On the Origin of Cardano

This article is part of the ongoing “Origin” series that tracks the emergence and evolution of smart contract projects in the cryptocurrency ecosystem. Today we’ll look at Cardano and the ways it could supplant today’s dominant platform, Ethereum.

Cardano is a project that aims to create a next generation smart contract platform and ecosystem by learning from and improving on lessons learned in the Bitcoin and Ethereum communities. The project claims to be “the first blockchain platform to evolve out of a scientific philosophy and a research-first driven approach.” The project’s goals include improved scalability, security, governance, and interoperability with traditional financial systems and regulations. Whereas Cardano’s design focus and approach to meeting these goals are somewhat different than Ethereum’s, Cardano’s innovations can be directly compared with those of Ethereum.

Like Ethereum, Cardano has a funded non-profit organization, The Cardano Foundation, that supports the research and development of the protocol, as well as community development. Much of this research and development is currently led by the for-profit technology company, IOHK, working in conjunction with researchers at several universities. Charles Hoskinson and Jeremy Wood were both involved with the Ethereum project in its early days but left to found IOHK in 2014. Much of IOHK’s funding comes from a five-year contract with Emurgo, a blockchain applications company that is looking for a platform with better support for regulatory oversight.

A crowdsale of Cardano’s Ada token raised approximately $62 million. The Ada token is named after Ada Lovelace, a 19th century mathematician recognized as the first computer programmer and daughter of the poet Lord Byron. Cardano’s first major release, named Byron, went live on September 29, 2017, launching the Cardano mainnet.

Although having a live mainnet puts Cardano a step ahead of all the Ethereum challengers we’ve looked at thus far, Cardano is still many steps behind Ethereum in terms of deployed technology. The Cardano network is still in a bootstrap state, with all consensus nodes under the control of IOHK and partners, no smart contract support, and many key innovations still under development. However, those innovations are well-documented in IOHK’s extensive research library and online documentation, as well as in peer-reviewed academic journals. This gives us an excellent basis on which to compare Cardano to Ethereum, so let’s dive into the details.

Performance and Scalability

All the platforms we’ve looked at thus far utilize some form of Proof of Stake (PoS) consensus to achieve fast, deterministic block times, and Cardano is no exception. The Ouroboros protocol used in Cardano is a chain-based PoS protocol, where in each time slot a leader, randomly chosen from a pool of stakeholders, produces the next block, which links to the previous one in the chain. Unlike BFT-style PoS algorithms, where validators finalize (i.e. permanently agree on) blocks as they are produced, Ouroboros blocks become canonical with increasing probability as more blocks are built on top of them (as in proof-of-work schemes).

The probability of any stakeholder being selected as the leader is proportional to the size of their stake — the percentage of all coins they control, either by direct ownership or via delegation. As transactions are recorded in blocks, the stake distribution (i.e. the set of stakeholders and their respective stakes) used for leader selection changes. To deal with a changing stake distribution, Ouroboros defines the notion of an epoch as some number of slots in which the stake distribution is fixed. The distribution is either hardcoded (in the initial bootstrapping stage) or (in later stages) computed from a snapshot of the blockchain at a sufficiently deep block. At the beginning of each epoch a set of leaders is chosen and each is assigned the right to produce a block in a specific slot. The leaders and slot assignments are chosen based on the fixed stake distribution and a random seed, which is generated by a multi-party computation (MPC) among stakeholders in the previous epoch.

To ensure that leaders are incentivized to always follow the protocol, Ouroboros introduces a check on block production via transaction endorsing. In each epoch a set of input endorsers is assigned to each slot based on stake. The input endorsers are responsible for endorsing transactions to be included in the block produced by the leader. The leader’s block is only valid if all the transactions it includes have been endorsed by an eligible input endorser. Each epoch rewards leaders, input endorsers, and MPC participants to ensure that following the protocol is an equilibrium when all players are rational.
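
The slot assignment and endorsement check described in the last two paragraphs, as an added Python sketch that is not taken from the Ouroboros papers or from Cardano's code. It uses a simplified stake-weighted hash draw; the stake table, the seed (a stand-in for the MPC output), the number of endorsers per slot and the block layout are all constructed assumptions, and signatures are left out.

```python
import hashlib
from bisect import bisect_right
from itertools import accumulate

# Constructed sample data: a stake snapshot that stays fixed for the epoch and
# a stand-in for the seed the previous epoch's MPC would have produced.
STAKE = {"alice": 70, "bob": 20, "carol": 10, "dave": 0}
SEED = b"constructed-epoch-seed"


def elect(stake, seed, role, slot):
    """Stake-weighted draw: hash (seed, role, slot) to a coin index and
    return the stakeholder who owns that coin in the snapshot."""
    names = sorted(stake)                      # same order on every node
    bounds = list(accumulate(stake[n] for n in names))
    digest = hashlib.sha256(seed + role.encode() + slot.to_bytes(8, "big")).digest()
    coin = int.from_bytes(digest, "big") % bounds[-1]
    return names[bisect_right(bounds, coin)]   # zero-stake holders own no coin


def epoch_schedule(stake, seed, slots, endorsers_per_slot=2):
    """Assign one leader and a set of input endorsers to every slot.
    Anyone holding the snapshot and the seed derives the same schedule."""
    schedule = []
    for slot in range(slots):
        endorsers = {elect(stake, seed, f"endorser{i}", slot)
                     for i in range(endorsers_per_slot)}
        schedule.append({"leader": elect(stake, seed, "leader", slot),
                         "endorsers": endorsers})
    return schedule


def block_valid(block, schedule):
    """A block is valid only if the slot's leader produced it and every
    transaction in it was endorsed by an endorser eligible for that slot."""
    slot = schedule[block["slot"]]
    if block["producer"] != slot["leader"]:
        return False
    return all(tx["endorsed_by"] in slot["endorsers"] for tx in block["txs"])


if __name__ == "__main__":
    sched = epoch_schedule(STAKE, SEED, 5000)
    leaders = [s["leader"] for s in sched]
    for name in sorted(STAKE):
        print(name, STAKE[name], round(leaders.count(name) / len(leaders), 3))
```

Because the draw depends only on the snapshot and the seed, balance changes during the epoch cannot shift who leads or endorses a slot until the next snapshot is taken.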

This structure of economic rewards enables the protocol authors to develop several proofs about properties of the system, which has led IOHK to proclaim Ouroboros the “first provably secure proof of stake algorithm.” The safety and liveness proofs presented are based on assumptions of a partially synchronous network with an honest majority and an upper limit on how long honest nodes may be offline. These assumptions may work well for permissioned blockchains and the commercial applications envisioned by Emurgo, but perhaps not as well for a permissionless world computer. The assumptions underpinning Ouroboros security have been criticized as “unrealistic”, “impractical for a global blockchain”, and “way too convenient”.

The last critique above came from Vlad Zamfir, who is leading research on Ethereum’s Casper The Friendly Ghost (TFG) protocol. In contrast to Cardano’s approach, Casper TFG is designed to address the faults that are likely to occur on an open public blockchain, rather than make assumptions that may only hold for permissioned chains.

Whereas Ouroboros and Casper TFG both employ economic rewards to achieve safety and liveness, Casper TFG also incorporates penalties based on fault attribution. Casper TFG is proven safe without any synchrony assumptions and it’s likely to be proven live under partial synchrony. Moreover, Casper TFG assumes no bounds on being offline and addresses attacks from majority coalitions. The design of Casper TFG takes into account faults that are likely to occur on an open public blockchain, rather than making assumptions that may only hold for permissioned chains. Neither Ouroboros nor Casper TFG has been deployed on an open public blockchain with significant assets at stake.

Another way Cardano hopes to use Ouroboros to scale is by partitioning transactions to different sets of elected leaders. According to Cardano’s vision paper, this is “trivial” to do. However, there doesn’t appear to be any additional information at this time on how blocks from different partitions fit together or how input endorsers would coordinate to prevent double spends across partitions. Ethereum’s EIP 648 describes a mechanism for parallelizing transaction processing that works in the existing block structure and thus might be deployed before Cardano accomplishes the same.

Cardano’s vision paper hints at using similar techniques to implement sharding but it’s unclear how much progress (if any) has been made on this front. Sharding is under active research in the Ethereum community but is still years away from production. Sharding is so far off for both Cardano and Ethereum that no clear advantage can be inferred for either project at the current time.

With expectations of very high transaction throughput, Cardano hopes to build a scalable network that doesn’t require every node to process every transaction. Their plan is to use the Recursive Internetwork Architecture (RINA) technology to accomplish this, though not much detail has been provided to date.

At the present time scalability and performance are major issues for Ethereum, and its scaling solutions are in various stages of research and development. Although Cardano has presented some ideas for scaling, the implementations are still a long way off. The first version of Ouroboros deployed with the Byron release is completely centralized, with only IOHK-controlled nodes participating in consensus. Community participation via delegated staking will begin with the Shelley release (2018) and work on scaling will continue through 2019 and 2020. So it is not clear if or when Cardano will be able to gain a practical performance and scalability advantage over Ethereum, which will also evolve over the next 2–3 years.

Governance

The Cardano project aims to learn from and improve on the governance mechanisms of Bitcoin and Ethereum. The goal is to create a more formalized process that reduces the perceived gridlock of the Bitcoin process without creating the appearance of centralized governance that has been blamed for Ethereum’s community split. Criticisms of Bitcoin’s and Ethereum’s informal governance processes are highly subjective but it is a fact that both have experienced hard forks and fractured communities due to the failure to reach agreement on governance issues.

Like Tezos, DFINITY, and other platforms experimenting with decentralized governance processes, Cardano intends to provide on-chain mechanisms for making decisions about the future of the protocol. The goal is to prevent community splits and keep pace with innovation by having a well-defined process for making decisions that everyone can accept. The hypothesis is that if users feel represented by a fair “rule of law” system, they may be less likely to resort to forking over simple protocol changes and more likely to stay invested even when they don’t get their way. Cardano plans to implement this by creating a constitution that lays out in detail the mechanism for agreeing on protocol updates and a program for creating and voting on Cardano Improvement Proposals in a transparent and censorship-free way.

One key governance concern that Cardano hopes to automate is platform sustainability — the mechanism by which the decentralized Cardano community can continue to pay for things it needs. Right now both Cardano and Ethereum have well-funded foundations that fund specific development and community building projects. If it turns out that the funds raised in a one-time ICO don’t generate an eternal source of funding for these organizations (unthinkable, I know), Cardano has a plan. The idea, which is not new, is to create a treasury system, funded by transaction fees, to support future development. Stakeholders decide how to spend treasury funds by voting on proposed projects (i.e. Cardano Improvement Proposals).

Cardano hopes to realize a long-term vision of expressing Cardano Improvement Proposals in terms of machine understandable specifications that can be tested and verified using software tools. A less ambitious governance process, which is slated to arrive with the Shelley release of the platform, starts out with IOHK making all improvement proposals and evolves to provide “an increasingly better mechanism for gaining consent for them.”

There are some well known issues with democratic processes in general, and specifically with on-chain voting. Whether proposals under vote are machine understandable or just human readable, they will be highly technical, and are unlikely to be fully understood by the average stakeholder. Stakeholder votes will be informed by abstracted explanations from a small tech-savvy minority that understands how the proposals really work. Getting enough users to participate such that the result of any vote is representative of the whole community is also a challenge. If some form of delegated voting is employed, it can give a small cartel of delegates (e.g. stake pools) too much power to change the rules and enrich themselves at the expense of other users.

Ethereum’s PoS researcher Vlad Zamfir has articulated the difference between stake-based voting in PoS, which provides minimal power with strong penalties for abuse, and stake-based voting on proposals, which provides maximal power with essentially no accountability. He argues that on-chain voting is dangerous because it forces rule changes on full nodes, removing an important check and balance provided by informed node operators. Similarly, Ethereum founder Vitalik Buterin argues that, because of these known issues, stakeholder voting systems shouldn’t be the single mechanism for all governance, but just one component that is checked by other mechanisms such as miner voting, user voting, core developers, and established norms.

It remains to be seen whether or not the on-chain mechanisms based on stakeholder voting that Cardano proposes can overcome these challenges to facilitate protocol evolution and bind communities together. In the near term, Ethereum’s less formal off-chain processes do not seem to be impeding innovation or enacting contentious hard forks just to make users whole. When Parity, a company founded by Ethereum creator and thought leader Gavin Wood, published proposals to hard fork to resurrect over 500 thousand ETH that was frozen in Parity multisig wallets by a deleted contract, those proposals were met with strong resistance by prominent members of the Ethereum community. Ethereum governance has evolved and may be shedding its reputation for haphazard bail outs.

Cardano’s long-term governance vision includes “the creation of a modular regulation DAO that can be customized to interact with user written smart contracts in order to add mutability, consumer protection and arbitration”, however their greatest and most immediate advantage may come from eradicating the need for bail outs in the first place. The root cause of both the debate on Parity’s hard fork proposals, as well as the Ethereum hard fork that actually resulted in a community split, was the exploit of vulnerabilities in Solidity code that could have been avoided entirely with better software development languages, tools, and processes. Cardano appears poised to deliver significant improvement in these areas.

Smart Contract Security

The design of the Cardano Computation Layer (CCL), Cardano’s smart contracts platform, is heavily focused on making it easier to provide guarantees that a smart contract behaves as designed without hidden vulnerabilities. The CCL consists of two layers: a formally specified virtual machine and language framework, and formally specified languages that facilitate automated verification of human readable smart contract code.

The lowest layer, called IELE, provides a virtual machine designed to make building formal verification tools easy, and a universal language framework for translating smart contracts from higher-level languages into executable instructions. Research and development of IELE is funded by IOHK and led by UIUC Professor and founder of Runtime Verification, Grigore Rosu. Rosu and team are applying insights from their research on KEVM, a formal semantics in the K framework for the Ethereum Virtual Machine, and KLLVM, a formal semantics in K for LLVM, to build a more secure and efficient virtual machine.

Unlike the EVM, which is a stack-based machine, IELE will be a register-based machine, like LLVM. IELE will have an unbounded number of registers and will also support unbounded integers. Avoiding the use of a bounded stack and not having to worry about stack or arithmetic overflow will make specification and verification of smart contracts significantly easier. Like Ethereum, IELE will use gas to limit resource usage and prevent DoS attacks. This presents some challenges to formal verification that are considered “tricky but manageable” by the research team. IELE leverages the K framework to simplify the development of automated tools that verify smart contracts match specifications. This allows IELE to support smart contracts written in any programming language that has a formal semantics in K.
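
Why unbounded integers simplify verification, as an added Python example that is not IELE or EVM code: the same token-conservation property is checked under wrapping 256-bit arithmetic (the EVM's word size) and under unbounded arithmetic. The batch_transfer function, the balances and the test values are constructed for illustration.

```python
WORD = 2**256                      # size of a fixed-width 256-bit machine word


def batch_transfer(balances, sender, recipients, value, bounded):
    """Debit `sender` for len(recipients) * value and credit each recipient.

    bounded=True  : every result wraps modulo 2**256 (fixed-width word)
    bounded=False : unbounded integers, as the article says IELE will support
    """
    norm = (lambda x: x % WORD) if bounded else (lambda x: x)
    total = norm(len(recipients) * value)
    if balances[sender] < total:
        raise ValueError("insufficient balance")
    new = dict(balances)
    new[sender] = norm(new[sender] - total)
    for r in recipients:
        new[r] = norm(new.get(r, 0) + value)
    return new


def conserves_supply(balances, sender, recipients, value, bounded):
    """Property under test: a transfer that succeeds never changes the total
    supply. A rejected transfer satisfies it trivially."""
    try:
        after = batch_transfer(balances, sender, recipients, value, bounded)
    except ValueError:
        return True
    return sum(after.values()) == sum(balances.values())


# Constructed inputs: small values plus one chosen at the word boundary.
START = {"alice": 10, "bob": 0, "carol": 0}
VALUES = [1, 5, 6, 2**255]


def counterexamples(bounded):
    """Values for which the conservation property fails."""
    return [v for v in VALUES
            if not conserves_supply(START, "alice", ["bob", "carol"], v, bounded)]


if __name__ == "__main__":
    print("bounded  :", counterexamples(True))
    print("unbounded:", counterexamples(False))
```

With fixed-width words the property only holds once an extra no-overflow side condition is added to the specification and proved; with unbounded integers that proof obligation does not arise.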

One such language may be Simon. Briefly described in the Cardano vision paper, Simon is a highly constrained, domain specific transaction language that provides a precisely specified set of basic financial transaction primitives that can be combined to create more complicated contracts with verifiable properties. Not much else has been written about Simon, but it is reportedly inspired by concepts from the paper Composing contracts: an adventure in financial engineering, by Simon Peyton Jones and colleagues.

Simon Peyton Jones is one of the principal designers of Haskell, a statically typed, purely functional language that is often used in applications where runtime bugs have a high cost (it is used to implement Ouroboros). Haskell’s design makes it amenable to automated verification tools that can identify and eliminate defects early in the software development process. Another Haskell designer and ACM Fellow, Phil Wadler, is a programming languages advisor to IOHK, so it’s no surprise that Cardano’s primary high level, general purpose smart contract language, Plutus, incorporates many of the concepts behind Haskell.

Plutus is a statically typed, functional language with a human readable, Haskell-like syntax. Like Haskell, Plutus translates to a simpler language, Plutus Core, that makes formal verification easier. Formal verification tools can help developers to reason about contracts and to prove certain properties about the behavior of the smart contract. These proofs can be a powerful tool to highlight and eliminate the primary sources of contract vulnerabilities such as handling of invalid input, type mismatches, nonobvious unintended code paths, confusion around scope, typos, overflows, etc. For example, a proof of the property that there is no code path in which the owner of a contract can be changed would have prevented vulnerabilities that led to both exploits of the Parity multisig wallet. This specific property is obvious in hindsight; it’s entirely possible for important properties to be left out of a formal specification, allowing vulnerabilities that only become obvious after they are exploited. So, while formal verification is a very powerful tool, it is only as effective as the specification author’s ability to cover all bases when creating a specification.
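
The owner-cannot-change property from the paragraph above, checked by exhaustive state exploration over a toy wallet model. This is an added Python example, not Plutus, K framework or Parity code, and it is a finite model check rather than a proof over real contract semantics; the Wallet fields, the function names and the two callers are hypothetical.

```python
from collections import deque
from typing import NamedTuple


class Wallet(NamedTuple):
    owner: str
    initialized: bool
    balance: int                    # capped at 2 so the state space is finite


CALLERS = ("alice", "bob")          # alice deployed the wallet; bob is anyone else
START = Wallet(owner="alice", initialized=True, balance=1)


def init_unguarded(w, caller):
    """Initializer that can be called again after deployment."""
    return w._replace(owner=caller, initialized=True)


def init_guarded(w, caller):
    """Initializer that reverts (returns None) once the wallet is set up."""
    if w.initialized:
        return None
    return w._replace(owner=caller, initialized=True)


def deposit(w, caller):
    return w._replace(balance=min(w.balance + 1, 2))


def withdraw(w, caller):
    if caller != w.owner or w.balance == 0:
        return None                 # revert
    return w._replace(balance=w.balance - 1)


VULNERABLE = {"initialize": init_unguarded, "deposit": deposit, "withdraw": withdraw}
HARDENED = {"initialize": init_guarded, "deposit": deposit, "withdraw": withdraw}


def find_owner_change(contract, start=START):
    """Breadth-first search over every call sequence by every caller.
    Returns the shortest trace after which the owner differs from the
    deployed owner, or None if no reachable state violates the property."""
    queue, seen = deque([(start, ())]), {start}
    while queue:
        state, trace = queue.popleft()
        for name, fn in contract.items():
            for caller in CALLERS:
                nxt = fn(state, caller)
                if nxt is None:
                    continue        # call reverted, state unchanged
                step = trace + ((name, caller),)
                if nxt.owner != start.owner:
                    return step
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, step))
    return None


if __name__ == "__main__":
    print("vulnerable:", find_owner_change(VULNERABLE))
    print("hardened  :", find_owner_change(HARDENED))
```

The search only reports violations of the property it was given, which is the limitation the paragraph ends on: a property left out of the specification is never checked.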

Cardano plans to support other high level languages, including Solidity. However, it supports Solidity “for low assurance applications [and Plutus] for higher assurance applications requiring formal verification.” While it’s hard to imagine any smart contract writer choosing the low assurance option, support for Solidity will make it easier for Ethereum developers and perhaps some existing contracts to migrate to Cardano. The primary reason for developers and contracts to migrate to Cardano, however, won’t be its support for Solidity, but rather its ability to reduce the risk of vulnerabilities that put funds at risk. If IELE, Plutus, and supporting verification tools can enable the development of smart contracts that are demonstrably free of the types of vulnerabilities that plague Solidity code, Cardano could become the platform of choice for deploying contracts that need better security around the funds they control (i.e. all smart contracts).

In order for Ethereum to remain the dominant smart contracts platform, it will need to adapt, by upgrading its smart contract language and tool chain before a better alternative exists. The Ethereum community is developing new programming languages such as Bamboo and Viper that are more suitable for formal verification and constrained such that many vulnerabilities can be discovered by compilers rather than by hackers. These languages compile to EVM code, so it would be necessary to formally verify both the high-level code as well as the EVM bytecode produced (and/or the compiler producing the bytecode). Currently there are multiple projects in the Ethereum community investigating the formal verification of smart contracts and the Ethereum virtual machine itself. Ethereum is in a race to eliminate the regular occurrence of high profile exploits of Solidity contracts before a competing platform does.

Conclusion

The Cardano project promises to bring several innovations to the smart contracts platform space. It is working with professors from universities around the world to incorporate peer reviewed academic research into its design, more so than any platform we’ve looked at thus far, including Ethereum. It has developed a “provably secure” proof of stake protocol that should work well in permissioned networks and may work well enough for a public, global, permissionless blockchain. It is trying to improve on the perceived shortcomings of Bitcoin and Ethereum governance, while borrowing governance ideas from other blockchains. Its verification-focused design of a smart contracts platform could provide a demonstrably more secure alternative to Ethereum.

Perhaps the biggest threat Cardano poses to Ethereum is that its innovations in language and VM design address the security concerns that are Ethereum’s Achilles’ heel. Exploits of Solidity vulnerabilities have resulted in significant loss of funds and created crises for the Ethereum community. As long as Solidity remains Ethereum’s only viable option for writing smart contracts, all Ethereum contracts will be subject to the risk of exploit and the community will be limited to reactive solutions, such as relying on white hat hackers to rescue funds and enacting bail out hard forks. This situation is only acceptable because an alternative platform offering preventive solutions does not exist today. With IELE, Simon, and Plutus, Cardano is designed from the ground up to enable formal verification tools that can eliminate vulnerabilities before they are deployed. If Ethereum cannot solve its vulnerability problem before Cardano delivers a better alternative, it may lose its position of dominance to a more secure platform. However, Cardano has a lot of work to do before it can be considered a viable alternative platform, so there is still plenty of time for Ethereum to adapt.

A platform is only as secure as its weakest link and it remains to be seen whether the Ouroboros PoS protocol can secure a global, permissionless network with significant value at stake. If not, Cardano may find a niche in providing high assurance applications on permissioned networks. One advantage of Cardano’s strict separation of computation layer (IELE + languages) from settlement layer (Ouroboros) is that each can change independently. If the Ouroboros-based settlement layer is not suitable for global blockchains, then the great work being done at the computation layer could be ported to a different settlement layer that is. It’s conceivable that Ethereum could incorporate Cardano’s innovations in language and VM design to solve its smart contract security issue. In any case, thanks to the research coming from the Cardano project, we can look forward to more secure smart contract platforms in the future, and regular exploits of Solidity contracts becoming a thing of the past.

Thanks to Christopher Mead and Steven J. Owens for their input on early drafts.

Special shout out to DecStack, the Virtual Co-Working Spot for CryptoCurrency and Decentralized App Projects, for their help and encouragement.

If you’d like to support this series with an ETH donation, please send it to 0x7e83982eb92502ad5d38c400ba2af7b135469ac9

Your support allows and encourages me to devote more time to these articles and is greatly appreciated.