention to the minority fork, so the D-Dai supply is depressed. This leads to a massive undersupply of D-Dai and an oversupply of D-PETH being mass-sold into the market, causing a <a href="https://arxiv.org/abs/1906.02152">deleveraging spiral</a> and huge price spike for D-Dai.</p>
<p>Seeing this writing on the wall, Maker governance decides to simply trigger <a href="https://developer.makerdao.com/dai/1/api/top">global settlement</a> on the minority fork. It’s not worth the headache. All D-Dai on this chain gets liquidated and eventually converted into D-ETH balances. The D-Dai holders who are paying attention claim their D-ETH balances. But when they turn around to sell their new D-ETH, all the selling causes a rush for the exits, crashing the price for all other D-ETH holders.</p>
<p>This causes anything dependent on D-Dai to instantly break. Uniswap D-Dai markets, Compound D-Dai markets, Augur v2, almost anything that uses D-Dai is now fundamentally broken. Even if they have fail safes in place for global settlement, most operators don’t have the infrastructure and deployment processes to manage their system on two chains, so many simply write it off.</p>
<p>All websites, interfaces, block explorers, and wallets ultimately point to the majority chain. Game operators like CryptoKitties lock their D-ETH contracts so as not to confuse their users. The minority chain is so barren as to be basically an empty blockchain.</p>
<p>If you imagine the movie version of this saga, the minority chain looks like an abandoned metropolis. Towering buildings sitting empty, alarms going off with nobody to respond, smoke billowing in the distance. There’s no one to even bother rebuilding for.</p>
<p>The minority community grumbles about conspiracies. But once D-ETH liquidity slows to a trickle, it becomes clear exchanges won’t list the debased D-ERC-20s. Economics can no longer tie the revolutionaries together. The early volunteer developers stop showing up, the community withers away, and the project is finally abandoned like all the <a href="https://masterthecrypto.com/ethereum-hard-forks-guide-ethereum-classic-etherzero-metropolis/">other ETH forks</a> that have been lost to history.</p>
<h2 id="the-value-of-eth">The value of ETH</h2>
<p>What this little thought experiment tells us is: Ethereum is not what it used to be. In 2016, Ethereum was still a proof of concept, and ETC could plausibly claim to be a better vision of how the “world computer” should evolve. But today, it’s clear that ETH is valuable because of the <em>systems that exist on top of it</em>. Unlike Bitcoin, whose ledger is simple enough that forks are functionally airdrops, ETH’s ecosystem is incredibly complex. Because its applications are intertwined with unforkable components, the entire system is rendered unforkable. Any minority fork is doomed to obscurity.</p>
<p><img src="https://miro.medium.com/max/2070/1*n1Lxzbe2ONDDkruQiXYu7A.png" alt="" /></p>
<p>DeFi is ultimately the kingmaker of any future governance crisis—users, miners, and developers certainly have a voice, but the chaos that would be unleashed by unraveling DeFi ties everyone else’s hands. With all of the new higher-level financial applications coming online in the next year, DeFi is liable to only become more fragile.</p>
<p>If there can never be another ETC-like fork, then it seems that “<a href="https://medium.com/@FEhrsam/blockchain-governance-programming-our-future-c3bfe30f2d74">governance-by-fork</a>” will become a thing of the past. Welcome to the post-forkable era.</p>
<p><em>Thanks to Dan Robinson and Tarun Chitra for their feedback and insight on this piece.</em></p>Haseeb QureshiBy Haseeb Qureshi and Leland LeeSo you want to build a crypto startup?2019-10-04T00:00:00+00:002019-10-04T00:00:00+00:00https://haseebq.com/so-you-want-to-build-a-crypto-startup<p>I’m a crypto VC. That means I spend my days talking to crypto entrepreneurs, hearing pitches, and evaluating products. The first thing you realize working in this industry is that pretty much everyone is winging it. (That applies to me, but it especially applies to founders.)</p>
<p>Crypto moves at a lightning pace compared to most industries, but there’s no good blueprint for what we’re doing here. We don’t know how large the market will be, how to value companies, what metrics to focus on, or whether most of these products are even valuable. There are no IPOs or fully validated success stories beyond Bitcoin itself. This leaves founders and investors to figure it out as they go. The inevitable result of this is that there are a lot of weird companies in crypto; you’ve probably noticed this.</p>
