In support of the proof of work [un]fair launch

Disclaimer: I have no current or future interest in a new cryptocurrency launch, either personally or professionally. This piece is intended generally as a thought experiment, and is NOT an endorsement of any specific project. I do not recommend or condone the creation of any new base-layer cryptocurrencies.

Foreword

The presence of ASICs in Proof of Work systems has always been deeply contentious. At maturity, ASICs enhance the security of the network (by forcing miners to take a long term stake in the success of the protocol), but in the transitional phase, the first hardware manufacturer to build ASICs has a near-monopoly on the minting of new coins. This can lead to the existence of an informal form of seigniorage — minting money at a discount to its market value. Protocols which fork frequently are also exposed to this risk; developers effectively have the ability to determine which PoW function the chain will move to, giving them the ability to monetize their influence over the protocol. This is a potentially very insidious form of corruption, and it impairs the ‘fairness’ quality that PoW is known for. GPU chains also have the undesirable quality of being ‘nicehash-able’ — that is, attackable by renting commodity hardware for a short period of time. There is no long-term bond required to mine a GPU coin, as the hardware is repurposable and salable.

Introduction

New cryptocurrency launches are beset by a strange paradox: they typically require a single, authoritative entity to spearhead development, to manage the process of launch, and coordinate development for a meaningful period throughout its infancy. Generally, a considerable amount of upfront investment in R&D is required to create a differentiated protocol. All of these features tend to require the organizational and financial efforts of a single entity.

  • Buyers can obtain tokens for arbitrarily low prices, since they are not created in a costly manner through proof of work, but summoned out of thin air. Thus, the private rounds that predate public sales often consist of pure seigniorage
  • Tokens often end up being a bizarre mishmash of an informal investment contract, and an arcade token for unlocking network resources. This causes speculation to crowd out usage and leads to very confused theories of value accrual
  • Tokens sold to the public (or done obliquely, a la Telegram) closely resemble investment contracts in most sensible jurisdictions, and this tends to make the issuers subject to securities laws, whether they like it or not
  • Issuers that retain a large fraction of supply tend to retain authority in the network, especially if a Proof of Stake model is opted for. This hampers the path to decentralizing authority, as issuers tend to resist divesting their share of the network
  • Early backers can obtain disproportionate shares of supply for essentially free, and then costlessly retain that advantage in perpetuity if the network follows a PoS model. This is a potent force which chills the dispersion of tokens, as stakers are not compelled to sell. In PoW, by contrast, miners must constantly spend and invest to retain proportional network authority. In PoS, retaining stake is simply the cost of running a server
Image for post
Image for post
Image for post
Image for post
Image for post
Image for post

Why GPU fair launches might be a thing of the past

As someone who followed the Grin launch rather closely, I must admit that it felt like a nostalgic last foray into a prior era. I got a decidedly Proustian pang from watching the process play out. As if I had dipped my madeleine in the tea and been transported back to the glory days of PoW launches from 2012–14.

A proposal

Having rambled long enough, I’ll share what I have in mind. Let’s revisit what we’d like to optimize for:

  • we want the distribution period to be as long as possible
  • if being an early backer of the network does confer an advantage, it should be a temporary one and erode over time
  • a position of authority in the system should be costly to retain; it should not be costless to exert influence in perpetuity
  • being an early backer of the network should not grant you permanent anti-dilution rights
  • we want the system to work under existing securities laws in the U.S.: we want to disentangle the investment contract from the asset issued by the protocol
  • we want the network to be secure at inception (from a crypto-economic perspective)
  • we want the founding team to be able to meaningfully divest power and authority from the network; and
  • we want to inculcate a feeling of fairness and to minimize information asymmetries surrounding the network launch

The ASIC presale model

The basic idea is:

  1. To finance this, they sell rights not to tokens, but to physical ASICs
  2. Together with trusted supply chain partners, they manufacture these ASICs ahead of launch
  3. These ASICs are sold to investors or, better yet, to the community of users who want to explicitly support the network in its early days. They are possibly securities, although I haven’t done the legal analysis here. (I am rather uncertain about this part.) These sales are booked as revenue for the issuing corporation
  4. The ASICs support a custom hash function (which is not being employed by any other blockchain)
  5. The developers keep this hash function a secret until the day of launch
  6. At launch, the hash function is disclosed, and a race kicks off among the ASIC manufacturers to build the second generation of ASICs
  7. Within 4-6 months, the first batch is rendered obsolete as new ASICs are manufactured, and the temporary monopoly on issued supply that early backers enjoyed is eroded
  8. Over time, the advantage that early miners enjoyed fades away
  9. The developers commit to never changing the PoW function
  10. The developers hold few/no coins and can exit the project if necessary or adopt a Red-Hat/ Commercial Open Source approach to managing the chain, retaining no explicit in-protocol authority
Image for post
Image for post

You get ASIC-tier security at inception

This is a big advantage over GPU PoW fair launches. As we learn more about the PoW security model, it’s clear that all but the largest GPU-mined networks are simply unsafe. Ethereum is probably an exception because it accounts for such a large fraction of the world’s GPUs, and they cannot be sold or rented in sufficient numbers. Aside from the structurally difficulty of acquiring sufficient hash power, this means that successfully attacking Ethereum would cause the value of GPUs worldwide to depreciate, which is a strong disincentive for any attacker. Aside from Ethereum though, most GPU mined coins are exposed to this risk of rented hardware being used to attack the chain, and we’ve seen copious examples of this. If you believe that dedicated hardware helps with security, then you will prefer the ASIC model. This approach gives you ironclad security from inception.

The investment contract-like element is firmly disentangled from the actual coins

In the case of an ICO, you have tokens which are presold to buyers. If these are understood to be investment contracts, or securities, this potentially compromises the entire supply of tokens, and inhibits their ability to circulate on exchanges. In an attempt to circumvent this, it has been argued that the investment contract covers only rights for future tokens, and that the tokens themselves are not the subjects of the investment contract. It’s under this reasoning that the ETH in the presale are understood to have likely been the subject of an investment contract, but the outstanding units of ETH at delivery of the blockchains were not themselves securities. I don’t really buy this distinction — at the very least, I find it tortured. I find it easier to simply distinguish the two.

You get PoW distribution AND developers can finance themselves in a limited capacity

The distributional advantages of PoW have, to date, not been very well documented, but I have a strong intuition that they lead to better dispersion of supply. Relative to the vanilla PoW launch, developers can also finance R&D and administrative costs involved in launching a new chain. And they’re not violating securities law. Sweet!

You get an arbitrarily long distribution period

Many have noticed that, as far as new monies are concerned, the existence of temporal contingency in distribution introduces an arbitrariness which limits the dispersion of the currency. In other words — short issuances (some ICOs were over in minutes) guarantee that the supply will be highly concentrated. Longer issuances give everyone a shot at obtaining the units of coins. This was part of the intuition behind the yearlong EOS ICO, which was a rather clever idea (aside from the fact that the crowdsale wallets had continuous outflows during that time, leading to conspiracies about recycling treasury funds back into the ICO). If you think about it, the EOS yearlong tokensale was somewhat akin to a PoW launch (with the exception being that the coins contributed to the crowdsale were not burned). Proof of Work gives you an extended permissionless distribution phase, although the decaying block reward means that new supply is much more abundant early on. Bitcoin’s issuance will last over 100 years, but over 80% of all Bitcoins have already been mined.

The rules of the game are very clear

One of the biggest issues with PoW chains in this day and age is ambiguity, especially around changing hash functions. When you have ambiguity, you have debate, and lobbying, and the possibility for developers to exploit their privileged status within the system. This is generally disastrous, and reduces social scalability, as well of the credibility of the system. If a small group of individuals if found to be abusing their protocol access to monetize, the system’s credibility is compromised. One alternative is to simply set the PoW function and commit to never changing it (this is essentially what Bitcoin has opted for, and why Bitcoin should never change its PoW unless something catastrophic occurs). That’s what this model calls for. No debate; no lobbying; no covert exploitation.

The initial advantage depreciates over time, providing the system with natural dispersion

Unlike something like a PoS token sold in a presale, the initial balance of power in the ASIC launch system changes dramatically over time. Initially, a select few have near-monopoly rights on supply. But this is a temporally limited advantage, and the appearance of new ASICs, or even simply the passage of time, and the depreciation that that brings, erodes that initial advantage. I want to emphasise that I consider this a good feature. Too much power granted to the early stakeholders in the network — plus the ability to retain this power, costlessly, in perpetuity, is a dysgenic feature. This massively inhibits the dispersion of the holder base. The presence of PoW is useful here. It induces constant selling on the part of miners, reducing their protocol-proximate privilege. The same cannot be said for staking. While in the case of the ASIC launch we have a privileged few early on, their advantage rapidly depreciates.

Image for post
Image for post
  • what is the shape of the supply curve such that the temporary monopoly on supply would be considered acceptable to future users?
  • how can ASIC buyers have confidence that no additional ASICs were covertly created?
  • can one-shot financing be sufficient to bootstrap a business building an open source protocol?
  • is the limited amount of seigniorage disqualifying in terms of creating a monetary asset?
  • are the ASICs themselves investment contracts/securities, or are they in the clear?
  • is it possible to build an ASIC supply chain that doesn’t concentrate with one or two entities having unilateral control over the hardware production process?

Objections

I will consider a few objections here.

If you applied this model to Bitcoin, six months of mining would represent 1.3m BTC, which is an excessively large fraction of supply

You can tune the shape of the supply curve however you like, to give the monopolists in those first 4–6 months an arbitrary fraction of supply. You could design the curve such that they get 0.1% of supply or 99.5% of supply. I think an issuer would probably aim to target something like 5–10% of supply for that initial period, but that’s a totally wild guess.

Why do you expect that the initial batch of ASICs will last 4–6 months? Why wouldn’t they last essentially forever and give ASIC buyers a permanent advantage?

If the protocol actually ends up being relatively significant, market cap-wise, then ASIC manufacturers will inevitably jump in and make ASICs for it. From conversations with ASIC manufacturers that I know, the shortest period it takes to make a useful ASIC for a new cryptocurrency algorithm is about four months, although I would happily take expert input here. FPGAs in this example wouldn’t suffice, because the existence of ASICs at inception means there’s a relatively high bar to clear in terms of competitive hardware. Either way, the point remains — I fully expect that the first miners would be met with competition within six months at the latest.

The ASICs in this example actually aren’t securities

This isn’t exactly an objection but I wanted to address it anyway. I’ll admit I don’t know the answer here. You definitely have to mix the ASICs with your own labor (and electricity) to get a return, so their value doesn’t purely derive from the efforts of a third party. I am just vaguely guessing that the ASICs might resemble an investment contract. I am not a lawyer. This isn’t legal advice. Either way, if they weren’t securities, that would be even better for the model. We’re trying to avoid violating securities law, remember.

The issuers are giving ASIC manufacturers total power. They could create extra ASICs and cheat the process

This is definitely a risk, so the ASIC manufacturers must be contractually bound or closely trusted by the issuing team. The risk is that they covertly create too many ASICs. There are potential ways of mitigating this. I haven’t put a lot of thought into it, but I feel like the team could set up a protocol similar to google authenticator where they give miners ciphertext to include in coinbase outputs for the first few months, to ensure that the blocks being mined are being created only by ASICs which are accounted for. I’m not sure. I think someone clever could come up with a better way to ensure that only members of a permissioned set of ASICs is permitted to mine for the period in which they have a temporary monopoly.

We don’t need any more blockchains. Stop helping people figure out how to issue new cryptocurrencies

I basically agree, but I’m not going to stop exploring these issues just because you don’t like the idea of new coins existing. We may well discover a reason to create another blockchain at some point. Who knows.

This launch is actually quite unfair, as you’re suggesting creating a premine

Definitionally, this isn’t a premine. There is no “prior mine”. (I’ll admit that quibbling over definitions misses the point). What we have are the issuers monetizing their informational advantage. They know what hash function will be used, and they are selling that information in the form of purpose-built hardware. The mining is up to whoever the ASICs are sold to. They do get a temporary monopoly. Think of it like a taxi medallion which decomposes after six months. It’s clearly unfair. But having observed the Grin launch, and the ProgPoW debate, and the many Monero and Vertcoin “ASIC-resistance” hard forks, it’s very clear to me that developers are extremely susceptible to lobbying over PoW. I would prefer that the hash function is never changed, so that the rules of the game are fixed and the returns to lobbying are 0.

Developers shouldn’t monetize. They should work on these things altruistically. Otherwise you cannibalize intrinsic motivation

I pretty much agree! I think that one of the most perverse outcomes with protocol-funded rewards is that FOSS developers lose their incentive to contribute to the protocol, leaving it all to the professionals who are paid directly from that protocol-funded spigot. This essentially turns a FOSS project into a corporate one, obviating all the advantages of using FOSS in the first place.

Developers can’t sufficiently monetize under this configuration

Excessive developer monetization of a monetary protocol they develop is a very dangerous thing, in my opinion. At a certain threshold you have an operation which is primarily dedicated to extracting rent, rather than delivering computational services at commodity prices. Anything developers to do abuse their authority in the system — including extracting value in excess of the minimum required (which may well be 0) — undermines its credibility and raises the likelihood of users leaving for a less extractive system. I am generally of the belief that no protocol-funded monetization whatsoever is optimal. But if there is to be some, I would tolerate it under the conditions that it is temporary, limited, and does not give the developers permanent authority within the system. This meets those restrictions.

It’s too expensive to launch in this manner. Issuers won’t be able to sufficiently finance themselves

This is a fair critique. Instead of creating the tokens for ~free and selling them, developers have to literally create hardware and sell it. ASICs are generally quite expensive. I suppose it might vary on the type, but a decent run will cost millions of dollars. So the issuers will need to be able to charge a sufficiently high price to extract a margin. This has the interesting effect of “pricing” the offering.

Why go through all this trouble to launch in this convoluted way? Why not just do an ICO and retain a treasury for long term incentive alignment?

First of all, ICOs appear to be a violation of securities law in virtually every sensible jurisdiction. Going “offshore” probably won’t be enough, as many issuers will likely discover in 2020. This post is a proposal for an alternative to the PoW ‘fair’ launch, and the claim is that it improves along a couple directions. It’s not an alternative to ICOs. I believe that in today’s day and age (really anytime post the SEC DAO Report (released July 2017)), ICOs are largely unworkable from a regulatory perspective. Additionally, I think the ICO launch method will have a very hard time creating lasting monies.

ASIC manufacturing is a concentrated industry where foundry allocations and political connections determine the winners. You are ensuring the ASIC manufacturers will be kingmakers here

It’s true that cryptocurrency ASIC manufacturing is currently rather oligopolistic. For a rather eye-opening take on how the industry operates from a U.S. based ASIC manufacturer, read David Vorick’s take here. What’s interesting about the ASIC launch is that is actually strips power from the big manufacturers like Bitmain, and restores it to the issuers of the coin. A fair GPU launch just sets of an arms race among the big ASIC manufacturers over who can build ASICs fastest. When they get there, they intensely lobby the team to not change the algo (see the ProgPoW debate in Ethereum).

Any amount of seigniorage is disqualifying

I am not entirely sure that I would call this seigniorage, as it’s entirely possible that ASIC buyers lose money and end up effectively paying $1.10 for each dollar that they mint. It’s not guaranteed seigniorage, at least. ASIC buyers are taking on a degree of risk. That said, if the model works well, ASIC buyers will be minting coins below market rate — if there wasn’t the possibility of doing that, they wouldn’t participate. So there is potential seigniorage. If you feel that even the slightest amount of seigniorage permanently ruins the credibility of the project, this model won’t work for you. But if you feel, as I do, that a small amount of seigniorage can be very useful, even if it trades off against credibility, you might find this model attractive.

Why are you wasting your time thinking about this? We already have Bitcoin and we don’t need any new chains

I reserve the right to think and write about whatever I find interesting!

Partner, Castle Island Ventures. Cofounder, Coinmetrics.io

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store