R I P P L E
Is the Ripple Centralized or Decentralized?
An investigation in technology and corporate
One of the long-standing questions in the crypto-universe is whether Ripple is centralized or decentralized. Some say that Ripple is hideously centralized, others that it is more decentralized than Bitcoin. We are trying to get to the bottom of this. (I get commissions for purchases made through links in this post.)
When writing about Ripple (XRP), it is often said in the same breath that the cryptocurrency is highly centralized. This statement is so common that it is repeated by many under-questioned and only rarely justified. At the same time, many Ripple fans say that Ripple is not only not centralized, but even more decentralized than Bitcoin. Which would make the confusion complete. What now?
We’re trying to find an answer to this question here. We’ll look at many different factors, look at Ripple’s consensus mechanism, and try to come to some sort of decent assessment.
If you are wondering if a cryptocurrency is decentralized, you are lucky that there is a website that gives the first answer to this question: Arewedecentralizedizedyet.com. Ripple is doing pretty badly here.
There is only one client issued by Ripple (formerly Ripple Labs); a single entity controls more than 50 percent of the voting power (Ripple); 78 percent of the available coins are owned by the richest hundred addresses (Ripple is likely to be the largest); and there are no native incentives for nodes, such as the mining reward at Bitcoin. The cryptocurrency Ripple, one could say according to these values, is almost entirely under the control of Ripple.
The Finnish stock exchange Coinmotion, after taking up Ripple at the beginning of the year, described the cryptocurrency in a blog post as “extremely centralized”: “The Ripple network is a set of different applications from Ripple Labs. The stock market describes the company’s position in the Ripple universe as that of a monopolist. And BitMex Research, the research arm of a Bitcoin derivatives exchange known for its detailed reports on various aspects of the crypto ecosystem, concludes an analysis from early 2018 with these words:
“The Ripple system appears to be centralized for all practical purposes. It probably lacks many interesting technical features that Bitcoin has, such as resistance to censorship”.
The standard behavior of nodes “effectively gives the Ripple.com server full control over updating the ledger. At Ripple, the ledger is the account book in which the user’s credit is stored.
On the other hand, Brad Carlinghouse, CEO of Ripple, said already in October 2017: “Ripple is not centralized. To put it clearly: If Ripple disappeared today, XRP would continue to work. For me, this is the most important indicator that something is decentralized.” And David Schwartz, Ripple’s CTO, said in August 2018 that the issue of whether Ripple is decentralized was “wildly nuanced and misunderstood”. Ripple is based on an “inherently decentralized and democratic consensus mechanism that no party can control”. Ripple is even much more decentralized than Bitcoin and Ethereum, where a handful of mining lords have control over the blockchain. And as cryptocurrencies like Bitcoin and Ethereum become more centralized over time, Ripple becomes more decentralized.
So here we are. Some say totally centralized, others totally decentralized. How do we proceed from here?
What does it actually mean when we talk about “decentralization”?
A good start would probably be to discuss the question of what “decentralized” actually means. If we do not have a clear concept of it, it makes no sense to ask whether something is decentralized. Without it, any answer — “centralized” or “decentralized” — would be both right and wrong, because it depends on how we define decentralization. So what does decentralization mean?
It is probably impossible to give a definite answer. “Decentralization” is a more philosophical-political concept. Similar to “justice” or “freedom”, and thus always in the eye of the beholder. But there are a few possible clues:
- No single point of failure: A central network operates around one head. If this head is knocked off, the network no longer functions. It is the “single point of failure”. If a network does not have such a point, it is decentralized. A snake is centralized because you can cut its head off. It is not a hydra.
Similarly, no central party should be able to change the system or manipulate the account book with past transactions. Some people also go so far as to require a decentralized system that even the majority is unable to do so, but that a “consensus” is needed, which is another vague concept that could be translated into an “absolute, overwhelming majority”.
- Aristocracy or equality: For some people, it is enough decentralization if there is no emperor, but only kings. For them, for example, the power structure of early medieval Europe, in which the kings, grand dukes, and prince-bishops of the various territories played their power games, was decentralized. Others, on the other hand, demand that there be no aristocracy either, but that all nodes in the network have equal rights.
- Freedom of permission and verification: One aspect of decentralization could be that the network must be free of permissions: Everyone must be able to participate, regardless of who they are or where they come from. It must work without trust. Some also require everyone to be able to verify the entire history of transactions from start to finish, to be absolutely certain that a transaction they have received is correct.
- Fairness: Coins should be fairly distributed. Where fair begins and ends is a question that is quite impossible to answer. But it should be clear that a cryptocurrency can hardly be considered decentralized if a single party has half of all coins. Power should also be fairly distributed in the ecosystem. A cryptocurrency can hardly be decentralized if one party has control over all relevant parts of the ecosystem.
That would give us some indicators. It is clear that cryptocurrency is more “decentralized” if these indicators are better met, and “centralized” if they are less met. However, this does not mean that they mark a clear limit as to when something is decentralized or centralized. Where this limit is set depends on one’s own needs. For one, it is enough if one coin has no central head; for the other, everything is centralized where he cannot calculate the blockchain on a microcomputer from Genesis on.
To apply these categories to Ripple now, we must first look again at how Ripple works.
How Ripple creates consensus in the network
If you are used to cryptocurrencies like Bitcoin, where proof of work by the Miner decides the valid chain, it is very counter-intuitive to understand how Ripple works. But it’s actually quite simple.
At its core, Ripple’s consensus is based on trust. Each node is connected to other nodes, and as soon as a transaction is accepted by a certain number of these nodes, it is accepted. In this way, the network comes to a consensus. That’s how simple it is. Not every node counts, but only so-called “validators”. Each node in the network connects to a freely selectable number of validators, and as soon as more than 80 percent signal a matching order of transactions, it accepts this order.
If the network has no consensus — i.e. if less than 80 percent of the nodes agree with the order of the transactions — it stops. Here I have not yet fully understood how this mechanism works, i.e. where the network comes from to consensus that it has no consensus, how the shutdown works, and how it can be reactivated.
You should also know that Ripple uses a different booking system than Bitcoin. While Bitcoin uses so-called “UTXOs” (Unspent Outputs) for transactions — which can be imagined as coins — Ripple uses “Accounts”. An address does not have a lot of “coins” (these are the UTXOs), but a balance, like a bank account. In certain time intervals, the entirety of these assets is stored with a snapshot as “Ledger” and shared in the network. As proof, a hash tree of this snapshot is shared on the network. This helps to check the update of the ledger. With this system, ripple nodes are able to simply throw away old transactions because the current credit is confirmed by the hash tree.
The tokens called XRP are Ripple’s native currency. They are limited in quantity, can no longer be created and transactions with them are, according to Ripple, uncensorable. The XRP serves as spam protection. So you need a small amount of XRP to open an account that is registered in the ledger, and you also need to destroy a small amount of XRP when signing a transaction. This amount increases if there is a spam wave on Ripple. This makes the XRP tokens deflationary in the long run.
On the other hand, there are other tokens that represent Dollar, Euro or Bitcoin. They are created by so-called “gateways” which hold the corresponding values in stock. Such tokens can be censored and frozen by the gateways.
The huge influence of Ripple Labs
Now to the role of the Ripple company in all this. This extends to several core areas of Ripple: first, the distribution of XRP tokens, second, the development of the software, and third, the creation of consensus.
Creation and distribution of XRP tokens
Ripple was originally a payment system without the XRP tokens, which had a rather manageable success. Sometime in 2012 or 2013 Ripple reinvented itself and introduced the XRP tokens. Of these, 100 billion were created. 80 billion of this was given to the now founded company Ripple Labs, 20 billion to the three founders Chris Larson (9.5 billion), Jed McCaleb (9.5 billion) and Arthus Britto (1 billion). While Jed McCaleb has thrown much of his XRP onto the market, Chris Larson has hoarded it. When XRP reached an all-time high of nearly three dollars in January 2019, Chris Larson’s assets briefly rose to more than 50 billion dollars, making him one of the richest people on Earth. According to a graph (no longer available), CTO David Schwartz also received over one billion XRP in 2013; it is known that he sold about 2.8 million XRP in April this year.
The Ripple company has since been taking care of distributing these coins wisely and fairly. So far, the company has put around 25 billion XRP into circulation. By the end of 2017, the company had put 55 billion XRP into a trust fund to “make the amount of XRP determinable with certainty at all times,” as the company writes on its blog. Ripple has used a fiduciary feature of the XRP ledgers to freeze the XRP for a pre-determined period of time. With 55 contracts, one billion XRP was frozen each, one of which is released each month to probably be distributed or sold by Ripple at its discretion. Any XRPs left will be frozen again. Analysis firm CoinMetrics reports that there are discrepancies between what Ripple announced for the escrow system and how it was implemented, how Ripple accounted for the proceeds and how they were actually used.
Overall, it can be said that XRP’s money creation was absolutely centralized. The majority of the coins were distributed in a closed circle by founders who have benefited or are benefiting massively from every increase in value since then. Ripple is also responsible for the further distribution of the coins, even if this is limited to one billion XRP per month. In this sense, the creation of money at Ripple is much more central than it has ever been with political Fiat money. The result is one of the most unequal distributions of coins in the crypto-universe.
The development of the software
The Ripple software — i.e. the node implementation — is 100% the responsibility of the software developers at Ripple. The company advertises that it has hired some of the best developers in the world.
Ripple writes: “A team of full-time and world-class developers at Ripple maintains and improves the software underlying the XRP Ledger. Ripple acts as a steward and advisor for their best interests while establishing constructive relationships with governments and financial institutions around the world.” The software is open source and can be downloaded and, theoretically, modified by anyone. However, it may be practically impossible to introduce changes that aren’t nodded off by Ripple.
It can be said that the development of the Ripple software is completely concentrated on the Ripple company.
When BitMex tested a ripple validator, the authors of the analysis made the following observation: “The node operated by downloading a list of five public keys from the v1.Ripple.com server. These five keys are attributed to Ripple.com. The software points out that four of the five keys are necessary for a proposal to be accepted. Since the keys are all downloaded from the Ripple.com server, Ripple essentially has full control over how the ledger moves forward.”
This paragraph refers to how the nodes select the validators they trust: They visit a list on Ripple’s server and get public keys from it. The validators they select sign an update of the ledger with this key so that the BitMex node knows they are from them. Of course, the user is free to choose other validators, but as long as the default setting indicates Ripple, the company has virtually unlimited power.
By the end of 2017, Ripple would have agreed to BitMex’s findings. The company writes in a post that it “deliberately chose to be the most trusted validator operator on the network to go through the first phase of the XRP ledger development”. This decision is based on a decision for security and scalability to the detriment of decentralization. In spring 2017, Ripple provided the majority of these nodes with 25 validators.
However, in mid-2017 the company initiated a “decentralization strategy”. This includes that Ripple also includes external validators in the “Unique Node Lists” (UNLs), in which the trustworthy Ripple nodes are located, provided that these nodes fulfill certain conditions dictated by Ripple. At the beginning of the decentralization campaign, this list was published by Ripple and contained only Ripple nodes. However, the company plans to change this; for all two new nodes that meet Ripple’s criteria, the company will remove a separate node. The goal is not to run a validator at all.
The list of UNLs from which new nodes select trusted validators, however, is apparently still provided by Ripple. To date, the number of validators in the network has grown to 199, of which only about six, according to the charts, come from Ripple. Of these, however, only about 30 have a place in the UNL list; only a similarly small proportion of nodes have more than 100 inbound connections and more than 40 outbound connections, according to a node explorer. It is likely that this small group of nodes will make up the consensus in the Ripple universe among themselves.