<p>So I’ve decided to write this guide to building a crypto startup. I have worked in a crypto startup and co-founded one myself, but most of this advice is gleaned from observing many entrepreneurs more successful than myself building companies in this space. This will not be an exhaustive guide—it’s impossible for any document to be the final word on building a company—but consider this one investor’s outline of what I think about when looking at a startup’s trajectory.</p>
<p>Let’s take it from the top.</p>
<h2 id="so-you-want-to-start-a-crypto-startup">So you want to start a crypto startup.</h2>
<p>Before you go any further, ask yourself: do you know enough about crypto to start a crypto company yet?</p>
<p>When I wanted to take a swing at my first crypto startup idea, I had embarrassingly little understanding of the blockchain ecosystem. It took me a while to appreciate just how little I actually knew—and how bad my initial ideas were!</p>
<p>If you are not deeply familiar with crypto, its culture, its products, and the history of the industry, then you should spend some time learning first. The fastest way to learn is by joining another crypto startup. Spending time in the trenches is the ultimate education in any industry. This is precisely what I did in my time at <a href="https://web.archive.org/web/20170905002210/https:/21.co/">21</a> (now known as Earn.com).</p>
<p>Read voraciously, go to meetups, read newsletters, play around with the tech, and immerse yourself in the community.</p>
<p>Let’s say you’re now pretty familiar with the industry—you get what it’s all about. There’s a second consideration before starting a crypto startup: are you technical?</p>
<p>If you aren’t technical, you will almost always need a technical cofounder if you want to build anything valuable. Wrestling with crypto requires deep technology chops, and a solo non-technical founder rarely gets funded. Of course, the best way to find cofounders is by working at another startup, so good thing you already did that.</p>
<p>As for assembling a team, the best teams are comprised of friends, or otherwise, people who have worked together before. Remember, the <a href="https://playbook.samaltman.com/#team">#1 cause of company failures is cofounder breakups</a>. If you haven’t built up enough trust with your cofounders, you’re less likely to mesh well, stick together, and ultimately build a great business.</p>
<p>There’s also no need to jump directly into starting a company! Don’t incorporate before you’re ready to make that degree of commitment. It’s perfectly reasonable to start with a small project or consulting gig with your co-founders first. That will help you figure out how you work together and whether you’re a good fit before pursuing something larger.</p>
<p>The last question you should ask yourself is, why do you want to build this startup? Is it for money? Fame? Or because the world needs the thing you want to build, and you’re the only one who can build it?</p>
<p>A word to the wise: startups that are primarily motivated by making money seldom do. I don’t know why—it just doesn’t seem to bring out the best in people. On the other hand, startups that are motivated by an obsessive desire to change something in the world are the ones that tend to survive when the going gets tough.</p>
<p>Keep this in mind.</p>
<p>(Note: so far, this is mostly standard startup advice, so if this is new to you, you should definitely check out the <a href="https://startupclass.samaltman.com/lists/readings/">YC startup school</a>.)</p>
<p>But let’s say you’re convinced, you’re ready to build a crypto startup. Then it’s time to enter the ideation phase.</p>
<p><em>“The ideation phase”? But I already have my idea!</em></p>
<p>No. You need to workshop many ideas, because your first idea, sorry to break it to you, is probably bad. In fact, it’s almost certainly bad. It takes a long time to find good ideas in this industry.</p>
<p>Blockchains are complicated, confusing, and full of intellectual tar pits. Furthermore, blockchains are completely open platforms—that means pretty much anyone in the world can launch a competing crypto product. This means most of the straightforwardly good ideas have already been attempted. If you’ve come up with an idea, it’s probably either been tried before, or it’s such a bad idea it’s not even worth trying.</p>
<p>Genuinely good ideas are rare. Arriving at one takes a long process of refinement and distillation.</p>
