Tuesday, November 8, 2022

Matt Levine's "The Crypto Story": Part 1

Even if you're not a Bloomberg subscriber you can read Matt Levine's The Crypto Story with a free registration, or here, and I urge you to do so. It is long, about 40K words, but well worth the effort. It is remarkably good - lucid, comprehensive, balanced, accurate. It even has footnotes expanding on the details where he is oversimplifying for clarity of exposition.

Levine's magnum opus is in four parts:
  1. Ledgers, Bitcoin, Blockchain, in which he lays out the basics of Bitcoin's technology.
  2. What Does It Mean?, in which he discusses generalizations of Bitcoin, such as Ethereum.
  3. The Crypto Financial System, in which he discusses financial technologies such as exchanges, stablecoins and DeFi.
  4. Trust, Money, Community, in which he discusses the social and societal impacts.
This post is not a substitute for reading the real thing. Below the fold, some commentary on fragments of the first two parts. The second two parts will have to wait for a subsequent post, because even commenting on such a massive post gets way long. Block quotes without links are from Levine's article.

Levine explains why he's writing at such length:
I don’t have strong feelings either way about the value of crypto. I like finance. I think it’s interesting. And if you like finance—if you like understanding the structures that people build to organize economic reality—crypto is amazing. It’s a laboratory for financial intuitions. In the past 14 years, crypto has built a whole financial system from scratch. Crypto constantly reinvented or rediscovered things that finance had been doing for centuries. Sometimes it found new and better ways to do things.

Often it found worse ways, heading down dead ends that traditional finance tried decades ago, with hilarious results.

Often it hit on more or less the same solutions that traditional finance figured out, but with new names and new explanations. You can look at some crypto thing and figure out which traditional finance thing it replicates. If you do that, you can learn something about the crypto financial system—you can, for instance, make an informed guess about how the crypto thing might go wrong—but you can also learn something about the traditional financial system: The crypto replication gives you a new insight into the financial original.
My goal here is not to convince you that crypto is building the future and that if you don’t get on board you’ll stay poor. My goal is to convince you that crypto is interesting, that it has found some new things to say about some old problems, and that even when those things are wrong, they’re wrong in illuminating ways.

Ledgers, Bitcoin, Blockchain

Levine starts from the issue of trust in conventional digital financial systems:
A system of impersonal banking in which the tellers are strangers and you probably use an ATM anyway requires trust in the system, trust that the banks are constrained by government regulation or reputation or market forces and so will behave properly.

Saying that modern life is lived in databases means, most of all, that modern life involves a lot of trust.

Sometimes this is because we know them and consider them to be trustworthy. More often it means we have an abstract sense of trust in the broader system, the system of laws and databases and trust itself. We assume that we can trust the systems we use, because doing so makes life much easier than not trusting them and because that assumption mostly works out. It’s a towering and underappreciated achievement of modernity that we mostly do trust the database-keepers, and that they mostly are trustworthy.
The conventional digital financial systems have roots back in the days of punched cards and magnetic tapes, and have evolved incrementally since, so they are an inefficient mish-mash of awkwardly cooperating systems:
What if we rewrote all the databases from scratch, in modern computer languages using modern software engineering principles, with the goal of making them interact with one another seamlessly?

If you did that, it would be almost like having one database, the database of life: I could send you money in exchange for your house, or you could send me social reputation in exchange for my participation in an online class, or whatever, all in the same computer system.

That would be convenient and powerful, but it would also be scary. It would put even more pressure on trust. Whoever runs that one database would, in a sense, run the world. Whom could you trust to do that?
So there is a strong motivation to find a system that (a) works better but (b) requires less trust. The problem is that trust, even Regan-style "trust but verify", is such an enormous optimization over a truly trust-free system, that it is effectively impossible to eliminate it in practice, despite Satoshi's claims:
What Satoshi said he’d invented was a sort of cash for internet transactions, “an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.” If I want to buy something from you for digital cash—Bitcoin—I just send you the Bitcoin and you send me the thing; no “trusted third party” such as a bank is involved.

