Sometimes, Vitalik likes to mention the Hive fork from Steem when talking about game theory in blockchain consensus and governance. He did so again today on his blog. Here's the link: Moving beyond coin voting governance.
Vitalik is also famous for criticizing delegated Proof of Stake by saying it will lead to bribery and voting cartels. Today, he presented a much more balanced view. It is a must-read if you are interested in governance and decentralization.
Hive's governance is at risk
The number one argument in favor of Hive's DPOS is the lockup. It takes 13 weeks to power down, so investors who stake are incentivized to act with a long-term view that benefits hive. Any person engaging in vote selling is hurting their own stake.
However, this argument will soon be meaningless once Hive.loans launches.
For those who don't know, hive.loans will be a way to use a hive account as collateral, enabling the exchange of an account with hive power for liquid hive by giving up the private keys.
This opens up the possibility of vote-selling on hive as short-term incentives become stronger. Vitalik also mentioned lockups as an ineffective way to enforce coin voting governance:
Some DAO protocols are using techniques like timelocks to limit one's ability to participate against these kinds of attacks, but ultimately timelocks are bypassable; as far as security systems go, timelocks are more like a paywall on a newspaper website than they are like a lock and key.
He also links to a great article on timelocks and their problems: Bypassing Smart Contract Timelocks.
In Hive's case, the power down can only be bypassed through centralized services because hive doesn't support smart contracts on layer 1. This will probably mean that bypassing the lockup will cost a fee, which is better than nothing and provides some long-term incentive for investors. But it isn't enough.
I personally believe that right now, Hive is in a fantastic place regarding its governance. The token is well distributed, and I don't know any significant bad actor with massive influence engaging in vote selling.
However, this doesn't mean that it will always remain so. We need to take measures in advance to have sound governance forever because hard forking is very painful and should be the ultimate last resort measure.
Solutions
In his blog, Vitalik talks about many solutions grouped under 3 categories.
- Limited governance
- non-coin-voting governance
- Skin in the game
Solution two requires either Proof of personhood, which means KYC accounts, or Proof of participation, a way to verify that a human has a single account even if we don't know who it is.
Both of these solutions are unlikely to be applicable on hive. KYC accounts are not a solution. I believe most people here would agree that this is not wanted. In addition, I can't see Proof of Participation working well enough to prevent people from creating two accounts and gaming the system. Maybe that will be possible in the future, but there are no concrete examples right now.
So we can eliminate solution 2 from the discussion.
Solution 1: limited governance
I found two of Vitalik's propositions to be interesting for hive.
Adding time delays: Hive already does this. A recent powerup cannot affect governance. 30 days are needed for the stake to begin being useful. This is very effective against malicious powerups from exchanges like Binance did in the Steem takeover.
However, what if a large stake is powered up anonymously without declaring any intentions? Someone could power up millions of hive and wait 30 days without talking to anyone or casting any governance vote. Once the time delay expires, one could suddenly make a big vote with harmful consequences.
Therefore, Vitalik's proposed time delay could be beneficial on hive:
a governance decision made at time T only takes effect at eg. T + 90 days. This allows users and applications that consider the decision unacceptable to move to another application (possibly a fork)
For instance, we could add a time delay for protocol hardforks. If 17 witnesses approve a hardfork, then it doesn't happen for 30 days. If the chain is under attack, we can hardfork to another chain while avoiding consequences.
This would have been EXTREMELY useful in the Steem takeover because a 30-day time delay would have allowed witnesses and whales like @theycallmedan to get 4 more weeks' worth of steem power downs before being stolen their funds. This would have amounted to millions of dollars saved in total.
Be more fork friendly: When under attack, forking is a stressful operation, I'm sure many of us remember.
Setting up most of the dev work in advance can be done. There could be a step-by-step guide on how to hardfork hive, and we could even set some emergency DAO funds that could be unlocked only for such reasons. Obviously, it's impossible to unlock funds in a decentralized way when under attack, so The DAO emergency fund could be unlocked according to a snapshot of the hive voting stake taken a month ago.
For example, Justin Sun somehow takes over hive again. He now has a majority stake. We want to fork and unlock the emergency fund to sell as much hive as possible and use it for the next hardfork.
To unlock the fund, we need approval from 17 old witnesses voted in a month before the takeover, and we need x% of the staked hive one month ago to approve the emergency unlock.
This would be a significant disincentive for attackers, as they will get dumped on very heavily. Furthermore, they can't confiscate those funds, assuming we also implemented the fork delay, because they can't change the rules in a minute.
Solution 3: skin in the game
As mentioned before, the power down time is no longer enough as we will bypass it. So we need skin in the game for day-to-day voting to provide the right long-term incentives instead of short-term vote selling.
We have already succeeded at this for reward pool distribution. We got rid of vote-selling and bid bots by tweaking the parameters to encourage better curation with the EIP on hardfork 21 (I might be wrong about that number).
We now need to do this for governance voting, as the effectiveness of the power down will disappear soon. Vitalik proposed 3 different strategies which are already well researched or implemented.
I honestly cannot judge how effective those strategies can be or how difficult it is to implement them. But I think the community should start to think about this and propose similar or different solutions before we become a complete mess like EOS.
Comment below any idea you have or make posts about that. The sooner we come up with something concrete, the less risk we take. Layer 0 won't last forever.
I dont think the effeciveness of the powerdown will disapear with the introduction of Hive.Loans.