<h2 id="ideation">Ideation</h2>
<p>There’s a truism in Silicon Valley that “<a href="https://krit.com/blog/tips-for-first-time-founders">ideas don’t matter, execution is everything</a>.” Like most startup advice, this is great advice not because it is true, but because it is useful.</p>
<p>In reality, ideas obviously matter. A bad idea, <a href="https://pmarchive.com/guide_to_startups_part4.html">no matter how well-executed</a>, will only end in wasted years of your life.</p>
<p>So how can you spot a good idea? The best way is by deeply studying the domain you’re trying to attack. Balaji Srinivasan describes this as “<a href="https://spark-public.s3.amazonaws.com/startup/lecture_slides/lecture5-market-wireframing-design.pdf">the idea maze</a>.”</p>
<blockquote>
<p>“A good founder is thus capable of anticipating which turns lead to treasure and which lead to certain death. A bad founder is just running to the entrance of (say) the “movies / music / filesharing / P2P” maze or the “photosharing” maze without any sense for the history of the industry, the players in the maze, the casualties of the past, and the technologies that are likely to move walls and change assumptions.”</p>
</blockquote>
<p>First become an expert in your respective idea maze. Interested in building a DEX? A lending business? A market making firm? A new layer 2 mechanism? There is a rich history that precedes you, and you should study the other players in the maze, both living and dead, to understand how the maze is laid out. How do these businesses make money? Who are their customers? How did they differentiate? What features did they launch that drove their successes?</p>
<p><img src="https://miro.medium.com/max/1600/0*ug3KNe4e6IAnrZZv" alt="" /></p>
<p>If you have no idea what maze to even pursue, I’d suggest engaging in this exercise: how do you believe the crypto landscape will change two years from now? Don’t build another layer 2 or another smart contract platform — people realized that was a problem a couple years ago, and by now they’re already very far along. You’re late to that race. You need to think about what will become more valuable in the future when your product finally reaches maturity. This requires vision and some conviction about how the future of crypto will evolve.</p>
<p>What will be different about the world by then, driving demand for your new product? Maybe it’s that we’ll have high-throughput L1s, maybe it’s that more real-world assets will get tokenized, maybe it’s mature interoperability—whatever it is, you’ll have to peer into the future and project what the market will need.</p>
<p>On the other hand, there are some idea mazes that we are pretty sure only contain dead ends; any entrepreneur that enters them is likely doomed to failure.</p>
<p>The following are some ideas that got funding in the ICO boom, but are now mostly un-fundable. For whatever reason, they still float around as cached ideas. Here are just a few of them from my own perspective (if your idea is in here, I would be happy to be proven wrong):</p>
<p>A new fiat-backed stablecoin. Unless you’re Facebook or JP Morgan, there are simply too many stablecoins at this point for yours to be competitive or differentiated. Even if Tether goes belly-up, there’s a lineup of fiat-backed stablecoins with strong distribution that are ready to take its place.</p>
<p>A decentralized stablecoin that is slightly different than another major design. (Crypto-collateralized, algorithmic, etc.) It’s too late to start from scratch here, and the decentralized stablecoins that exist have not demonstrated enough demand to warrant competitors. Retail investors have shown they’re unwilling to differentiate between stablecoin designs (for obvious reasons—they are all supposed to have the same price).</p>
<p>“Bitcoin-killers.” Sorry to break it to you, but Bitcoin has already killed all the Bitcoin killers. The reason why Bitcoin is king has little to do with technology, so competing with Bitcoin on the basis of tech is unwise.</p>
<p>The window for Ethereum-killers is fast-closing, and in general I don’t think they’re fundable anymore. There are already ~10 in the pipeline launching within the next two years; unless you have a profound distribution advantage, yours will probably be too late to be seriously competitive.</p>
<p>Blockchain for X. X can be advertising, oil and gas, <a href="https://bananacoin.io/">bananas</a>, whatever. It’s the same pattern as happened with “social networks for X,” or “Uber for X” — almost all of these are unnecessary and don’t successfully solve the problem they seek to solve. Especially if you try to monetize by adding a payment token for this mini-economy.</p>