When I put it like that, it sounds as if Satoshi invented a system in which I can send you Bitcoin and nobody else is involved. What he actually invented was a system in which lots of other people are involved.
Satoshi was not just wrong about "no trusted third party", because in practice Bitcoin transactions trust a lot of entities, including the core developers, and the few large mining pools. He was also wrong about the ability of Bitcoin to facilitate transactions involving off-chain "things" such as the notorious initial pizza. Pseudonymity, immutability, and the hour-long delay before finality make such transactions extremely risky. The normal mitigation for this kind of risk is an escrow service; a trusted third party. Is it possible to replace the escrow service with a "smart contract"? Alas, no. In Irrationality, Extortion, or Trusted Third-parties: Why it is Impossible to Buy and Sell Physical Goods Securely on the Blockchain Amir Kafshdar Goharshady shows that:
assuming that the two sides are rational actors and the smart contract language is Turing-complete, there is no escrow smart contract that can facilitate this exchange without either relying on third parties or enabling at least one side to extort the other.
One of Levine's achievements is that he next provides an accurate, readable explanation of Bitcoin's technology, starting from one-way functions through hashing, public-key encryption and digital signatures to the way Bitcoin implements a ledger:
The ledger is not really just a list of addresses and their balances; it’s actually a record of every single transaction. The ledger is maintained by everyone on the network keeping track of every transaction for themselves.

That’s nice! But now, instead of trusting a bank to keep the ledger of your money, you’re trusting thousands of anonymous strangers.
Everyone keeps the ledger, but you can prove that every transaction in the ledger is valid, so you don’t have to trust them too much.

Incidentally, I am saying that “everyone” keeps the ledger, and that was probably roughly true early in Bitcoin’s life, but no longer. There are thousands of people running “full nodes,” which download and maintain and verify the entire Bitcoin ledger themselves, using open-source official Bitcoin software. But there are millions more not doing that, just having some Bitcoin and trusting that everybody else will maintain the system correctly. Their basis for this trust, though, is slightly different from the basis for your trust in your bank. They could, in principle, verify that everyone verifying the transactions is verifying them correctly.
In the spirit of his "The crypto replication gives you a new insight into the financial original." he makes this point:
Notice, too, that there’s a financial incentive for everyone to be honest: If everyone is honest, then this is a working payment system that might be valuable. If lots of people are dishonest and put fake transactions in their ledgers, then no one will trust Bitcoin and it will be worthless. What’s the point of stealing Bitcoin if the value of Bitcoin is zero?

This is a standard approach in crypto: Crypto systems try to use economic incentives to make people act honestly, rather than trusting them to act honestly.
Note that the incentive is inherent to the system, not layered on via reputation or legal sanctions. In Cooperation among an anonymous group protected Bitcoin during failures of decentralization Alyssa Blackburn et al analyze how this incentive operated in the early days of Bitcoin, when multiple actors had the means and opportunity, but not the motive, to subvert the system (commentary here). But it is also worth noting that later, in 2014, GHash.io for extended periods held 51% of the mining power, as Dan Goodin reports in Bitcoin security guarantee shattered by anonymous miner with 51% network power:
on June 12, GHash produced a majority of the power for 12 hours straight,
GHash's ascendency to a majority miner comes even as its operators pledged never to cross the 51-percent threshold. It also comes less than a year after GHash was accused of using its considerable hashing power to attack a gambling site.
As Ittay Eyal and Emin Gün Sirer wrote at the time:
Overall, there is absolutely no reason to trust GHash or any other miner. People in positions of power are known to abuse it. A group with a history of double-expenditures just blithely went past the 51% psychological barrier: this is not good for Bitcoin.
Levine continues his impressively accessible explanation by correctly explaining the need for a Sybil defense and the way the Proof-of-Work implements it, connecting it to the idea of inherent economic incentives:
Proof-of-work mining is a mechanism for creating consensus among people with an economic stake in a system, without knowing anything else about them. You’d never mine Bitcoin if you didn’t want Bitcoin to be valuable. If you’re a Bitcoin miner, you’re invested in Bitcoin in some way; you’ve bought computers and paid for electricity and made an expensive, exhausting bet on Bitcoin. You have proven that you care, so you get a say in verifying the Bitcoin ledger. And you get paid. You get paid Bitcoin, which gives you even more of a stake in the system.
And he notes that, despite all the rhetoric about Bitcoin's 21M coin limit being deflationary, the Sybil defense mechanism is necessarily inflationary:
One important point about these mining rewards is that they cost Bitcoin users money. Every block—roughly every 10 minutes—6.25 new Bitcoin are produced out of nowhere and paid to miners for providing security to the network. That works out to more than $6 billion per year. This cost is indirect: It is a form of inflation, and as the supply of Bitcoin grows, each coin in theory becomes worth a little less, all else being equal. Right now, the Bitcoin network is paying around 1.5% of its value per year to miners.

