A significant challenge intrinsic to various forms of consensus architectures is that while they can be engineered to be resilient against adversaries or collusions up to a certain threshold, should an attacker amass sufficient power, they remain fundamentally vulnerable. In a proof of work framework, if assailants possess less than 25% of mining capabilities while all other participants are non-colluding and rational, it can be demonstrated that proof of work is secure; conversely, if an attacker grows substantial enough to prevail, then the costs associated with the attack become negligible—leading other miners to have a vested interest in supporting the assault. As we observed, SchellingCoin is exposed to a so-called P + epsilon attack when faced with an assailant willing to bribe a sufficiently large sum, and is easily manipulable by a controlling majority attacker much like in proof of work.
An inquiry that we might pose is whether there is a possibility of improvement. Especially if a pseudonymous cryptocurrency such as Bitcoin triumphs, and arguably even if it fails, there certainly exists some obscure venture capital sector prepared to invest the billions required to execute such assaults, provided they can confidently anticipate swift profits from their endeavors. Therefore, what we ideally need are cryptoeconomic mechanisms that are not solely stable, in the sense that there is a considerable threshold of minimum “magnitude” an attacker must possess, but also unexploitable—although we can never fully ascertain all the extrinsic methods one could profit from assaulting a protocol, we aspire to ensure that the protocol provides no intrinsic potential for profit through an attack, and ideally imposes a maximally high inherent cost.
Certain types of protocols offer such potential; for instance, with proof of stake, we can penalize double-signing, and even in the event of a successful hostile fork, participants in the fork would still forfeit their deposits (note that to achieve this effectively, we need to incorporate a specific rule stating that forks that do not include evidence of double-signing for a designated duration are deemed invalid). Regrettably, for SchellingCoin-style mechanisms in their current state, such a possibility does not exist. There is no cryptographic means to distinguish between a SchellingCoin instance voting for the temperature in San Francisco being 4000000000’C because it genuinely is that hot, and one that votes for that temperature due to an assailant bribing individuals to do so. Voting-based DAOs, lacking a corresponding form of shareholder regulation, are susceptible to attacks where 51% of participants collude to appropriate all of the DAO’s assets. So what can be done?
Between Truth and Lies
A crucial characteristic shared by all these mechanisms is that they can be characterized as being objective: the protocol’s functioning and consensus can be perpetuated at all times using merely nodes that possess nothing but the entire set of data published and the protocol’s rules themselves. There is no requisite “external information” (e.g., recent block hashes from block explorers, specifics regarding certain forking events, knowledge of external realities, reputation, etc.) necessary for securely interacting with the protocol. This contrasts with what we will refer to as subjective mechanisms—those that require external information to securely engage with them.
When multiple tiers of the cryptoeconomic application stack exist, each tier can independently be objective or subjective: Codius facilitates subjectively determined scoring of oracles for smart contract validation atop objective blockchains (as each user must individually ascertain whether a specific oracle is reliable), and Ripple’s decentralized exchange offers objective execution over a primarily subjective blockchain. Generally, however, cryptoeconomic protocols to date strive to be as objective as possible.
Objectivity has frequently been celebrated as one of the principal attributes of Bitcoin, and indeed it offers numerous advantages. However, simultaneously, it can also be a drawback. The core dilemma is as follows: as soon as you attempt to introduce something beyond the cryptoeconomic realm—be it real-world currency rates, temperatures, events, reputations, or even time—from the external world into the cryptoeconomic domain, you are trying to forge a connection where none previously existed. To illustrate this issue, contemplate the following two scenarios:
- The truth is B, and the majority of participants are truthfully adhering to the standard protocol that determines the truth is B, but 20% are attackers or accepted a bribe.
- The truth is A, but 80% of participants are attackers or accepted a bribe to feign that the truth is B.
From the protocol’s standpoint, these two situations are entirely indistinguishable; between truth and lies, the protocol is exactly symmetrical. As a result, epistemic takeovers (the assailant persuading others that they’ve convinced everyone else to support an attack, potentially flipping an equilibrium at zero expense), P + epsilon assaults, profitable 51% attacks from extremely affluent individuals, and so forth, all come into play. Although one might initially conclude that objective systems, relying solely on information furnished by the protocol, are straightforward to analyze, this array of issues reveals that to a substantial extent, the reality is quite the opposite: objective protocols are susceptible to takeovers—and potentially costless takeovers—while standard economics and game theory are inadequately equipped to assess equilibrium shifts. The closest approximation we currently possess to a scientific discipline that attempts to analyze the complexity of equilibrium shifts is chaos theory, and it will be fascinating when crypto-protocols begin to be promoted as “chaos-theoretically guaranteed to safeguard your grandma’s funds.”
Thus, we turn to subjectivity. The strength of subjectivity stems from the fact that concepts such as manipulation, takeovers, and deceit—often undetectable or in some cases even indefinable within pure cryptography—can be comprehended by the human community surrounding the protocol quite effectively. To illustrate how subjectivity may function in practice, let us jump directly to an example. The example provided here will outline a new, third, hypothetical form of blockchain or DAO governance, which can be instrumental in complementing futarchy and democracy: subjectivocracy. Pure subjectivocracy is defined quite simply:
- If all parties consent, proceed with the collective decision.
- In the event of a conflict, say between choice A and choice B, bifurcate the blockchain/DAO into two branches, with one branch implementing choice A and the other executing choice B.
All branches are permitted to coexist; it is left to the surrounding community to determine which branches they find significant. Subjectivocracy represents, in a manner, the ultimate non-coercive style of governance; no individual is ever compelled to endure a scenario where they do not get their preferred outcome, the sole caveat being that if your policy inclinations are unpopular, then you will find yourself on a branch with just a few others willing to engage with you. Perhaps, in some advanced society where nearly all resources have taken a digital form and everything tangible and beneficial is too inexpensive to meter, subjectivocracy could emerge as the favored governance method; but until that time arrives, the cryptoeconomy appears to be an ideal initial application.
As another illustration, we can also examine how to implement subjectivocracy in SchellingCoin. First, let us articulate our “objective” rendition of SchellingCoin for contrast:
- The SchellingCoin system is linked to a sub-currency.
- Individuals have the capacity to “join” the system by acquiring units of the currency and placing them as a security deposit. The weight of participation correlates with the deposit’s magnitude, as is customary.
- Individuals can pose a question to the system by paying a predetermined fee in that system’s currency.
- For any given question, all participants within the system cast their votes either A or B.
- Everyone who aligns with the majority receives a portion of the question fee; all those who voted against the majority gain nothing.
It is important to note that, as referenced in the article on P + epsilon attacks, there exists a refinement by Paul Sztorc in which minority voters forfeit some of their tokens, and the more “disputed” a question becomes, the more tokens minority voters relinquish, even to the extent where at a 51/49 split, minority voters lose all their tokens to the majority. This effectively elevates the threshold for a P + epsilon attack. Nonetheless, raising the threshold is not entirely satisfactory; we are focused on achieving zero exploitability (once more, we formally define “exploitability” as “the protocol provides inherent opportunities for lucrative assaults”) altogether. Therefore, let’s explore how subjectivity could assist. We will omit unchanged aspects:
- For any given question, all participants in the system cast votes either A or B.
- If all parties consent, proceed with the collective decision and reward everyone.
- In the event of a dispute, divide the system into two on-chain branches, where one branch behaves as if it chose A, rewarding all who voted A, and the other branch acts as if it chose B, rewarding all who voted B.
Each version of the system possesses its own sub-currency and can be engaged with independently. It is up to the individual to choose which branch is more worthy of inquiry. The premise is that if a division occurs, the branch reflecting the correct answer will see an increased stake from those advocating for the truth, while the branch reflecting the incorrect answer will see an increase in stake from those misrepresenting, and users will hence favor asking questions in the branch where truth-seekers have a greater impact.
Upon close examination, this reveals itself as merely an ingenious formalization for a reputation system. The system primarily records the votes of all participants, allowing each user wishing to make an inquiry to review the history of each respondent and subsequently select which cohort of participants to approach. A rather mundane, conventional, and seemingly not particularly cryptoeconomic method of addressing the issue. Now, where do we head next?
Transitioning To Practicality
Absolute subjectivocracy, as outlined previously, encounters two significant challenges. Firstly, in most practical scenarios, there are simply too many decisions to make for it to be feasible for users to determine which branch they wish to be on for each decision. To mitigate overwhelming cognitive burdens and prevent storage overload, it is critical for the collection of subjectively-determined decisions to be kept as minimal as achievable.
Secondly, if a particular user lacks a strong conviction regarding how a specific decision should be resolved (or alternatively, does not know what the rightful choice is), then they will struggle to identify which branch to follow. This challenge is especially pronounced within a category that may be termed “very uninformed users” (VUUs) – think not of Homer Simpson, but Homer Simpson’s refrigerator. Instances include internet-of-things/smart property applications (e.g., SUVs), other cryptoeconomic mechanisms (e.g., Ethereum contracts, distinct blockchains, etc.), hardware devices governed by DAOs, independently functioning autonomous agents, etc. In summary, machines that possess (i) no means of obtaining updated social information, and (ii) no intelligence beyond simply adhering to a predetermined protocol. VUUs are present, and it would be beneficial to devise a method of managing them.
The initial problem is, surprisingly, essentially isomorphic to another well-known issue: the blockchain scalability problem. The task is precisely the same: we aim to achieve a level of strength analogous to all users performing a certain type of validation on a system, but without necessitating that degree of effort being exerted each time. And in blockchain scalability, a recognized solution exists: try utilizing less intense strategies, like randomly selected consensus groups, to address problems by default, relying on full validation only as a contingency to be employed if a warning has been triggered. Here, we will employ a similar strategy: aim to utilize traditional governance to settle relatively non-controversial matters, using subjectivocracy as a fallback and last-resort incentive.
Thus, let us define another alternative version of SchellingCoin:
- For any given inquiry, all participants in the system vote either A or B.
- Everyone who voted with the majority receives a share of the question fee (which we will refer to as P); all who opposed the majority gain nothing. However, deposits become inactive for one hour following the conclusion of voting.
- An individual has the capacity to place a significantly large deposit (let’s say, 50*P) to “sound the alarm” on a specific question that has already been voted on – effectively, a wager indicating “this was wrongly conducted”. If this occurs, the mechanism bifurcates into two on-chain branches, with one answer selected on one branch and the alternate answer on the other branch.
- In the branch where the selected answer matches the initially voted answer, the alarm initiator forfeits the deposit. Conversely, in the other branch, the alarm initiator receives a reward of 2x the deposit, funded by the deposits of incorrect voters. Moreover, the rewards for all other respondents become more pronounced: “correct” respondents receive 5*P while “incorrect” respondents lose 10*P.
Assuming an extremely generous premise whereby, in the case of a split, the incorrect branch rapidly diminishes and is disregarded, the (partial) payoff matrix begins to resemble the following (assuming the truth is A):
| | You vote A | You vote B | You vote against consensus, sound the alarm |
| --- | --- | --- | --- |
| Others predominantly vote A | P | 0 | -50P - 10P = -60P |
| Others primarily vote A, N >= 1 others sound alarm | 5P | -10P | -10P - (50 / (N + 1)) * P |
| Others mainly vote B | 0 | P | 50P + 5P = 55P |
| Others mainly vote B, N >= 1 others sound alarm | 5P | -10P | 5P + (50 / (N + 1)) * P |
The strategy of voting with the consensus and sounding the alarm is evidently self-defeating and foolish, hence we will exclude it for conciseness. We can evaluate the payoff matrix employing a fairly conventional repeated-elimination strategy:
- If others predominantly vote B, then the strongest motivation is for you to sound the alarm.
- If others mainly vote A, then the strongest motivation is for you to vote A.
- Therefore, each individual will never choose B. Hence, it stands that everyone will opt for A, and thus everyone’s motivation is to vote A.
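The matrix and the elimination argument above can be checked mechanically. The following is an added example, not code from the original article: it derives each cell from the stated rules (fee P, 50P alarm deposit, 5P / -10P after a split) and then removes actions that are never a best response. The function names and the `max_other_alarms` bound are assumptions made for illustration.

```python
from fractions import Fraction

TRUTH = "A"                    # the page's matrix assumes the truth is A
ALARM_DEPOSIT = 50             # alarm deposit, in units of the question fee P
ACTIONS = ("A", "B", "ALARM")  # ALARM = vote against consensus and sound the alarm


def payoff(majority, other_alarms, action):
    """Payoff in units of P on the surviving branch (wrong branch is ignored)."""
    raised = action == "ALARM"
    vote = {"A": "B", "B": "A"}[majority] if raised else action
    alarms = other_alarms + int(raised)
    if alarms == 0:
        # No split: plain SchellingCoin, majority voters share the fee.
        return Fraction(1 if vote == majority else 0)
    # Split: the branch matching TRUTH survives and pays the sharper rewards.
    total = Fraction(5 if vote == TRUTH else -10)
    if raised:
        # The page's matrix divides the 50P stake across the N + 1 alarm raisers.
        share = Fraction(ALARM_DEPOSIT, alarms)
        total += share if majority != TRUTH else -share
    return total


def best_responses(majority, other_alarms):
    """Actions with the highest payoff in one row of the matrix."""
    scores = {a: payoff(majority, other_alarms, a) for a in ACTIONS}
    top = max(scores.values())
    return {a for a, s in scores.items() if s == top}


def surviving_actions(max_other_alarms=3):
    """Repeated elimination over every scenario with 0..max_other_alarms alarms."""
    scenarios = [(m, n) for m in "AB" for n in range(max_other_alarms + 1)]
    ever_best = set().union(*(best_responses(m, n) for m, n in scenarios))
    if "B" not in ever_best:
        # Nobody plays a plain B vote, so a B majority can no longer form.
        scenarios = [(m, n) for m, n in scenarios if m == "A"]
    return set().union(*(best_responses(m, n) for m, n in scenarios))


if __name__ == "__main__":
    for majority in "AB":
        for n in (0, 1, 3):
            row = {a: str(payoff(majority, n, a)) for a in ACTIONS}
            print(majority, n, row, best_responses(majority, n))
    print("equilibrium:", surviving_actions())
```

Note that a plain B vote is not dominated by any single action; it is removed because some other action beats it in every row, which is the sense in which nobody ever chooses B.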
It is noteworthy that, in contrast to the SchellingCoin game, there exists a distinct equilibrium here, at least if we presume that subjective resolution functions appropriately. Thus, by depending on essentially game theory from the users rather than the voters, we have managed to sidestep the rather unpleasant array of complexities associated with multi-equilibrium games and instead have a more lucid analysis.
Also, it is significant to point out that the “sound the alarm by placing a bet” procedure is distinct from other methods related to fallback protocols that have been previously referenced in articles here regarding scalability; this new system surpasses and streamlines those other methods and can also be utilized in scalability theory.
The Public Function of Markets
Now, let us reintroduce our cars, blockchains, and autonomous agents into the discussion. The reason why Bitcoin’s objectivity is so esteemed is, to some extent, precisely because this objectivity renders it highly suitable for such applications. Therefore, if we aim to develop a protocol that competes effectively in this arena, we must also cater to these “very uninformed users” among us.
Enter markets. The fundamental insight behind Hayek’s specific variant of libertarianism in the 1940s, and Robin Hanson’s conception of futarchy half a century later, is the notion that markets are not solely present to connect buyers and sellers, but also to furnish a public service of information. A prediction market concerning a data point (e.g., GDP, unemployment, etc.) reveals the insights regarding what the market anticipates the value of that data point will be at some future juncture, and a market based on a commodity or service or token conveys to interested parties, policymakers, and mechanism designers how much the public appreciates that specific commodity or service or token. Consequently, markets can be perceived as a complement to SchellingCoin in that they, similar to SchellingCoin, serve as a conduit between the digital domain and the “real” realm – in this scenario, a conduit that illustrates just how much the real world values a given subject.
So, how does this secondary “public function” of markets associate here? In essence, the response is quite straightforward. Suppose there exists a SchellingCoin mechanism of the last type, and following a specific question two branches emerge. One branch asserts that the temperature in San Francisco is 20’C; the other branch claims that the temperature is 4000000000’C. As a VUU, what do you perceive? Well, let’s examine what the market perceives. On one side, you have a branch where the larger portion of the internal currency is governed by truth-tellers. On the opposing side, you have a branch where the majority is controlled by deceivers. Well, guess which of the two currencies commands a higher price in the market…
In cryptoeconomic terms, what transpired here? In simple terms, the market translated the cognitive prowess of the insightful users within what ultimately is a subjective protocol into a pseudo-objective signal that enables the VUUs to align with the correct branch as well. It is important to note that the protocol itself is not objective; even if the attacker successfully manipulates the market for a brief duration and significantly elevates the price of token B, users will still maintain a higher valuation for token A, and when the manipulator relinquishes control, token A will revert to being the dominant option.
Now, what are the resilience attributes of this market against an attack? As discussed in the Hanson/Moldbug debate on futarchy, in an ideal scenario, a market will consistently provide the accurate price for a token as long as the economic strength of the honestly participating users surpasses the economic weight of any specific colluding group of attackers. Should certain attackers artificially inflate the price, a motivation arises for other participants to exchange their tokens and for outsiders to come in and short it, in both instances generating an anticipated profit while simultaneously aiding in driving the price right back down to the accurate value. In reality, manipulation pressure does have some influence, but a complete takeover is only achievable if the manipulator can outbid all others combined. And even if the attacker does prevail, they pay a hefty price for it, acquiring tokens that ultimately become nearly worthless once the attack concludes and the fork with the correct result reasserts itself as the most valuable fork in the market.
Certainly, the preceding is merely a rough outline of how quasi-subjective SchellingCoin might function; in actuality, several enhancements would be necessary to deter asking ambiguous or unethical inquiries, managing linear instead of merely binary bets, and optimizing the non-exploitability characteristic. Nevertheless, if P + epsilon assaults, profit-driven 51% assaults, or any other type of attack ever truly become an issue with objective SchellingCoin mechanisms, the fundamental model remains ready as a substitute.
Listening to Markets and Proof of Work
Previously in this article, and in my initial post on SchellingCoin, I suggested a form of isomorphism between SchellingCoin and proof of work – in the original post reasoning that since proof of work is effective, so will SchellingCoin, and furthermore, because SchellingCoin presents issues, so does proof of work. Here, let’s delve into this isomorphism further in another direction: if SchellingCoin can be rescued through subjectivity, then perhaps proof of work can be as well.
The essential argument is this: proof of work, at its essence, can be perceived in two distinct manners. One perception of proof of work is as a SchellingCoin competition, an objective protocol where the participants that cast their votes with the majority receive 25 BTC while everyone else receives nothing. The alternative perspective, however, is to view proof of work as a sort of constant ongoing “market” between a token and a resource that can be measured entirely objectively: computational power. Proof of work represents an endless chance to exchange computational power for currency, and the greater the demand for acquiring units in a currency, the more effort will be exerted on its blockchain. “Listening” to this market simply consists of verifying and calculating the total amount of work.
Considering the description in the earlier section regarding how our improved version of SchellingCoin may function, you might have been prompted to suggest a similar methodology for cryptocurrency, whereby if a cryptocurrency undergoes a fork, one can observe the price of both forks on an exchange, and if the exchange assigns a significantly higher price to one fork, it suggests that fork is legitimate. Nevertheless, such a methodology possesses a flaw: ascertaining the authenticity of a crypto-fiat exchange is subjective, and thus this issue lies beyond the scope of a VUU. However, utilizing proof of work as our “exchange,” we can actually advance much further.
Here lies the equivalence: exponential subjective scoring. In ESS, the “score” that a client attributes to a fork relies not just on the total amount of work done on the fork, but also on the timing of the fork’s emergence; forks that emerge later are explicitly penalized. Consequently, the group of always-online users can recognize that a particular fork appeared later, and thus that it constitutes a hostile attack, which leads them to abstain from mining on it even if its proof of work chain accumulates a greater total work. Their motivation to do this is straightforward: they anticipate that the assailant will eventually surrender, and thus they will persist in mining and eventually surpass the attacker, reinstating their fork as the universally acknowledged longest one; therefore, mining on the original fork has an expected value of 25 BTC while mining on the attacking fork holds an expected value of zero.
VUUs that are offline at the moment of a fork will merely assess the total proof of work accomplished; this tactic is analogous to the “listen to the child with the superior price” strategy in our iteration of SchellingCoin. During an assault, such VUUs may, of course, be temporarily deceived, but ultimately, the original fork will prevail and so the assailant will have substantially paid for their treachery. Thus, the subjectivity once more renders the mechanism less exploitable.
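The difference between a client that watched the fork appear and one that was offline can be made concrete. This is an added example, not code from the original article, and the article gives no scoring formula: the multiplicative `DECAY ** blocks_late` penalty, the work figures, and all names below are assumptions chosen only to illustrate the behaviour described.

```python
from dataclasses import dataclass

DECAY = 0.95  # assumed penalty per block of lateness; the page gives no formula


@dataclass(frozen=True)
class Fork:
    name: str
    total_work: float   # cumulative proof of work on the fork
    blocks_late: int    # blocks by which it appeared after the fork seen first


def ess_score(fork):
    """Assumed ESS rule: total work discounted exponentially by lateness."""
    return fork.total_work * DECAY ** fork.blocks_late


def online_choice(forks):
    # An always-online client saw when each fork appeared and applies the penalty.
    return max(forks, key=ess_score).name


def offline_choice(forks):
    # A client offline during the fork has no timing data: total work only.
    return max(forks, key=lambda f: f.total_work).name


def timeline(honest_work=100, attacker_work=110, lateness=20, step=6, rounds=4):
    """Constructed scenario: the attacker releases a heavier fork late, then
    stops mining, while online miners keep extending the original fork."""
    attacker = Fork("attacker", attacker_work, lateness)
    history = []
    for i in range(rounds):
        honest = Fork("original", honest_work + i * step, 0)
        forks = [honest, attacker]
        history.append(
            (honest.total_work, online_choice(forks), offline_choice(forks))
        )
    return history


if __name__ == "__main__":
    for work, online, offline in timeline():
        print(f"original work={work:>4}  online->{online:<9} offline->{offline}")
```

The online client never leaves the original fork, while the work-only client follows the attacker for two rounds and returns once the original fork's total work passes it.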
Conclusion
Ultimately, what we observe is that subjectivity, far from being an adversary of rigorous analysis, actually simplifies many forms of game-theoretic examination of cryptoeconomic protocols considerably. However, should this type of subjective algorithm design gain acceptance as the most secure method, it carries profound implications. Primarily, Bitcoin maximalism, or any form of single-cryptocurrency maximalism in general, cannot endure. Subjective algorithm design inherently demands a type of loose coupling, where the higher-level mechanism does not truly control any assets of value belonging to a lower-level protocol; this condition is essential to permit higher-level mechanism instances to replicate themselves.
In fact, to enable the VUU protocol to function, every mechanism must encompass its own currency that would fluctuate with its perceived utility, necessitating thousands or even millions of “coins” to exist. Conversely, it may be feasible to specify a very particular number of mechanisms that indeed need to be subjective – perhaps basic consensus on block data availability validation and timestamping and consensus on facts, while everything else can be constructed objectively on top. As is frequently the case, we have not yet witnessed significant actual attacks occurring, and thus it may very well be a decade before anything akin to a final judgment is required.