Vitalik Buterin: Ethereum - MEV, Staking Derivatives and Privacy (EthCC 6) #505

Hi everybody, thanks for doing this. Good to be here.

I mean, it's definitely a little bit less euphoric now. But after the euphoria, you always have U5 and U6 and U7, and you just have to do a bunch of hard work. I feel like the hard work's actually been happening. From a dev perspective, we had the merge, then on the road to doing danksharding, ZK EVMs kind of actually exist. The decentralized or semi-decentralized end of Ethereum-based social media that I talked about at ECC two years ago kind of actually exists. Yeah, it does actually. I feel like a lot of stuff has been done. So I don't know, I feel satisfied.

I felt like it's serious. Or I guess kind of greater ECC is everything that's been happening in Paris this week did a good job of being coherent and well organized together. I remember last year there were a lot of cases where I had to Uber bike 25 minutes to go to some side events, and that happened multiple times. This time, everything is much closer together. There was a bigger selection of interesting stuff, and it seems fairly plain dealt to not interfere with each other too much. There's a lot of different things for different people. Obviously, the core ECC itself has expanded a bunch. You've taken over the neighbor building now, right? At least I saw that on the map. There's now two buildings and an extra day. It feels like it's doing a good job of scaling while at the same time not becoming terrible, which is a harder problem than it seems. But it seems like you're doing a good job of it.

Well, last week Justin told me about how you can do complicated ZK-SNARK protocols just using lookups, and I thought that was really cool.

It's a good question. It's never one thing; it's always a combination of a whole bunch of things. But the general impression I get is just ongoing progress in pretty much every area.

I have seen some. I saw Metallic Star for a couple of minutes.

Good question. I'm sure I will. I'm looking forward to hearing the things that have been announced while continuing to be in the process of helping to coordinate the whole account abstraction effort and researching, getting a better understanding of proof-of-personhood protocols, and doing a bunch of other stuff. But I will get to learning what the announcements are in acceptable time, I promise.

Yeah, it's a good question. It's definitely one that lots of people this week in various places have been talking a lot about. One of the big directions that we've been moving in for the last couple of months is the whole enshrined PBS thing. We've actually taken this market where proposers can basically auction off the contents of their block to other more specialized actors and put that whole thing into the core protocol so that we don't have to deal with the extra complexity and trust requirements of things like relays. That is interesting and going to be important. There's the whole question of what the market will look like on the builder side. I feel like you'll have monolithic builders or builders and searchers coordinating with each other, or something else. For that, I don't know; I guess we'll see. The cross-domain MEV issue is interesting. That was always described as the big reason why you might need to share proposal infrastructure across different domains and why you might need even more complicated MEV constructions. I feel like there's some probability that's true, and there is some probability that it just turns out not to be a problem. The intuition for why would be that MEV involving a price discrepancy between Arbitrum and Optimism can always be decomposed into a separate price discrepancy between Arbitrum and Binance and the price discrepancy between Optimism and Binance. So you don't actually have to be on both chains; you just have to be on one chain and on Binance. That's always been the theoretical argument for why it might matter less than it theoretically seems. But I don't know. It's possible that in two years, the centralized exchanges will all be either banned or dead for various reasons, or they'll just fail and be outcompeted. Even if you want to be on the bright side, price discovery itself would happen on-chain, in which case that would look even more different. I think it's important still to keep an open mind to future possibilities of how the market turns out and try to create infrastructure that's as robust to those different possibilities as possible.

I've never been much of a finance guy in the sense that I honestly don't give a damn if the trading spreads for a million dollars of ETH-USDC are 0.2% or 0.43%. My biggest concern is whether this creates an externality that will accentuate staking centralization. If it creates incentives by which larger stakers are benefited disproportionately from smaller stakers, that creates pressure to create bigger staking pools, pressure to join existing ones, and might even create pressure for the decentralized staking pools to become less decentralized. It creates all kinds of nasty effects. This is all part of a larger picture, because the MEV ecosystem is not the only thing threatening staking decentralization. The existing bad user experience of staking as it exists today, which can only be improved with improvements to technology and better code and interfaces, there is the whole restaking issue, the whole issue of using stake as collateral, and the whole question of whether staking large amounts can be safe and whether that involves distributed validators. There are all of those concerns, and I feel like the MEV ecosystem is only one of them. So I really hope that we can continue to make a highly decentralized staking ecosystem possible, and it's important to recognize all of the pressures that might be going against that and do as good a job as we can of addressing them.

I think maintaining decentralization will require incentives other than in-protocol hard-coded incentives. The morals of ecosystem participants is one example. Another example of things that can cause more decentralization is sometimes regulatory pressure causes it. Sometimes if protocols end up having things like public goods funding, then that funding can intentionally subsidize everything but the largest staking pool. So there definitely is a possibility that hard-coded stuff is not enough and we have to start actively doing more soft-coded things.

The challenge with that is you would have to have some kind of trust system involving who is allowed to participate. From the point of view of an attacker who wants to break the chain, that attacker would of course want to join this system. If they join, they would be able to use the thing as collateral, take out some other stuff, and they would not suffer the full cost of being slashed anymore. If they're able to do that, then attacking the protocol becomes much cheaper. In that case, the staking protocol itself is going to end up losing a lot of money. All the honest participants would. So you would need to have some off-chain way of filtering out bad guys. One way to frame it is to let good guys in and don't let bad guys into a staking protocol. Another way is to put a max on the participation per person, because an attacker is likely not going to be 10,000 people. Then the totally other possibility is if there's some change to staking economics that we haven't understood yet. Justin is a big fan of one-time signatures, for example. Right now it's utopian far-out cryptography, but five years ago ZK VMs were utopian far-out cryptography. One-time signatures are a quantum technique that allows you to create a key where for every nonce you're only able to make one signature, because when you make your first signature, that actually destroys the superposition so you're not able to sign any other message.

The significance is that it makes double spending or self-slashing inconsistency literally impossible.

Oh, totally. But how would that impact the staking ecosystem? Because you would literally not be able to sign two conflicting blocks. So if a block gets finalized, whoever finalized it would totally not be able to find a conflicting one. The advantage would be there's no slashing needed. If it's used on-chain or off-chain, then you as a staker would be able to use this key scheme and prove to other people that you're not slashable, so everyone would accept you in their pool. But one thing to note is that self-contradiction is one way to get slashed, but the other way to lose your money is inactivity leaks. Sometimes making yourself more defensible against one sort of weakness weakens your ability in the other case. You have to make sure you have both covered.

It's a good question. I think just telling people not to do stuff doesn't work. We should work harder to make versions of these things that have the properties we want, and possibly make some trade-offs until we're ready with the technology to do them fully properly, but try to provide those properties. With one-time signatures, the utopian thing is the quantum stuff. A thing today that makes trade-offs would be keys and trusted hardware. You could imagine a system where stakers are only allowed to join a staking pool if you put your key in a trusted hardware module that prevents you from signing two conflicting messages. Another option is to look at all the major applications of LSTs and create alternatives, or help the existing ones design themselves in a way that's still staking-friendly.

I think we can admit that we don't fully know what the desirable outcome is yet. The scenarios to avoid: one is if Lido governance ends up dominating, and governance could get attacked. Another is if the smart contract system has a bug. A third would be if Lido governance tries throwing its weight around in some protocol decision. If Lido goes one way and the rest of the community goes the other way, the researchers are fully intent on stamping their foot down and saying no, we're doing this. If 64% of the stakers disagree but the community agrees, then the 64% of the stakers are just going to go into inactivity leak themselves. There's a strong willingness among the people I've talked to to let the too-big-to-fail people fail. I don't mean a hard fork targeted to abort these systems; I'm against social slashing. But if there's a hard fork on some governance issue that's controversial for other reasons, like if the community is more on the cypherpunk side and wants to preserve strong privacy and anti-censorship, and it so happens that dominant ETH holders end up being BlackRock types who submit to the will of governments, and a hard fork comes along with EIPs that improve censorship resistance, and large ETH holders are against it and try to coordinate against it by doing proof-of-stake 51% attack stuff, then they'll be ignored. There's a strong consensus among the developers, researchers, and community people I've talked to about that.