That’s lower than the inflation rate of the US dollar. Still, it’s worth noting. Every year, the miners who keep the Bitcoin system secure capture a small but meaningful chunk of the total value of Bitcoin. Bitcoin users get something for that $6 billion:
What they get is security:
When there are billions of dollars up for grabs for miners, people will invest a lot of money in mining, and it will be expensive to compete with them. And if you invested billions of dollars to accumulate a majority of the mining power in Bitcoin, you would probably care a lot about maintaining the value of Bitcoin, and so you’d be unlikely to use your powers for evil.
My only criticism of this chapter is that it leaves the impression that Satoshi Nakamoto was a genius whose invention of cryptocurrency was unprecedented. Although his overall design was very clever, it built on both:
  • The history of attempts to create a digital currency stretching back four decades detailed, for example, in Finn Brunton's Digital Cash.
  • Academic research on component technologies also dating back four decades, as detailed by Arvind Narayanan and Jeremy Clark in Bitcoin's Academic Pedigree (see here.

What Does It Mean?

One of the things that, as a finance journalist, really interests Levine is:
The wild thing about Bitcoin is not that Satoshi invented a particular way for people to send numbers to one another and call them payments. It’s that people accepted the numbers as payments.
That social fact, that Bitcoin was accepted by many millions of people as having a lot of value, might be the most impressive thing about Bitcoin, much more than the stuff about hashing.
And that:
Here’s another extremely simple generalization of Bitcoin:
  1. You can make up an arbitrary token that trades electronically.
  2. If you do that, people might pay a nonzero amount of money for it.
  3. Worth a shot, no?
As Bitcoin became more visible and valuable, people just … did … that? There was a rash of cryptocurrencies that were sometimes subtle variations on Bitcoin and sometimes just lazy knockoffs. “Shitcoins” is the mean name for them.
But the shitcoins were vastly less successful at being accepted as having a lot of value::
Socially, cryptocurrency is a coordination game; people want to have the coin that other people want to have, and some sort of abstract technical equivalence doesn’t make one cryptocurrency a good substitute for another. Social acceptance—legitimacy—is what makes a cryptocurrency valuable, and you can’t just copy the code for that.

That’s a revealing fact: What makes Bitcoin valuable isn’t the elegance of its code, but its social acceptance. A thing that worked exactly like Bitcoin but didn’t have Bitcoin’s lineage—didn’t descend from Satoshi’s genesis block and was just made up by some copycat—would have the same technology but none of the value.
Rank Symbol vs. BTC vs. ETH
1 BTC 1.0
2 ETH 0.49 1.0
8 DOGE 0.05
9 ADA 0.04 0.07
10 SOL 0.03 0.06
13 SHIB 0.02
Excluding metastablecoins and non-decentralized coins, and ordering by "market cap" as shown on coinmarketcap.com, we have this table. Note that the largest BTC-clone, DOGE, is "worth" one-twentieth as much, and that only because it is favored by the cult of Elon Musk. SHIB, which is a DOGE ripoff, but on Ethereum, is "worth" about 40% as much. The largest ETH competitor, ADA, is "worth" one-twelfth as much. Despite this, shitcoins have found a viable market niche as the basis for highly profitable pump-and-dump schemes.

Levine turns to the number 2 cryptocurrency:
Ethereum is a big virtual computer, and you send it instructions to do stuff on the computer. Some of those instructions are “Send 10 Ether from Address X to Address Y”: One thing in the computer’s memory is a database of Ethereum addresses and how much Ether is in each of them, and you can tell the computer to update the database.

But you can also write programs to run on the computer to do things automatically. One sort of program might be: Send 10 Ether to Address Y if something happens. Alice and Bob might want to bet on a football game, or on a presidential election, or on the price of Ether.
Ethereum isn't really a "big virtual computer". It is a very small, slow, expensive virtual computer with about 500GB of storage. In the heady days of last December Nicholas Weaver pointed out that:
Put bluntly, the Ethereum “world computer” has roughly 1/5,000 of the compute power of a Raspberry Pi 4!

This might be acceptable if the compute wasn’t also terrifyingly expensive. The current transaction fees for 30M in gas consumed is over 1 Ether. At the current price of roughly $4000 per Ether this means a second of Ethereum’s compute costs $250. So a mere second of Ethereum’s virtual machine costs 25 times more than a month of my far more capable EC2 instance. Or could buy me several Raspberry Pis.
Levine acknowledges but underplays the slow part, and omits the expensive part:
The way Ethereum executes programs is that you broadcast the instructions to thousands of nodes on the network, and they each execute the instructions and reach consensus on the results of the instructions. That all takes time. Your program needs to run thousands of times on thousands of computers.

Computers and network connections are pretty fast these days, and the Ethereum computer is fast enough for many purposes (such as transferring Ether, or keeping a database of computer game characters). But you wouldn’t want to use this sort of computer architecture for extremely time-sensitive, computation-intensive applications.
Levine correctly identifies one of the big problems with "smart contracts", as Ethereum programs are called. If Alice and Bob bet on a football game, how does the program know what the result was?
The standard solution in crypto is called an “oracle.” It’s a program that will periodically query some company or website that tracks the relevant information (election results, football scores, weather, etc.) and post the answer to the Ethereum blockchain. An oracle is essentially a way to bring information from the outside world (the real world, or just the internet) onto the blockchains.
So the end result of the bet depends on what the oracle says. It is just another program, which will have bugs and vulnerabilities. In particular, it will suffer from "garbage in, garbage out", giving rise to so-called oracle manipulation attacks:
A vulnerability arises when protocols relying on oracles automatically execute actions even though the oracle-provided data feed is incorrect. An oracle with deprecated or even malicious contents can have disastrous effects on all processes connected to the data feed. In practice, manipulated data feeds can cause significant damage, from unwarranted liquidations to malicious arbitrage trades.
Molly White reports on an example from October 23rd in Oracle manipulation attack on a QuickSwap market earns exploiter $188,000:
Adding to the recent string of oracle manipulation attacks is an attack on the miMATIC ($MAI) market on the QuickSwap decentralized exchange. An exploiter was able to manipulate the spot price of assets to borrow funds, ultimately making off with 138 ETH ($188,000) that they mixed through Tornado Cash. The vulnerability was due to the use of a Curve LP oracle, which contains a vulnerability that was disclosed by a security firm earlier that month.
And another from November 2nd in Oracle attack on Solend costs the project $1.26 million :
Solend announced that an exploiter had manipulated the oracle price of an asset on their platform, allowing them to take out a loan that left the platform with $1.26 million in bad debt.
And another from November 7th in Pando exploited for $20 million:
The defi protocol Pando suffered a $20 million loss when it was exploited with an oracle manipulation attack. The protocol suspended several of its projects in response to the hack, and wrote that they hoped to negotiate with the hacker to regain some of the stolen proceeds.
These attacks are happening weekly.

Levine's discussion of Ethereum's transition to Proof-of-Stake is clear:
When we discussed proof-of-work mining, I said that crypto systems are designed to operate on consensus among people with an economic stake in the system. PoW systems demonstrate economic stake in a cleverly indirect way: You buy a bunch of computer hardware and pay for a lot of electricity and do a bunch of calculations to prove you really care about Bitcoin. PoS systems demonstrate the economic stake directly: You just invest a lot of money in Ethereum and post it as a bond, which proves you care.

