Coauthored by Zubin Koticha
Alexis Gauba and Zubin Koticha are working on Cryptoeconomics Research at Blockchain at Berkeley. The team has written a working paper on 33% Attack Vectors in Proof of Stake and is actively working on many open problems in this space.
Algorand is a cryptocurrency protocol designed by Silvio Micali among others, which uses Byzantine Agreement (BA) to achieve consensus. It is similar to Proof of Stake in that voting power in the network is proportional to funds held, but it does not force network participants to bond coins to the protocol, and thus does not require staking. As such it lacks an incentive scheme; there are no prespecified rewards, punishments, or slashing conditions yet. Given that it is being pursued for deployment, we wished to conduct a crypteconomic analysis of the project. In this post, we aim to provide a justification for why it needs a formal incentive scheme.
In Algorand, participants selectively run a verifiable random function (VRF) every round to determine if they are a member of a “committee” comprised of validators and proposers. This cryptographic technique creates a rotating validator set, allowing individuals to know (and prove) that they are a validator in a round without releasing that knowledge to the rest of the network a priori. In a round, proposers (of which there might be multiple) propose blocks and the validators vote on the inclusion of these blocks, with voting power in proportion to the funds they have in the network. Consensus is achieved when the a prespecified threshold of validators agree on accepting the new block.
Micali states that, compared to Bitcoin, the Algorand protocol requires trivial computation, so “you don’t need incentives.” He also states that “We must use incentives as a last resort. I believe I can [make Algorand work without incentives], but I have no formal proof that I can, because these formal proofs are much harder than the proofs of [correctness in] Algorand.” However, Micali also admits that one might be able to devise “secure incentives” to create a more robust protocol and in the study of game theory and microeconomics, there is evidence that a cryptoeconomic proof of an incentive scheme’s optimality is feasible. We agree with his view that secure incentives could be created, and so in this post we provide key reasons as to why incentives (both positive and negative) are a necessity in Algorand. Many of the arguments we outline below can be applied to other non-PoW protocols.
We begin with an analysis of Algorand’s protocol with no incentives, and in doing so, we come across a number of difficulties that the network alone is unable to address. First, going back to Micali’s assertion that computation is trivial in Algorand, we contend that in this system, computation is not the only cost of being a validator. In order to validate and propose blocks, a network user must continuously access their private key to determine their VRF status (i.e. validator, proposer, or neither) in each round. It is generally advised that for individuals with large amounts of value stored in blockchain, to prevent attacks, they should leave their private keys in cold storage. Constant validation (needing to sign often) exposes this private key to the internet with a high frequency, leading to a high risk of exposure in the case of an attack. This would ostensibly lead a lot of honest individuals in the network to refrain from participating in the validation process (for security reasons) and thus cause a lack of liveness. In order to encourage liveness, we recommend implementing a block reward to compensate people for their private-key-exposure-risk.
Next, in any monetary system with financial assets and/or interest rates and inflation there is an opportunity cost to holding cash. In incentive-free Algorand, if there is no way for an honest validator to make a profit through maintaining the network (i.e. if there is no incentive scheme), then this individual’s money isn’t growing. That is, an individual with 1,000 Algorand-coins will continue to have only 1,000 coins regardless of how much good work they do. During that time, they could have bought assets, mining equipment, or government bonds etc. and increased the value of their holdings to more than 1000 Algorand-coins. For these honest validators, their protocol-following work is costing them the financial freedom to invest and earn interest.
At the infancy stage of a blockchain, the system’s token is valued at a low amount with a trivial market cap. Thus with negibible cost, an attacker can obtain a >33% attack stake through purchasing (called a Buyout attack) since the market cap is insignificant. In this case, bootstrapping the network with trusted nodes by pre-selecting a trusted set of individuals to connect to the network is seen as a potential solution. However, this defeats the purpose of a purely decentralized network. Even if these initial trusted nodes are manned by multiple entities, with each entity having some non-monetary incentive to support the network, there is no means of proving that these entities will follow through with such intent.
