As you are probably aware, all is not well in the land of Ethereum. Code was written. Funds were raised. Mistakes were made. And now a large amount of ether deposited by a large number of individuals and organizations is locked. We know who it belongs to, we know where it is, we can see it through the grates of the proverbial protocol sewer, but we cannot reach it.
Before we get into solutions to the problem, let’s start with some background.
The Ethereum blockchain is ostensibly immutable — meaning that once something is written it can never be unwritten, and that once a change occurs it can never be reversed except via the same mechanism that allowed the change in the first place. (That “same mechanism” is not an option in this case because of a bug in the original code which allowed the smart contract in question to be self-destructed.)
To be clear, that immutability is by design, it’s novel, and it’s powerful. It allows us to ensure that, once a payment is sent, after a sufficiently long confirmation period, it can never be un-sent. It allows us to record facts in the blockchain at a particular point in time, like the birth of a child, facts that can always be verified in the future as long as at least one computer somewhere in the world still holds a copy of the Ethereum blockchain.
Most importantly, it prevents corruption. In the “real world,” wealthy, well-connected people have influence over the institutions that we are supposed to trust — corporations, banks, central banks, courts, governments — meaning that they don’t always have to play by the same rules as the rest of us. That’s one reason why many of us, myself included, struggle to trust such institutions today.
Ethereum was designed to be better than that. The logic is attractive: a decentralized, peer to peer “world computer” that runs tamper-proof code called smart contracts that are better than the “real” thing because they’re immutable, objective, and not subject to the whims of some particular court or jurisdiction on some particular day of the week.
On the basis of this alone, it’s easy to pass judgment in this case. Everyone using Ethereum as a platform is responsible for their use of the platform, bugs included. There are no refunds, no second chances. Caveat emptor. It doesn’t matter who you are, how wealthy or influential you are, we all play by the same rules. Code is law and immutability is immutability after all, right?
Most people arguing against rescuing the lost funds and establishing a procedure for other such retrievals get about this far in their reasoning without understanding the governance mechanisms that have gone into making Ethereum what it is today and that, for better or worse, continue to guide the future of the platform.
To be fair, Ethereum’s governance mechanisms are opaque. Attempts have been made to explain them but Ethereum governance isn’t well documented which means that a large portion of the community is unfamiliar with the process.
As a result, when contentious situations like this one arise, these same community members may feel disenfranchised by the process or worry that organizations such as Parity have “special privileges” or “special relationships” which afford them access to special treatment. Nothing could be further from the truth, but I don’t blame people for feeling this way when Ethereum governance is genuinely a black box to them. It’s our responsibility — the community’s responsibility, and the responsibility of those involved in governance today — to remedy the situation by a.) documenting and making explicit the current set of governance mechanisms and procedures, formal or informal as they may be, and b.) striving to improve those processes while taking into consideration the perspectives of all stakeholders.
I have a lot more to say about Ethereum governance but it’s beyond the scope of this essay. For now you’ll have to take my word that the process today is reasonable and open (anyone may submit an EIP, any core developer may join the all core devs call). See below for details on efforts I’m currently undertaking to improve the situation, and expect more on this topic soon.
About that immutability we talked about before: it’s not that simple. It’s never that simple. Those who make the case for immutability as the end-all-and-be-all of Ethereum are missing everything that’s happening behind the scenes — everything that’s happened to get Ethereum to the place it’s at today, and everything that’s happening, day by day, to take Ethereum to the place it can go.
Ethereum was built by humans for humans. It’s a next-generation computing platform for all of humanity. Humans are fallible and we need to recognize that. Humans are also endlessly creative and resourceful and industrious. We wouldn’t have Ethereum if not for the work of humans such as Vitalik and Gavin (I’ve met them both and I can assure you that, yes, they are indeed quite human) and Ethereum won’t ever amount to much if not for countless ongoing hours of human labor — I can speak to this as a core developer.
And that’s the real beauty of Ethereum, for me. It’s a step forward in the way humans coordinate with each other, but it’s also a step forward in the way humans and computers interface with one another. For the entire history of computing, the model of software development has been write, test, deploy, fix bugs, retest, redeploy. The humans own the code and the systems and have complete and utter control over them.
Ethereum adds a wrinkle: anyone can write and deploy code, but once that code is deployed, it’s beyond the reach of any one human, indeed beyond the reach of any one group of humans. Redeployment requires massive coordination. That coordination is hard by design: if it wasn’t, we’d be back to square one with centralized code where anyone could change a contract or the protocol any time they felt like doing so.
At the same time, however, to claim that Ethereum is completely immutable is simply not true. There have been five hard forks to date, i.e., five sets of protocol changes, and two previous irregular state transitions.¹ Each of these happened for a good reason. They must have — in order for them to have occurred, the interests of a vast number of people must have been pretty well aligned or else we’d have at least five alt-Etherea networks by now. The fact that the Ethereum community has only meaningfully split once and that the value of Ethereum Classic today is around 3% the value of Ethereum is testament to how well the community has coordinated such efforts up to now.