<p>Let me develop this intuition for you, because so many would-be founders land on some variant of this.</p>
<p>Blockchain was first invented to solve the problem of creating decentralized money. Many people, myself included, initially assumed that blockchain technology could be generalized to solve many different coordination problems.</p>
<p>So far, that thesis has come out negative. We have not seen blockchains work in pretty much anything outside of money and property rights.</p>
<p>I don’t think this is an accident or just a matter of being too early. It seems, rather, that very few coordination problems have the particular shape such that technology alone can solve them.</p>
<p>It’s tempting to look at a fragmented ecosystem with players who are not cooperating and think “hey, I bet a blockchain could solve this.” I’ve looked at hundreds of startups pitching solutions that look like this. After digging deeply enough into them, the pattern is almost always that a blockchain alone will not solve the problem. Often these startups do not sufficiently understand why the players in their domain are not coordinating (usually, it’s because the dominant market participants are incentivized not to cooperate).</p>
<p>Alternatively, lots of “blockchain for X” plays are really about just getting everyone onto a common data standard. Unfortunately, this doesn’t actually have all that much to do with the unique properties of blockchain and is hard for other reasons.</p>
<p><img src="https://miro.medium.com/max/500/0*fuObAMZLpy-ot6Kv" alt="" /></p>
<p>Global, permissionless, programmable money and property is actually new. They were the first thing we created blockchains for, and up until now, they seem to be the only <em>fundamentally novel thing</em> we can do using this technology. I encourage you to search in that direction, as that’s what I believe most of the innovation in this industry will build on top of.</p>
<p>Building for customers who don’t exist yet. I see this all over the place. It’s really hard to build a product for people who aren’t here yet. It’s like trying to build iOS apps before the iPhone was invented.</p>
<p>This extends to building for the Fortune 100. They are not using blockchain. Yes, I know they say they are. They’re not; they’re running toy proof-of-concepts out of their innovation departments. This is analogous to cloud computing in 2004: for now, it’s a fancy buzzword that gets corporate innovation guys excited, but it’s way too early for decision makers to actually transition their infrastructure. Skip big corporates for now, and expect them to start using blockchain en masse 5–10 years from now. (Note: If you are a Fortune 100 company using blockchain in production in a meaningful way, I’d love to hear about it.)</p>
<p>You might argue: <em>but crypto is so new! It’s going to change the world! It’s going to result in a totally new world with completely changed norms around money! That’s where my customers will come from!</em></p>
<p>Fine. But all of the great crypto companies that exist today built something that at least <em>someone</em> wanted at the time. Those people might have been a small group: cypherpunks, ETHheads, crypto traders, whatever. But don’t fall into the trap of building for a cohort that doesn’t exist at all.</p>
<p>The best way to bet on a future trend is by building for a small customer base that you believe will grow. Don’t posit a customer base that doesn’t yet exist and try to imagine their future preferences. You will wind up building for no one, with no feedback, and no idea whether you’re making any progress. For a startup, that’s pretty much purgatory.</p>
<p>Building for crypto influencers. This is another common trap for crypto startups. In most industries, if you build a product that influencers will love, millions of other customers will follow. But crypto is a weird space — the preferences of crypto influencers are very unrepresentative of crypto customers.</p>
<p><img src="https://miro.medium.com/max/1228/0*HXq06Qrd3zNEJD5Z" alt="" />
<em>(These numbers are very loose approximations.)</em></p>
<p>If you went off crypto influencers, you’d assume most crypto consumers are paranoid cypherpunks who run their own full nodes and never hold their crypto on exchanges. In reality, this describes a vanishingly small slice of crypto users. Most crypto users hold their coins on exchanges, have no idea how to navigate a command line, and have never even heard of Austrian economics. They care a lot more about making money and a good UX than about decentralization.</p>
