Monday, December 10, 2018

Blockchain: What's Not To Like?

I gave a talk at the Fall CNI meeting entitled Blockchain: What's Not To Like? The abstract was:
We're in a period when blockchain or "Distributed Ledger Technology" is the Solution to Everything™, so it is inevitable that it will be proposed as the solution to the problems of academic communication and digital preservation. These proposals typically assume, despite the evidence, that real-world blockchain implementations actually deliver the theoretical attributes of decentralization, immutability, anonymity, security, scalability, sustainability, lack of trust, etc. The proposers appear to believe that Satoshi Nakamoto revealed the infallible Bitcoin protocol to the world on golden tablets; they typically don't appreciate or cite the nearly three decades of research and implementation that led up to it. This talk will discuss the mis-match between theory and practice in blockchain technology, and how it applies to various proposed applications of interest to the CNI audience.
Below the fold, an edited text of the talk with links to the sources, and much additional material. The colored boxes contain quotations that were on the slides but weren't spoken.

Update: the video of my talk has now been posted on YouTube and Vimeo.

It’s one of these things that if people say it often enough it starts to sound like something that could work,
Sadhbh McCarthy

I'd like to start by thanking Cliff Lynch for inviting me back even though I'm retired, and for letting me debug the talk at Berkeley's Information Access Seminar. I plan to talk for 20 minutes, leaving plenty of time for questions. A lot of information will be coming at you fast. Afterwards, I encourage you to consult the whole text of the talk and much additional material on my blog. Follow the links to the sources to get the details you may have missed.

We're in a period when blockchain or "Distributed Ledger Technology" is the Solution to Everything™ so it is inevitable that it will be proposed as the solution to the problems of academic communication and digital preservation. In the second of a three-part series Ian Mulvaney has a comprehensive review of the suggested applications of blockchain in academia in three broad classes:

    • Priority Claims
      • Claims about authorship of a paper
      • Reviews of articles
      • Tracking article versions from preprint to publication
      • Claims about generation of data
      • Linking research artefacts together
      • Claims about facts and micro statements
    • Resources
      • Access to compute time
      • Access to lab time
      • Tracking of physical reagents
    • Rights
      • Rights transfers around copyright, articles or journals
    blockchain in STEM - part 2
    Ian Mulvaney

    • Priority Claims
    • Access to Resources
    • Rights
    Mulvaney discusses each in some detail and doesn't find a strong case for any of them. In a third part he looks at some of the implementation efforts currently underway and divides their motivations into two groups. I quote:
    The first comes from commercial interests where management of rights, IP and ownership is complex, hard to do, and has led to unusable systems that are driving researchers to sites like SciHub, scaring the bejesus out of publishers in the process.

    The other trend is for a desire to move to a decentralised web and a decentralised system of validation and reward, in a way trying to move even further away from the control of publishers.

    It is absolutely fascinating to me that two diametrically opposite philosophical sides are converging on the same technology as the answer to their problems. Could this technology perhaps be just holding up an unproven and untrustworthy mirror to our desires, rather than providing any real viable solutions?
    This talk answers Mulvaney's question in the affirmative. I've been writing skeptically about cryptocurrencies and blockchain technology for more than five years. What are my qualifications for such a long history of pontification?

    This is not to diminish Nakamoto's achievement but to point out that he stood on the shoulders of giants. Indeed, by tracing the origins of the ideas in bitcoin, we can zero in on Nakamoto's true leap of insight—the specific, complex way in which the underlying components are put together.
    Bitcoin's Academic Pedigree,
    Arvind Narayanan and Jeremy Clark

    More than fifteen years ago, nearly five years before Satoshi Nakamoto published the Bitcoin protocol, a cryptocurrency based on a decentralized consensus mechanism using proof-of-work, my co-authors and I won a "best paper" award at the prestigious SOSP workshop for a decentralized consensus mechanism using proof-of-work. It is the protocol underlying the LOCKSS system. The originality of our work didn't lie in decentralization, distributed consensus, or proof-of-work. All of these were part of the nearly three decades of research and implementation leading up to the Bitcoin protocol, as described by Arvind Narayanan and Jeremy Clark in Bitcoin's Academic Pedigree. Our work was original only in its application of these techniques to statistical fault tolerance; Nakamoto's only in its application of them to preventing double-spending in cryptocurrencies.

    We're going to walk through the design of a system to perform some function, say monetary transactions, storing files, recording reviewers' contributions to academic communication, verifying archival content, whatever. Being of a naturally suspicious turn of mind, you don't want to trust any single central entity, but instead want a decentralized system. You place your trust in the consensus of a large number of entities, which will in effect vote on the state transitions of your system (the transactions, reviews, archival content, ...). You hope the good entities will out-vote the bad entities. In the jargon, the system is trustless (a misnomer).

    Techniques using multiple voters to maintain the state of a system in the presence of unreliable and malign voters were first published in The Byzantine Generals Problem by Lamport et al in 1982. Alas, Byzantine Fault Tolerance (BFT) requires a central authority to authorize entities to take part. In the blockchain jargon, it is permissioned. You would rather let anyone interested take part, a permissionless system with no central control.

    In the case of blockchain protocols, the mathematical and economic reasoning behind the safety of the consensus often relies crucially on the uncoordinated choice model, or the assumption that the game consists of many small actors that make decisions independently.
    The Meaning of Decentralization,
    Vitalik Buterin, co-founder of Ethereum

    The security of your permissionless system depends upon the assumption of uncoordinated choice, the idea that each voter acts independently upon its own view of the system's state.

    If anyone can take part, your system is vulnerable to Sybil attacks, in which an attacker creates many apparently independent voters who are actually under his sole control. If creating and maintaining a voter is free, anyone can win any vote they choose simply by creating enough Sybil voters.

    From a computer security perspective, the key thing to note ... is that the security of the blockchain is linear in the amount of expenditure on mining power, ... In contrast, in many other contexts investments in computer security yield convex returns (e.g., traditional uses of cryptography) ... analogously to how a lock on a door increases the security of a house by more than the cost of the lock.
    The Economic Limits of Bitcoin and the Blockchain,
    Eric Budish, Booth School, University of Chicago

    So creating and maintaining a voter has to be expensive. Permissionless systems can defend against Sybil attacks by requiring a vote to be accompanied by a proof of the expenditure of some resource. This is where proof-of-work comes in; a concept originated by Cynthia Dwork and Moni Naor in 1992. To vote in a proof-of-work blockchain such as Bitcoin's or Ethereum's requires computing very many otherwise useless hashes. The idea is that the good voters will spend more, compute more useless hashes, than the bad voters.
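The defense described above, as an added example that is not from the talk or from any real blockchain's code: a ballot counts only if it carries a nonce whose SHA-256 digest clears a difficulty target, so checking costs one hash while casting costs about 2^bits hashes per voter name. The vote format, function names and the 12-bit toy difficulty are assumptions made for the illustration.

```python
import hashlib
from itertools import count

DIFFICULTY_BITS = 12  # assumption: toy difficulty so the demo runs in well under a second


def _digest(voter: str, ballot: str, nonce: int) -> int:
    """SHA-256 over the vote and its nonce, as a 256-bit integer."""
    data = f"{voter}|{ballot}|{nonce}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def is_valid(voter, ballot, nonce, bits=DIFFICULTY_BITS) -> bool:
    """Cheap check (one hash): the top `bits` bits of the digest must be zero."""
    return _digest(voter, ballot, nonce) >> (256 - bits) == 0


def mint_vote(voter, ballot, bits=DIFFICULTY_BITS):
    """Expensive step: try nonces until one validates. Returns (nonce, hashes_tried)."""
    for nonce in count():
        if is_valid(voter, ballot, nonce, bits):
            return nonce, nonce + 1


def unworked_nonce(voter, ballot, bits=DIFFICULTY_BITS):
    """A nonce from a voter who skipped the work: the first one that fails the check."""
    return next(n for n in count() if not is_valid(voter, ballot, n, bits))


def tally(votes, bits=DIFFICULTY_BITS):
    """Count one ballot per voter name, ignoring ballots without a valid proof."""
    seen, counts = set(), {}
    for voter, ballot, nonce in votes:
        if voter in seen or not is_valid(voter, ballot, nonce, bits):
            continue
        seen.add(voter)
        counts[ballot] = counts.get(ballot, 0) + 1
    return counts


def expected_hashes(n_voters, bits=DIFFICULTY_BITS):
    """Average work to field n_voters valid ballots: linear in the number of voters."""
    return n_voters * 2 ** bits


def demo():
    # Constructed scenario: 5 honest voters do the work, 50 Sybil names do not.
    honest = [(f"honest-{i}", "A") for i in range(5)]
    sybils = [(f"sybil-{i}", "B") for i in range(50)]
    votes = [(v, b, mint_vote(v, b)[0]) for v, b in honest]
    votes += [(v, b, unworked_nonce(v, b)) for v, b in sybils]
    return tally(votes)


if __name__ == "__main__":
    print(demo())               # only the ballots backed by work are counted
    print(expected_hashes(50))  # average hashes needed to make the 50 Sybil ballots count
```

Creating names stays free; what the proof prices is each ballot, so out-voting the honest voters means out-spending them.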

    The blockchain trilemma
    much of the innovation in blockchain technology has been aimed at wresting power from centralised authorities or monopolies. Unfortunately, the blockchain community’s utopian vision of a decentralised world is not without substantial costs. In recent research, we point out a ‘blockchain trilemma’ – it is impossible for any ledger to fully satisfy the three properties shown in [the diagram] simultaneously ... In particular, decentralisation has three main costs: waste of resources, scalability problems, and network externality inefficiencies.
    The economics of blockchains,
    Markus K Brunnermeier & Joseph Abadi, Princeton

    Brunnermeier and Abadi's Blockchain Trilemma shows that a blockchain has to choose at most two of the following three attributes:
    • correctness
    • decentralization
    • cost-efficiency
    Obviously, your system needs the first two, so the third has to go. Running a voter (mining in the jargon) in your system has to be expensive if the system is to be secure. No-one will do it unless they are rewarded. They can't be rewarded in "fiat currency", because that would need some central mechanism for paying them. So the reward has to come in the form of coins generated by the system itself, a cryptocurrency. To scale, permissionless systems need to be based on a cryptocurrency; the system's state transitions will need to include cryptocurrency transactions in addition to records of files, reviews, archival content, whatever.

    Your system needs names for the parties to these transactions. There is no central authority handing out names, so the parties need to name themselves. As proposed by David Chaum in 1981 they can do so by generating a public-private key pair, and using the public key as the name for the source or sink of each transaction.

    we created a small Bitcoin wallet, placed it on images in our honeyfarm, and set up monitoring routines to check for theft. Two months later our monitor program triggered when someone stole our coins.

    This was not because our Bitcoin was stolen from a honeypot, rather the graduate student who created the wallet maintained a copy and his account was compromised. If security experts can't safely keep cryptocurrencies on an Internet-connected computer, nobody can. If Bitcoin is the "Internet of money," what does it say that it cannot be safely stored on an Internet connected computer?
    Risks of Cryptocurrencies,
    Nicholas Weaver, U.C. Berkeley

    In practice this is implemented in wallet software, which stores one or more key pairs for use in transactions. The public half of the pair is a pseudonym. Unmasking the person behind the pseudonym turns out to be fairly easy in practice.

    The security of the system depends upon the user and the software keeping the private key secret. This can be difficult, as Nicholas Weaver's computer security group at Berkeley discovered when their wallet was compromised and their Bitcoins were stolen.

    2-year Bitcoin "price" history
    The capital and operational costs of running a miner include buying hardware, power, network bandwidth, staff time, etc. Bitcoin's volatile "price", high transaction fees, low transaction throughput, and large proportion of failed transactions mean that almost no legal merchants accept payment in Bitcoin or other cryptocurrency. Thus one essential part of your system is one or more exchanges, at which the miners can sell their cryptocurrency rewards for the "fiat currency" they need to pay their bills.

    Who is on the other side of those trades? The answer has to be speculators, betting that the "price" of the cryptocurrency will increase. Thus a second essential part of your system is a general belief in the inevitable rise in "price" of the coins by which the miners are rewarded. If miners believe that the "price" will go down, they will sell their rewards immediately, a self-fulfilling prophecy. Permissionless blockchains require an inflow of speculative funds at an average rate greater than the current rate of mining rewards if the "price" is not to collapse. To maintain Bitcoin's price at $4K requires an inflow of $300K/hour.

    Ether Miners 10/10/18
    can we really say that the uncoordinated choice model is realistic when 90% of the Bitcoin network’s mining power is well-coordinated enough to show up together at the same conference?
    The Meaning of Decentralization,
    Vitalik Buterin

    In order to spend enough to be secure, say $300K/hour, you need a lot of miners. It turns out that a third essential part of your system is a small number of “mining pools”. Bitcoin has the equivalent of around 3M Antminer S9s, and a block time of 10 minutes. Each S9, costing maybe $1K, can expect a reward about once every 60 years. It will be obsolete in about a year, so only 1 in 60 will ever earn anything.

    To smooth out their income, miners join pools, contributing their mining power and receiving the corresponding fraction of the rewards earned by the pool. These pools have strong economies of scale, so successful cryptocurrencies end up with a majority of their mining power in 3-4 pools. Each of the big pools can expect a reward every hour or so. These blockchains aren’t decentralized, but centralized around a few large pools.
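The arithmetic behind the last two paragraphs, as an added example that is not part of the original talk. It uses the talk's figures (about 3M S9-equivalents, a 10-minute block time) and assumes that block discovery is a Poisson process with constant hash-rate shares; the function names are illustrative.

```python
import math

BLOCK_MINUTES = 10                   # Bitcoin block time quoted in the talk
MINUTES_PER_YEAR = 60 * 24 * 365
NETWORK_S9_EQUIVALENTS = 3_000_000   # "around 3M Antminer S9s" from the talk


def blocks_expected(share: float, years: float) -> float:
    """Mean number of blocks won by a miner holding `share` of the hash rate."""
    return share * years * MINUTES_PER_YEAR / BLOCK_MINUTES


def years_between_rewards(share: float) -> float:
    """Expected wait between rewards for that miner."""
    return BLOCK_MINUTES / share / MINUTES_PER_YEAR


def prob_any_reward(share: float, years: float) -> float:
    """Chance of winning at least one block before the hardware is retired."""
    return -math.expm1(-blocks_expected(share, years))


def relative_spread(share: float, years: float) -> float:
    """Standard deviation of income divided by its mean (1/sqrt(lambda) for Poisson)."""
    return 1 / math.sqrt(blocks_expected(share, years))


def min_share_for_spread(target: float, years: float) -> float:
    """Smallest hash-rate share whose income spread over `years` is at most `target`."""
    blocks_needed = 1 / target ** 2
    return blocks_needed * BLOCK_MINUTES / (years * MINUTES_PER_YEAR)


if __name__ == "__main__":
    solo = 1 / NETWORK_S9_EQUIVALENTS
    pool = 1 / 6                     # a pool that wins a block about once an hour
    print(f"solo S9: a reward every {years_between_rewards(solo):.0f} years")
    print(f"solo S9: chance of any reward in 1 year = {prob_any_reward(solo, 1):.4f}")
    print(f"income spread over a year: solo {relative_spread(solo, 1):.2f}, "
          f"pool {relative_spread(pool, 1):.4f}")
    share = min_share_for_spread(0.10, 1 / 12)
    print(f"share for a 10% monthly spread: {share:.2%} "
          f"(about {share * NETWORK_S9_EQUIVALENTS:,.0f} S9s)")
```

The spread falls only as the square root of the number of blocks won, which is why steady income requires a share of the network that only a handful of pools can hold.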

    At multiple times in 2014 one mining pool controlled more than 51% of the Bitcoin mining power. At almost all times since, 3-4 pools have controlled the majority of the Bitcoin mining power. Currently two of them are controlled by Bitmain, the dominant supplier of mining ASICs. With the advent of mining-as-a-service, 51% attacks have become endemic among the smaller alt-coins.

    The security of a blockchain depends upon the assumption that these few pools are not conspiring together outside the blockchain; an assumption that is impossible to verify in the real world (and by Murphy's Law is therefore false). Similar off-chain collusion among cryptocurrency traders allows for extremely profitable pump-and-dump schemes.

    Since then there have been other catastrophic bugs in these smart contracts, the biggest one in the Parity Ethereum wallet software ... The first bug enabled the mass theft from "multisignature" wallets, which supposedly required multiple independent cryptographic signatures on transfers as a way to prevent theft. Fortunately, that bug caused limited damage because a good thief stole most of the money and then returned it to the victims. Yet, the good news was limited as a subsequent bug rendered all of the new multisignature wallets permanently inaccessible, effectively destroying some $150M in notional value. This buggy code was largely written by Gavin Wood, the creator of the Solidity programming language and one of the founders of Ethereum. Again, we have a situation where even an expert's efforts fell short.
    Risks of Cryptocurrencies,
    Nicholas Weaver, U.C. Berkeley

    In practice the security of a blockchain depends not merely on the security of the protocol itself, but on the security of the core software and the wallets and exchanges used to store and trade its cryptocurrency. This ancillary software has bugs, such as the recently revealed major vulnerability in Bitcoin Core, the Parity Wallet fiasco, and the routine heists using vulnerabilities in exchange software.

    Recent game-theoretic analysis suggests that there are strong economic limits to the security of cryptocurrency-based blockchains. For safety, the total value of transactions in a block needs to be less than the value of the block reward.

    Your system needs an append-only data structure to which records of the transactions, files, reviews, archival content, whatever are appended. It would be bad if the miners could vote to re-write history, undoing these records. In the jargon, the system needs to be immutable (another misnomer).

    Merkle Tree (source)
    The necessary data structure for this purpose was published by Stuart Haber and W. Scott Stornetta in 1991. A company using their technique has been providing a centralized service of securely time-stamping documents for nearly a quarter of a century. It is a form of Merkle or hash tree, published by Ralph Merkle in 1980. For blockchains it is a linear chain to which fixed-size blocks are added at regular intervals. Each block contains the hash of its predecessor; a chain of blocks.

    The blockchain is mutable, it is just rather hard to mutate it without being detected, because of the Merkle tree’s hashes, and easy to recover, because there are Lots Of Copies Keeping Stuff Safe. But this is a double-edged sword. Immutability makes systems incompatible with the GDPR, and immutable systems to which anyone can post information will be suppressed by governments.
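A toy hash chain illustrating the two paragraphs above, as an added example that is not code from the talk or from any blockchain implementation. It shows that an in-place edit breaks the hashes, that a holder of one copy can still rewrite history consistently by recomputing every later hash, and that comparing heads across copies exposes the rewrite and recovers the agreed chain. Proof-of-work, which makes the recomputation expensive, is deliberately left out; the block layout and function names are assumptions.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # placeholder predecessor hash for the first block


def block_hash(block) -> str:
    """Hash of a block's contents, including the hash of its predecessor."""
    payload = json.dumps({"prev": block["prev"], "records": block["records"]},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches):
    """Append one block per batch of records, each pointing at the previous hash."""
    chain, prev = [], GENESIS
    for records in batches:
        block = {"prev": prev, "records": list(records)}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_broken_link(chain):
    """Index of the first block that fails verification, or None if all verify."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None


def rewrite_history(chain, index, records):
    """Replace one block's records and recompute every later hash."""
    batches = [b["records"] for b in chain]
    batches[index] = records
    return build_chain(batches)


def recover(copies):
    """Return the chain most self-consistent copies agree on, plus the dissenters."""
    heads = [c[-1]["hash"] if first_broken_link(c) is None else None for c in copies]
    votes = Counter(h for h in heads if h is not None)
    if not votes:
        raise ValueError("no self-consistent copy available")
    winner = votes.most_common(1)[0][0]
    good = next(c for c, h in zip(copies, heads) if h == winner)
    return good, [i for i, h in enumerate(heads) if h != winner]


if __name__ == "__main__":
    # Constructed sample records, not real data.
    batches = [["review of paper 1"], ["review of paper 2"], ["review of paper 3"]]
    original = build_chain(batches)
    edited = build_chain(batches)
    edited[1]["records"] = ["forged review"]                     # naive in-place edit
    rewritten = rewrite_history(original, 1, ["forged review"])  # consistent rewrite
    print(first_broken_link(edited), first_broken_link(rewritten))
    good, dissenters = recover([original, rewritten, build_chain(batches), edited])
    print(good == original, dissenters)
```

The rewritten copy passes its own verification, so detection here comes entirely from the other copies.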

    BTC transaction fees
    Cryptokitties’ popularity exploded in early December and had the Ethereum network gasping for air. ... Ethereum has historically made bold claims that it is able to handle unlimited decentralized applications  ... The Crypto-Kittie app has shown itself to have the power to place all network processing into congestion. ... at its peak [CryptoKitties] likely only had about 14,000 daily users. Neopets, a game to which CryptoKitties is often compared, once had as many as 35 million users.
    How Crypto-Kitties Disrupted the Ethereum Network,
    Open Trading Network

    A user of your system wanting to perform a transaction, store a file, record a review, whatever, needs to persuade miners to include their transaction in a block. Miners are coin-operated; you need to pay them to do so. How much do you need to pay them? That question reveals another economic problem, fixed supply and variable demand, which equals variable "price". Each block is in effect a blind auction among the pending transactions.

    So let's talk about CryptoKitties, a game that brought the Ethereum blockchain to its knees despite the bold claims that it could handle unlimited decentralized applications. How many users did it take to cripple the network? It was far fewer than non-blockchain apps can handle with ease; CryptoKitties peaked at about 14K users. NeoPets, a similar centralized game, peaked at about 2,500 times as many.

    CryptoKitties average "price" per transaction spiked 465% between November 28 and December 12 as the game got popular, a major reason why it stopped being popular. The same phenomenon happened during Bitcoin's price spike around the same time. Cryptocurrency transactions are affordable only if no-one wants to transact; when everyone does they immediately become un-affordable.

    Nakamoto's Bitcoin blockchain was designed only to support recording transactions. It can be abused for other purposes, such as storing illegal content. But it is likely that you need additional functionality, which is where Ethereum's "smart contracts" come in. These are fully functional programs, written in a JavaScript-like language, embedded in Ethereum's blockchain. They are mainly used to implement Ponzi schemes, but they can also be used to implement Initial Coin Offerings, games such as Cryptokitties, and gambling parlors. Further, in On-Chain Vote Buying and the Rise of Dark DAOs Philip Daian and co-authors show that "smart contracts" also provide for untraceable on-chain collusion in which the parties are mutually pseudonymous.

    ICO Returns
    The first big smart contract, the DAO or Decentralized Autonomous Organization, sought to create a democratic mutual fund where investors could invest their Ethereum and then vote on possible investments. Approximately 10% of all Ethereum ended up in the DAO before someone discovered a reentrancy bug that enabled the attacker to effectively steal all the Ethereum. The only reason this bug and theft did not result in global losses is that Ethereum developers released a new version of the system that effectively undid the theft by altering the supposedly immutable blockchain.
    Risks of Cryptocurrencies,
    Nicholas Weaver, U.C. Berkeley

    "Smart contracts" are programs, and programs have bugs. Some of the bugs are exploitable vulnerabilities. Research has shown that the rate at which vulnerabilities in programs are discovered increases with the age of the program. The problems caused by making vulnerable software immutable were revealed by the first major "smart contract". The Decentralized Autonomous Organization (The DAO) was released on 30th April 2016, but on 27th May 2016 Dino Mark, Vlad Zamfir, and Emin Gün Sirer posted A Call for a Temporary Moratorium on The DAO, pointing out some of its vulnerabilities; it was ignored. Three weeks later, when The DAO contained about 10% of all the Ether in circulation, a combination of these vulnerabilities was used to steal its contents.

    The loot was restored by a "hard fork", the blockchain's version of mutability. Since then it has become the norm for "smart contract" authors to make them "upgradeable", so that bugs can be fixed. "Upgradeable" is another way of saying "immutable in name only".

    Permissionless systems trust:
    • The core developers of the blockchain software not to write bugs.
    • The developers of your wallet software not to write bugs.
    • The developers of the exchanges not to write bugs.
    • The operators of the exchanges not to manipulate the markets or to commit fraud.
    • The developers of your upgradeable "smart contracts" not to write bugs.
    • The owners of the smart contracts to keep their secret key secret.
    • The owners of the upgradeable smart contracts to avoid losing their secret key.
    • The owners and operators of the dominant mining pools not to collude.
    • The speculators to provide the funds needed to keep the “price” going up.
    • Users' ability to keep their secret key secret.
    • Users’ ability to avoid losing their secret key.
    • Other users not to transact when you want to.

    So, this is the list of people your permissionless system has to trust if it is going to work as advertised over the long term.

    You started out to build a trustless, decentralized system but you have ended up with:
    • A trustless system that trusts a lot of people you have every reason not to trust.
    • A decentralized system that is centralized around a few large mining pools that you have no way of knowing aren’t conspiring together.
    • An immutable system that either has bugs you cannot fix, or is not immutable.
    • A system whose security depends on it being expensive to run, and which is thus dependent upon a continuing inflow of funds from speculators.
    • A system whose coins are convertible into large amounts of "fiat currency" via irreversible pseudonymous transactions, which is thus an irresistible target for crime.
    If the “price” keeps going up, the temptation for your trust to be violated is considerable. If the "price" starts going down, the temptation to cheat to recover losses is even greater.

    Maybe it is time for a re-think.

    Suppose you give up on the idea that anyone can take part and accept that you have to trust a central authority to decide who can and who can’t vote. You will have a permissioned system.

    The first thing that happens is that it is no longer possible to mount a Sybil attack, so there is no reason running a node need be expensive. You can use BFT to establish consensus, as IBM’s Hyperledger, the canonical permissioned blockchain system, does. You need many fewer nodes in the network, and running a node just got way cheaper. Overall, the aggregated cost of the system got orders of magnitude cheaper.

    Now that there is a central authority, it can collect “fiat currency” for network services and use it to pay the nodes. No need for cryptocurrency, exchanges, pools, speculators, or wallets, so much less temptation for bad behavior.

    Permissioned systems trust:
    • The central authority.
    • The software developers.
    • The owners and operators of the nodes.
    • The secrecy of a few private keys.

    This is now the list of entities you trust. Trusting a central authority to determine the voter roll has eliminated the need to trust a whole lot of other entities. The permissioned system is more trustless and, since there is no need for pools, the network is more decentralized despite having fewer nodes.

    Faults  Replicas
    1       4
    2       7
    3       10
    4       13
    5       16
    6       19
    a Byzantine quorum system of size 20 could achieve better decentralization than proof-of-work mining at a much lower resource cost.
    Decentralization in Bitcoin and Ethereum Networks,
    Adem Efe Gencer, Soumya Basu, Ittay Eyal, Robbert van Renesse and Emin Gün Sirer

    How many nodes does your permissioned blockchain need? The rule for BFT is that 3f + 1 nodes can survive f simultaneous failures. That's an awful lot fewer than you need for a permissionless proof-of-work blockchain. What you get from BFT is a system that, unless it encounters more than f simultaneous failures, remains available and operating normally.

    The problem with BFT is that if it encounters more than f simultaneous failures, the state of the system is irrecoverable. If you want a system that can be relied upon for the long term you need a way to recover from disaster. Successful permissionless blockchains have Lots Of Copies Keeping Stuff Safe, so recovering from a disaster that doesn't affect all of them is manageable.

    So in addition to implementing BFT you need to back up the state of the system each block time, ideally to write-once media so that the attacker can't change it. But if you're going to have an immutable backup of the system's state, and you don't need continuous uptime, you can rely on the backup to recover from failures. In that case you can get away with, say, 2 replicas of the blockchain in conventional databases, saving even more money.

    I've shown that, whatever consensus mechanism they use, permissionless blockchains are not sustainable for very fundamental economic reasons. These include the need for speculative inflows and mining pools, security linear in cost, economies of scale, and fixed supply vs. variable demand. Proof-of-work blockchains are also environmentally unsustainable. The top 5 cryptocurrencies are estimated to use as much energy as The Netherlands. This isn't to take away from Nakamoto's ingenuity; proof-of-work is the only consensus system shown to work well for permissionless blockchains. The consensus mechanism works, but energy consumption and emergent behaviors at higher levels of the system make it unsustainable.

    Additional Material

    It can be very hard to find reliable sources about cryptocurrencies because almost all cryptocurrency journalism is bought and paid for.

    When cryptocurrency issuers want positive coverage for their virtual coins, they buy it. Self-proclaimed social media personalities charge thousands of dollars for video reviews. Research houses accept payments in the cryptocurrencies they are analyzing. Rating “experts” will grade anything positively, for a price.

    All this is common, according to more than two dozen people in the cryptocurrency market and documents reviewed by Reuters.
    ...
    “The main reason why so many inexperienced individuals invest in bad crypto projects is because they listen to advice from a so-called expert,” said Larry Cermak, head of analysis at cryptocurrency research and news website The Block. Cermak said he does not own any cryptocurrencies and has never promoted any. “They believe they can take this advice at face value even though it is often fraudulent, intentionally misleading or conflicted.”
    Special Report: Little known to many investors, cryptocurrency reviews are for sale
    Anna Irrera & Elizabeth Dilts, Reuters
    See also: Crypto-shills, Jemima Kelly

    A recent example:

    The boxer Floyd Mayweather and the music producer DJ Khaled have been fined for unlawfully touting cryptocurrencies.

    The two have agreed to pay a combined $767,500 in fines and penalties, the Securities and Exchange Commission (SEC) said in a statement on Thursday. They neither admitted nor denied the regulator’s charges.

    According to the SEC, Mayweather and Khaled failed to disclose payments from three initial coin offerings (ICOs), in which new currencies are sold to investors.
    Floyd Mayweather and DJ Khaled fined over cryptocurrency promotion
    Dominic Rushe, The Guardian

    Some idea of the cryptocurrency milieu can be gained from Laurie Penny's Four Days Trapped at Sea With Crypto’s Nouveau Riche. Here's a taste:

    The women on this boat are polished and perfect; the men, by contrast, seem strangely cured—not like medicine, but like meat. They are almost all white, between the ages of 30 and 50, and are trying very hard to have the good time they paid thousands for, while remaining professional in a scene where many thought leaders have murky pasts, a tendency to talk like YouTube conspiracy preachers, and/or the habit of appearing in magazines naked and covered in strawberries. That last is 73-year-old John McAfee, who got rich with the anti-virus software McAfee Security before jumping into cryptocurrencies. He is the man most of the acolytes here are keenest to get their picture taken with and is constantly surrounded by private security who do their best to aesthetically out-thug every Armani-suited Russian skinhead on deck. Occasionally he commandeers the grand piano in the guest lounge, and the young live-streamers clamor for the best shot. John McAfee has never been convicted of rape and murder, but—crucially—not in the same way that you or I have never been convicted of rape or murder.

    On 7th December 2018 Bitcoin's "price" was around $3,700.

    Bitcoin now at $16,600.00. Those of you in the old school who believe this is a bubble simply have not understood the new mathematics of the Blockchain, or you did not cared enough to try. Bubbles are mathematically impossible in this new paradigm. So are corrections and all else
    Tweet from John McAfee, 7th December 2017

    Similarly, most of what you read about blockchain technology is people hyping their vaporware. A "trio of monitoring, evaluation, research, and learning, (MERL) practitioners in international development" started out enthusiastic about the potential of blockchain technology, so they did some research:

    We documented 43 blockchain use-cases through internet searches, most of which were described with glowing claims like “operational costs… reduced up to 90%,” or with the assurance of “accurate and secure data capture and storage.” We found a proliferation of press releases, white papers, and persuasively written articles. However, we found no documentation or evidence of the results blockchain was purported to have achieved in these claims. We also did not find lessons learned or practical insights, as are available for other technologies in development.

    We fared no better when we reached out directly to several blockchain firms, via email, phone, and in person. Not one was willing to share data on program results, MERL processes, or adaptive management for potential scale-up. Despite all the hype about how blockchain will bring unheralded transparency to processes and operations in low-trust environments, the industry is itself opaque. From this, we determined the lack of evidence supporting value claims of blockchain in the international development space is a critical gap for potential adopters.
    Blockchain for International Development: Using a Learning Agenda to Address Knowledge Gaps
    John Burg, Christine Murphy, & Jean Paul Pétraud

    I highly recommend David Gerard's book Attack of the 50-foot blockchain, and his blog. Others to follow include Arvind Narayanan and his group at Princeton, Nicholas Weaver at Berkeley, Emin Gün Sirer and the team at Cornell who blog at Hacking, Distributed, and Jemima Kelly and the FT Alphaville team.

    Every time the word "price" appears here, it has quotes around it. The reason is that there is a great deal of evidence that the exchanges, operating an unregulated market, are massively manipulating the exchange rate between cryptocurrencies and the US dollar. The primary mechanism is the issuance of billions of dollars of Tether, a cryptocurrency that is claimed to be backed one-for-one by actual US dollars in a bank account, and thus whose value should be stable. There has never been an audit to confirm this claim, and the trading patterns in Tether are highly suspicious. Tether, and its parent exchange Bitfinex, are the subject of investigations by the CFTC and federal prosecutors:

    As Bitcoin plunges, the U.S. Justice Department is investigating whether last year’s epic rally was fueled in part by manipulation, with traders driving it up with Tether -- a popular but controversial digital token.

    While federal prosecutors opened a broad criminal probe into cryptocurrencies months ago, they’ve recently homed in on suspicions that a tangled web involving Bitcoin, Tether and crypto exchange Bitfinex might have been used to illegally move prices, said three people familiar with the matter.
    Bitcoin-Rigging Criminal Probe Focused on Tie to Tether
    Matt Robinson and Tom Schoenberg, Bloomberg

    Social Capital has a series explaining Tether and the "stablecoin" scam:
    Tether's problems are in addition to the problems caused by exchanges' habit of losing their customers' coins (already in 2014 it was estimated that 6.6% of all Bitcoin in circulation had been stolen), front-running their trades, money laundering, "painting the tape", preventing customers withdrawing their funds, faking trading volume, and so on.

    John Lewis is an economist at the Bank of England. His The seven deadly paradoxes of cryptocurrency provides a skeptical view of the economics of cryptocurrencies that nicely complements my more technology-centric view. My comments on his post are here. Remember that a permissionless blockchain requires a cryptocurrency; if the economics don't work neither does the blockchain.

    You can find my writings about blockchain over the past five years here. In particular:
    More detail on the bugs in The DAO:

    The DAO was designed as a series of contracts that would raise funds for ethereum-based projects and disperse them based on the votes of members. An initial token offering was conducted, exchanging ethers for "DAO tokens" that would allow stakeholders to vote on proposals, including ones to grant funding to a particular project.

    That token offering raised more than $150m worth of ether at then-current prices, distributing over 1bn DAO tokens.

    [In May 2016], however, news broke that a flaw in The DAO's smart contract had been exploited, allowing the removal of more than 3m ethers.

    Subsequent exploitations allowed for more funds to be removed, which ultimately triggered a 'white hat' effort by token-holders to secure the remaining funds. That, in turn, triggered reprisals from others seeking to exploit the same flaw.

    An effort to blacklist certain addresses tied to The DAO attackers was also stymied mid-rollout after researchers identified a security vulnerability, thus forcing the hard fork option.
    The Hard Fork: What's About to Happen to Ethereum and The DAO,
    Michael del Castillo, Coindesk

    The DAO heist isn't an anomaly; here's a recent example (click through to the Medium post):

    ICO token Oyster PRL was exit-scammed by its founder, “Bruno Blocks” — who nobody has ever met — who took 3 million tokens via a deliberately-maintained back door in the smart contract code. How does this keep happening? Fortunately, the developers are on the case … by printing 27 million new tokens for themselves.
    David Gerard

    Exit scams are rife in the ICO world. Here is a recent example:

    Blockchain company Pure Bit has seemingly walked off with $2.7 million worth of investors’ money after raising 13,000 Ethereum in an ICO. Transaction history shows that hours after moving all raised funds out of its wallet, the company proceeded to take down its website. It now returns a blank page.
    ...
    This is the latest in a string of exit scams that took place in the blockchain space in 2018. Indeed, reports suggested exit scammers have thieved more than $100 million worth of cryptocurrency over the last two years alone. Subsequent investigations hint the actual sum of stolen cryptocurrency could be even higher.
    South Korean cryptocurrency startup reportedly pulls a $2.7M exit scam
    The Next Web

    More detail on the lack of decentralization in practice:

    in Bitcoin, the weekly mining power of a single entity has never exceeded 21% of the overall power. In contrast, the top Ethereum miner has never had less than 21% of the mining power. Moreover, the top four Bitcoin miners have more than 53% of the average mining power. On average, 61% of the weekly power was shared by only three Ethereum miners. These observations suggest a slightly more centralized mining process in Ethereum.

    Although miners do change ranks over the observation period, each spot is only contested by a few miners. In particular, only two Bitcoin and three Ethereum miners ever held the top rank. The same mining pool has been at the top rank for 29% of the time in Bitcoin and 14% of the time in Ethereum. Over 50% of the mining power has exclusively been shared by eight miners in Bitcoin and five miners in Ethereum throughout the observed period. Even 90% of the mining power seems to be controlled by only 16 miners in Bitcoin and only 11 miners in Ethereum.
    Decentralization in Bitcoin and Ethereum Networks,
    Adem Efe Gencer, Soumya Basu, Ittay Eyal, Robbert van Renesse and Emin Gün Sirer

    More on the lack of decentralization highlighted by Balaji S. Srinivasan and Leland Lee in Quantifying Decentralization, with their use of the "Nakamoto coefficient":


    "Ethereum’s smart contract ecosystem has a considerable lack of diversity. Most contracts reuse code extensively, and there are few creators compared to the number of overall contracts. ... the high levels of code reuse represent a potential threat to the security and reliability. Ethereum has been subject to high-profile bugs that have led to hard forks in the blockchain (also here) or resulted in over $170 million worth of Ether being frozen; like with DNS’s use of multiple implementations, having multiple implementations of core contract functionality would introduce greater defense-in-depth to Ethereum."
    Analyzing Ethereum's Contract Topology,
    Lucianna Kiffer, Dave Levin and Alan Mislove

    More detail on pump-and-dump (P&D) schemes:

    P&Ds have dramatic short-term impacts on the prices and volumes of most of the pumped tokens. In the first 70 seconds after the start of a P&D, the price increases by 25% on average, trading volume increases 148 times, and the average 10-second absolute return reaches 15%. A quick reversal begins 70 seconds after the start of the P&D. After an hour, most of the initial effects disappear. ... prices of pumped tokens begin rising five minutes before a P&D starts. The price run-up is around 5%, together with an abnormally high volume. These results are not surprising, as pump group organizers can buy the pumped tokens in advance. When we read related messages posted on social media, we find that some pump group organizers offer premium memberships to allow some investors to receive pump signals before others do. The investors who buy in advance realize great returns. Calculations suggest that an average return can be as high as 18%, even after considering the time it may take to unwind positions. For an average P&D, investors make one Bitcoin (about $8,000) in profit, approximately one-third of a token’s daily trading volume. The trading volume during the 10 minutes before the pump is 13% of the total volume during the 10 minutes after the pump. This implies that an average trade in the first 10 minutes after a pump has a 13% chance of trading against these insiders and on average they lose more than 2% (18%*13%).
    Cryptocurrency Pump-and-Dump Schemes
    Tao Li, Donghwa Shin and Baolian Wang

    A summary of the bad news about vote-buying in blockchains:

    The existence of trust-minimizing vote buying and Dark DAO primitives imply that users of all on-chain votes are vulnerable to shackling, manipulation, and control by plutocrats and coercive forces. This directly implies that all on-chain voting schemes where users can generate their own keys outside of a trusted environment inherently degrade to plutocracy, ... Our schemes can also be repurposed to attack proof of stake or proof of work blockchains profitably, posing severe security implications for all blockchains.
    On-Chain Vote Buying and the Rise of Dark DAOs
    Philip Daian, Tyler Kell, Ian Miers, and Ari Juels

    Here is a typical day on the Bitcoin blockchain. It is averaging 3 transactions/sec, and has a queue of an hour's worth of them waiting to be confirmed. Back in 2010 testing showed:
    VisaNet handles an average of 150 million transactions every day and is capable of handling more than 24,000 transactions per second.
    Eight years ago that was about 5,800 times as many transactions/sec on average, using much less electricity than Austria to do it.

    S&P500 companies are slowly figuring out that there is no there there in blockchains and cryptocurrencies, and they're not the only ones:

    Still new to NYC, but I met this really cool girl. Energy sector analyst or some such. Four dates in, she uncovers my love for BitCoin.

    Completely ghosted.
    Zack Voell

    65 comments:

    David. said...

    Cullen Roche clearly debunks this founding narrative of the cryptocurrency cult:

    “Governments are big bad terrible entities that will print money and ruin society and we can create a better form of decentralized money that won’t inflate our living standards away.”

    David. said...

    Just to illustrate how far from reality the hype around blockchain and cryptocurrency is, three successive stories at /. this morning link to:

    1) Mike Orcutt's Ethereum thinks it can change the world. It’s running out of time to prove it:

    "The reason Devcon feels so upbeat despite these storm clouds is that the people building Ethereum have something bigger in mind—something world-changing, in fact. Yet to achieve its goal, this ragtag community needs to crack a problem as complicated as any of the toe-curling technical challenges it faces: how to govern itself. It must find a way to organize a scattered global network of contributors and stakeholders without sacrificing “decentralization”—the principle, which any cryptocurrency community strives for, that no one entity or group should be in control."

    Good luck with that! At least Orcutt shows some level of skepticism.

    2) Paul Sawers' LinkedIn: ‘Blockchain developer’ is the fastest-growing U.S. job:

    "Using data gleaned from the LinkedIn Economic Graph, which serves as a “digital representation of the global economy” by analyzing the skills and job openings from across 590 million members and 30 million companies, LinkedIn found that “blockchain developers” has grown 33-fold in the past four years. In this case, “emerging jobs” refers to the growth of specific job titles on LinkedIn profiles in the period between 2014 and 2018."

    3) Olga Kharif's Ranks of Crypto Users Swelled in 2018 Even as Bitcoin Tumbled:

    "The number of verified users of cryptocurrencies almost doubled in the first three quarters of the year even as the market bellwether Bitcoin tumbled almost 80 percent, according to a study from the Cambridge Centre for Alternative Finance. Users climbed from 18 million to 35 million this year."

    David. said...

    The insanity continues:

    "As President Donald Trump threatened to allow a government shutdown if Congress did not provide funding for his proposed wall along the Mexican border, a Republican congressman from Ohio offered up alternative routes to getting the wall built: through Internet crowdfunding or through an initial coin offering.
    ...
    Rep. Davidson told NPR's Steve Inskeep that the donations could come from anyone and be gathered in a number of ways. "You could do it with this sort of, like, crowdfunding site," Davidson explained. "Or you could do it with blockchain—you could have Wall Coins."

    David. said...

    Barry Ritholtz takes prophets to the woodshed:

    "Fundstrat’s Tom Lee’s 2018 forecast for $25,000 Bitcoin was reduced last month to $15,000 by year-end. (The cryptocurrency recently traded at about $3,650.) As foolish as that sounds, it was modest compared to the rest of the asylum. Michael Novogratz forecast that “$40,000 was possible by the end of 2018.” Kay Van-Petersen of Saxo Bank predicted Bitcoin would rise to $50,000 to $100,000 by the end of this year. John McAfee, the eccentric tech entrepreneur, has called for $1 million Bitcoin by 2020. Analogizing crypto to the internet, Tim Draper doubles McAfee, coming in at $2 million.

    All of these are notable not just for being wrong, but for their sheer recklessness."

    David. said...

    Jemima Kelly reports that one of the most-touted "stablecoin" companies ran headlong into the regulations:

    "Remember Basis, the “stablecoin” backed by . . . stability? Back in June we broke the news that Stanford economist, and author of the “Taylor rule”, John Taylor had joined the project. Well, it's shutting up shop.

    Basis had a big idea — it wanted to marry traditional monetary theory with cryptonomics, to deliver “a stable cryptocurrency with an algorithmic central bank”.
    ...
    The ambitious proposition didn't really convince us, but it did convince many. It had some big financial backers: Silicon Valley VC heavyweights Andreessen Horowitz and Bain Capital Ventures invested, alongside billionaire hedge fund manager Stanley Druckenmiller, and Kevin Warsh, a former governor of the Federal Reserve. A total of $133m was raised (in late 2017, mid-cryptomania, we should point out).

    That money is now being given back to investors, however, and Basis is closing down. The reason? Regulators appear to have told them that “bond tokens” and “share tokens” are a bit like “bonds” and “shares” and need to be treated as such."

    David. said...

    Businessweek's cover is Rhymes with Bitcoin. After a whole year of "price" collapse, piling on is fine, although it would have been better before the massive pump-and-dump. But it is a shame that, for example, Lionel Laurent's The Messy Political Story of Bitcoin gets so much wrong, including the credulous belief that Bitcoin actually delivers the promised anonymity and decentralization.

    Nouriel Roubini's The Big Blockchain Lie is much better:

    "Yet far from ushering in a utopia, blockchain has given rise to a familiar form of economic hell. A few self-serving white men (there are hardly any women or minorities in the blockchain universe) pretending to be messiahs for the world’s impoverished, marginalized, and unbanked masses claim to have created billions of dollars of wealth out of nothing. But one need only consider the massive centralization of power among cryptocurrency “miners,” exchanges, developers, and wealth holders to see that blockchain is not about decentralization and democracy; it is about greed."

    David. said...

    In March 2016 Tim Swanson wrote What is the difference between Hyperledger and Hyperledger?, a fascinating look at the backstory of Hyperledger.

    David. said...

    Jeff Wise's ‘My Power to Demolish Is Ten Times Greater Than My Power to Promote’ How John McAfee became the spokesman for the crypto bubble. should be required reading for anyone still trapped in one of the cryptocurrency cults:

    "Though McAfee had not been an early adopter of crypto, by chance he had happened to craft the perfect persona for touting it. He had both a credible claim to technical expertise and enough of a moral taint to come across as savvy. Just as candidate Trump claimed that he alone could clean up the swamp because he had decades’ experience buying off politicians, McAfee’s self-advertised misbehavior made him plausible as a guide to a marketplace awash with con artists."

    David. said...

    Combining blockchain and emulation, it's Blockchain for the Apple ][!

    David. said...

    More evidence that cryptocurrency exchanges are manipulating the market. From the Blockchain Transparency Institute's December report:

    "we have calculated the true volume of the CMC top 25 BTC trading pairs. Most of these pairs actual volume is under 1% of their reported volume on CMC. We noted only 2 out of the top 25 pairs not to be grossly wash trading their volume, Binance and Bitfinex."

    David. said...

    The Economics of Cryptocurrency Pump and Dump Schemes by JT Hamrick et al is another look at the epidemic of cryptocurrency pump-and-dump schemes:

    "We identified 3,767 different pump signals advertised on Telegram and another 1,051 different pump signals advertised on Discord during a six-month period in 2018. The schemes promoted more than 300 cryptocurrencies. This comprehensive data provides the first measure of the scope of pump and dump schemes across cryptocurrencies and suggest that this phenomenon is widespread and often quite profitable. This should raise concerns among regulators. We then examine which factors that affect the “success” of the pump, as measured by the percentage increase in price near the pump signal. We find that the coin’s rank (market capitalization/volume) is the most important factor in determining the profitability of the pump: pumping obscure coins (with low volume) is much more profitable than pumping the dominant coins in the ecosystem."

    But note, as David Gerard writes:

    "How hard are the Bitcoin price pumpers pushing the price? 20 December 2018 was Bitcoin’s single highest trading volume day in its entire history."

    David. said...

    Nicholas Weaver makes the same fundamental point as I did:

    "The whole point of proof-of-*whatever* is really not about "security" but preventing sybils: someone from spinning up a gazillion validators and voting themselves all the money. PoW, PoS, they all fail to do this well."

    Cheap blockchain = insecure blockchain.

    David. said...

    Nancy Nakamoto's The Princess Bride and The Mystery of the Tether Business Model is an elegant explanation of why Tether should be treated skeptically.

    David. said...

    Last Thursday was Bitcoin's tenth anniversary, celebrated appropriately by Jemima Kelly in Happy birthday bitcoin. Your gift: a log chart in The Times with a study in the different impact of log-linear vs. linear charts.

    David. said...

    Blockchains are immutable, right? Not so much. Dan Goodin reports on the latest "double-spending" attack:

    "Attackers have stolen almost $500,000 worth of the Ethereum Classic digital currency by carrying out a compute-intensive hack that rewrote its blockchain, officials with Coinbase, one of the leading crypto currency exchanges, said on Monday."

    According to coinmarketcap.com, ETC is the 18th biggest cryptocurrency, with a "market cap" of $523,350,707. But that's not enough to keep it secure. Only a few of the biggest altcoins have enough mining power relative to their "price" to deter 51% attacks.

    David. said...

    In "Proof-of-Work" Proves Not to Work from 2004, Ben Laurie and Richard Clayton analyzed Cynthia Dwork and Moni Naor's 1992 proposal to use proof-of-work to mitigate spam. From their abstract:

    "We attempt to determine how difficult that puzzle should be so as to be effective in preventing spam. We analyse this both from an economic perspective, "how can we stop it being cost-effective to send spam", and from a security perspective, "spammers can access insecure end-user machines and will steal processing cycles to solve puzzles". Both analyses lead to similar values of puzzle difficulty. Unfortunately, real-world data from a large ISP shows that these difficulty levels would mean that significant numbers of senders of legitimate email would be unable to continue their current levels of activity. We conclude that proof-of-work will not be a solution to the problem of spam."

    Hat tip to commentor Clive Robinson at Schneier on Security.

    David. said...

    Tracing stolen bitcoin by Ross Anderson sparked an interesting discussion of the many legal frameworks about the proceeds of crime.

    David. said...

    Alex Tabarrok's Bitcoin is Less Secure than Most People Think is a detailed discussion of Eric Budish's The Economic Limits of Bitcoin and the Blockchain. It is worth reading.

    David. said...

    The 51% attacks on Ethereum Classic continue, at a cost of $4903/hr. Catalin Cimpanu reports:

    "Coinbase also updated its original report with details on another 12 double-spend attacks, bringing the total of stolen funds to 219,500 ETC (~$1.1 million)."

    David. said...

    In Why the Ethereum Classic hack is a bad omen for the blockchain, Russell Brandom explains the rash of 51% attacks and quotes Nicholas Weaver:

    "As Weaver puts it, it’s “a nice illustration of how proof-of-waste schemes cannot be both efficient and secure.” The more it costs to mine a block, the more expensive it is to outspend the honest miners for long to reverse a transaction. Electricity prices vary from miner to miner, but Weaver estimates that the Bitcoin network currently runs through about $300,000 in electricity each hour, while the smaller Ethereum network runs at roughly $100,000 per hour. For Weaver, any coin much smaller than that is at risk of a 51 percent attack. Ethereum Classic clocks in at roughly $5,000 per hour."
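
Weaver's cost argument can be turned into a deposit-confirmation check on the exchange side. This is an added example, not code from the post, its commenters or any exchange: it uses the hourly figures quoted above, while the block intervals, the safety factor, the 24-hour wait limit and all names are assumptions made here.

```python
"""Deposit-confirmation sizing from the hourly mining-cost figures quoted above.

Model (an assumption of this example): to reverse a deposit buried under z
blocks, an attacker must out-spend the honest miners for at least the time
those z blocks took to mine. Block rewards the attacker collects on the
replacement chain are ignored, so the estimate flatters the defender; the
safety factor is there to absorb that and errors in the cost estimates.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    name: str
    hourly_cost_usd: float   # honest network's spend per hour (Weaver's estimates)
    block_interval_s: float  # approximate block time; assumed, not from the post

    @property
    def cost_per_block_usd(self) -> float:
        return self.hourly_cost_usd * self.block_interval_s / 3600


CHAINS = {
    "BTC": Chain("Bitcoin", 300_000, 600),
    "ETH": Chain("Ethereum", 100_000, 15),
    "ETC": Chain("Ethereum Classic", 5_000, 14),
}


def min_confirmations(chain, deposit_usd, safety_factor=2.0):
    """Smallest depth at which out-mining costs safety_factor x the deposit."""
    if deposit_usd <= 0:
        return 1
    needed = deposit_usd * safety_factor * 3600 / (
        chain.hourly_cost_usd * chain.block_interval_s)
    return max(1, math.ceil(needed))


def wait_hours(chain, confirmations):
    """Wall-clock time the depositor waits for that many blocks."""
    return confirmations * chain.block_interval_s / 3600


def max_safe_deposit_usd(chain, confirmations, safety_factor=2.0):
    """Largest deposit a fixed confirmation depth can cover under the model."""
    return confirmations * chain.cost_per_block_usd / safety_factor


def deposit_policy(symbol, deposit_usd, max_wait_hours=24.0, safety_factor=2.0):
    """Credit automatically only if the required wait is operationally sane."""
    chain = CHAINS[symbol]
    depth = min_confirmations(chain, deposit_usd, safety_factor)
    hours = wait_hours(chain, depth)
    action = "auto_credit" if hours <= max_wait_hours else "manual_review"
    return {"chain": chain.name, "confirmations": depth,
            "wait_hours": round(hours, 2), "action": action}


if __name__ == "__main__":
    # 1_100_000 matches the ~$1.1 million total reported for the ETC double-spends.
    for symbol in CHAINS:
        for usd in (500, 50_000, 1_100_000):
            print(symbol, usd, deposit_policy(symbol, usd))
```

Under this model a deposit the size of the reported Ethereum Classic losses needs hours of confirmations on Bitcoin but weeks on Ethereum Classic, which is the practical meaning of "any coin much smaller than that is at risk".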

    David. said...

    Izabella Kaminska is back, contrasting McKinsey's pre- and post-price-crash reports on blockchain. She bolds these quotes from the latest:

    "The bottom line is that despite billions of dollars of investment, and nearly as many headlines, evidence for a practical scalable use for blockchain is thin on the ground."

    and:

    "The fact was that billions of dollars had been sunk but hardly any use cases made technological, commercial, and strategic sense or could be delivered at scale."

    David. said...

    Joseph Bonneau's Hostile blockchain takeovers complements Eric Budish's work with a detailed analysis of "Goldfinger attacks", those aimed at discrediting a currency that the attacker is shorting.

    David. said...

    More on the McKinsey report in Blockchain’s groundbreaking, world-shaking, life-changing technology revolution has been cancelled by Terence Corcoran.

    David. said...

    Matt Levine writes about how exchanges are the roach motels of cryptocurrencies:

    "I feel like I am constantly reading about transaction limits for withdrawals of money from the crypto ecosystem, while I much less frequently read about transaction limits for putting money in. Similarly anti-money-laundering and know-your-customer procedures seem to constrain people from taking money out of cryptocurrencies more than they constrain people trying to put money in. It is an odd one-way ratchet."

    David. said...

    Yet another theoretical attribute of blockchains, censorship resistance, turns out to be problematic in practice, as MIT's The Download reports in China will now officially try to extend its Great Firewall to blockchains:

    "The Cyberspace Administration of China (CAC) will require any “entities or nodes” that provide “blockchain information services” to collect users’ real names and national ID or telephone numbers, and allow government officials to access that data.

    It will ban companies from using blockchain technology to “produce, duplicate, publish, or disseminate” any content that Chinese law prohibits."

    David. said...

    Louis DeNicola reports:

    "Collectively, U.S. investors who have sold their bitcoin incurred realized losses of approximately $1.7 billion. As for those who haven’t sold yet, their unrealized losses total an approximate $5.7 billion."

    David. said...

    Bitmex has a report on Tracking US$24 billion Of Tokens ICO Makers Allocated To Themselves:

    "This report is based on tokens where the team controlled holding’s were worth an astonishing US$24.2 billion on issuance (in reality liquidity was too low for this value to be realized). Today this figure has fallen to around US$5 billion, with the difference primarily being caused by a fall in the market value of the tokens, alongside US$1.5 billion of transfers away from team address clusters (possibly disposals)."

    David. said...

    Amy Castor's The curious case of Tether: a complete timeline of events is an impressive compilation.

    David. said...

    Larry Cermak maintains a spreadsheet of losses from exchanges being hacked or "hacked". The running total is now $1.1 billion (based on "prices" at the time the loss was discovered).

    David. said...

    It isn't just your cryptocurrency that gets stolen from exchanges. Cryptoline reports that:

    "According to reports coming from CCN, a hacker is selling hacked KYC data on the dark web, data which the hacker claims to have collected from some of the cryptocurrency exchanges such as Poloniex, Binance, Bittrex and Bitfinex.
    ...
    The ad put up by the hacker is said to have been up and running since July 2018 and the hacked KYC data discloses personal information ranging from drivers licence, ID cards to passport data."

    KYC is "Know Your Customer", part of the anti-money-laundering regulations.

    David. said...

    Now we know why Trump wants to invade Venezuela. It is currently the base for the McAfee 2020 presidential campaign. Ben Munster's A Presidential Campaign in Exile has interviews with some of the campaign staffers.

    Tip of the hat to David Gerard.

    David. said...

    Munawar Gul is a Bitcoin enthusiast. His The Fall of the Blockchain Hype Men is a diatribe against the explosion of patents littering the blockchain space, and the way big corporations are using them to defend their permissioned blockchain implementations:

    "Recently over at Devcon 4, the annual developers conference for Ethereum. Vitalik Buterin told Quartz why he’s distressed about Corporations Patenting everything about Blockchain.

    Behind the scenes, companies like IBM, Bank of America, Barclays, MasterCard and Alibaba are in a race with one another to file patents on blockchain-based systems.

    Even more surprising is the fact that China being so tough on Cryptocurrencies is leading the race in the number of blockchain related patent applications."

    So another reason not to like blockchain is that it will be infested with patent trolls.

    David. said...

    MIT's Technology Review retorts that Just two hacker groups may have stolen $1 billion in cryptocurrency:

    "Blockchain analytics firm Chainalysis spent around three months tracking funds that had been stolen in known hacks. It was able to link much of that money to two groups, which it dubbed Alpha and Beta. If the group’s analysis is correct, then the two groups would account for 60% of all publicly reported crypto-heists."

    Even the crime is centralized!

    David. said...

    David Gerard takes cryptocurrencies and blockchains to the woodshed in The Buttcoin Standard: the problem with Bitcoin. Go read it.

    David. said...

    Dan Goodin's Digital exchange loses $137 million as founder takes passwords to the grave describes yet another reason not to trust cryptocurrency exchanges:

    "A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers’ assets following the sudden death of its founder, who was the only person known to have access to the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it’s tied up in disputes with third parties."

    David. said...

    LongHash has an interesting interview with Emin Gün Sirer:

    "The protocols that we have are not very good at scaling to large numbers of participants, they have built in forces toward centralization. In proof of work currencies, economies of scale, ability to acquire cheap electricity and access to supply chains mean that there will always be a few hardware manufacturers that dominate the mining industry. We’ve seen that Bitcoin mining tends toward centralization, and certain groups become more and more prominent. The only force aiding us is that these mining concerns operate in a competitive industry, and there’s high turnover. But right now, just a few players can easily launch 51% attacks and can censor transactions if compelled."

    He's a lot less skeptical than I am about Proof of Stake.

    David. said...

    I was remiss in not pointing out that at the same time in 2003 as we published the LOCKSS protocol using decentralized consensus and proof of work, Vivek Vishnumurthy, Sangeeth Chandrakumar and Emin Gün Sirer published Karma, an actual cryptocurrency using decentralized consensus and proof of work. Both teams started work about the same time in 2002, so the ideas were in the air then.

    David. said...

    Edward Robinson's Crypto Is Over: Paris Fintech Summit Returns to Disrupting Banks reports:

    "With the top 10 crypto assets down 80 percent in the last 12 months and skepticism mounting, many fintech pros concluded that the technology may not be ready for prime time, especially in an industry this heavily regulated.
    ...
    Perhaps nothing drove that point home more than the face-off between Gottfried Leibbrandt, the chief executive officer of Swift, and Brad Garlinghouse, the CEO of San Francisco’s Ripple Labs Inc. Swift is a 46-year-old cooperative that directs trillions of dollars in cross-border payments between thousands of banks. Garlinghouse has repeatedly vowed to leapfrog Swift’s 1970s-conceived system with a faster, cheaper blockchain-like one."

    So what about Ripple?

    "Nobody uses Ripple Labs’ tech — Ripple’s “200+ Institutional Clients” Claim Is A Scam. “Not a single one of Ripple’s clients appears to be real, or an actual client.”
    ...
    Remember how Ripple Labs claimed a “partnership” with Santander — and told the press things like “We are covering 50% of all the FX payments the Santander Group does annually,” then tweeted them from the official Ripple account? It turns out they’re talking about an iPhone app, “Santander One Pay FX,” which uses Ripple’s xCurrent. The app has 17 ratings and one review — almost nobody uses it. It turns out that “covering” means the app is available in Spain, UK, Brazil and Poland — which together contain 50% of Santander’s customers — and does not in any way mean that those customers use it."

    David. said...

    Josh Reviews Everything has An Interest Rates Primer for Cryptocurrency Folks:

    "The market for personal loans in cryptocurrency isn’t exactly huge, so the main source of demand to borrow bitcoin comes from people who want to short it. As the demand to short bitcoin through futures grows, the futures price will trade at a wider discount to spot, and the implied bitcoin interest rate will move higher.

    And this is what’s been happening since mid-November, when bitcoin prices collapsed below $6000 and never looked back. The demand to short bitcoin in the futures market increased; so the futures started trading at a bigger discount to spot; and that increased the implied bitcoin interest rate."

    So he computes:

    "the implied interest rate for BTC is about 20.2% annualised."

    Tip of the hat to Barry Ritholtz.

    David. said...

    Hyping stablecoins to compete with Tether is hard:

    "five unaffiliated OTC desks all told CoinDesk there was no demand for GUSD among their trading networks. OTC traders said it appears a high percentage of perceived GUSD trading activity is concentrated on exchanges that they do not use.

    “The trading volume is dictated by [Gemini’s] actions and has nothing to do with the market, per se,” said one anonymous OTC trader who has worked with GUSD.

    According to CoinMarketCap, the exchanges with the highest GUSD trading volume include OEX, Hotbit, Bitrue and Fatbtc. Gemini has no direct association with these exchanges.

    In particular, OEX and Fatbtc are both ranked on the Blockchain Transparency Institute’s advisory list. The nonprofit estimated that over 98 percent of those exchanges’ activity comes from automated trades, which typically involves bots rather than real users."

    David. said...

    Bruce Schneier joins the chorus pointing out that there's no there there in blockchain technology:

    "Do you need a public blockchain? The answer is almost certainly no. A blockchain probably doesn’t solve the security problems you think it solves. The security problems it solves are probably not the ones you have. (Manipulating audit data is probably not your major security risk.) A false trust in blockchain can itself be a security risk. The inefficiencies, especially in scaling, are probably not worth it. I have looked at many blockchain applications, and all of them could achieve the same security properties without using a blockchain—of course, then they wouldn’t have the cool name."

    David. said...

    I've observed before that mining a public blockchain these days necessarily involves hosting content that allows the authorities to jail you at a moment's notice in almost all jurisdictions, such as child porn.

    Now Bitcoin SV, one of the increasingly many forks of Satoshi's original, has raised its transaction size limit to 100KB, allowing much bigger and better content to be stored immutably in its blockchain. And, naturally, as David Canellis reports in BitcoinSV ‘feature’ exploited to store child abuse imagery on the blockchain, among the first content to take advantage of this feature is child porn:

    "A change to the Bitcoin Satoshi’s Vision (BSV) protocol has inadvertently led to child exploitation material being posted to its blockchain, forcing apps and block explorers into actively monitoring the network for illegal content."

    Filtering blockchains for illegal content is problematic because, as Nicholas Weaver points out in his talk for Enigma, it opens the blockchain up to a very simple and effective attack:

    "In late 2017 the Bitcoin network hit a capacity limit which caused fees to enter a death spiral, so if you wanted your transaction to go through you had to outbid everyone else. This is exploitable. Someone could spam the network whenever it's below the death spiral point, shutting it down at will. And when it is above, do nothing but laugh.

    Keep this up until the network installs spam filters, and then the attacker starts a more interesting game: tuning spam not to get through the filters but to have the filters trigger false positives. How well would a currency work if 1-2% of transactions are randomly blocked by spam filters?

    Ethereum seems a particularly ripe target, with a full blockchain of over 2TB and working sets measured in the 100s of GB. What happens if an attacker adds a 0 or two to those numbers?"

    David. said...

    Paul Krugman's thread on Niall Ferguson joining the recapitulation of the failed Basis stablecoin features his opinion:

    "I'm on record as saying that crypto is a mishmash of technobabble and libertarian derp. But I guess that I should add that it's also a giant draw for sufferers from Dunning-Kruger syndrome"

    David. said...

    David Gerard provides another example of the reason crypto "price" is in quotes:

    "An upset Mt. Gox creditor analyses the data from the bankruptcy trustee’s sale of bitcoins. He thinks he’s demonstrated incompetent dumping by the trustee — but actually shows that a “market cap” made of 18 million BTC can be crashed by selling 60,000 BTC, over months, at market prices, which suggests there is no market."

    David. said...

    The FT's Alphaville has two fun reads. Camilla Hodgson's Anatomy of a Cryptocurrency Scam starts:

    "In November this guesting Alphavillian wrote an article for the Financial Times about the falling price of bitcoin (what's new?). Half an hour later we received a direct Twitter message from an account saying it was a good time to invest in the cryptocurrency, which could become a “second source of income.”

    They said with an investment of $300 in crypto, on trading platform Crypto365, we could earn $3,000 in five days."

    And Elon Musk continues to provide Izabella Kaminska with material for the Billions of Blistering Barnacles series such as:

    "Paper money is going away, and crypto is a far better way to transfer value than pieces of paper, that’s for sure."

    David. said...

    Mike Orcutt's Once hailed as unhackable, blockchains are now getting hacked is an overview of vulnerabilities including 51% attacks,

    "Toward the middle of 2018, attackers began springing 51% attacks on a series of relatively small, lightly traded coins including Verge, Monacoin, and Bitcoin Gold, stealing an estimated $20 million in total. In the fall, hackers stole around $100,000 using a series of attacks on a currency called Vertcoin. The hit against Ethereum Classic, which netted more than $1 million, was the first against a top-20 currency."

    And bugs in "smart contracts":

    "Last month, Tsankov’s team at ChainSecurity saved Ethereum from a possible repeat of the DAO catastrophe. Just a day before a major planned software upgrade, the company told Ethereum’s lead developers that it would have the unintended consequence of leaving some contracts on the blockchain newly vulnerable to the same kind of bug that led to the DAO hack. The developers promptly postponed the upgrade and will give it another go later this month."

    David. said...

    Eric Hellman's "Blockchain for Libraries" is Snake Oil is not just right about blockchain, but about snake oil too! The video of Eric's talk is here.

    Although I have a couple of quibbles:

    - Slide 7 says "Participants can be anonymous" but means pseudonymous. And "Consensus mechanism prevents double-spending.–Secure- except for bugs" but ignores 51% attacks. It should say "Consensus mechanism makes double-spending costly" but in many cases now it isn't costly enough.

    - Slide 14 says LOCKSS uses Byzantine Fault Tolerance, which is wrong. It uses an original consensus mechanism that is related to BFT but is statistical in nature.

    David. said...

    ROFLMAO at Catalin Cimpanu's Cryptocurrency wallet caught sending user passwords to Google's spellchecker. The sub-head says it all:

    "Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext."

    Sadly, this appears typical of the competence level of programmers in the crypto wallet space.

    David. said...

    It turns out that cryptocurrency exchanges are the roach motel of personal finance. Cory Doctorow writes:

    "The latest group of Hacking Team war criminals to find themselves reaccepted into polite society is the staff of Neutrino, a startup acquired by the cryptocurrency company Coinbase, to do forensic tracking of blockchain transactions.

    Many Coinbase users have concluded that they do not want to entrust their finances to a company that includes these unsavory characters, and so was born the #DeleteCoinbase movement to coordinate divestiture from the company.

    However, Coinbase will only allow you to delete your account if it has a zero balance, free of "dust" (infinitesimal residues left behind from fractional cryptocurrency transactions) and users are finding it impossible to rid themselves of their dust, which Coinbase insists is merely an accident and nothing to do with not wanting disgruntled users to leave."

    David. said...

    David Gerard notes that:

    "Coinbase buys Neutrino, a startup founded by Hacking Team, a hacker group with an extensive track record of selling surveillance technology to oppressive governments, whose CEO regularly signed his emails with old Fascist slogans. Why did Coinbase buy Neutrino? Because their previous data analysis provider was selling Coinbase customer data to third parties!"

    David. said...

    Anyone who thinks that using cryptocurrencies is a way of avoiding the attention of law enforcement should read today's news post from David Gerard. He notes, in order:

    1) Morgan Rockcoons pled guilty to wire fraud for the "Bitcointopia" scam.

    2) The US has charged the founders of OneCoin with wire fraud - there wasn't even one coin.

    3) 1pool/1broker has to pay a $421,000 fine and refund their customers' bitcoin even though they were based outside the US.

    4) Two Australian exchanges got suspended for links to organized crime and drugs.

    5) The Canada Revenue Agency is auditing Bitcoin users. Here's the 13-page questionnaire to give some idea of the answers users need to be prepared with.

    6) Remember that wash trading is illegal: "Crypto Integrity found that up to 88% of reported volumes in February were artificial at some of the highest reported volume exchanges. On some less liquid trading pairs, the group estimates up to 100% of the volume is fake."

    Gerard also links to Kyle Gibson's informative 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents.

    David. said...

    Tim Copeland's The complete story of the QuadrigaCX $190 million scandal is unlikely to be the "complete story" but it is very informative.

    David. said...

    David Gerard comments on the big news in cryptocurrencies, that Tether has finally admitted that USDT is not actually backed one-for-one by actual USD in a bank account. Bitfinex'ed takes a bow!

    David. said...

    Bitwise Asset Management's detailed comments to the SEC about BTC/USDT trading on unregulated exchanges:

    "demonstrate in multiple different ways that approximately 95% of this volume is fake and/or non-economic in nature, and that the real market for bitcoin is significantly smaller, more orderly, and more regulated than commonly understood."

    Hat tip to msmash at /..

    David. said...

    Hugh Son reports Bank of America tech chief is skeptical on blockchain even though BofA has the most patents for it.

    David. said...

    In The Bank of Hodlers [sic] (sigh), Jemima Kelly uses the example of the Enron fiasco to explain that decentralizing utility functions like electricity and banking isn't a good idea:

    "The problem is, just like with the California example, every time deregulation, decentralisation and automation has taken foot in the financial world, bad things have tended to follow. Most of the time what is revealed is that middlemen or rent-seekers weren't actually eliminated or disempowered, but rather regenerated into new forms. Meanwhile, where algos took on the responsibility for human judgments, they were easily gamed, and introduced all sorts of new risks into the system. Those bad things then justified the return of regulation and the effective reformulation of human-overseen processes that “recentralise” the industry."

    David. said...

    Flaws in Bitcoin make a lasting revival unlikely from The Economist is a good summary:

    "the cryptocurrency fiasco has exposed three deep and related problems: the extent of genuine activity is hugely exaggerated; the technology does not scale well; and fraud may be endemic."

    David. said...

    In Inside the rise and fall (and rise?) of crypto mining giant Bitmain, the South China Morning Post's Zheping Huang writes a fascinating account of the rise of Bitmain to dominate the Bitcoin mining chip business, and its subsequent troubles, leading to a failed IPO and irresolvable differences between the co-CEOs:

    "Beijing-based Bitmain Technologies on Tuesday called off its plan to go public in Hong Kong after its application lapsed after six months. The failure of what was billed as potentially the world’s largest crypto-related IPO adds to news of retrenchments. A new CEO has been appointed to replace the two main founders, who had previously shared the role."

    Tip of the hat to David Gerard.

    David. said...

    My talk referred to Tether, an allegedly asset-backed "stablecoin". But it didn't cover the alternative form of "stablecoin", the algorithmic variety. Fortunately, Ben Dyson at the Bank of England repairs the omission. Using the example of "Basis", a proposed stablecoin that never actually materialized, he concludes:

    "Whilst algorithmic stablecoins like Basis manage to eliminate the need for trust in a third party, they instead end up being heavily dependent on investor belief and confidence. As long as all users believe that the coin will be stable, their behaviour ensures that it will be stable, but if some users start to lose confidence and sell, the coin risks falling into a downward spiral.

    What does this mean for issuers and users of algorithmic stablecoins? If these stablecoins are destined to lose their stability, then over a long-enough time frame, buyers of algorithmic stablecoins will make significant losses. But the initial sellers of these coins – the founders and share-holders – will make significant gains, since they sold something created at no cost (the coins) in exchange for fiat currencies. If the peg fails, then the end result will have been a significant transfer of wealth from the buyers to the issuers."

    The talk pointed out that regular cryptocurrencies such as Bitcoin depend on a belief that the "price" will rise, and thus transfer wealth from later to earlier adopters. So too "stablecoins" depend on a belief that the "price" will be stable. Since, as Dyson shows, this is very unlikely to be true, they will transfer wealth from later to earlier adopters.

    David. said...

    Jemima Kelly dives into the depths of "Solution to Everything™" self-parody with Blockchain for Brexit: a wonderfully terrible idea:

    "The thing is though, the more this idea gets bandied about, the more the blockchainers expose the ridiculousness of their other ideas. Where an open-minded and uninformed reader might have (wrongly) bought into the idea that a blockchain can help combat the illegal fishing of tuna or ensure clinical trial integrity, they are likely to draw a line at the idea that blockchain can in any way solve a problem as intractable as Brexit. Or for that matter, solve the utter lack of any form of consensus in Parliament."

    David. said...

    A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions reports what happened after a researcher tried "1" as the private key for an Ethereum address:

    "the researchers not only found that cryptocurrency users have in the last few years stored their crypto treasure with hundreds of easily guessable private keys, but also uncovered what they call a "blockchain bandit." A single Ethereum account seems to have siphoned off a fortune of 45,000 ether—worth at one point more than $50 million—using those same key-guessing tricks."

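A defensive illustration of the weak-key problem described in the comment above: a check a wallet could run before accepting or importing a private key. This is an added example, not part of the original comment and not the researchers' code; the function names, the 200-bit threshold, the byte-pattern heuristics and the sample keys are all assumptions constructed for illustration.

```python
import secrets

# Order of the secp256k1 group used by Ethereum and Bitcoin. A valid private
# key is an integer k with 1 <= k < SECP256K1_N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed threshold: a uniformly random key has fewer significant bits than
# this with probability of about 2**-56, so a hit indicates a broken generator.
MIN_BITS = 200


def audit_private_key(key: bytes) -> list:
    """Return a list of findings; an empty list means no weakness was detected."""
    if len(key) != 32:
        return [f"wrong length: {len(key)} bytes, expected 32"]
    k = int.from_bytes(key, "big")
    if not 1 <= k < SECP256K1_N:
        return ["out of range: not a valid secp256k1 scalar"]
    findings = []
    # Keys such as 1, 2, 3 ... or keys whose upper bytes are all zero.
    if k.bit_length() < MIN_BITS:
        findings.append(f"small scalar: only {k.bit_length()} significant bits")
    # Keys built from one or a handful of repeated byte values.
    if len(set(key)) <= 4:
        findings.append(f"low byte diversity: {len(set(key))} distinct byte values")
    # Constant-step byte runs such as 00 01 02 ... or 20 1f 1e ...
    steps = {(b - a) % 256 for a, b in zip(key, key[1:])}
    if len(steps) == 1:
        findings.append("arithmetic byte sequence")
    return findings


def generate_private_key() -> bytes:
    """Draw a key from the OS CSPRNG and retry in the negligible case it is flagged."""
    while True:
        key = secrets.token_bytes(32)
        if not audit_private_key(key):
            return key


if __name__ == "__main__":
    # Constructed sample keys, none taken from any real wallet.
    samples = {
        "integer 1": (1).to_bytes(32, "big"),
        "all zero": bytes(32),
        "counting bytes": bytes(range(32)),
        "upper half zero": b"\x00" * 16 + b"\xff" * 16,
        "fresh CSPRNG key": generate_private_key(),
    }
    for name, key in samples.items():
        print(f"{name:18} {audit_private_key(key) or 'no findings'}")
```

Passing the audit does not show that a key is strong; it only rules out the trivially guessable patterns listed in the comments.
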
    David. said...

    The New York Attorney General has sued Bitfinex and has apparently discovered an $850M hole in Tether's reserves.

    David. said...

    Izabella Kaminska's We all become MF Global eventually, Tether edition has a detailed run-down on the history behind the New York AG's suit against Bitfinex.

    David. said...

    Tether's general counsel admits that Tether isn't 100% backed by cash after all:

    "Tether has cash and cash equivalents (short term securities) on hand totaling approximately $2.1 billion, representing approximately 74 percent of the current outstanding tethers."

    David. said...

    Tether's missing $850M apparently vanished into Crypto Capital. David Gerard reports that:

    "Crypto Capital were the money transmitters for troubled crypto exchange Bitfinex and dubious dollar-substitute coin Tether. They operated in the US through a company called Global Trading Solutions. The founder of GTS, Reggie Fowler, was indicted on Tuesday. The US Government has filed a motion to detain Fowler as a flight risk. And it’s amazing.

    Reggie Fowler is an American football player turned businessman. His most recent brush with fame was when the Alliance of American Football, an attempt to form a new football league, collapsed after Fowler withdrew funding.

    Fowler had to withdraw funding for the AAF because the Department of Justice had seized his bank accounts in October 2018 — just after Bitfinex had started sending money through Global Trading Solutions."

    Fowler was caught with $14,000 in counterfeit $100 bills, among other details casting doubt on his financial operations.

    Note that future comments on this topic will appear on this more recent version of the talk.