Recovering lost ether, past and future

original image from flickr

I did not start this intending to write a little trilogy on the Parity Multisig hack and its efforts to recover it: I do however care a lot about the integrity of the ethereum community and I wanted to make an alert on the dangers related to a controversial split, and then I wanted to explore a more general opportunity to use the future reduction in ether issuance to deal with this and other similar issues in the future. Now I want to explore another idea that emerged from the last two ones on how to prevent a chain split. Here are my starting premises:

  • Community splits are bad and should be avoided
  • If a major client gives users the option to fork, then the end result will not be a popular vote but a split
  • On the other hand, shutting the door on an influential party that is requesting a fork might just force them to a fork

Incentives for Parity splitting: new ether

It’s a simple calculation really: let’s suppose the overall ethereum community decides not move forward with EIP999, but Parity implements it anyway on their very popular client. The probable result is that there will be a new blockchain, let’s call it Ethereum-999 (should we call it the under-millennial?), where over 500,000 ether that were previously stuck on Multisig contracts can now be accessed. How much will ether-999 be sold for? Cryptocurrencies are volatile and hard to price using traditional means so here I’ll use a simple model: the price of a fork is the likelyhood of that fork overtaking the original chain. Using that logic, at the moment of this writing, the market evaluates Bitcoin Cash having a 15% chance of overtaking bitcoin, Ethereum Classic having 3% chance of overtaking the main Ethereum chain and Bitcoin Gold (lol) having 0.9% chance of being taken seriously by anyone.

It’s hard to know what the market will bet on ether-999 but if Parity puts their development force behind it (even more in the unlikely event that they stop supporting the main chain) then it will be larger than 0, which is what they get for not splitting. A small percentage of access to $250 million dollars is still a lot of money.

Incentives for not splitting: new token

An obvious solution then would be to create a new token, called ether-recovery, and distribute it to all the parties affected by the multisig hack (and other categories of stuck ether). If the potential value of that new ether is larger than the potential value of a split (minus any losses associated with initiating a split) then a fork can be avoided. But what would give value to the new token?

Futures market for recovery

Let’s assume we create tokens for all classes of lost and stuck ether. Before tokens can be created these conditions would need to apply:

  • It’s not a recurring event: prevention is always better than recovery, so before a new token class is created it should be show that steps have been taken, either on protocol or in the UX of clients, to avoid these mistakes from happening in the future, as well as showing that if such events are still happening, they are in a much smaller scale.
  • Ether is provably not in circulation: having your ether stolen by a third party or claiming you lost the hard drive in the trash would not apply, ether needs to be provably lost forever.
  • Ownership can be cryptographically verified in an automated way: it should be possible to run a script and verify which key or keys had access to that ether. So while each token class is dealt in a case by case scenario, who gets assigned tokens in each case can be determined automatically without resorting to lawyers and judges.

After a token class is created, and the lost ether is assigned on a 1:1 basis, then the new token is set to be the children of a recovery contract that will hold any funds gathered towards that recovery. The contract keeps track of its own total ether balance and the sum of the supply of all tokens that are underneath it. Token holders can decide at any point “withdraw” from the account, at which point the following things happen:

  • Upon withdrawal, you get sent ether equivalent to the (amount of tokens you own) * (total balance of recovery account) / (total supply of recovery tokens). Meaning that if you own 0.01% of the recovery tokens, you get 0.01% of all ether on that account
  • The token is burnt and you are therefore forfeiting all future claims on recovery. Each new withdrawal therefore increases the portion of the pie of the current holders in any future recovery process.

If any fork is attempted that tries to remedy the given class of lost ether, then that token is immediately disconnected from the main contract, even if the fork fails to have meaningful traction (with some checks and balances to prevent low-effort forks just to disconnect tokens).