It's a good question, and it is something that I worry about. I've been pushing hard for privacy protocols to continue to be developed. There's definitely a big need for this stuff to happen. Even just zooming out beyond the crypto space, we're in a situation where stuff all around the world is being rapidly digitized, and a lot of the time that digitization comes with forms of privacy that our civilization has had for thousands of years just suddenly being erased within a decade. We saw examples of that during COVID, in the context of the whole cashless society transition that a lot of governments are pushing, with CBDCs potentially being a part of that, the proliferation of KYC for a whole bunch of use cases. Huge amounts of privacy are very quickly being lost, and no one is really presenting an alternative. The place where the crypto community really shines is that it actually can provide a credible alternative with enough execution power to actually execute on it, but it needs to actually do that. Examples of that are payments, where we need to solve the most basic payments privacy problems first. Over the last couple of years, the whole Tornado Cash situation happened. There are definitely people who were scared off from participating in privacy protocols entirely, which I think is a huge overreaction. Even if we look at the law itself, there are lawsuits against the government's ability to do what they did. More generally, zero-knowledge proof technology creates a lot of opportunities to create privacy protocols that are even stronger and better for everyone in a lot of respects. One very simple example is the proof of innocence approach that Chainway, a lovely company from Turkey, created. Solomoni has been a fan of it, and lots of other companies. Basically, when you are withdrawing from a Tornado Cash type system, you would be able to specify which subset of deposits your withdrawal came from, and you would be able to say, "Hey, I'm a participant in this scheme, and by the way, I am not one of these 35 recognized DeFi hackers." If you make that a default, then almost everyone will be excluding the 35 DeFi hackers, and the 35 DeFi hackers end up having a much tinier anonymity set. There are techniques like this which are being actively worked on, and I think we really should be working on them a lot more. Right now on Ethereum, this stuff is happening more at the application layer. One of the big reasons not to do that on base layer right now is because we just don't know enough about the underlying technology for it to solidify that much. All these schemes use ZK-SNARKs, and we don't even agree among the experts whether Nova is the future, or whether 64-bit Goldilocks STARKs are the future, or whether the lookup singularity is the future. Which technology stack are you even going to use?

It's a good question. I feel like in some ways, this resignation about privacy mirrors the resignation toward biological death from aging. People end up thinking it's fine because they don't see a viable alternative in front of them. The alternative has to present itself in a way that does not require massive sacrifices of inconvenience. It's about making the comparison between privacy and aging here intentionally. There's a meme on Twitter that these people are getting up in the morning and having their 84 minutes on us at 67.2 degrees, then eating 500 pills and 325 milliliters of vegetable pudding. You're living longer, but what kind of life do you have? In a lot of these idealistic things, there is a big dimension of turning people off by putting front and center the options favored by the geeks that involve huge amounts of work. The real solution is that for this stuff to be adopted, it has to be affordable in terms of money and time, and it has to be automatic and the defaults. I am fully on board with privacy becoming automatic and a default in the Ethereum ecosystem. I don't think that involves privacy being on layer one, because the default isn't the chain; the default is the wallets. If you have major wallets that support it, then users can go and send things through privacy contracts.

Identity is a complicated word because it mixes at least four different problems into the same concept. There is identity in the sense that I prove that I, the entity that did this previous action some time ago, also did this action. That's the most basic form of identity, like a cryptographic key. Then there is identity in the sense of attesting specific things about someone else, which could be a web of trust or centralized versions, and that starts getting into things like government KYC, which is probably big enough to be a third category. Then there is the unique proof of personhood problem, where you care about someone being a human and not a bot, but you don't mind exactly which human you are, and you're trying to keep that private. There's a whole range of things that people put in the identity box. There are roots of authentication: if you lose your account for one service, what service do you use to recover it? A lot of the time that's been Google, Twitter, WeChat, or phone numbers. In that case, centralized alternatives are actually pretty terrible. There's a culture of using phone numbers for things by default, but SIM swapping attacks happen all the time. Even Google accounts, if you lose your password, theoretically centralized services are better because you can call the company and get it back, but in practice, I've personally known people who have tried and literally failed. The way I look at this is that we in the crypto space should be ambitious in the sense of trying to create a separate stack, an alternative to the centralized tech stack to the same level of depth that in China there is a Chinese tech stack, except in this case instead of being more centralized, it's less centralized. You have to replace Google with Ethereum, replace PayPal with crypto payments, put in actual privacy solutions, replace KYC with your favorite proof of humanity. Actually be ambitious and build that stack. Identity is a big part of that. That will be able to both solve problems within the crypto space that we sometimes use the word identity to describe, but also hopefully serve as a demonstration to the wider world of all of these technologies working together in a coherent way and solving those problems in a way that actually protects privacy. One example is from the pop-up mini city we did in Montenegro in the spring. One of the applications we worked on was called Zupass. I can actually take it out and show it for our video listeners right now. I gotta switch to my profile because that's on Gnosis West, which takes five seconds, but it's still more convenient than I expected. Open up the app, zupass.org, and one two circles rotating. This is a QR code. This QR code is a zero-knowledge proof, a ZK-SNARK, I believe Groth16, but I'm not exactly sure; it could be a PLONK proof or something else too. This proof proves that I am one of the residents of Zuzalu without revealing which one. This is all done within this nice, really convenient application. It has a QR code, and even security guards with one hour of training or less can scan it and verify it. There's an online component; you can use this to log into websites. There's a system called Zupool where you could use this to do anonymous voting. Only people authorized by the system can vote, but nobody, not even the operator of the system, can tell which specific person made which specific vote, because ZK-SNARKs break that link, but they preserve the property that only authorized people can vote and voters can only vote once. This is basically a small-scale e-government solution. It was applied to about 500 people. The next step is to apply something like this at Ethereum conference ecosystems, which is ten thousand, and then can we go up from there to small countries and get up to a million. There is an opportunity for the community to work together and actually demonstrate this whole stack working. To be clear, this is not going to happen just because of economic incentives. I'm not expecting more than 5% of ECC attendees to be willing to put significant amounts of effort into highly inconvenient applications just because this stuff is cool and ideologically important. I'm expecting groups of developers who tend to be passionate about these causes to build things, and for the ecosystem to adopt it. Once these kinds of things become adopted and become defaults, then more and more people can start participating. It's not just an annoyance you accept because you value privacy that much; it's also a cultural thing. We need to make all of these privacy solutions an important and cool part of the good side of crypto culture. At the same time, in the protocol with payments, there's a huge amount of technical work left. A lot of this stuff is only viable on L2 because of transaction fees, so users have to actually move to layer two. Fortunately, a lot of these privacy systems are already launching on layer twos now. It feels like things are moving in a good direction, and there is momentum, but that momentum definitely needs to be created and maintained. If the people who could maintain that momentum don't, then things could very easily slide into being a lost opportunity, which would be really tragic. We could totally end up in a no-privacy world 15 years from now, so hopefully we don't.

There's a lot of things that are valuable in communities that start online and then materialize offline, which could be temporary or even permanent. There's just a lot of things that become easier to do when there is an actual in-person community that does them together. The easiest example is universities. People have been excited about using Coursera to displace in-person universities for 15 years. I remember when the first MOOCs were coming out; I literally participated in the very first ones on machine learning and artificial intelligence by Professor Sebastian Thrun and Andrew Ng. 10 years later, that's partially happened, but there's still a large extent to which it hasn't. Part of that is the old world being credentialist and slow-moving policies, but there is definitely a large component that in-person learning has all kinds of advantages. It's a very disciplinary environment where everyone around you is pursuing the same cause. A journalist from Mars would possibly describe it as a cult, yet it's super effective in a lot of contexts at teaching people. If you're having trouble with problem number 17, you can go talk to your friend or your professor; those options exist by default. Another good proto-example is Linux, especially in the good old days of the 90s, before it started taking a mainstream path. Linux was intense, and you needed to be intense to be a Linux person, but they had in-person user groups in many cities. If you had a problem and you were earnestly trying to become a Linux person, you could go and they'd actually help you figure things out. Creating environments like that, where things can be tested out not just by separate individuals but inside a community, and you can run through the full workflow and make sure everything works. Similar to how we used Zupass and Zupool, it's not just a bunch of separate people who can vote; it's an actual community where people make polls, vote on polls, talk about the results, and things happen because of the results. If something spicy happens in the polls, people know about it and talk about it. You get a much more holistic picture of all the good things, all the bad things, all the frustrating things. A few months ago, it would take 15 seconds to load the QR code, and it wasn't fast enough for me to get verified by the security guard. I complained, and two days later they said they used some newer browser technology, and now things are much quicker. Zupass is the beginning. I would love to try out a whole bunch of other cool stuff. We need to make crypto payments come back. Remember back in 2013, there was big enthusiasm about Bitcoin payments. When I started my Bitcoin nomadding tour visiting the Northeastern US, mainly New Hampshire because all the fun libertarians were there, but also Boston, there were exactly two places that accepted Bitcoin: Thelonious Monkfish and the River Veggie Galaxy. I'm not sure whether these two still accept Bitcoin or even still exist. I took pilgrimages to these places. In Berlin, there was a thing called Bitcoin Kiez, where they convinced a whole bunch of restaurants in a small region of Kreuzberg to accept Bitcoin at the same time. We'd go on pilgrimages to Room 77, which was the most famous one. I think the founder is right here. Room 77 is closed now, but the guy who started that whole thing also created the first mobile wallet for Bitcoin because he wanted to pay with his phone in Room 77. That stuff is cool. Now that we have layer twos and cheap payments are again on the horizon, the benchmark I gave that the internet of money should not cost more than five cents a transaction. First people thought it was a joke, but now even back in 2020, Loopring made a payment-specific ZK-rollup where the transaction fee actually was lower than five cents. If you make something payment-specific, you can make it really simple, use compression like indices, and make payments only 16 bytes total, which is a tiny amount of calldata. I want to do more of these cool things and have communities to be able to do more of these cool things, and make real progress and level up much faster.