What you are missing about hive.loans is the liquidity. No way there will be say 50M HIVE liquidity on hive loans to be any real threat... even if 10M move around that will be noticeable.
Good point. I would counter that the illusion can be damaging on its own.
For instance, if there's 10 million in liquidity, which is definitely achievable, even the biggest stakeholders could start vote-selling and then try to get out before everyone else.
Every person with a million hive power could just sell his vote while things get gradually worse. At some point a few of those people will cash out instantly and maybe at this point others will be concerned about liquidity.
This could create a situation similar to a 'run on the bank' while keeping short term incentives alive because of stakeholder shortsightedness. People who sell votes are usually not the brightest anyway.
Obviously it's not that dramatic and we don't know how it will all play out, but better be safe than sorry.
Nice will dig into this. I would love to have a 1v1 recorded talk with Vitalik about governance one day.
Like a genesis block, probably hive is the genesis of proof of community.
Just off the top of my head:
You must have skin in the game governance. 1p1v, even with magic that makes it, so you don't KYC is a no go. This will either turn into mob rule, or people with zero skin in the game can sell their votes for pennies profitably. Stake-based is the only solution as a foundation if we're talking security of base layer gov as it puts greed above all else and requires a money attack to take over in which we can always fork as a last resort.
Time locks are the backbone of making any voting system work; without lockups, exchanges will run your chain to earn BP rewards. It also makes attacks very easy and swift to leave and not face damages. You don't have vote-selling on Hive for a reason; it isn't because we are just a bunch of great people, it's because we are locked in, and great witnesses don't accept bribes. The only witnesses that accept bribes are the ones not good enough to be elected by merit. Since I'm locked in, last thing I want is to sell my vote for next to nothing compared to the value I have locked, witnesses earn crumbs compared to large stakeholders, so it's not like you get a ton for selling your vote anyway. So I want the best in there, and we have had 5 years now with no vote-selling, I know every single witness in the top 30, and I know none of them have ever sold their votes for money. You cant say that about any other chain, and there are a ton of reasons for that, social status on a social blockchain, long lockup, rep to become validator on dpos, etc. etc. ill kill it here prob make a post lol
Exactly the strongest argument is the lock up. However, the lock up can be avoided using things like hive.loans by @klye. This is why I wrote the post.
We need to look for new ways to incentivize long-term thinking before bypassing lock ups becomes too easy. It will probably not happen with hive.loans alone because of liquidity, but some day it might become easy.
We have a lot of time but it's always better to plan early.
ya i forgot the second half of my comment. The attack vector for lock ups is to target a large stakeholder and buy the stake/private keys. With things like loan markets and the ability to sell your account keys with mutlisigs with ease, it becomes a more precise way to attack stake based systems as the money attack does not move the price and if the attacker is there to destroy, they don't mind the long lock-up (after an attack no one will want to buy your account, as that will be more savvy people, but exchanges MM bots, dexes and money still up that does not know an attack took place can still be exit liquidity)
So this comes down to the stakeholders as always, can enough top wallets be targetted to sell quick enough before anyone realizes. That is a tough issue and kinda new to me to think about as we never had to face this as an issue with hive due to not real way to trade accounts in a trustless way. but as we get closer to that tech, it will be an issue we will need to explore.
To add, this is less of an issue now, as the price of Hive is cheap, and large wallets are large for a reason because we believe in this tech. But in theory, as the price starts to ballon, larger early speculators would be more open to selling large otc accounts. So right now, it's a pretty much nonissue; you're not getting any of the top wallets and nothing close to being able to do a hostile takeover. But as distribution comes in and newer large stakeholders form, this becomes a more clear attack vector.
100% agree. Right now it's not a concern, but at some point the tech will be there and funds will have small allocations to hive without caring much about it.
A good starting point to find other defenses is Vitalik's Solution 3 in the blog. I'm sure we can come up with other ways too with enough time. But it's important to start thinking about this stuff.
Also, it might never be enough to be an attack vector, but will definitely be enough to cause some shitty governance decisions, like one bad witness or one useless proposal.
He definitely has some good ideas. the wait for forking being one.
a governance decision made at time T only takes effect at, e.g., T + 90 days. This allows users and applications that consider the decision unacceptable to move to another application (possibly a fork)
This is very interesting tbh. On paper, this would mean people have a chance to "flee" - during the Steem vs. Tron battle, I felt like Hodor holding up a giant door from the attackers, but as we all power down, the door was inevitably knocked down, and some of us got eaten.
Yeah I agree. It is straightforward and very effective.
@tipu curate
Upvoted 👌 (Mana: 0/87) Liquid rewards.
Hey Marki! Sorry to message you here but I could not find you on Discord!
I wanted to ask for your vote for the PIZZA token team as both a HIVE and Hive-Engine witness. We run active nodes for both and are actively working to both build on HIVE and showcase existing tools (such as TribalDex offerings) to help make this thing of ours more attractive to new and existing users. We would love your support!
Our HIVE witness is @pizza.witness and we're working super hard to get into the top 50 (getting super close!).
Our Hive-Engine witness is @pizza-engine (currently ranked #19)
Thank you so much for your consideration! !PIZZA
@marki99! I sent you a slice of $PIZZA on behalf of @thebeardflex.
Did you know you can trade $PIZZA on Hive-Engine, Tribaldex, or LeoDex? (3/20)