The lesson for me is that you cannot take the human out of governance. It’s just not possible. Maybe someday some future genius, human or artificial, will invent a perfect piece of software that never needs to be updated or redeployed. Maybe someone will come up with a perfect governance system that never needs to be amended. If you want to live in a world truly ruled by code, where we can never make changes, be my guest, but to me, well, that’s tantamount to rule by the machines.
And that world is not Ethereum, at least not the Ethereum I know and not the Ethereum I’m working to create, because Ethereum is a system of and by and for humans.
I, for one, feel relieved by that. Rule by the machines scares me. At the end of the day, we’re just a bunch of people, flesh and blood, we’re all more or less the same, we’re stuck on this planet together and we need to make the best of the situation. I think most of us in this community would agree that our existing “real world” systems are pretty terrible and that Ethereum and its related technologies give us a unique, perhaps once in humanity opportunity to build something better, to build something to last. But we have to admit that it’s a work in progress and that we’re not there yet, not even close.
Dogmatism and zealotry are scary. They’re what cause wars, schisms, waste blood and treasure. They’re not characteristic of the kind of world I want to live in, the world I want my kids to grow up in. I want to live in a world where well-intentioned human beings work together to solve emergent problems and find “Getting More” outcomes. It’s pretty clear to me that such an outcome is not only achievable in this case, it’s also pretty clear how to get there (more on this in a moment).
Conflict like this should be an opportunity for us to come together, show what we’re made of, and show that what we’re building is the next step in the evolution of human systems and governance. Vitalik’s right, blockchain people “aren’t that different from people anywhere else” and are no better at the end of the day than other people, but we do have some magic powers the rest of the world does not. We’re still relatively small. Our movement is young and idealistic and optimistic and has yet to realize even a fraction of its potential. We have powerful tools at our disposal that humans have never had before. And by and large we are similar: we’re a self-selecting bunch.
Humans write code and humans make mistakes, and we need to recognize that and fix it where we can.
If not perfect immutability, then what is it that sets Ethereum apart? What’s better about what we’re building?
We’re building a system with better governance and better incentives — not a system with “zero governance” (anarchy) or “governance by the machines” (mecharchy²). A system void of arbitrary decisions, censorship, funds seizure, and chargebacks. A transparent system where all are held accountable and all have the opportunity to participate in a fair governance process and all play by precisely the same rules — a set of transparent rules known to everyone. Perfect immutability is not required to realize this vision. In fact, we can only achieve this vision with a flexible, mutable set of rules. The important part isn’t that the rules never change, it’s the process by which the rules are developed.
I think the path forward should look something like the following:
- Let’s understand and document existing governance mechanisms better, and let’s work to educate and enfranchise more people in the process so that people don’t feel it’s arbitrary or favors any particular group. To this end, I’ve volunteered to write a chapter on Ethereum governance for the upcoming Mastering Ethereum book (reach out if you’re interested in contributing).
- Let’s work hard to improve governance.³ To this end, I’ve participated actively in the Fellowship of Ethereum Magicians, a new technical governance initiative, and I’ve organized a public meetup on The Philosophy of Ethereum Governance to occur next week in Toronto immediately preceding EdCon (the event is at capacity but will be recorded and live-streamed).
- Let’s consider better ways to gather community sentiment about this and other contentious issues. We don’t currently have any good system: only those with the strongest feelings are incentivized to join the debate on social media such that we never hear from the silent majority, and coin vote polls are unfortunately imperfect and tend towards plutocracy. More creative attempts to solve the Sybil problem would be a great first step.
- Let’s think outside the box, look at the big picture, and evaluate more creative solutions such as EIP-1015 by Alex Van de Sande.
- And, yes, let’s establish a framework for people to recover from their mistakes for when all else fails, such as EIP-867: Standardized Ethereum Recovery Proposals (ERPs).
On the last point, because I know it’s the most contentious: why should we have such a framework? Three reasons.
One, ethics demands it. If you find a wallet on the street and it’s within your power to return the wallet to its owner, funds intact, and furthermore it would cause you no undue burden to do so, the ethically right thing to do is to return that wallet. I don’t know what value systems other members of the community subscribe to, but to me this one is a no-brainer. This is not a new idea even in Ethereum: Vitalik proposed such a framework as far back as 2016, long before the Parity wallet issue.
Two, it’s in the best interest of the network and of the ecosystem to do so. There’s an argument to be made that many of the actors who lost funds in this particular situation were blameless at best and negligent at worst (keep in mind that Parity itself had no funds in the affected contract⁴), and that those funds, once recovered, would be reinvested in further developing the ecosystem. See, for instance, the list of ecosystem projects Parity is working on.
I’m actually less interested in this argument because, strictly speaking, it’s not even required for the ethical case: what you do with the dollars in your wallet is none of my business and shouldn’t affect my decision to return the wallet to you.⁵ I’m more interested in the case against a ledger fork. It’s pretty clear that an Ethereum fork would have enormous economic cost for the ecosystem and unpredictable results.