<p>Building in unfriendly regulatory jurisdictions. If you are building anything that interacts with thorny regulations (which at this point is almost everything in crypto), the jurisdiction in which you build your company matters a lot. If you’re building a global product, that means places like Hong Kong, Singapore, and Switzerland are great places to locate your crypto company. On the other hand, if you build a crypto company in New York City, you’re paying exorbitant salaries and rents only for regulators to repeatedly jab you in the eye.</p>
<p>That doesn’t mean that no successful companies are built in New York, but you should weigh the advantages against the costs. If you’re doing anything in the exchange space, DeFi, or are otherwise trying to build a global company (as much of crypto tries to be), consider your regulatory strategy carefully. Most entrepreneurs tend to gloss over this, but picking a jurisdiction from the outset is one of the most pivotal decisions for your company’s future.</p>
<p>That said, don’t be afraid of regulation! Regulation starts off as an impediment, but it can also serve as a powerful moat after you’ve established your business. On the other hand, you can’t really afford to spend all of your money talking to lawyers before you’ve got a business to speak of.</p>
<p>Once you feel your idea has been well-workshopped, you should flesh it out into a broader plan. Slava Akhmechet has a great <a href="https://www.defmacro.org/2019/03/26/startup-checklist.html">20-point checklist you should go through with your startup idea</a>.</p>
<h2 id="validating-your-idea">Validating your idea</h2>
<p>You’ve now got the rough contour of what you’re doing. It’s time to go validate it. Attend local meetups. Go to hackathons. Talk to other entrepreneurs. Tell everyone smart about your idea and get their feedback (<a href="https://sivers.org/multiply">safeguarding your idea</a> is a huge antipattern).</p>
<p>Build a proof of concept. Show it off online or at a hackathon. Get people excited about your work. Many of the greatest crypto projects were built this way—InstaDapp was <a href="https://medium.com/makerdao/check-out-the-maker-api-winners-of-ethsf-hackathon-4f761a1542d2">first built at a hackathon</a> (it was originally named CryptoPay) and <a href="https://blog.bitmex.com/bitmex-technology-scaling-part-1/">BitMEX launched their janky “alpha” exchange</a> before they were able to raise external capital.</p>
<p>Spend as much time as possible talking to your users, figuring out their pain points, which products they’re using and where those products fall short. By now you should also know who your actual customers are going to be. Are they speculators? Traders? DeFi users? Exchanges?</p>
<p>If you’re working on something that’s more like basic science (think deep tech, a new blockchain, etc.), it’s going to be harder to get user validation. If that’s the case, you should be talking to lots of technologists and projects that might want to build on top of you. Design feedback is invaluable at this stage. But mostly, expect to be architecting and building on your own.</p>
<h2 id="raise-money-or-dont">Raise money! (or don’t)</h2>
<p>Let’s assume you’ve validated your idea and you are now confident it’s worth turning into a business.</p>
<p>The next question is: do I need to raise money? Often, the answer is: hell no! If your business is not capital-intensive, or is cheap to prototype and get off the ground, then you might not need to raise money at all. <a href="https://coinmarketcap.com/">CoinMarketCap</a>, the largest crypto price aggregator, started as <a href="https://www.wsj.com/articles/the-programmer-at-the-center-of-a-100-billion-crypto-storm-1516708800">one engineer’s side project</a> while he worked full time at an enterprise software company in New York—no traditional venture money. It’s now one of the largest advertising-driven businesses in crypto.</p>
<p>But many companies are capital-intensive (or just need to move faster to beat out competitors) and will need to raise venture capital. If that’s you, then let’s walk through what you’ll need to pull off a fundraise.</p>
<p>First, you need to prepare a deck. If you’re doing something technical, you’ll also need a white paper. (Why a white paper? Mostly because the crypto industry has cargo culted Bitcoin and Ethereum. It’s dumb, but best to follow industry norms here.)</p>