This is more efficient, in two ways. First, it uses less electricity. ... Second, PoS more directly measures your stake in the system. You demonstrate your stake in Ethereum by 1) owning Ether and 2) putting it at risk28 to validate transactions. To take control of the PoS system and abuse it for your own nefarious purposes, you need to own a lot of Ether, and the more you own, the less nefarious you’ll want to be. “Proof of stake can buy something like 20 times more security for the same cost,” Vitalik has argued. ... The capital investment isn’t in computers but in the relevant cryptocurrency. The transaction is very close to: “Invest a lot of cryptocurrency and then get paid interest on that cryptocurrency.”
This is the Golden Rule, "he who has the gold makes the rules". Or Mark 4:25:
For he that hath, to him shall be given: and he that hath not, from him shall be taken even that which he hath.
And the extraordinary Gini coefficients of cryptocurrencies mean that he that hath already hath almost all of the gold. But this is mitigated slightly, as he explains, by staking services:
in fact a lot of Ethereum validation runs through crypto exchanges such as Coinbase, Kraken, and Binance, which offer staking as a product to their customers. (The biggest is a thing called Lido Finance, which isn’t an exchange but a sort of decentralized staking pool.) The customers keep their Ether with the exchange anyway, so they might as well let the exchange stake it for them and earn some interest.
The problem with this is the lack of decentralization. As I write, Lido, Coinbase and Kraken between them have nearly 53% of all the stake. This isn't great, but it is actually better than Proof-of-Work Ethereum, which last November had 2 mining pools with nearly 54% of the mining power.

The reward for staking is one of the "new things to say about some old problems" that Levine finds interesting:
Crypto has found a novel way to create yield. ... You can deposit your crypto into an account, and it will pay you interest. It will pay you interest not for the reason banks generally do—because they’re lending your money to some other customer who will make use of it—but because you are, in your small way, helping to maintain the security of the transaction ledger.
Where does the interest come from? Part is from the block reward, and part is from transaction fees:
generally speaking, the more you offer to pay for gas, the faster your transaction will be executed: If Ethereum is busy, paying more for gas gets you priority for executing your transactions. It is a shared computer where you can pay more to go first.
Well, yes, but there are two problems with "pay more to go first":
  • As I discussed here, there is a fixed supply of computation but a variable demand for it. The result is a variable price for computation. In practice, fees are low when few people want to transact, but spike enormously when everyone does. This chart shows that while now, in the "crypto winter" the average ETH transaction fee is around 77 cents, during the Luna/Terra crash it spiked by a factor of 32. You are in a blind auction for fees, so are motivated to overpay.
  • The fact of "pay-for-priority" is what enables front-running and other forms of Miners' Extractable Value. It is likely that the profitable trade you spotted will be front-run by a bot that spots your pending transaction and offers to pay more.
Here is an example of an MEV bot in action:
One such bot, known as 0xbadc0de, earned a windfall when a trader tried to sell 1.8 million cUSDC (USDC on the Compound protocol) – notionally worth $1.85 million – but only received $500 in assets in return due to low liquidity. The MEV bot, however, profited 800 ETH (~$1 million) from arbitrage trades surrounding the sale.
Levine returns to the financial aspects:
Here’s another important difference between Ethereum and Bitcoin. Bitcoin never raised money; Ethereum did.
You could imagine Vitalik saying: “OK, we are a company, we’re Ethereum Inc., we’re going to start the Ethereum blockchain and make money from it, and we’ll sell shares in Ethereum Inc. to raise the money to build the blockchain. Sell 20% of Ethereum Inc. for cash, get the cash, build the blockchain and, I don’t know, collect royalties.
They sold tokens. In July 2014 they sold Ether “at the price of 1000-2000 ether per BTC, a mechanism intended to fund the Ethereum organization and pay for development,” according to Ethereum’s white paper. In all, they sold about 60 million Ether for about $18.3 million, all before the technology itself went live. Ethereum’s genesis block was mined in July 2015. Today there is a total of about 122 million Ether outstanding. Some of that, like Bitcoin, comes from mining or, now, validating. But almost half of it was purchased, before Ethereum was launched, by people who wanted to bet on its success.
It worked out well for those investors; that 60 million Ether is worth billions of dollars today.

But as a “whole new financing model,” it’s a mixed bag. Many people, particularly securities regulators, think it’s good that startups usually can’t raise money from the general public without at least a business plan. And there’s a sense in which this sale—the Ether “pre-mine,” or “initial coin offering” (ICO)—was the original sin of crypto as a financing tool. A lot of other crypto teams copied Ethereum’s approach, writing up vague plans to build some project and then raising money by preselling tokens that would be useful if the project ever happened.
As he writes, the resulting high level of fraud was inevitable:
When ragtag groups of hackers with no business plan can raise millions of dollars from anyone with an internet connection, they all will. The odds that any particular one of those non-business-plans will succeed are low. The odds that any particular one will be a scam are high.
He then discusses the persistently wrong idea that "putting things on the blockchain" will make the world better:
How to make this connection is largely an unsolved problem, and quite possibly an unsolvable one, but also an important one. Crypto’s financial system is well-developed and has some advantages in openness and permissionless innovation over the traditional financial system. If you could ingest the physical world into that financial system, you’d have something cool.
The unsolvable part of this is the "oracle problem" that is fundamental to "smart contracts".