Source of recovery funds

When receiveing a recovery token, all owners are implicitly accepting a social contract in which all recovery efforts will help fund the main contract. These can be many:

  • Donations: this might be a hard sell as many of the affected parties are not people in humanitarian crisis, but often corporations or people are otherwise in a comfortable situation. But given that not forking is a benefit for all, some people or institutions might make a gesture of good will to try to avoid the split
  • EIP1015: when ethereum changes from PoW to PoS, the block reward can be significantly reduced to reflect the lower cost of Casper security. Instead of throwing the difference away this EIP proposes a platform to decide, via a smart contract, worthy recipients of the block reward to various uses. If the community votes so, then funding recovery could be one of them.
  • Services: a large amount of the funds gathered in the multisig where ICOs, for Musiconomy and Polkadot, for instance. Donating to the recovery fund could in itself create a new token that affected parties could provide some service to.
  • Future Insurance of Contracts: we will explore this in the next section

An important aspect is that all these options don’t need to happen in order for the token to have value: the value of the recovery token will reflect the chances that any of these will work at any point in the future. For example, in order to have a portion of the block rewards to be used towards recovery, these actions would all need to happen: Casper becomes ready for deployment, EIP1015 is approved and implemented AND enough signalling contracts vote for this particular use of rewards (and still, it can be a small amount or not last for very long).

A recovery token is unlikely ever to reach a 1 ether parity, but that doesn’t matter: as long as the recovery token is worth potentially more than a possible minority split, then the rational economic choice of all affected actors will be not to fork. And since both can be seen as indicators of chance, the market will be comparing the chance of a minority fork overtaking the main chain, versus the chance of a total recovery of funds via the token.

Future Insurance on contracts

You might be unconvinced that donations would compensate for the immense losses or doubt the viability of implementing other recovery options using future hard forks that are less controversial. You might even be in the camp that people should have to pay for their own mistakes (or mistakes from entities they trusted) and that we should focus on the future. This section is for you.

This recovery contract is meant for ether that has already been lost, but what about future lost tokens? If they are added to the recovery token side, they risk just further dilluting an already very poor pie and could be another governance nightmare. Unless we turn this on a potential profitable venture: staking ether as insurance.

In order to create a new class of possible recoverable tokens these would be the steps:

  • Describe exactly what class of contract or application would be covered by the token
  • Lock up ether for a predetermined period of years
  • One recover-ether is issued for each ether locked up (independently on how many ethers are on the affected contracts)
  • The issuer can then sell their recovery-ether for their clients, ICO participants, users or whoever he wants to use the guarantee
  • If the ether in the described scenario happens, then the recovery process is activated and the ether is redeemed at 90% rate (the remainder 10% goes to the general insurance fund of all tokens and the victim gets an equivalent amount of new recover token)
  • If nothing happens after the given amount of years, then the recover-ether tokens are destroyed and the issuer can have their locked ether back (and keep the profits of the sale)
  • If the clients want a continuing insurance after the years passed, then they can go back to step 1

Governance decisions, like which token to accept or not, as well as judging decisions on either a given scenario fits the description of “lost” ether, will all be done via some sort of delegated vote by all the holders of current recover-ether. This aligns the interests of all the potential victims of loss with the profit of the fund as a whole: if the fund stops accepting new applicants or refusing to help an insured party when it needs, then it will affect negatively the future profit of the funds and therefore affect the chances of all parties to be fully restored.

This scheme basically transforms the previous “victims” of lost ether into “shareholders” of a general smart contract insurance fund. But why would someone want to start an insurance fund with over 500 thousand ether in “liabilities” instead of doing just a “traditional” ICO? Because the affected parties of those contracts (which goes beyond the parity multisig and a lot of early users of ethereum) comprises of many of the most technically capable developers (including one of the ethereum founders) and a diverse set of early ethereum users, a captive audience that would help create a network effect that many other new startups would kill (or better airdrop) for. And if the insurance system is seen as having great future potential, it becomes possible that a recover ether to be traded at higher than 1 ether.

In one action we could: