In support of the proof of work [un]fair launch

Nic Carter
Dec 27, 2019

Disclaimer: I have no current or future interest in a new cryptocurrency launch, either personally or professionally. This piece is intended generally as a thought experiment, and is NOT an endorsement of any specific project. I do not recommend or condone the creation of any new base-layer cryptocurrencies.

Foreword

The presence of ASICs in Proof of Work systems has always been deeply contentious. At maturity, ASICs enhance the security of the network (by forcing miners to take a long term stake in the success of the protocol), but in the transitional phase, the first hardware manufacturer to build ASICs has a near-monopoly on the minting of new coins. This can lead to the existence of an informal form of seigniorage — minting money at a discount to its market value. Protocols which fork frequently are also exposed to this risk; developers effectively have the ability to determine which PoW function the chain will move to, giving them the ability to monetize their influence over the protocol. This is a potentially very insidious form of corruption, and it impairs the ‘fairness’ quality that PoW is known for. GPU chains also have the undesirable quality of being ‘nicehash-able’ — that is, attackable by renting commodity hardware for a short period of time. There is no long-term bond required to mine a GPU coin, as the hardware is repurposable and salable.

Mindful of these issues, I started thinking last year about how an ASIC launch might work. Not because I have any interest in participating in one, but simply because I find it interesting to think about these tradeoffs. This culminated in this tweet:

About a month later, Obelisk (a subsidiary of Nebulous) published their proposal for a commercial service, dubbed Launchpad, which could facilitate PoW launches with custom pre-built ASICs.

I put my tweet in this article to demonstrate that I’ve been ruminating on these ideas for a long time, and I’m not writing this opportunistically to lend ‘moral support’ to any specific launch. I have had this piece mostly written for a long time, but I neglected it because I figured that PoW launches were essentially defunct and that there wouldn’t be a great deal of interest in them.

In fact, I was wrong about the timeline — no such launch that I am aware of occurred in the 12-month period following the tweet. But it has come to my attention that a few teams are contemplating similar launches today. Thus I felt that my thoughts on this matter might be useful. Not for the benefit of any particular team, but because this gives us an interesting canvas to evaluate issues that are critical to the social scalability and security of these networks, whether it’s Bitcoin or other PoW chains.

If someone is intent on launching a new public blockchain, I firmly think non-premined PoW is the best way to do it, for a number of reasons, which I’ll get into later in the article. But I feel that GPU launches are increasingly more difficult and risky. I cannot stop anyone launching a chain. But I think a careful analysis of the tradeoffs might encourage teams to do things more responsibly, or, at the very least, explore other parts of the design space.

Lastly — some of you will be upset by my musings around how a new generic blockchain might be launched. If this is the case, I’d recommend simply closing the tab and disengaging. Additionally, while I think Bitcoin is likely sufficient as far as non-state monies go, I am also not willing to permanently rule out the potential emergence of some other PoW blockchain. I don’t see why we’d need another one now, but I find it hard to believe that Bitcoin is both the first and last viable blockchain ever to be created. I’m not afraid of competition, either. I think Bitcoin has its own unique merits, and smaller launches don’t compete with it or impair it in any way. Since it’s entirely possible to me that we do end up with another PoW chain at some point, it’s worth thinking about how to launch them.

Just so I’m absolutely clear on this: I’m not endorsing any specific launch or coin, or even new PoW launches generally. In fact, I would generally discourage anyone from launching a new blockchain. They tend to be boondoggles or ghost towns. But I am not ruling out the potential existence of a new blockchain at some point in the future.

Introduction

New cryptocurrency launches are beset by a strange paradox: they typically require a single, authoritative entity to spearhead development, to manage the process of launch, and coordinate development for a meaningful period throughout its infancy. Generally, a considerable amount of upfront investment in R&D is required to create a differentiated protocol. All of these features tend to require the organizational and financial efforts of a single entity.

But of course the backing of a corporate entity (or the more subtle, let’s-pretend-there’s-no-organization-pulling-the-strings-here model) is a critical point of centralization. This means that adversaries have very obvious buttons to press if the protocol grows too big or disruptive; generally speaking, anyone hostile to the network will have an abundant ability to interfere with it. Additionally, these administrative entities often choose to retain not only a large fraction of supply, but also discretion over decision making, trademarks, and vetoes over future development directions. Much like Engels’ quote around the “withering state” as the end result of a socialist utopia, the claimed “path to decentralization” in monetary protocols is closer to rhetoric than reality.

To truly commit to surrendering power, the founders of these projects must be comfortable with austerity and eventual irrelevance. It’s sometimes said that Satoshi’s second most brilliant insight, behind creating Bitcoin, was leaving the project. Lamentably, virtually no cryptocurrency founders since have followed his lead, preferring filthy lucre and a shot at joining the Davos class, alongside their fellow central bankers.

Numerous models of protocol financing have been attempted over the years: the bitcointalk premine, the more sophisticated ICO, the founders reward, the covert premine and backdated whitepaper, the instamine, the merged fork. The purists will maintain that nothing other than a proof of work fair launch (ensuring no seigniorage, not even for the developers) is sufficient to confer the founding team with the legitimacy to create a worldwide protocol.

They have a point: it’s vanishingly unlikely that, if a meaningful portion of the world switches to a neutral cryptocurrency protocol, future buyers of the coin would find it acceptable to enrich founders who allocated themselves 20% or more of this global currency for free. Seigniorage — more generally, the distinct feeling of unfairness, or being cheated — leaves a particularly nasty taste in one’s mouth. This, rather than any technical foibles, will be the doom of most of those sexy new high-TPS VC-backed base layer protocols. These aren’t startups: these are monies, competing on credibility, neutrality, institutional stability, and fairness. Private equity is concentrated and unfair, but you don’t need to use Uber stock to buy your daily bread. For something as essential as money, fairness is critical. A deeply unfair launch is an ugly miasma, lingering nastily, poisoning the authenticity of the project.

The singular appeal of a Proof of Work launch is not simply in the distributional advantage that at-home mining gets you (although this is a potent and underrated feature). No, the most important feature of the PoW fair launch is that it ensures that it is impossible to acquire coins for below market rate. You can purchase the coins on the market or with electricity; no one is entitled to an insider deal. Compare this to a dev team premining an ERC20 and then dripping it out on the market over a period of years. This looks cosmetically the same as PoW. But it’s not — because that team was able to acquire all the coins for $0. It would be similar to PoW if the dev team took the funds they received in exchange for the coins and set them on fire.

Of course, the disadvantage inherent in the ‘fair launch’ is the fact that it’s challenging to monetize the network, especially early on. This is fine if developers are happy to work idealistically or altruistically. In Bitcoin, patrons eventually emerged, as the network came to be systemically important. Today, a rich and diverse set of patrons subsidize dozens of core developers to keep the chain running smoothly and work on long term infrastructure. This is perhaps the ideal model; but Bitcoin has the advantage of being the first, the most critically important, and not having venture backers to reckon with. Today, any new cryptocurrency struggles to distinguish itself. Obtaining sufficient traction to survive on patronage or donations is a tall order. And as far as front-loaded R&D goes, this is virtually impossible to finance without some sort of sale of future rights to protocol tokens. Many will point to the Grin case study here. Having made the somewhat anachronistic decision to aim for a proof of work fair launch targeted at GPUs, the Grin team struggled to monetize. Donations so far have been relatively scarce. A cautionary tale, to many.

Of course, those smugly deriding the weaknesses of the fair launch model tend to do so with the implicit intention of advertising straightforwardly exploitative launch models of their own. Let he who is without premine cast the first stone. Even though Grin has struggled for financing so far, its odds of becoming a significant monetary asset are not encumbered by securities laws issues, by the risk of the founder being arrested, or by the community becoming disenchanted as they are exploited by VCs dumping on them at the first opportunity (For those who don’t believe me, read the fundraising decks of the crypto funds targeting token strategies. That language about low “time to liquidity” — that’s code for “we plan to exit our token positions at the public sale, because we want to secure a riskless return and dump this asset as soon as possible”).

The 2014–18 era ICO was, for the most part, a disastrous financial instrument. I have never come across a single one that I felt was issued responsibly to the public. Once these stopped being accessible to the general public, they lost their sole advantage: wide, permissionless distribution (note that this is a native feature of PoW). The issues with ICOs, especially those opting immediately for a proof of stake authority model (instead of a PoW bootstrapping, as Ethereum wisely opted for), are numerous:

  • Insiders can purchase their own crowdsale, and covertly obtain an arbitrarily high fraction of supply for free (because they also get to collect the funds committed to the crowdsale)
  • Buyers can obtain tokens for arbitrarily low prices, since they are not created in a costly manner through proof of work, but summoned out of thin air. Thus, the private rounds that predate public sales often consist of pure seigniorage
  • Tokens often end up being a bizarre mishmash of an informal investment contract, and an arcade token for unlocking network resources. This causes speculation to crowd out usage and leads to very confused theories of value accrual
  • Tokens sold to the public (or done obliquely, a la Telegram) closely resemble investment contracts in most sensible jurisdictions, and this tends to make the issuers subject to securities laws, whether they like it or not
  • Issuers that retain a large fraction of supply tend to retain authority in the network, especially if a Proof of Stake model is opted for. This hampers the path to decentralizing authority, as issuers tend to resist divesting their share of the network
  • Early backers can obtain disproportionate shares of supply for essentially free, and then costlessly retain that advantage in perpetuity if the network follows a PoS model. This is a potent force which chills the dispersion of tokens, as stakers are not compelled to sell. In PoW, by contrast, miners must constantly spend and invest to retain proportional network authority. In PoS, retaining stake is simply the cost of running a server

My central point is this: the principal challenge in the administration of a new monetary commodity is not a technical one. Of course, your blockchain must have compelling technical features. But ultimately the difficulty lies in climbing the wall of indifference. At inception, no one cares about your system. At maturity, you need tens and possibly hundreds of millions of individuals to care. If you give early investors discounted access to a significant fraction of supply, and then give them powerful anti-dilution rights (while hoping/expecting that future individuals will use your network as working capital and tolerate some dilution, in effect subsidizing the early buyers who passively stake), you risk creating a patently unfair system in which the winners are a function of the arbitrary prehistory of the chain.

Attracting anyone to a network like this strikes me as profoundly unlikely. Why your chain? Why not an equivalent fair launch, where every owner worked for their coins, instead of receiving an allocation through some proximity to the founding team?

But, ICOs, premines, and founder-tax coins have a crucial advantage: the ability to subsidize work on the protocol, even prior to its launch. Naively presuming that, in 2019, not all the cryptocurrency protocols that will ever exist have already been launched, one might go as far as to say that subsidizing work on a protocol prior to its launch might be a desirable property. So can one mix and match the desirable qualities of a coin launch while avoiding the worst of them? I certainly think so. Let’s review three popular models:

Certainly more cons than pros in this case. In the U.S., selling rights to a cryptocurrency, especially to the general public, seems to be out of favor with our securities regulators. Not recommended. Additionally, giving early backers or big holders permanent, cheap-to-exercise anti-dilution rights dulls the dispersion of tokens, limiting its reach. We have fairly good data on this, thanks to the transparency that blockchains offer us. (I’d love to see a serious piece of work comparing the dispersion of ownership in PoS chains versus PoW chains. If you’re a researcher who is interested in taking this on, get in touch! I have data.)

A classic. The Bitcoin, Litecoin, Monero, and Grin model. A sensible approach, but difficult to bootstrap support, and reliant on community funding or patronage for ongoing support. Very effective and hard to kill if you can pull it off — but it requires a huge amount of community building to get traction. These appear to be getting less and less viable with time, especially as the financial stakes have grown. I’d expect that virtually all GPU launches today would be subject to the risk of insiders with prior knowledge of the algorithm covertly creating ASICs.

This is the hybrid model, pioneered by Zcash. This is essentially equivalent to a vested premine. It better aligns incentives than a pure premine, as the allocations are not unlocked for a number of years. Nevertheless, the proposal has issues of its own: in the case of Zcash, the protocol has been racked with controversy over whether the administrator should receive additional protocol-derived funding. The spigot of seigniorage is very hard to turn off, once active.

At this point, you might be wondering why I don’t simply agitate for vanilla PoW fair launches. By this rubric they seem plainly superior. But they aren’t without their issues. I think it’s worth being realistic about GPU PoW launches. Let’s look at a couple recent case studies.

Why GPU fair launches might be a thing of the past

As someone who followed the Grin launch rather closely, I must admit that it felt like a nostalgic last foray into a prior era. I got a decidedly Proustian pang from watching the process play out. As if I had dipped my madeleine in the tea and been transported back to the glory days of PoW launches from 2012–14.

The gossip going around about “$100m in VC-backed SPVs” was hyperbolic, but the launch certainly had problems. Initially hoping to stay ASIC-resistant in perpetuity, the developers ultimately opted for a pragmatic GPU-to-ASIC phased approach, envisioning a slow transition to an ASIC dominated network, but hoping for some more widely accessible GPU mining to begin with. There was a period of GPU mining, but some miners are now reporting to me that ASICs, or at least more efficient hardware (FPGAs), have begun to take a significant share of hashrate, somewhat ahead of the desired schedule. This isn’t exactly a failure, but it does illustrate the colossal difficulty inherent in the notion of ASIC resistance.

You are creating an enormous bounty for anyone to anticipate the PoW change, or to lobby the developers for a favorable outcome. The Grin developers did dither a little bit on the ultimate model for PoW (this was naturally a rather fraught discussion) and this ambiguity caused a lot of gnashing of teeth and lobbying efforts. It would have been far more efficient, overall, if resources had not been allocated to lobbying developers for a favorable hash function. Ultimately, the devs took extreme care to make the chain hostile to ASICs at inception, but they couldn’t stem the flow. They didn’t opt for ASICs right away due to a naive view that GPUs would dominate for the early history of Grin (and the difficulty coordinating this model with a distributed, non-corporate team), but ASICs (or at least FPGAs) appeared anyway.

Most ASIC resistant chains are beset by this same difficulty. They effectively create a massive bounty for teams to create FPGAs or ASICs and fly below the radar, hoping they aren’t discovered. Su Zhu says it well here:

You might imagine future teams would learn from this and bite the bullet, issuing ASICs right off the bat.

A proposal

Having rambled long enough, I’ll share what I have in mind. Let’s revisit what we’d like to optimize for:

  • we’d like to limit seigniorage; that is, we want virtually every participant to have the ability to obtain the tokens at market price, with relatively few exceptions to this rule
  • we want the distribution period to be as long as possible
  • if being an early backer of the network does confer an advantage, it should be a temporary one and erode over time
  • a position of authority in the system should be costly to retain; it should not be costless to exert influence in perpetuity
  • being an early backer of the network should not grant you permanent anti-dilution rights
  • we want the system to work under existing securities laws in the U.S.: we want to disentangle the investment contract from the asset issued by the protocol
  • we want the network to be secure at inception (from a crypto-economic perspective)
  • we want the founding team to be able to meaningfully divest power and authority from the network; and
  • we want to inculcate a feeling of fairness and to minimize information asymmetries surrounding the network launch

I believe virtually all of these qualities can be obtained in a model that has not been tried before:

The ASIC presale model

The basic idea is:

  1. Some developers create a new cryptocurrency protocol.
  2. To finance this, they sell rights not to tokens, but to physical ASICs
  3. Together with trusted supply chain partners, they manufacture these ASICs ahead of launch
  4. These ASICs are sold to investors or, better yet, to the community of users who want to explicitly support the network in its early days. They are possibly securities, although I haven’t done the legal analysis here. (I am rather uncertain about this part.) These sales are booked as revenue for the issuing corporation
  5. The ASICs support a custom hash function (which is not being employed by any other blockchain)
  6. The developers keep this hash function a secret until the day of launch
  7. At launch, the hash function is disclosed, and a race kicks off among the ASIC manufacturers to build the second generation of ASICs
  8. Within 4-6 months, the first batch is rendered obsolete as new ASICs are manufactured, and the temporary monopoly on issued supply that early backers enjoyed is eroded
  9. Over time, the advantage that early miners enjoyed fades away
  10. The developers commit to never changing the PoW function
  11. The developers hold few/no coins and can exit the project if necessary or adopt a Red-Hat/Commercial Open Source approach to managing the chain, retaining no explicit in-protocol authority

Let’s consider the pros and cons of the model.

I think the primary advantages of the ASIC presale model are as follows:

You get ASIC-tier security at inception

This is a big advantage over GPU PoW fair launches. As we learn more about the PoW security model, it’s clear that all but the largest GPU-mined networks are simply unsafe. Ethereum is probably an exception because it accounts for such a large fraction of the world’s GPUs, and they cannot be sold or rented in sufficient numbers. Aside from the structural difficulty of acquiring sufficient hash power, this means that successfully attacking Ethereum would cause the value of GPUs worldwide to depreciate, which is a strong disincentive for any attacker. Aside from Ethereum though, most GPU mined coins are exposed to this risk of rented hardware being used to attack the chain, and we’ve seen copious examples of this. If you believe that dedicated hardware helps with security, then you will prefer the ASIC model. This approach gives you ironclad security from inception.

The investment contract-like element is firmly disentangled from the actual coins

In the case of an ICO, you have tokens which are presold to buyers. If these are understood to be investment contracts, or securities, this potentially compromises the entire supply of tokens, and inhibits their ability to circulate on exchanges. In an attempt to circumvent this, it has been argued that the investment contract covers only rights for future tokens, and that the tokens themselves are not the subjects of the investment contract. It’s under this reasoning that the ETH in the presale are understood to have likely been the subject of an investment contract, but the outstanding units of ETH at delivery of the blockchains were not themselves securities. I don’t really buy this distinction — at the very least, I find it tortured. I find it easier to simply distinguish the two.

In the case of the ASIC presale, you very clearly distinguish the investment contract from the coins themselves. If there’s anything which is security-like, it’s the ASIC sold to investors (although, as noted, it’s entirely possible that these aren’t even securities, as end users have to actually operate them and feed them with electricity, obviating the ‘efforts of third parties’ prong of Howey). The actual coins themselves are totally in the clear, in my opinion, since they are issued by the protocol in the manner of a conventional fair launch. I think we have copious evidence that fair launch tokens are not understood to be securities by the SEC. This gives potential users really convenient assurances that the trading of the asset won’t suddenly be restricted to security token trading venues. This is one of the greatest advantages of the model.

You get PoW distribution AND developers can finance themselves in a limited capacity

The distributional advantages of PoW have, to date, not been very well documented, but I have a strong intuition that they lead to better dispersion of supply. Relative to the vanilla PoW launch, developers can also finance R&D and administrative costs involved in launching a new chain. And they’re not violating securities law. Sweet!

You get an arbitrarily long distribution period

Many have noticed that, as far as new monies are concerned, the existence of temporal contingency in distribution introduces an arbitrariness which limits the dispersion of the currency. In other words — short issuances (some ICOs were over in minutes) guarantee that the supply will be highly concentrated. Longer issuances give everyone a shot at obtaining the units of coins. This was part of the intuition behind the yearlong EOS ICO, which was a rather clever idea (aside from the fact that the crowdsale wallets had continuous outflows during that time, leading to conspiracies about recycling treasury funds back into the ICO). If you think about it, the EOS yearlong tokensale was somewhat akin to a PoW launch (with the exception being that the coins contributed to the crowdsale were not burned). Proof of Work gives you an extended permissionless distribution phase, although the decaying block reward means that new supply is much more abundant early on. Bitcoin’s issuance will last over 100 years, but over 80% of all Bitcoins have already been mined.

Comparing a PoW launch to a generic ICO, it’s very clear that permissionless access in a newly-launched ICO is impossible. Tezos straddled this transition, following a no-KYC crowdsale with a subsequent forced KYC process to unlock user Tezzies. I would imagine that all subsequent ICOs (to the extent that they do occur) will follow suit. The difference with PoW is that you are acquiring coins from a protocol. While ASIC suppliers might ask for KYC, generally speaking, mining is a much less permissioned environment than ICOs or crowdsales. Add in the reality that electricity is much more globally available than access to capital markets, and PoW looks very attractive. A protocol retailing off coins in exchange for electricity over a long period of time is an extremely potent means to issue an asset to a global audience. No one has devised a better way so far.

The rules of the game are very clear

One of the biggest issues with PoW chains in this day and age is ambiguity, especially around changing hash functions. When you have ambiguity, you have debate, and lobbying, and the possibility for developers to exploit their privileged status within the system. This is generally disastrous, and reduces social scalability, as well as the credibility of the system. If a small group of individuals is found to be abusing their protocol access to monetize, the system’s credibility is compromised. One alternative is to simply set the PoW function and commit to never changing it (this is essentially what Bitcoin has opted for, and why Bitcoin should never change its PoW unless something catastrophic occurs). That’s what this model calls for. No debate; no lobbying; no covert exploitation.

The initial advantage depreciates over time, providing the system with natural dispersion

Unlike something like a PoS token sold in a presale, the initial balance of power in the ASIC launch system changes dramatically over time. Initially, a select few have near-monopoly rights on supply. But this is a temporally limited advantage, and the appearance of new ASICs, or even simply the passage of time, and the depreciation that that brings, erodes that initial advantage. I want to emphasise that I consider this a good feature. Too much power granted to the early stakeholders in the network — plus the ability to retain this power, costlessly, in perpetuity, is a dysgenic feature. This massively inhibits the dispersion of the holder base. The presence of PoW is useful here. It induces constant selling on the part of miners, reducing their protocol-proximate privilege. The same cannot be said for staking. While in the case of the ASIC launch we have a privileged few early on, their advantage rapidly depreciates.

Let’s unite everything in a big chart, to compare how the alternative launch methods deal with various downsides.

While I think this is an interesting and attractive model for a new launch, there are certainly some open questions still, especially as we’ve never seen it done in the wild. These are some of mine:

  • is it possible to extract a margin on ASICs sufficient to render this a profitable enterprise?
  • what is the shape of the supply curve such that the temporary monopoly on supply would be considered acceptable to future users?
  • how can ASIC buyers have confidence that no additional ASICs were covertly created?
  • can one-shot financing be sufficient to bootstrap a business building an open source protocol?
  • is the limited amount of seigniorage disqualifying in terms of creating a monetary asset?
  • are the ASICs themselves investment contracts/securities, or are they in the clear?
  • is it possible to build an ASIC supply chain that doesn’t concentrate with one or two entities having unilateral control over the hardware production process?

What do you think? Worth trying or a pointless waste of time? I’m curious to hear your thoughts. I feel that launch methods are generally under-covered, so I hope that this post kicks off some discussion, regardless of whether this model is considered viable.

Objections

I will consider a few objections here.

If you applied this model to Bitcoin, six months of mining would represent 1.3m BTC, which is an excessively large fraction of supply

You can tune the shape of the supply curve however you like, to give the monopolists in those first 4–6 months an arbitrary fraction of supply. You could design the curve such that they get 0.1% of supply or 99.5% of supply. I think an issuer would probably aim to target something like 5–10% of supply for that initial period, but that’s a totally wild guess.
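The supply-curve tuning described above, worked through as an added example that is not part of the original article. It assumes a Bitcoin-style schedule (constant reward per era, halved at a fixed interval) and 10-minute blocks; the function names are illustrative.

```python
"""Fraction of a halving-schedule supply mined during an initial window."""

BLOCKS_PER_SIX_MONTHS = 26_280  # assumption: 10-minute blocks, 365 days / 2


def fraction_issued(n_blocks: int, halving_interval: int) -> float:
    """Share of the eventual total supply issued in the first n_blocks.

    Assumes the reward is constant within an era and halves every
    halving_interval blocks, continued indefinitely with no integer
    rounding. The starting reward cancels out, so it is not a parameter.
    """
    if n_blocks < 0 or halving_interval <= 0:
        raise ValueError("n_blocks must be >= 0 and halving_interval > 0")
    full_eras, remainder = divmod(n_blocks, halving_interval)
    # Completed eras hold 1/2 + 1/4 + ... of the total: 1 - 2^-full_eras.
    done = 1.0 - 0.5 ** full_eras
    # The current era holds 2^-(full_eras + 1) of the total, issued evenly.
    partial = (remainder / halving_interval) * 0.5 ** (full_eras + 1)
    return done + partial


def halving_interval_for(target_fraction: float, window_blocks: int) -> int:
    """Largest halving interval that gives the window at least target_fraction."""
    if not 0.0 < target_fraction < 1.0:
        raise ValueError("target_fraction must be strictly between 0 and 1")
    if fraction_issued(window_blocks, 1) < target_fraction:
        raise ValueError("window too short to ever reach the target")
    lo, hi = 1, 2
    # The fraction shrinks as the interval grows; find an interval that is too long.
    while fraction_issued(window_blocks, hi) >= target_fraction:
        lo, hi = hi, hi * 2
    # Invariant: fraction(lo) >= target > fraction(hi).
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if fraction_issued(window_blocks, mid) >= target_fraction:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    btc = fraction_issued(BLOCKS_PER_SIX_MONTHS, 210_000)
    print(f"Bitcoin schedule: {btc:.2%} of supply, {btc * 21e6:,.0f} BTC")
    for target in (0.001, 0.05, 0.10, 0.995):
        h = halving_interval_for(target, BLOCKS_PER_SIX_MONTHS)
        print(f"{target:>6.1%} in first six months -> halve every {h:,} blocks")
```

Because the starting reward cancels out, the halving interval relative to the monopoly window is the only knob in this family of curves.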

Why do you expect that the initial batch of ASICs will last 4–6 months? Why wouldn’t they last essentially forever and give ASIC buyers a permanent advantage?

If the protocol actually ends up being relatively significant, market cap-wise, then ASIC manufacturers will inevitably jump in and make ASICs for it. From conversations with ASIC manufacturers that I know, the shortest period it takes to make a useful ASIC for a new cryptocurrency algorithm is about four months, although I would happily take expert input here. FPGAs in this example wouldn’t suffice, because the existence of ASICs at inception means there’s a relatively high bar to clear in terms of competitive hardware. Either way, the point remains — I fully expect that the first miners would be met with competition within six months at the latest.

The ASICs in this example actually aren’t securities

This isn’t exactly an objection but I wanted to address it anyway. I’ll admit I don’t know the answer here. You definitely have to mix the ASICs with your own labor (and electricity) to get a return, so their value doesn’t purely derive from the efforts of a third party. I am just vaguely guessing that the ASICs might resemble an investment contract. I am not a lawyer. This isn’t legal advice. Either way, if they weren’t securities, that would be even better for the model. We’re trying to avoid violating securities law, remember.

The issuers are giving ASIC manufacturers total power. They could create extra ASICs and cheat the process

This is definitely a risk, so the ASIC manufacturers must be contractually bound or closely trusted by the issuing team. The risk is that they covertly create too many ASICs. There are potential ways of mitigating this. I haven’t put a lot of thought into it, but I feel like the team could set up a protocol similar to Google Authenticator where they give miners ciphertext to include in coinbase outputs for the first few months, to ensure that the blocks being mined are being created only by ASICs which are accounted for. I’m not sure. I think someone clever could come up with a better way to ensure that only members of a permissioned set of ASICs are permitted to mine for the period in which they have a temporary monopoly.
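One way the Google Authenticator-style check could look, as an added sketch that is not from the original article: each accounted-for ASIC holds a secret key and puts an HMAC tag in its coinbase, with the block height playing the role of the HOTP counter. The key provisioning, field layout, window length and all names are assumptions, and, as with Google Authenticator, the verifier must hold the device keys, so this is a check the issuer runs and not a rule every node could verify.

```python
import hashlib
import hmac
import struct

WINDOW_BLOCKS = 26_280  # assumption: tags required for ~6 months of 10-minute blocks
TAG_LEN = 16            # assumption: tag truncated to 16 bytes to save coinbase space


def coinbase_tag(device_key: bytes, height: int, prev_hash: bytes,
                 payout_script: bytes) -> bytes:
    """HOTP-style tag with the block height as the counter.

    prev_hash stops tags being computed ahead of time; payout_script stops a
    competing miner copying a broadcast tag into a block that pays themselves.
    """
    msg = (struct.pack(">Q", height) + prev_hash
           + hashlib.sha256(payout_script).digest())
    return hmac.new(device_key, msg, hashlib.sha256).digest()[:TAG_LEN]


class AsicRegistry:
    """Issuer-side list of provisioned devices (hypothetical structure)."""

    def __init__(self, device_keys: dict):
        self._keys = dict(device_keys)
        # A device finding far more blocks than its hashrate share would
        # suggest its key was cloned into hardware that is not accounted for.
        self.blocks_by_device = {dev: 0 for dev in device_keys}

    def check(self, height: int, prev_hash: bytes, payout_script: bytes,
              device_id: str, tag: bytes) -> str:
        if height >= WINDOW_BLOCKS:
            return "accept: window over"
        key = self._keys.get(device_id)
        if key is None:
            return "reject: unknown device"
        expected = coinbase_tag(key, height, prev_hash, payout_script)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "reject: bad tag"
        self.blocks_by_device[device_id] += 1
        return "accept: registered device"


def demo() -> list:
    # Constructed sample data: keys, hashes and scripts are made up.
    key_a = hashlib.sha256(b"constructed key for asic-0001").digest()
    registry = AsicRegistry({"asic-0001": key_a})
    prev = hashlib.sha256(b"constructed previous block").digest()
    honest, thief = b"pay-to-honest-miner", b"pay-to-copycat"
    tag = coinbase_tag(key_a, 100, prev, honest)
    return [
        registry.check(100, prev, honest, "asic-0001", tag),    # genuine block
        registry.check(100, prev, honest, "asic-9999", tag),    # unlisted device
        registry.check(101, prev, honest, "asic-0001", tag),    # tag replayed at next height
        registry.check(100, prev, thief, "asic-0001", tag),     # tag copied, payout swapped
        registry.check(WINDOW_BLOCKS, prev, thief, "any", b""), # monopoly window closed
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```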

We don’t need any more blockchains. Stop helping people figure out how to issue new cryptocurrencies

I basically agree, but I’m not going to stop exploring these issues just because you don’t like the idea of new coins existing. We may well discover a reason to create another blockchain at some point. Who knows.

This launch is actually quite unfair, as you’re suggesting creating a premine

Definitionally, this isn’t a premine. There is no “prior mine”. (I’ll admit that quibbling over definitions misses the point). What we have are the issuers monetizing their informational advantage. They know what hash function will be used, and they are selling that information in the form of purpose-built hardware. The mining is up to whoever the ASICs are sold to. They do get a temporary monopoly. Think of it like a taxi medallion which decomposes after six months. It’s clearly unfair. But having observed the Grin launch, and the ProgPoW debate, and the many Monero and Vertcoin “ASIC-resistance” hard forks, it’s very clear to me that developers are extremely susceptible to lobbying over PoW. I would prefer that the hash function is never changed, so that the rules of the game are fixed and the returns to lobbying are 0.

So in this case we have a transparently unfair model, as contrasted with a (potential) covertly unfair situation which people naively think is fair. The latter would be disastrous. Imagine a chain which was ASIC resistant, forked to a new PoW, for which it later emerged that the developers had custom-designed hardware, while everyone else mined with GPUs. This would constitute an exploitation of the community, and a breach of trust. This is entirely possible within the framework of ASIC-resistant coins, and I expect it to happen at some point. I’m proposing a situation with temporally limited unfairness, which decomposes over time, and becomes pretty explicitly fair thereafter.

Developers shouldn’t monetize. They should work on these things altruistically. Otherwise you cannibalize intrinsic motivation

I pretty much agree! I think that one of the most perverse outcomes with protocol-funded rewards is that FOSS developers lose their incentive to contribute to the protocol, leaving it all to the professionals who are paid directly from that protocol-funded spigot. This essentially turns a FOSS project into a corporate one, obviating all the advantages of using FOSS in the first place.

This specific configuration is a very limited monetization. The developers sell ASICs at the price that the market will tolerate, and that’s the only chance they have to directly monetize their protocol access. Later on, they can think about adopting the Red Hat / COSS / Blockstream model, where they monetize their protocol-specific expertise. But this model also empowers the initial issuers/developers to exit the project without destroying it, because they do not have permanent authority in the network, as would be the case with an issuing team retaining a large fraction of PoS tokens, for instance.

Developers can’t sufficiently monetize under this configuration

Excessive developer monetization of a monetary protocol they develop is a very dangerous thing, in my opinion. At a certain threshold you have an operation which is primarily dedicated to extracting rent, rather than delivering computational services at commodity prices. Anything developers do to abuse their authority in the system — including extracting value in excess of the minimum required (which may well be 0) — undermines its credibility and raises the likelihood of users leaving for a less extractive system. I am generally of the belief that no protocol-funded monetization whatsoever is optimal. But if there is to be some, I would tolerate it under the conditions that it is temporary, limited, and does not give the developers permanent authority within the system. This meets those restrictions.

It’s too expensive to launch in this manner. Issuers won’t be able to sufficiently finance themselves

This is a fair critique. Instead of creating the tokens for ~free and selling them, developers have to literally create hardware and sell it. ASICs are generally quite expensive. I suppose it might vary on the type, but a decent run will cost millions of dollars. So the issuers will need to be able to charge a sufficiently high price to extract a margin. This has the interesting effect of “pricing” the offering.

If the ASICs are expected to have a monopoly on issuance in the first six months, and 10 percent of supply will be issued in that period, the value of the fully diluted supply will roughly be 10 times what buyers pay for the ASICs. This establishes a floor for the required valuation of a project for issuers to be able to monetize in this manner. Let’s say it costs $5m to create a run of 1000 ASICs (it may well be much more — I don’t know much about hardware). Developers need to collect a decent chunk to finance R&D, let’s say another $5m. So they need to be able to retail the ASICs for $10m collectively, or $10,000 each. Let’s also say they decide to issue 10% of supply in the first 6 months and they think the ASICs will hold up for that period. This means that the chain has to be priced by the market at a $100m valuation in the aggregate (at the time of the ASIC sale) for the issuers to collect sufficient margins.

Why go through all this trouble to launch in this convoluted way? Why not just do an ICO and retain a treasury for long term incentive alignment?

First of all, ICOs appear to be a violation of securities law in virtually every sensible jurisdiction. Going “offshore” probably won’t be enough, as many issuers will likely discover in 2020. This post is a proposal for an alternative to the PoW ‘fair’ launch, and the claim is that it improves along a couple directions. It’s not an alternative to ICOs. I believe that in today’s day and age (really anytime post the SEC DAO Report (released July 2017)), ICOs are largely unworkable from a regulatory perspective. Additionally, I think the ICO launch method will have a very hard time creating lasting monies.

This is still a hypothesis, but I strongly feel that the most important trait of a novel monetary system is a widely dispersed ownership. It starts with a Gini of 1 and its objective is to get to a reasonable level of dispersion with time. Now I don’t mean perfect equality of outcome — such a thing is impossible, and it’s unclear how that would even work. Every adult in 2019 receiving an equal entitlement to a share of the new monetary system? What about future humans? Unborn children? Even if mechanically possible, a global UBI would still be exposed to immense temporal contingency — privileging the interests of people today.

Airdrops don’t appear to work very well. Stellar’s attempt to distribute their coins as widely as possible has been a truly dismal failure. Something received for free tends not to be valued by the recipient. No surprise. Proof of Work is a potentially superior system. Miners must work for their share. They must commit time and effort to mining. This distribution method is truly underappreciated. If Ethereum succeeds, it will be in large part because it was mineable for 5+ years on commodity GPUs. Delaying the switch to PoS (which I argue above dulls the dispersion of coins) was a saving grace, in my opinion. As stated, this is still just an intuition. But I feel that PoW’s distributional qualities are very underrated. Many of these closely held monetary protocols will face the Sisyphean task of getting users to store value in their currency.

ASIC manufacturing is a concentrated industry where foundry allocations and political connections determine the winners. You are ensuring the ASIC manufacturers will be kingmakers here

It’s true that cryptocurrency ASIC manufacturing is currently rather oligopolistic. For a rather eye-opening take on how the industry operates from a U.S. based ASIC manufacturer, read David Vorick’s take here. What’s interesting about the ASIC launch is that it actually strips power from the big manufacturers like Bitmain, and restores it to the issuers of the coin. A fair GPU launch just sets off an arms race among the big ASIC manufacturers over who can build ASICs fastest. When they get there, they intensely lobby the team to not change the algo (see the ProgPoW debate in Ethereum).

In this situation, the team works with an ASIC manufacturer of their choice to create ASICs for launch, and ASIC manufacturers then have the opportunity to make chain-specific hardware subsequently. What is very clear is that the early returns to mining will not accrue to the big ASIC manufacturers. If they exist, they will accrue to the community members who purchased the ASICs from the issuers. This is overall a significant improvement. I’ll add that there’s an awkward transition that virtually every ASIC resistant chain has to and will make as they eventually capitulate and embrace ASICs. Choosing to trumpet ASIC resistance, coordinating a couple hard forks, and eventually accepting the inevitability of ASICs is to create a huge amount of ambiguity that ASIC manufacturers can and do exploit. I much prefer a game where the rules are explicit from day 0.

Lastly, there’s the possibility to create ASICs which aren’t as exposed to the supply chain idiosyncrasies that SHA-256 ASICs are currently subject to. The kingmakers for Bitcoin ASICs are the foundries, which privilege the big ASIC manufacturers who can pre-pay for access and compete for allocations. Some alternative technologies like optical Proof of Work purport to inculcate a fairer ASIC manufacturing process. I haven’t independently verified this, but this is the claim. If so, ASICs of that sort would be easier to mass-produce in a greater variety of settings.

Any amount of seigniorage is disqualifying

I am not entirely sure that I would call this seigniorage, as it’s entirely possible that ASIC buyers lose money and end up effectively paying $1.10 for each dollar that they mint. It’s not guaranteed seigniorage, at least. ASIC buyers are taking on a degree of risk. That said, if the model works well, ASIC buyers will be minting coins below market rate — if there wasn’t the possibility of doing that, they wouldn’t participate. So there is potential seigniorage. If you feel that even the slightest amount of seigniorage permanently ruins the credibility of the project, this model won’t work for you. But if you feel, as I do, that a small amount of seigniorage can be very useful, even if it trades off against credibility, you might find this model attractive.

Why are you wasting your time thinking about this? We already have Bitcoin and we don’t need any new chains

I reserve the right to think and write about whatever I find interesting!
