Issues with the Layer Protocol and LRX.
The Layer Protocol is a project that aims to provide a ‘distributed reputation, incentive, and payments’ system on the Ethereum blockchain. The Layer Foundation is planning an ICO in Q3 and has released a whitepaper (v1.0.1) with technical specifications. Layer is intended to be used by ‘asset sharing’ services like Airbnb, Zipcar, or ride hailing companies as a way to look up and rate the trustworthiness of their users. Layer shares a founding team with Spin, a dockless bike and e-scooter startup, and the team’s stated plan is to bootstrap Layer with Spin as its first consumer.
(See Addendum for comment from the Layer team confirming that the Layer Protocol is centralized, trusted, and unverifiable.)
A brief description of the protocol
Layer allows a company to retrieve and update the reputation score of a user. The users are identified via a hash of a struct containing their email address, and/or phone number, and the last 4 digits of their credit card number. Agents on the network pay to participate, and are incentivized to behave, via an Ethereum Token named LRX. The whitepaper leaves some technical details unexplored, but describes the network’s agents as: users, asset providers, and the Layer Foundation. Its described technical components are: the Ethereum blockchain (hosting smart contracts which vend reputation scores and receive reputation input), Layer Nodes (which compute on demand aggregate reputation scores from ratings of individual transactions, and are not hosted on the blockchain), and a distributed backing store (which saves an immutable log of ratings off of the blockchain).
The network will attempt to incentivize proper use by collecting an (undefined) ‘bond’ from companies before allowing them to query for Users’ reputation scores, charging companies for each query, paying Layer Nodes to do reputation calculations and report them quickly, and holding a bond associated with Layer Nodes to punish them if they report a reputation score which is not in line with the majority. The various bonds and costs decrease in line with good behavior. The incentives are intended to keep companies from acting as free-riders by not contributing back to the network and to keep Layer Nodes honest.
Important undefined implementation details
Layer Nodes aren’t well defined in the paper. It’s stated that they run ‘open Layer-created applications’ to generate the Layer Reputation Score (LRS), and the stake, rewards, and signing schemes associated with them imply that anyone can run one. Similarly, the distributed backing store which saves the User-Provided Reputation Scores (PRS) is undefined beyond being immutable and decentralized. This again implies that the store is public à la IPFS, but its not definite. Also unstated is whether any of that data is encrypted. These issues are of fundamental importance to the network as described in the ‘problems’ section below.
The identity system is not well defined. Details of how end user accounts are created and updated are totally omitted. It’s stated that end users are identified only by their real world information (i.e. not some keypair forced down on confused Lyft riders), but this information is noisy. For example phone numbers will be recycled and then re-used by other users on other networks. If two different credit cards are used by the same person on two different services how will the network eventually merge those two accounts?
Identified Issues
The protocol as described has a couple of clear incentivization issues.
The public nature of the backing data store, or Layer Nodes, or blockchain.
The degree to which the project’s components are public isn’t explicitly defined in the paper. We know that Ethereum smart contract (and transactions with them) are public, it’s implied the Layer nodes are, and to facilitate the advertised ‘trustless’ nature of the project even the distributed backing store would have to be both public and unencrypted. (How else could one trust the output of the Layer node running unknown software?)
The public nature is however ostensibly at odds with the value of the information. Note: companies like Lyft spend huge amounts of resources combating fraud.
The Layer Protocol appears to assume all asset providers would chose to pay the bond to be part of its ecosystem. However it’s unclear what’s to stop real world asset providers from behaving parasitically. Why would I, as Lyft, not simply search the the backing data store for reputation input into my existing fraud risk estimation service? Or, if it’s hidden or encrypted, run a Layer Node with access to it. Or, if Layer Nodes are run only by the Layer Network, observe the public blockchain to collect asset providers’ input about users? Remember, companies like Lyft already have all of the information required to map a user hash to a real world user — by design.