<p>Your deck is very important. It needs to convey what your project actually does (you’d be surprised how few do this clearly!). It also needs to convey how your project works. If as an investor I can point out any obvious weaknesses, attacks, or oversights that you don’t address, that does not give me confidence that you’ve fully thought through your system.</p>
<p>Your deck should also describe your economics and why your token / equity captures value. And given that it’s 2019, you need to include an at least plausible go-to-market strategy. “Build it and they will come” is no longer convincing given the thousands of crypto projects you’ll be competing against.</p>
<p>You should also start thinking about valuation. This doesn’t need to be in your deck, but you should consider how you will pitch pricing your company when the conversation arises. With early stage deals, this is usually done using comparables. Looking at projects that are in the same space, have similar quality, and raised in the same market cycle, how were they valued? (It won’t do you any good to comp against a project that fundraised in 2017; that was a very different market, and no one will price you the same.)</p>
<p>If you’ve never made a deck before, you can’t go too wrong following the <a href="https://slidebean.com/blog/startups-airbnb-pitch-deck">Airbnb</a> structure.</p>
<p>Now that you have that, you need to pitch an actual VC.</p>
<p>How do you get in front of VCs? The answer is pretty much always through their network, meaning you need an intro. This can be through another VC, or, ideally, through an entrepreneur they’ve worked with. (This is why it’s a good thing you’ve already done so much networking.)</p>
<p>Don’t count on cold approaching VCs at a conference, and don’t use LinkedIn. I honestly don’t know of a VC who’s made an investment in this space through a cold email unless the VC was already familiar with the project. Because crypto is such a global industry, we get so many random inbound pitches from all over the world, many of which are outright scams; there is simply no way we can diligence them all. Almost every VC firm in Silicon Valley will tell you: <a href="https://www.inc.com/paul-grossinger/the-critical-value-of-the-exceptional-referral.html">get</a> <a href="https://techcrunch.com/2015/06/08/how-to-win-the-attention-of-potential-investors/">a</a> <a href="https://www.inc.com/jason-freedman/how-to-get-introductions-to-venture-capital-firms.html">warm</a> <a href="https://stripe.com/au/atlas/guides/ama-marc-andreessen#raising-money-from-vcs">intro</a>, and it’s doubly true for crypto VCs.</p>
<p>But if you come referred, you’ll usually cut through the noise. Of course, <a href="https://venturehacks.com/elevator-pitch">there’s an art to warm intros too</a>.</p>
<p>Finally, once you’re fundraising, you’ll want to set an explicit deadline on your fundraise—both to build urgency and to signal your seriousness (also because VCs are busy and will often hit snooze on your fundraise if you let them). You should also set a deadline because fundraising is genuinely a waste of your time as a founder. You want to get fundraising done, out of the way, and then get back to building your business.</p>
<p>So who should you raise money from? First, you want to be mindful of what stage you’re raising for. You want to make sure the stage of money you’re raising aligns with the fund you’re talking to. a16z Crypto and Paradigm are amazing crypto funds, but they are both large, later-stage funds that in general can only write big checks—$500K pre-seed deals simply aren’t worth their time, since such a check would comprise less than 0.2% of their portfolio. But smaller funds like us are perfectly happy to write $250K-$500K checks. There are also active angel investors and family offices who are happy to invest at even earlier stages.</p>
<p>It’s always worthwhile to diligence your investors by chatting with entrepreneurs who’ve worked with them. In crypto especially, it’s rarely a good idea to take money from just anyone willing to throw it at you. The delta between “smart money” and “dumb money” is particularly large in an opaque industry like crypto. There have been many horror stories about investors kicking out founders, suing the company, or blocking subsequent rounds of funding. You want investors who actually understand what you’re building and are aligned with you for the long run.</p>