It is therefore positive to note that Ripple has indeed reduced its influence on consensus-building arbitrarily. The group of nodes that determine consensus, however, remains relatively small; and Ripple’s influence on which nodes are trusted by others remains immense, as the company determines its default setting with the release of the software and continues to maintain the most important list of validators.
Can Ripple’s consensus mechanism be decentralized at all?
Of course, the influence of Ripple, the company, is huge. Nobody would deny that. However, what CEO Garlinghouse says may be true: even if the company disappeared, the Ripple network would still exist. This at least meets a very basic requirement of decentralization. In addition, the influence of a single actor is not a systemic property of a cryptocurrency, but merely a temporary state. The fact that Ripple has such a large influence does not mean that it always has to be that way. The more interesting question is, therefore: Is Ripple, the system, able to drive a decentralized network?
For some, the great influence that Ripple has on the trust of its customers is in itself a reason not to consider the network capable of decentralization. At Bitcoin, there is a hard, cryptographic proof of which chain is valid: the sheer amount of energy used for proof of works. Anyone can verify that for themselves. With Ripple, there is only trust in the majority of nodes. This could make the system vulnerable to corruption, abuse of trust, and so on. As Friedrich von Hayek said: “The governments of this world have at all times misused the trust of the peoples in them to manipulate money. Why should things be any different with Ripple?
On the other hand, it could well be that Ripple has managed to develop a mathematical function that is very resistant to abuse or drastically limits its consequences. The continuous flow of ledgers tested by Hash trees (i.e. credit balances) should make it very difficult even for a majority to manipulate the system. But here I have to admit that I have reached the limit of my knowledge. I can’t judge the power of a cartel of validators, and it’s hard for me to say anything about how and what individual nodes can lose if 80 percent of the validators they choose betray them. Another difficult question is who decides that the network will shut down when it no longer has consensus, and who will turn it back on. Is this even possible without handing control over to a central office?
For many Bitcoiners, another feature of the system might speak against decentralization: The nodes and validators usually only download a number of current ledgers. This is practical because it saves the tedious synchronization of a node, as known from Bitcoin. The full blockchain — which begins with the creation of the 100 billion ripples — already requires nine terabytes. And that’s where Ripple isn’t being used as many Ripple fans promise in the future. A point will be reached relatively quickly where it will be more or less impossible to calculate the current ledgers from the beginning, even for large institutions with powerful supercomputers and warehouses full of SSD disks. Will it even be possible to determine whether the history of transactions — and the entire balance of XRP — is correct?
Finally, there is the question of incentives for nodes. At Bitcoin, mining nodes have massive incentives, to be honest, and invest in strong systems. These incentives do not exist at Ripple. The nodes are operated on a more or less voluntary basis. Sometimes it is said that such a node helps institutions such as banks, for example, to get a fluid contact to the Ripple network while at the same time helping its stability and security. But is that really enough? Doesn’t decentralization need incentives that strike a balance? Wasn’t that exactly Satoshi’s game theoretical stroke of genius?
The circle closes …
A little we end up where we started: Decentrality is subjective. Ripple certainly meets some of the requirements of a decentralized system, especially when you see the gigantic impact of Ripple Labs as a temporary phase that might pass if the XRP ledger becomes the Planetary Earth account book as planned. Then banks and central banks may invest in XRP developers, maintain their own node lists and invest in validator farms — while the money supply of XRP has long since been distributed into many hands. The company Ripple would then have done its job and made itself unnecessary. It would be conceivable but does not have to be so.
For people who have stricter decentralization requirements, Ripple in its current state is a nightmare of centralism despite its unmistakable progress. For many, Ripple’s consensus model is likely to make it impossible for Ripple to ever meet the high demands for decentralization for several reasons. If Ripple continues to be used and is highly scalable, it would be in the hands of a small cartel, and it would be completely opaque whether it cheats the public.
So, as we said at the beginning, it is in the eye of the beholder.