The solutions to this issue would involve encrypting the publicly available rating data, and so involve key exchange between the asset providers and a trusted centralized party (the Layer Foundation).
Usage data leakage
Similarly a company with access to the user’s identifying information can trivially inspect the public blockchain to see which competing services a user is using and how much they spend. This data is valuable. For example it’s entirely reasonable to expect Bird to use it to target high value Spin users with special promotions to incentivize them away from the rival network.
Layer Node Stake value vs. the value of the vended information.
The Layer Nodes are fully responsible for calculating the queried LRS and reporting them back to the asset providers. In that the asset providers are in the business of real world rentals, the potential value of returning a fraudulent LRS is high.
Layer Node accountability is done via majority consensus of ‘all’ responding Layer Nodes (presumably within some SLA). Should a node be slow or return a value out of agreement with the majority its stake is forfeit. Assuming non-trusted entities can run Layer nodes, this system as described is vulnerable to a Sybil attack (the creation of cheap duplicate identities). Should honest nodes be crowded out by coordinated lying nodes, the honest nodes’ stake will be forfeit.
This means it’s financially reasonable to attack Layer in order to gain fraudulent access to a real world asset.
A potential solution to this is to implement a post-hoc accountability process, and make Layer Nodes provide a long running bond relative to the value of the assets themselves. Bond value may even have to be high for each individual node if competing nodes could be brought down at the cost of a denial of service attack (either via the public internet or via other actions on the network). Another solution is to make Layer Nodes private, or only be run by the trusted parties in the Layer Foundation. The whitepaper doesn’t explicitly state that this isn’t already the case, it just heavily implies it.
Shared asset providers
Layer as currently described has no support for a two sided marketplace. How would this rating system work when the asset provider doesn’t own their assets?
Final thoughts.
In order to be a trustless decentralized system Layer must make its calculation verifiable. In order to do so the data in the system must be public, and the whitepaper shows that it is. However this data is high value, and high value public data directly incentivizes companies to free-ride; to use it without contributing back.
The only way to ‘fix’ this would be to do key exchange with a centralized, trusted, service. This would dispense with the value of using the blockchain as this system would no longer be trustless or verifiable. This would effectively render the Layer Protocol a SaaS enterprise, and companies would require contractual trust in the regular legal system before trusting them with their data.
Lastly, should Spin actually use Layer as their own reputation engine, they should expect competing companies to use the public data they provide as competitive intelligence.
Addendum
Derrick Ko, from Layer/Spin, and I had a brief discussion on a pre-release version of this post. Genuine thanks for engaging, Derrick!
[The Layer foundation as a trusted centralized party] is our intended goal […] we’ll be the issuing authority of private keys initially -Derrick
Derrick explain that the Layer Foundation will indeed be the centralized trusted party supporting the Protocol. All public data will be encrypted, and the layer nodes will be initially trusted (and later perhaps incentivized with the type of very large bond I described). He didn’t propose any way for the Layer Protocol to migrate off of this trusted setup. Note that an attempt to do this migration would lead to the significant public-data issues described in this post. (He also confirmed data would be stored in IPFS).
Layer will therefor be a centralized and trusted software service, in the same manner as a regular SaaS business. Reputation on Layer is not verifiable by the asset providers or users, and the Layer Foundation doesn’t have any plans to change this. This means any asset provider using Layer would be irresponsible not to have a regular, legally enforced, contract for services from the Foundation.
The Layer Protocol is made slower and more complex by building on the blockchain. It gains no clear benefits from using this stack.
These issues are fundamental to the project; I don’t expect any asset providers beyond Spin to engage with the protocol — but I wish the Layer team the best of luck proving me wrong.
Addendum part 2.
Layer shut down, and returned investor money, when Spin was acquired by Ford half a year after this was posted. Layer’s Telegram group received complaints about the currency in which the money was returned. The project’s source code was never released.
Layer was but one blip in the 2018 blockchain speculator frenzy. It’s founders, Euwyn Poon and Derrick Ko, work for Ford.