<p>That said, entrepreneurs often assume that raising money is simply a grading problem. You, as an entrepreneur, receive a grade based on the ranking of the VC firm that you raise from. But this is the wrong way to think about it. Raising money is not just a grading problem, but also a <em>matching problem</em>. VCs are matching you to what they need in their portfolio. If they are already heavy on exchanges, or they have a strong DeFi thesis, or they don’t have enough smart contract platform exposure, that will often determine whether you are a better fit for one VC or another. Alternatively, if they already know you, they will be better off investing in you than in another entrepreneur with whom they have a weaker relationship (or whom they just don’t want to work with!).</p>
<p>So talk to lots of investors. And a word to the wise: don’t over-optimize for valuation, especially in the early stages. I know this sounds self-serving coming from an investor, but you’ll hear this again and again. Valuation, early on, just doesn’t matter as much as picking the right partners, setting a good growth trajectory for your company, and not over-raising or overpromising to your investors. If you’re successful, you’ll make most of the money later on, not on your early fundraises.</p>
<p>It’s counterintuitive enough to be worth spelling out: raising too much money usually spells doom for a company. We all know of huge ICO projects that over-raised capital and are now sitting on their hands, unsure how to iterate on their tens of millions of dollars, locked into a business plan that no longer makes sense. And of course, all that money you raise is not an <em>exit</em> — it doesn’t end up in your bank account. It sits in your company’s coffers to try to somehow build your business. When there’s no clear path forward, companies tend to stagnate and devolve into politics and infighting. It’s not a place you want to end up.</p>
<p>If you’re doing an equity raise, your deal mechanics should look like standard startup financing (I recommend <a href="https://www.amazon.com/Venture-Deals-Smarter-Lawyer-Capitalist/dp/1118443616">Venture Deals</a> if you want to go deep here). But for token raises, there’s a whole separate playbook.</p>
<h2 id="token-deal-structure">Token deal structure</h2>
<p>Much ado has been made of corporate structure in crypto when it comes to tokens. Generally speaking, SAFTs are now out of favor compared to equity that comes with token rights (i.e., shareholders of your company will automatically be granted any tokens the company creates). But most good crypto investors can do either equity or tokens. Discuss it with your investors and your legal counsel.</p>
<p>You want to think carefully about the token distribution. Some rough rules of thumb are that you shouldn’t give the team more than 15–20% of the token supply, and investors no more than 30% of the supply. If VCs own more than that, your coin risks being panned as a “VC coin.” You want it to be more widely distributed than that.</p>
<p>On the other end of the spectrum, some token founders will sell far too little of their token. By selling a small portion of the network at as high a valuation as possible, they hope to maximize their ownership stake and make a bunch of money on paper. This is a huge, huge mistake. Say it with me — tokens 👏 are 👏 not 👏 equity.</p>
<p>The point of your token distribution is to <em>distribute your token</em> as widely as possible. Why? Because tokens are supposed to be global, decentralized, and money-like. In other words, a token becomes valuable <em>because</em> it is distributed. Owning 80% of a company would make you a savvy owner, but owning 80% of a token would make that token worthless. You should be excited about distributing tokens because it makes your stake in that token more valuable.</p>
<p>Should you do a foundation? Where should you do it? What should the arrangement be between a foundation and the company?</p>
<p>As much as I’d love to definitively answer these questions, the reality is—nobody is really sure, and there are no best practices yet. In short, we’ve seen just about every model go horribly south, and it’s too early to say that any model has gone <em>well</em>. We’ve seen just about everything, and my guess is that this will continue evolving in the near future. Your best bet is probably just to talk to your investors, the entrepreneurs you trust, and sketch out a good approach you are all willing to bet on.</p>
<h2 id="go-to-market">Go to market</h2>
<p>Go to market, distribution, there are many terms for the same thing. It’s the most neglected thing in crypto.</p>
