The DFINITY “Blockchain Nervous System”
Editor’s Note: You are viewing outdated material from the DFINITY blog that is being preserved for archival purposes.
DFINITY researches protocols and cryptography that enable decentralized networks to host high performance virtual computers of infinite capacity — with the aim of creating a revolutionary “decentralized cloud” where smart contract software can be used to recreate a wide variety of mainstream systems — and it has successfully produced novel techniques such as Threshold Relay, Validation Towers, Validation Trees and USCIDs (Unique State Copy IDs) that are becoming more widely acknowledged. Many of these completely rewrite the rulebook — for example, Threshold Relay chains increase security while pushing speed 50X faster than Ethereum today, greatly improving the user experience Dapps provide.
Our aim is to create a sister network for Ethereum that broadens out the options provided by the EVM ecosystem and helps further cement its leadership. To do this DFINITY must bring more than our new network protocols and cryptography, which we hope can be used by Ethereum too. To complement Ethereum and truly broaden the options the ecosystem offers, DFINITY introduces the fundamental difference of governance by a novel decentralized decision-making system called the “Blockchain Nervous System” (or “BNS”).
This distributed intelligence is integrated into the network with special privileges that allow it to play the role of a benevolent decentralized superuser that can solve problems otherwise intractable without human intermediaries. The DFINITY network makes “The Code is Law” ethos contingent upon this distributed intelligence.
TIP: if you are already convinced of the need for a Blockchain Nervous System, skip ahead to “How It Works”…
Before delving into how the DFINITY nervous system works, we shall review some of the events and needs that led to its creation.
1 Mt. Gox, Bitfinex and Other Token Thefts
I consider getting Goxxed and Finxxed as well-earned crypto scars, but ones that I want to learn from. For me, the Bitfinex hack was by far the worst. Today you can watch the $100M+ of stolen bitcoin move around the blockchain using block explorers but nothing can be done to retrieve them. Meanwhile, Bitfinex hasn’t even released a security analysis explaining what happened — which smells bad, but who knows what went on. The point is, when a large quantity of tokens get stolen on “The Code is Law” systems such as Bitcoin and Ethereum the only possible fix is to hard fork before they get lost in tumblers. But this is normally too difficult to pull off, or ends up inflicting widespread costs on the community.
This is a major problem. By allowing thieves to keep such enormous bounties we are nurturing a parasitic community of well-resourced hackers. If you lack morals and have the necessary skills, stealing crypto tokens like bitcoin has become a fantastically profitable career opportunity and the attacks are escalating.
For this reason I have come to believe decentralized networks need ways to mitigate such thefts without involving human intermediaries such as foundations, committees, mining conglomerates or other forms of direct human control that are antithetical and inimical to the value of public blockchain networks — and such network-resident mechanisms should exist in addition to security enhancements such as Ledger hardware wallets. If we can reduce the likely returns associated with thefts, hackers will dedicate fewer resources and hacks will become fewer in number. Such network-resident mechanisms could also try to return stolen tokens.
Clearly then, a Blockchain Nervous System with privileged control over token ownership might serve at least one purpose.
Note several other features should be introduced to maximize the effectiveness of the BNS in repatriating stolen funds, which we will discuss in later posts.
2 The DAO and Faulty Systems
Whatever your views on The DAO, it was undoubtedly one of the most exciting experiments in finance ever conducted. Individuals from around the world invested tokens into a decentralized fund residing in cyberspace. In total, this fund collected 14% of all ETH in existence, simultaneously illustrating how enormous the demand for ETH could become and creating a huge risk for the ecosystem. However, I was a heretical naysayer back then, not because I didn’t believe in the concept per se, but because the design used contained numerous game theoretic flaws more readily apparent to a protocol designer (some old posts here 1, 2, 3). Eventually the undoing was not these subtle flaws but more mundane coding errors — The DAO’s software called into untrusted code without taking account of the possibility of reentrancy attacks.
As a result of my involvement I reflected deeply on what happened. Three things became apparent. Firstly, it will take a long time for the developer community to fully internalize many of the additional design challenges involved in the creation of autonomous systems using smart contracts and some important systems will always turn up with flaws. Secondly, the intractability of potential problems will prevent an important contingent of the business community building on public compute networks because its senior decision makers will demand there is a means to fix critical systems that get hacked or deadlocked. Thirdly, it’s probably not fair to leave mass market consumers without recourse for problems caused by flaws in autonomous smart contract code they cannot even read.
By the time The DAO hack occurred, the thinking regarding the Blockchain Nervous System was already advanced and it was accelerated enormously. Using its privileged access to the network the BNS can run arbitrary code to fixup broken systems like The DAO.
3 Accelerating Evolution
A few years ago I launched an MMO (Massively Multiplayer Online) game that ended up acquiring three million users. Back then I was based in the UK rather than Palo Alto, and although I eventually managed to raise venture capital as we hit one million users the early work was done by me and a small team without much money. Because of our constrained resources, our actions were driven by the need to drive R&D forward as efficiently as possible and scale-out our technical systems economically with demand. With respect to R&D, this meant that for the most part we relied upon test units and had to push major changes live without extensive testing processes and staging servers.
The great challenge was that at any one moment there would be many thousands of people playing the multiplayer game using clients connected to a virtual clustered game server based on a proprietary system called Starburst. Sometimes we made multiple releases of the client and server components daily, and our users actually came to look forward to the latest iteration so that rapid development became part of the feature set. To achieve this without ruining the gaming experience or worse leaving the network broken and users unable to connect, Starburst involved both inner and outer protocols. The inner protocol carried game-specific commands and functionality and changed regularly. The outer protocol was much more stable and took care of carrying messages, RPC and software versioning, allowing bad releases to be rolled back and users to be transitioned smoothly between software iterations during the gaming experience. These experiences are relevant to taking advanced blockchain networks mainstream.
Watching the difficulties involved in evolving the Bitcoin protocol I can see that is not how the DFINITY network can roll. The DFINITY network necessarily involves much more complex distributed protocols and engineering and developers are going to have to push the envelope with respect to making releases if we are to reach our final destination in good time. Furthermore, if issues such as the recent DoS attacks against the Ethereum network emerge, DFINITY will better support the mass market by adopting mitigating fixes faster.
The Blockchain Nervous System can help us meet these challenges by managing protocol and software upgrades. A basic implementation is rather simply done. Instead of having Dapps connect directly to a core client such as geth or parity (two popular Ethereum clients) DFINITY wraps them with special reverse proxy software and has Dapps connect to that. The proxy software is aware of the Blockchain Nervous System and follows its instructions with respect to protocol upgrades. When the blockchain decides an upgrade must occur at some future block height, it downloads a client software installer from a network such as BitTorrent, IPFS or Swarm by the specified hash. At the appropriate moment, the proxy temporarily buffers requests and automatically upgrades the client without interrupting dependent Dapps and their users (upgrades are transparent).
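The proxy behaviour described above can be sketched as follows. This is an added example, not DFINITY code: the `UpgradeProxy` class, its method names and the use of SHA-256 are assumptions (the post only says the installer is fetched "by the specified hash"), and the installers are constructed byte strings. It shows the two properties that matter when the installer arrives over BitTorrent, IPFS or Swarm: bytes that do not match the hash adopted on chain are never installed, and requests arriving mid-upgrade are buffered and replayed.

```python
import hashlib
from collections import deque


class UpgradeProxy:
    """Hypothetical reverse proxy sitting between Dapps and a core client."""

    def __init__(self, version):
        self.version = version
        self.pending = None       # (height, new_version, sha256 hex) adopted by the BNS
        self.staged = None        # installer bytes that passed verification
        self.upgrading = False
        self.buffered = deque()   # requests held while the client is replaced

    def schedule(self, height, new_version, sha256_hex):
        # Instruction read from the chain: upgrade at `height` to this exact build.
        self.pending = (height, new_version, sha256_hex.lower())
        self.staged = None

    def stage_installer(self, blob):
        # The download network is untrusted; the on-chain hash is the only anchor.
        if self.pending is None:
            return False
        if hashlib.sha256(blob).hexdigest() != self.pending[2]:
            return False
        self.staged = blob
        return True

    def on_block(self, height):
        if self.pending is None or height < self.pending[0]:
            return "idle"
        if self.staged is None:
            return "blocked"      # fail closed: keep serving the old client
        self.upgrading = True     # assumption: a late but verified upgrade is allowed
        return "upgrading"

    def finish_upgrade(self):
        # Called when the installer has finished; replays what was buffered.
        if not self.upgrading:
            return []
        self.version = self.pending[1]
        self.pending = self.staged = None
        self.upgrading = False
        replies = [self.handle(r) for r in self.buffered]
        self.buffered.clear()
        return replies

    def handle(self, request):
        if self.upgrading:
            self.buffered.append(request)
            return None
        return f"{self.version}:{request}"


# Constructed sample installers (not real client builds).
GOOD = b"constructed installer v2"
TAMPERED = b"constructed installer v2 + extra bytes"


def demo():
    proxy = UpgradeProxy("v1")
    proxy.schedule(100, "v2", hashlib.sha256(GOOD).hexdigest())
    events = [
        proxy.stage_installer(TAMPERED),  # hash mismatch, rejected
        proxy.on_block(100),              # height reached but nothing verified
        proxy.handle("getBalance"),       # old client still answers
        proxy.stage_installer(GOOD),      # matches the adopted hash
        proxy.on_block(101),              # upgrade starts
        proxy.handle("sendTx"),           # buffered during the upgrade
        proxy.finish_upgrade(),           # replayed against the new client
    ]
    return events


if __name__ == "__main__":
    print(demo())
```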
Of course, the nervous system will need to take much more care pushing updates than was involved with my MMO. The introduction of severe flaws could affect the state of the virtual computer and also render the BNS unable to reach a decision on rolling back. Nonetheless, so long as DFINITY’s nervous system acts within appropriate tolerances, our bet is that by facilitating regular and transparent protocol upgrades without contentious hard forks it will empower DFINITY developers to drive impactful evolution forwards much faster.
4 More Security and Better Economics
Traditional decentralized networks such as Bitcoin and Ethereum involve simple economic models. The total issuance of their native tokens is fixed absolutely or approximately by the protocol and miners compete for token rewards by applying brute force computation to randomly win the right to publish blocks of transactions. As the eventual supply and rate of new issuance is fixed by the protocol, the token price primarily reflects changes in demand. Currently demand is mostly speculative in nature and price rises generate further demand and FOMO in a feedback loop. The balance between greed, fear and token issuance is highly unstable causing cyclical but unpredictable rises and falls in price.
Whereas in Proof-of-Work systems participation is fundamentally mediated by the cost of electricity, in Proof-of-Stake systems participation is mediated by the cost of acquiring such native tokens. The problem is that while the cost of electricity is relatively stable, the cost of acquiring the native tokens fluctuates wildly with their market price. In a quasi Proof-of-Stake system such as DFINITY mining clients connect to the network using a “mining identity” that is acquired by making a security deposit in tokens. The danger is that if the token price drops dramatically during a market crash, an adversary might be able to inexpensively secure enough to control the network by creating sufficient new mining identities to overcome the fault bounds. Indeed, he might take actions to cause such a market crash specifically with such a goal.
Fluctuation in native token value is a multidimensional security issue even on Proof-of-Work networks because it affects incentives. What we see is that DFINITY has a unique opportunity to address the longstanding issues through its nervous system. Essentially the nervous system can dynamically change any economic parameter it likes using its privileged access to the network’s internals. For example, if the price of dfinity participation tokens crashes it can increase the number that must be deposited, and if the situation persists it can also increase mining rewards to shore up its backbone. Potentially, it can even choose to prevent a glut of miners forming by throttling back the issuance of new identities and forcing applicants to wait in a pool.
As we shall see, the Blockchain Nervous System’s decisions are informed by an underlying desire to increase the value of dfinity participation tokens. The expectation is that the hidden hand of the market will drive it to make the most judicious possible decisions regarding security, network scaling and token issuance. The estimate is that the system will become much more efficient, incorporating just the right amount of computational capacity and reducing the issuance of dfinities driving up their value and increasing network security when compared with traditional models.
5 Killing Assassination Markets, et al
Autonomous blockchain systems built with smart contracts will prove to be one of the most powerful technology constructs ever seen, making it possible to reengineer critical functions such as Uber and mass messaging in open form without intermediaries. Essentially, they provide the opportunity to relocate critical business functions such as the sharing economy away from geographically rooted intermediaries into the fabric of cyberspace and the Internet itself. Incredible potential benefits for world society flow from this, but autonomous systems are also potentially dangerous, and the danger they present could threaten the existence of their supporting networks.
Take for example assassination markets. Some extreme cryptoanarchists have argued for them, suggesting that their presence might keep people’s behavior in check in a decentralized world. Personally speaking I disagree — much more likely they would simply be used by nasty people to destroy their competitors. But whatever your view one thing is for sure, and that is that governments will react strongly to such things, including ISIS slave markets, child pornography exchanges, and other obviously nefarious things. As protocol designers we seek to make our networks unstoppable so they can survive even government attack, but the presence of these kinds of systems may prompt coordinated international action that greatly reduces the ability of public blockchains to deliver on their incredible promise quickly.
The Blockchain Nervous System offers a solution. Recall that its underlying objective is to maximize the value of dfinity participation tokens and thus it is driven by the invisible hand of the market. Since it has absolute control over the network, it can choose to freeze hosted systems that it believes invite attacks, expose its users to extreme regulatory pressure or exclude mainstream users from co-hosting. Decisions will involve tradeoffs. If the BNS behaves too restrictively, too unpredictably, too arbitrarily, is too draconian or closes down fringe systems unfairly, many users will be dissuaded from building on the network. Our bet is that the hand of the market will help DFINITY strike the optimal balance.
How It Works
The design for the first iteration of the BNS is surprisingly simple. Proposals can be submitted to the BNS for a fee. The BNS then decides on proposals using votes made by human-controlled “neurons” that automatically follow each other, rather like in a liquid democracy system. The BNS adapts and learns to make better decisions as neurons respond to stimuli and feedback. Decisions get made by neuron follow relationships cascading in a manner that is non-deterministic due to timing. Each neuron is operated using special client software run by its owner on the edge of the network. The chain-resident portion of the BNS has access to privileged op codes in the EVM, which it uses to execute proposals it adopts.
Anyone can create and run neurons and earn “thought mining” rewards for running them. New neurons are created by making a security deposit of dfinities to the Blockchain Nervous System. The relative voting power of a neuron is proportional to the size of the deposit it holds. To retrieve the deposit inside a neuron, its owner must dissolve it which takes three months (in the current design — we are considering making it take even longer). This creates a strong incentive to contribute to good decision making since if the BNS makes poor decisions the value of dfinities stuck inside neurons is likely to fall.
Neurons disburse thought mining rewards to their owners by issuing new dfinities. The rewards are proportional to the size of the security deposit the neuron contains and the proportion of decisions the neuron participates in. For example, if the BNS sets the rate of return at ~10% paid in epochs of some thousands of blocks, a neuron containing 100 dfinities that participates in all decisions will return ~10 dfinities to its owner over the year. However if the neuron only participates in half of all decisions, the same neuron would produce just ~5 dfinities.
When a neuron is created two keys are specified. One key is a “delegate” and enables a neuron to vote. The other key is a “master” that should be kept in cold storage, which can be used to dissolve the neuron and retrieve its deposit or issue a new delegate. Neurons are operated by special client software that is typically installed on a user laptop or secure server and runs in the background, constantly monitoring the chain-resident portion of the BNS (which is implemented using smart contracts that have access to privileged op codes) to see if any new proposals have been submitted. This client software is configured with the delegate key used to vote by calling into the chain-resident BNS contracts.
When a user opens their neuron client software, it displays the proposals stored by the blockchain resident portion of the BNS. Proposals have types such as “Economics”, “Policy”, “Protocol”, “Client Upgrades”, “Fixup Resident” and “Freeze Resident”. If a proposal has not been decided, then a neuron may vote if it has not already done so (with the weight of the vote depending upon how many dfinities are deposited inside the neuron). When voting manually, the user can choose between three types of vote: “Adopt”, “Reject” and “Pass”. Pass votes are used to indicate the neuron participated in the decision process but wishes the outcome decided by neurons with stronger opinions.
Automatic Voting By Follows
Generally speaking, neuron controllers (owners) will not wish to vote manually on most of the proposals. For example, only a small proportion of people in the community are really qualified to make decisions on complex protocol changes. Clearly, incentivizing neuron owners to vote on decisions without the necessary expertise would be a recipe for disaster. Instead, they are asked to lend their security to good decision making by configuring their neuron to follow the votes of other neurons they think can make good decisions. The user does this by configuring follow lists for each proposal type. For example, with respect to protocol proposals, a neuron client might be set up to follow neurons known to belong to core developers and respected theorists.
The Follow Graph and Cascading To Decisions
The configuration of follow lists in the client software creates a form of directed graph, albeit one whose edges exist on the clients and are unknowable. The graph is a representation of trust relationships within the community that is dynamically updated by the decentralized community of neuron owners as they receive new information and observe the voting history of neurons they follow and the success of the resulting decisions. In practice, many community participants will come to advertise personal neuron addresses in places such as reddit and twitter bios. Voting power is easily hidden — a person can publicize a neuron containing a single dfinity, and follow it with another private neuron containing their main deposit.
If a neuron controller does not manually vote on a proposal before the timeout, the client software automatically examines the follow list configured for the type of the undecided proposal. In the simplest form of configuration, this is a priority list, although other follow mechanisms are possible. The client first checks the blockchain to see if the highest priority neuron has voted on the proposal and automatically follows by voting the same way if it has. Otherwise, the client temporarily backs off, and when it returns then checks to see whether either of the top two neurons have voted, following the highest priority if several voted, ad infinitum, until if necessary it is willing to follow any neuron.
In reaching decisions the underlying trust graph is of primary importance, although the process is non-deterministic since timing affects the follow relationships that are applied. Decisions are typically reached by neurons cascading. That is, when certain highly followed neurons vote, they will be followed by large parts of the graph due to transitive trust relationships. Nonetheless, the graph itself and the follow actions taken are entirely distributed across the many thousands of neuron client software instances participating in the BNS. The BNS decides on a proposal using a system similar to Wait For Quiet Voting rather than traditional quorums.
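The priority-list follow rule and the resulting cascade can be simulated in a few lines. This is an added example, not the BNS client: the neuron names, deposits, follow lists and round-based timing are constructed, and the final "follow any neuron" fallback is left out because the post does not say which neuron would be chosen. It runs the same follow graph under two vote timings to show how the order in which highly followed neurons vote changes the deposit-weighted result.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Neuron:
    name: str
    deposit: int                                       # voting weight in dfinities
    follows: List[str] = field(default_factory=list)   # highest priority first
    vote: Optional[str] = None                         # "Adopt", "Reject" or "Pass"


def build_neurons() -> List[Neuron]:
    # Constructed follow graph: two widely followed neurons and three followers.
    return [
        Neuron("dev", 10),
        Neuron("theorist", 10),
        Neuron("alice", 50, ["dev", "theorist"]),
        Neuron("bob", 30, ["alice", "theorist"]),
        Neuron("carol", 20, ["theorist", "dev"]),
    ]


def cascade(neurons, manual_votes, rounds=6) -> Dict[str, int]:
    """manual_votes maps a round number to {neuron name: vote} cast by hand."""
    by_name = {n.name: n for n in neurons}
    for rnd in range(1, rounds + 1):
        for name, vote in manual_votes.get(rnd, {}).items():
            if by_name[name].vote is None:
                by_name[name].vote = vote
        # Followers see only votes recorded before they check, not votes that
        # other followers cast during the same round.
        on_chain = {n.name: n.vote for n in neurons if n.vote is not None}
        for n in neurons:
            if n.vote is not None or not n.follows:
                continue
            window = n.follows[:rnd]    # back-off k looks at the top k entries
            for followed in window:     # priority order: first hit wins
                if followed in on_chain:
                    n.vote = on_chain[followed]
                    break
    tally: Dict[str, int] = {}
    for n in neurons:
        if n.vote is not None:
            tally[n.vote] = tally.get(n.vote, 0) + n.deposit
    return tally


# Same graph, same manual votes, different order of arrival.
TIMING_A = {1: {"dev": "Adopt"}, 3: {"theorist": "Reject"}}
TIMING_B = {1: {"theorist": "Reject"}, 3: {"dev": "Adopt"}}


if __name__ == "__main__":
    for label, timing in (("A", TIMING_A), ("B", TIMING_B)):
        print(label, cascade(build_neurons(), timing))
```

With the constructed graph, 100 of the 120 deposited dfinities end up on whichever side votes first, which is the practical reason follow lists need to be ordered with care.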
Acting on Decisions
Once the BNS adopts a proposal, the next steps depend upon its type. Generally speaking, there are two kinds of action — passive and active. A passive action occurs when the BNS adopts a proposal that alters the telemetry of the system. For example, a proposal might make an amendment to a constitution that guides the community of neuron holders, or change the mining reward issued per block. Here the updated values are simply written to data members/fields of the BNS smart contract, allowing respectively, the URL of the current constitution to be found, and the mining client software to retrieve the current block reward used by the protocol.
Active actions involve the BNS reaching outside of its own smart contracts to modify existing artifacts on chain, directly overriding “The Code is Law”. For example, the BNS might have adopted a proposal to freeze a smart contract forbidden by the constitution, such as an assassination market, or wish to run arbitrary code in privileged mode to fix some broken system. Active actions necessarily involve execution of special op codes that we have added to the EVM (Ethereum Virtual Machine). This is actually possible with minimal modifications to the Solidity compiler, and the smart contracts of the BNS can invoke the op codes as normal assembly.
Proposal Fees & Deposits
The amount of work involved in evaluating some types of proposals can be substantial. For example, imagine that an autonomous system run by some consortium reaches an unexpected state and deadlocks, and consortium members wish to propose a fix. This consortium will need to create a proposal that provides three critical pieces of information: (i) an argument and proof that they have “moral authority” to request a fix (ii) a description and proof of the precise problem at hand, and (iii) the address of privileged smart contract code they uploaded to the blockchain that the BNS could run to fix the problem (note that although privileged code can be uploaded to the blockchain, only the BNS can actually run it).
The proposal must be evaluated in stages. Firstly an attempt will be made to establish moral authority. In our system fixup example, the work would start from a URL included in the proposal that links to supporting pages on the websites of consortium members and other proofs such as Twitter posts, and even direct contact information. Those examining the proposal will want to be reassured that the “proof of authority” pages have not simply been uploaded by a hacker with access to multiple sites, and that the degree of moral support within the community for the fix is overwhelming. Significant research is required, which may involve live human contact via Skype or other media.
Having established moral authority, the next step would be to evaluate the issue described and verify that a real problem has indeed occurred due to some design flaw or hack. If passed, this work prepares the investigator for the final and most expensive stage of the analysis, which involves examining the code of the proposed fix and verifying that it would indeed rectify the situation correctly. The danger is that the fix might either directly or indirectly affect other “innocent” smart contract systems over which the proposer has no moral authority, which is completely unacceptable. To make sure this cannot happen, multiple validators must be involved in the analysis and all must agree.
Clearly, substantial work and expense will be involved in this. In practice, such analysis work may be performed by independent persons who are retained and paid by the BNS. Their work in turn will be reviewed by other parties in the ecosystem, and eventually by people who are “high” in the relevant decision graph. To address the costs involved, the BNS requires two kinds of payment to be attached to all proposals. In this example, which describes a system fixup proposal, the payments will of course be substantial.
The first payment is a non-refundable fee in dfinities that will be retained by the BNS, which reflects the payments it makes to researchers in the ecosystem as bounties for providing analysis of proposals and more generally the rewards it pays to neuron holders. The second payment is a security deposit in dfinities that is refundable on the proposal being adopted, whose general purpose is to prevent submission of spam proposals (more relevant to proposal types involving lower fees) and to incentivize the submission of high quality proposals.
Twin Tracks & Omnipotence
A proposal by a DFINITY team member (Timo Hanke) is that two types of accounts and contracts are actually offered by the network, one which is subject to the full power of the BNS, and another that the BNS can only freeze and unfreeze. The purpose is to provide sanctuary from the risks of unwanted side effects — real or perceived — when account owners and contract creators are very confident of security and correctness. This proposal carries much merit, but one thing must always be borne in mind: the BNS can upgrade the protocol when it wishes, and is therefore ultimately omnipotent.
What the BNS Desires, General Security and Curing Insanity
The omnipotence of the BNS is highly important. When the DFINITY network goes live in 2017 (Copper release), it will come with a “genesis constitution” whose purpose is to guide and coordinate neuron holders. In essence, this first constitution will reflect an ethos summarized as “no vice or violence”. However, the existence of the constitution does not actually constrain how neurons vote. Furthermore, the BNS can amend the constitution as it desires and we expect the constitution to rapidly evolve over time. Does then the BNS have any principles guiding its actions that remain constant and invariant?
The answer is yes. Arguably the BNS has a single aim: to grow the market value of dfinities in the long term, which approximately equates to attracting more users and increasing network security, performance, capacity and efficiency. The reason is that each neuron has significant dfinities deposited inside that can only be retrieved by dissolving the neuron in a process that takes months. If the BNS consistently makes decisions that grow the user base and improve the network, then the value of these dfinities will surely increase. On the other hand, the markets will enact swift retribution if the BNS makes an obviously bad decision.
Market speed makes malfeasance and other such short term strategies uninteresting for rational neuron holders. For example, should the BNS modify the protocol and even make a “special award” to neuron holders, the value of dfinities would drop so fast that they would almost certainly suffer a net loss. Even if the BNS decided to do something subtle like restrict the creation of new neurons and increase thought mining rewards unjustifiably, the markets would likely interpret this as a signal that the security provided by decentralization had been undermined and quickly correct downwards. How then might things go wrong?
There are two main risks. The first is that an adversary commandeers the BNS through the brute force acquisition of neurons and forces through adoption of bad proposals. To achieve this he must acquire massive quantities of dfinities: many users will create neurons to earn thought mining rewards and participate in a new chapter in crypto, and these holders will have to be overcome. If he purchases the required dfinities on the markets, the adversary will force the price higher, greatly exacerbating the costs involved and making him prefer theft. Unless he wishes to harm the DFINITY network at any cost, he must try to recoup his losses by shorting dfinities on the market, but in practice this will be an extremely difficult strategy to pull off profitably.
The second risk, which in my view is more pertinent, is that of demagogues rising from the community of neuron holders. A shock to the system, such as a fall in the value of dfinities after a problem with a protocol upgrade, might precipitate such an event. One might imagine an individual widely advertising their neuron address and promising to “Make DFINITY Great Again”. While the demagogue might believe the proposals they forced through were helpful, very likely in practice they would have undermined the wisdom of the crowd and led the network towards disaster. There is only one solution here: to advance the sophistication of the community of neuron holders as fast as possible so that demagogues cannot influence them easily.
But what if the unthinkable happened and the BNS did go mad? For example, imagine if an adversary managed to have a proposal adopted that froze every major system that DFINITY hosted! In fact, this situation would not necessarily spell the end for the network. DFINITY clients hold state assigned to them using a versioning system — also used for faster synching of reconnecting nodes — so changes can be reversed. This would involve a “real” hard fork where DFINITY clients would be reconfigured to revert state changes, and also, crucially, the disabling of neurons that voted for the bad proposal. The importance of this last point cannot be overstated — in extremis following bad neurons can cost well intentioned neuron holders dearly, which is why follows should never be carelessly configured.
The Importance of Privacy
One dimension of security we did not mention in the foregoing is privacy. The neurons are managed at the edge of the network for a reason — at a fundamental level, it makes the follow graph and decision process unknowable, since it will be impossible for an adversary to collect the state of the thousands of privately operated client instances distributed around the Internet. This prevents an adversary targeting critical nodes in the graph, for example via extortion or kidnapping, to increase his chances of having proposals adopted. Furthermore, it also means that such critical nodes cannot be held accountable for decisions, for example by angry owners of systems that are frozen, or governments or agencies that believe legal liabilities should stem from decision making.
The BNS enables DFINITY to be a suitable sister network for Ethereum. Developers can choose to run their Dapps on either, and the choice will fundamentally depend on tradeoffs — whether you trust your system and its dependencies are unhackable and unbreakable such that you prefer “The Code is Law”, or whether you feel the AI-managed environment provided by the BNS is safer or for policy reasons you require a means of recourse for hacks, deadlocks and other technical issues to be present.
The introduction of the BNS introduces the concept of an environment in cyberspace that is governed algorithmically without direct human intermediaries or controllers. If it works, it might just solve many problems we currently face. It also leapfrogs the simplistic inflationary mining reward schedules first introduced by Bitcoin, and introduces sophisticated multi-dimensional flexible economic governance using multiple parameters driven by only one goal: the ultimate success of the network. At DFINITY we’re super excited to see what the BNS does, and it will be present in the initial Copper Release of the network.