To be clear, I don’t think forks should be prevented “at any cost.” The fork is a critical part of the blockchain governance mechanism and it’s what sets us apart from dysfunctional “real world” governance structures by allowing a disenfranchised or dissatisfied sub-community to peacefully exit and establish their own system. The fork remains an important escape hatch when all other options have failed. But to the extent that other means remain to resolve a dispute — in this case, many do, and Parity has committed to exploring them — those means should be tried before falling back on a fork.
Three, I haven’t heard any convincing arguments against it. I won’t debunk each argument here; this article does a pretty good job of that already. I’ll just speak to the one argument that I consider at least somewhat valid: the slippery slope argument. If we make an exception this one time, surely anyone similarly impacted by lost funds should have the right to submit an ERP. (To be clear, by voicing my support for EIP-867, I am explicitly endorsing this idea.)
As a core developer and as a participant in the existing Ethereum governance process I have some idea how much work goes into evaluating, debating, and implementing recovery proposals such as EIP-999. I will grant that Ethereum governance is immature and that resources are limited and that we probably do not presently have the resources to evaluate hundreds or thousands of ERPs.
At the same time, however, I’m simply not worried about this becoming a problem. Why? Ethereum governance is extremely flexible by design and we’ve found a way to accommodate an order of magnitude more EIPs than we did previously. There’s no reason to believe that we won’t be able to establish processes and procedures and to recruit additional help, human or machine, to handle a greater load of EIPs, ERCs, and ERPs — that will happen with or without EIP-867. We’ll cross that bridge when we get there, and it’s no reason not to continue forward progress.
One interesting concept that has come up throughout this debate is the Schelling fence: the idea that, when faced with the prospect of a slippery slope, we can pre-commit to a reasonable lower bound constraint.
People arguing for a “Schelling fence at absolute zero” misunderstand the concept of a Schelling fence and confuse it with a simple Schelling point. The whole point of a Schelling fence is to recognize that sometimes we need to relax our constraints and that, when doing so, it’s prudent to consider the future and to carefully select a new boundary.
I personally see no problem with using the following criteria for funds recovery suggested by Micah Zoltu:
- The funds can be proven (probabilistically to some target degree) to be inaccessible by anyone.
- The funds have a plausible/believable/provable story as to how they became frozen that must have a root cause of “human error.”
- The funds are not currently accessible by a human (either provably or probabilistically).
- The funds were not intentionally burned by someone (this includes an attacker or a devious smart contract author).
My vision of the future for Ethereum is not rule by the machines, nor rule by code. It’s rule by rational, constructive, well-intentioned, economically incentivized human beings brought together by selfish and selfless inclinations alike. In a sufficiently well-designed system it makes no difference. Call it a bank, call it a nation, call it whatever you like. I elect to be a citizen of the Nation of Ethereum because it’s our best chance for a brighter future, and I invite you to join us to build it and ensure that it’s governed as well as it possibly can be.
Disclosure: I have a personal relationship with at least one party affected by the Parity wallet issue. I do not personally hold any affected funds, nor do I have any stake in any affected organizations.
1: The five Ethereum hard forks, in order, were Homestead, DAO Fork, Tangerine Whistle, Spurious Dragon, and Byzantium. The first irregular state transition was the DAO Fork, which reassigned balances from a set of “drain accounts” to a refund contract. The second occurred as part of EIP-161: State Clearing in Spurious Dragon. In the latter case, the state was not altered as part of the hard fork. Instead, a protocol change was made which allowed previously created, empty accounts to be deleted and removed from the state. After the hard fork a series of transactions was fired to effect this change. There is a subtle difference between these two types of state change, but I’d argue that they effectively amount to the same thing.
2: I’m not aware of a word for “rule by machines” but it seems about time we come up with one. I just invented “mecharchy” but it has a nice ring to it, doesn’t it?
3: To be clear, seeking to “improve” governance is not the same as seeking to “formalize” or “institutionalize” governance. As Vlad Zamfir helpfully points out, institutionalization leads to fairness but it can also be risky: what if the institution sucks? Since we’re so early in the process of developing blockchain governance in general and Ethereum governance in particular, I think our time today may best be spent understanding and documenting and educating rather than formalizing.
4: The largest portion of the lost funds belongs to the Web3 Foundation, which collaborates with Parity but is a separate legal and financial entity with a much broader scope of work.
5: If I know that you’ll use the funds to do something illicit then I may be less inclined to return the funds, but that raises further ethical and philosophical questions such as, How can I possibly know for sure ex ante how you will use your funds?
About the author: Lane Rettig is an independent Ethereum core developer and a member of the ewasm team. He participates in and helps organize the All Core Devs meetings. He also founded and helps run Crypto NYC, a Manhattan-based co-working space and community that strives to make blockchain and other distributed consensus technology accessible to all humans. Find him on Twitter at @lrettig.