Vlad Zamfir – How to Create a Crypto-Economic Protocol From Scratch

Creating a crypto-economic protocol is hard, as we’ve discovered over the past year of writing the Crystal whitepaper. There are often non-obvious attack vectors, and closing those attack vectors can itself open up other attack vectors.

That’s why I was incredibly interested in Vlad’s talk at Devcon 2 about Correct-By-Construction Casper. Vlad hinted at a rigorous approach to creating provably correct crypto-economic mechanisms, and imagine my surprise when he gave an impromptu talk on crypto-economic mechanism design at the Ethereum Silicon Valley Meetup.

If you’re unaware of what mechanism design is, it’s often referred to as “reverse game theory”: game theory is about choosing the best moves in a given game, whereas mechanism design is about creating a game, given the moves you desire.

The basic idea that Vlad built on in his talk is that cryptography is the part of your mechanism that ensures the integrity of past moves, and economics is the part of your mechanism that ensures you’ll take the proper future moves.

This can be boiled down into a six-step process for creating crypto-economic mechanisms:

  1. Assume an oligopolistic setting: low coordination costs between the people in charge of the protocol, high coordination costs between users.


    This removes Schelling-points as an option for a coordination scheme.

  2. Figure out the desired behavior of all actors in this setting.


    Vlad made a distinction between trying to produce proper outcomes, and trying to produce behavior that produces proper outcomes. He thinks the latter is much easier.

  3. Add economic motivators like rewards, escrows, equity, etc. to every actor that may have misaligned incentives relative to the above behaviors.

  4. Create economic rules around the above mechanisms that discourage the following behavior:

    • Invalid Protocol Messages: Giving information that is untrue or invalid.

    • Failure to Produce Protocol Messages: Not taking your proper part in the protocol.

    • Omission of Protocol Messages: Failure to let the network know about messages you’ve seen (censorship).

    • Equivocation: Failure to choose a single definition of the truth.


  5. Add cryptography to ensure the integrity of all data from the past.

This process seems basically correct, but also looks easier than it is in practice. Not only do you have to determine economic and cryptographic schemes that can satisfy all these requirements, but you also have to do that while taking into account practical computation limits.

I also wonder how DoSing fits into Vlad’s scheme above. It’s a peculiar form of omission where you can’t tell who is doing the omitting.

Casper seems to deal with this right now by just punishing everyone, but that seems to open a class of outside attacks. If I want the protocol to fail I can quickly bring it to its knees by just DoSing a few people, thus making everyone lose money until it’s unprofitable for them to secure the network. This type of griefing attack isn’t just theoretical, as we’ve seen with the recent attacks on Dyn and Ethereum.
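As an added illustration (not from the talk or the original post), the sketch below classifies three of the step 4 fault types over a constructed message log and separates faults provable from a validator's own signed messages from silence, which, as the DoS discussion above notes, does not identify who is responsible. HMAC stands in for a digital signature scheme, and the validator names, keys and the `blk-` validity rule are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed validator keys; HMAC stands in for a real signature scheme.
KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
PROVABLE = {"invalid", "equivocation"}  # backed by the offender's own signed messages

def sign(validator, height, block):
    msg = f"{validator}|{height}|{block}".encode()
    return hmac.new(KEYS[validator], msg, hashlib.sha256).hexdigest()

def classify_faults(messages, validators, heights):
    """Map each validator to its fault labels, given (validator, height, block, sig) tuples."""
    faults = defaultdict(set)
    seen = defaultdict(set)  # (validator, height) -> authenticated block ids
    for validator, height, block, sig in messages:
        if validator not in KEYS:
            continue
        if not hmac.compare_digest(sig, sign(validator, height, block)):
            continue  # unauthenticated: cannot be attributed to the named validator
        if not block.startswith("blk-"):  # hypothetical validity rule
            faults[validator].add("invalid")
        seen[(validator, height)].add(block)
    for validator in validators:
        for height in heights:
            blocks = seen[(validator, height)]
            if len(blocks) > 1:
                faults[validator].add("equivocation")  # two signed values, one slot
            elif not blocks:
                faults[validator].add("silent")  # absence: offline, censored or DoSed
    return dict(faults)

def slashable(faults):
    """Validators with at least one fault provable from their own signatures."""
    return sorted(v for v, labels in faults.items() if labels & PROVABLE)

# Constructed log: alice equivocates at height 1, bob signs an invalid block,
# carol's height-1 message carries a forged signature and is discarded.
LOG = [
    ("alice", 1, "blk-a", sign("alice", 1, "blk-a")),
    ("alice", 1, "blk-b", sign("alice", 1, "blk-b")),
    ("alice", 2, "blk-c", sign("alice", 2, "blk-c")),
    ("bob", 1, "junk", sign("bob", 1, "junk")),
    ("bob", 2, "blk-c", sign("bob", 2, "blk-c")),
    ("carol", 1, "blk-a", "forged"),
    ("carol", 2, "blk-c", sign("carol", 2, "blk-c")),
]
VALIDATORS, HEIGHTS = ["alice", "bob", "carol"], [1, 2]
```

Only `alice` and `bob` come out as slashable: their faults are evidenced by messages they signed, while `carol`'s missing message looks the same whether she went offline or was kept off the network.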

Vlad made a point in his talk that you need to prove your mechanism under multiple behavior models (other than Nash equilibrium), but to me that seemed to miss the point. Game theory is one lens through which to view behavior, and I think formally proving Nash equilibria is enough to satisfy that you’ve made that lens. Proving another incomplete game-theoretic behavior model won’t then somehow show that you’re immune to problems.

Instead, the approach I would recommend is a mental models approach, in which formally proving Nash equilibria checks one box, but there are other heuristics which can increase or decrease your confidence in the real-world correctness of a protocol. A surprisingly great book for these types of heuristics is Building Successful Online Communities: Evidence-Based Social Design, by Robert Kraut and Paul Resnick, and I’m of the opinion that it should be on every crypto-economist’s bookshelf.

Crypto-economics is a new frontier, and opens up the possibility to solve long-standing problems in mechanism design like the Byzantine Generals’ Problem or Arrow’s Impossibility Theorem. I’m glad we have people like Vlad pushing the state of the art forward, and hope to see more standardization of crypto-economic methods over the coming years.