The last strong conviction in favor of an incentive scheme goes into the question of Darwinistic principles that affect blockchain systems. Successful blockchains, like all other systems, are influenced by several different selective pressures that determine their ability to succeed and adapt. The honest validator above who has her money in an Algorand implementation without a reward-scheme is sacrificing monetary gain by bearing the opportunity cost of holding those Algorand-coins. All else being equal, if all honest validators were to see a fork of Algorand’s code which pays validators (even modestly), then at least some would leave the original fork to participate in validation on the new fork. This drain of honest validators would be extremely harmful to the network. Losing those who honestly maintain the network would lower the difficulty for an adversary to reach the Byzantine threshold of 33% command of the network. With fewer proposers, the likelihood of always having a live proposer decreases, leading to potential network slowdowns.
It is likely that some individuals may have extrinsic reasons (the good of their heart, morals, network effects) for why they might want not want to leave this blockchain. However, all aspects considered, most of those willing to honestly validate will choose a network in which they will be able to make some sort of fair income (and rightfully so).
We touch upon some distinct benefits of having a rewards scheme in a Proof of Stake protocol. A crucial component of blockchain protocols is in mitigating malicious behavior including censorship, denial of service, and formation of sybil identities, among others, which is accomplished through punishments to disincentivize such behaviors. However, these punishments cannot exist unless individuals put some funds at stake. There must be a means to incentivize this staking of funds, else they could accumulate more value in other financial growth vehicles. For individuals to put funds at stake, some sort of reward is necessary, and a rewards scheme is the mechanism which compensates individuals for their resources. Without specific economic incentives, there exists no framework to provably dictate that validators will act in accordance with the protocol.
Incentives also create a mechanism by which we can attain token stability. A bottleneck preventing the active use of Bitcoin is its unstable value. Deflation has been considered a boon to both BTC investors and miners; However, this deflation and price volatility essentially prevent it from being used as a viable currency for payments. This deflation has persisted despite the increase in the money supply that was written into the blockchain’s protocol from its genesis. If Bitcoin had lower or no rewards built into the protocol, it would have experienced even wider price deflation. Introducing incentives and thus an interest rate tempers the rapid price increase that occurs at the beginning of a coin’s usage, creating another modifiable parameter, which can be utilized to create stability in the network.
Another issue in Algorand which incentives can mitigate is that not all committee members are obligated to vote. Since blockchain participants don’t know which nodes are in the committee validator set for every round. If committee members do not provide proof to the network that they are actually part of the committee, the network has no way of knowing that they were validators and that they actively declined to validate. That is to say, there is no way to identify “offline validators” and to punish them. Therefore, in absence of punishments to prevent unavailability, there should be rewards for availability, else, many individuals would not be live and would not contribute to consensus even when the protocol specifies they should be contributing. Consider that only 10% of the honest nodes in the network are constantly validating and the rest are offline, and that just under 1/3 of the network is controlled by a single Byzantine adversary. If the adversary keeps all of her nodes online, then she would easily command more than ⅓ of online committee nodes (in fact, she would control x%). This makes it significantly easier for an adversary to control consensus.
This leads us into the relationship between blockchains and the game theoretical idea of “higher order thinking.” Given the benefits outlined above for incentivization in blockchains, and based on this theory of higher order thinking, individuals should feel insecure in their interactions with a protocol that lacks incentives. If they feel insecure, or at least believe that others will feel insecure interacting with such a protocol, then they will anticipate low adoption of that protocol and they will avoid it, especially in its early days. In essence, potential validators will choose another blockchain simply because they are aware of the arguments outlined above and because they know that others are aware of those arguments above, following the idea of higher order thinking.
Based on the above contentions, we delineate the need for an incentive scheme in Algorand to accompany Byzantine Agreement and make the protocol even more robust. Looking ahead, we intend on exploring the parameters necessary for such an incentive structure.