Levine discusses the idea of Web3 as a reaction to the centralized, closed FAANGs controlling the Internet and making lots of money:
But web3 will be when people build decentralized open community-controlled protocols for the internet again and also make lots of money. Because the decentralized protocols won’t be owned by big tech companies, but they won’t be free and owned by no one, either. They’ll be owned by their users.

Just kidding: They’ll be owned by venture capitalists who buy tokens in these projects early on and who are the biggest boosters of web3.
Levine doesn't explain why the VCs are the "biggest boosters of web3". As I explained in List And Dump Schemes it is because investing in the tokens allows them to outsource the securities fraud to the founders. He makes another good point about the financial implications of owning Bitcoin or other cryptocurrencies:
But another thing you get is a share in the Bitcoin project. Not a share of actual stock, but still a chance to profit from the success of Bitcoin. If this digital cash thing takes off, then lots of people will want Bitcoin to use to buy sandwiches, and there will be a lot of demand for Bitcoin. But only 21 million Bitcoin will ever exist. So each Bitcoin will be more valuable as more people decide to use Bitcoin as their way to transfer digital cash.

That logic never quite made sense. A convenient currency for digital cash transfer has a stable value, and the rising value of Bitcoin makes it less useful as a currency: If your Bitcoin keep going up in value, you should not spend them on sandwiches. Bitcoin as an appreciating asset will be a bad currency. Still, it worked well enough. Bitcoin is used enough for digital transfers of value that it became valuable, and early adopters got rich.

This is a key financial innovation of crypto:
Crypto built an efficient system to make the customers of a business also its shareholders.
Levine explains why this matters:
It’s hard to build a network-effects business from scratch. Early users of a network-effects business won’t get much out of it, because there’s no network yet. You might as well just wait until there are more users. The economics of crypto tokens reverse that. Early users of a crypto network get tokens cheap, and if the network takes off later, then their tokens will be worth a lot. Now there’s an advantage to being early.
But this has a major downside. The "shareholders" have two concerns. First, they are heavily invested in finding the Greater Fool to make their number go up and, second, they are worried that the Greater Fool might buy one of the multitude of other coins instead of theirs. Because even in good times the supply of Greater Fools is limited, and because the supply of alternative coins is effectively unlimited, this leads to the corrupt and toxic discourse so prevalent around cryptocurrencies. Examples include Bitcoin maximalists and the XRP army.

In practice I think Levine is wrong about how this works. It is possible that it would work for a coin used as a medium for trade, but even BTC isn't that. For the token of a "network-effects business" it doesn't work. Lets take the example of Helium Network, lavishly funded by A16Z. The idea was that the equivalent of miners would run WiFi hot-spots and be rewarded with HNT. Users of the hot-spots would buy HNT to pay for their use.

First, as the "price" chart shows, Helium was another of A16Z's List And Dump Schemes (down 92% from the peak). It turns out that almost all of these token-based systems turn out to enrich VCs and insiders at the expense of what Levine calls "the customers". For the details, see Fais Khan's "You Don't Own Web3": A Coinbase Curse and How VCs Sell Crypto to Retail. Especially in the "crypto winter", it has become hard to ignore this track record.

Second, the question is "who are the customers?". The hot-spot owners are the ones who get rewarded in HNT, but they aren't the customers of the service. They are more like employees, the ones doing the work that runs the service. The customers are the ones paying actual money into the scheme, the users of the hot-spots. They only briefly hold HNT and are thus not shareholders. In fact, to the customer the idea that the token's "price" would go up is a bug, not a feature. It represents the service increasing its prices.

There is a lot more in this chapter, including discussions of DAOs, blockchain-based identity, whether "uncensorable" is achievable, NFTs and the metaverse. It is all so good its hard to find parts to comment on, so I won't.

The remaining two chapters are shorter, so the follow-up post should be shorter too (I hope)

No comments:

Post a Comment