<p>How will you attract your initial users? What distribution channels can you use? What kind of viral loop or referral program will you use to attract new users? What do you expect your customer acquisition cost (CAC) to be? What about your CAC-payback? You should have a plan more concrete than “promoting through influencers” or “market making.” To be successful in 2019, you’ll need some creativity.</p>
<p>If you’re doing a token, you also need to consider how to distribute your token supply beyond your pre-launch investors. Unfortunately, there’s no easy answer here either.</p>
<p>ICOs used to be the standard, but today they’re less and less common. <a href="https://coinlist.co/">CoinList</a> lets you reach accredited investors, but many of those folks are just looking to flip your token, and there’s a lot of cross-over with VCs. <a href="https://www.coindesk.com/coinbase-adds-dai-as-first-stablecoin-in-crypto-exchanges-earn-program">Earn</a> lets you distribute the token to Coinbase users while educating them on your product, but it’s not as turn-key. IEOs can be kind of shady depending on the venue, but they let you distribute the coin to a more global investor base (just be sure you’re legally covered, especially when it comes to US customers). Airdrops are a thing, but I don’t know of any non-fork coin that’s successfully been adopted on the basis of airdrops. There are creative approaches such as Handshake <a href="https://medium.com/coinmonks/understanding-the-handshake-airdrop-and-reserved-names-428d9e90b560">airdropping to Github accounts</a> and Stellar <a href="https://www.stellar.org/blog/keybase-stellar-lumens-spacedrop/">airdropping to Keybase users</a>, but the unfortunate truth is that <a href="https://coinmetrics.substack.com/p/coin-metrics-state-of-the-network-5d7">most airdrops are never claimed</a>.</p>
<p>If you’re building pure crypto, open source your code. Once you’re post-launch, if you want any hope of being eventually decentralized, this is a prerequisite. You have to bring the community into the fold of what you’re building, and they won’t trust it if they can’t participate in its development. You will also gradually want to extract your company from a central operational role in the business if possible. Good models to learn from here are Maker, Cosmos, and Ethereum. Cosmos in particular established a lot of the best practices around new network launches: see <a href="https://medium.com/coinmonks/breaking-down-the-cosmos-game-of-stakes-5cbc538bcedb">Game of Stakes</a> and their <a href="https://blog.cosmos.network/the-3-phases-of-the-cosmos-hub-mainnet-fdff3a68c4c0">phased releases</a>. All software will inevitably have bugs, but you want to catch as many of these as possible in realistic adversarial conditions.</p>
<p>Unlike the Internet, crypto is global from day one. That implies that no matter where your company is founded, you must eventually build a global team with boots on the ground around the world. Whether you’re from the US, Europe, or Asia, you want to have a presence in each of those geographies to build awareness and relay the needs of your different communities. It’s not enough to simply focus on your local geography.</p>
<p><img src="https://miro.medium.com/max/1297/0*Dc1W7KTLxS-WyKFh" alt="" />
<em>Credit: <a href="https://www.chappuishalder.com/wp-content/uploads/2019/06/Publication_Crypto-traders-06-2019.pdf">Chappuis Halder</a> (note: this data doesn’t track China, which likely has more crypto traders than North America)</em></p>
<p>Finally, you must keep iterating on UI/UX. This is probably the most important frontier for crypto, and I suspect more and more businesses will differentiate on user experience rather than core technology. Taylor Monahan has <a href="https://medium.com/mycrypto/building-confidence-not-dapps-d8a3bc1f29d1">written eloquently</a> on the importance of communicating clearly to your user, and Austin Griffith has continually pushed the frontier of <a href="https://www.youtube.com/watch?v=4yq1wcwKHQk">crypto onboarding</a>.</p>
<p>Build stuff! Get users! Hire great people! Iterate!</p>
<p>From here on out, I don’t think there’s any more general advice I can give you. Your company will have its own unique needs and challenges, and it’s on you and your team to figure them out.</p>
<p>Wherever you are in this process, I hope this guide has been helpful in nudging you in the right direction. And I look forward to seeing what you build!</p>
<p><em>Thanks to Ivan Bogatyy, Tarun Chitra, Ali Yahya, Alexander Pack, Casey Caruso, Leland Lee, and Lucas Ryan for reviewing drafts of this post.</em></p>