I did not. Please tell me about it.

You forgot the really cool part: if the payment terminal accepts Gnosis Pay, the payment is a crypto payment. So you can do a native P2B transfer. I think that's super cool. We should do more of it.

It's good to talk a bit separately about chains and ecosystems. Bitcoin is an ecosystem that basically has Bitcoin and maybe Liquid. Ethereum has Ethereum and everything which aspires to be in the same security zone as Ethereum, which means it reverts if Ethereum reverts, or it doesn't make progress until Ethereum finalizes, and it would have to hard fork if Ethereum hard forks. Then there are other ecosystems. Cosmos is trying to be an ecosystem and do a lot of shared security. It feels to me like there will be consolidation between ecosystems. I don't expect a large number of meaningful totally independent things happening. I do expect a lot of chain interoperability within Cosmos, because that's what IBC promotes as a way of moving around Cosmos land. The main technical differences between these are security, especially in extreme circumstances like a 51% attack. How much breaks? Another is what happens if one of these things makes a governance decision that implies a cascade of other governance decisions, or does that mean there needs to be some kind of multi-sig bridge that relays the governance decision to other ecosystems? These different properties have different trade-offs. You could have more adaptability or more shared security, or find ways to move a little bit more on the shared security spectrum but sacrifice a little bit of adaptability. It's an interesting technical discussion. But only part of the problem is technical; the other part is a question of which ecosystems are successfully able to survive and grow over time. One interesting thing I've been thinking about is that currently the interoperability discussion is very much happening at the lower protocol or state layer. If you look at the way interoperability happened between Mac OS, Windows, and Linux, it wasn't at the application layer; it happened because of the web. We created interoperability of applications at a higher layer of the stack. I wonder if this vision of interoperability with IBC, state cross-chain state verification and transport layer, actually ends up happening, or if we just end up having interoperability at the smart contract application layer. I made a similar point one and a half years ago, where I argued against bridges and in favor of DEXs. I think that's totally fine. We don't want to create links that turn into something ugly if something on one side goes badly. There's a lot of value you could get from that kind of interoperability. The question is what do you not get? Every asset is homed in one ecosystem, and if you want to use it in another ecosystem, you need to have an actual client of that ecosystem. That's fine. There are multi-chain wallets. As soon as wallets of any of these ecosystems become standardized and become libraries, someone will have a wallet that includes a copy of all of them. If you want to move from one to the other, you use DEXs. If you want to use a DeFi thing, there will be a copy of every important thing in each of those ecosystems. That's fine. In a lot of ways, I think it's a totally okay way to do things.

Good question. I do think that the ongoing instances of crazy hacks of bridges are turning huge amounts of people off from that concept. There could be different blocks in the future, and there could be a black swan on the layer two side. But I definitely get the impression right now that people are more skittish about holding their funds in complicated constructions than they were before, because of how many of these weird $180 million incidents we've seen. I guess we'll see.

Bug risk is definitely one of the issues. The other issue is that even if you have a ZK bridge, a validity proof of consensus bridge, that still creates the possibility of a 51% attack on one of these systems that leads to stealing coins. When you have a VC chain where half the coins are literally controlled by four people, the difference between that and a multi-sig becomes more philosophical. This sort of stuff is less of a problem between big ecosystems and more of a problem between small ecosystems. Sometimes we like to trust that governance is going to be fine, but a year ago there was an $80 million hack within a flash loan because somebody borrowed money and used it to buy up half of a governance token and then voted to give themselves a treasury. I'm glad that technology is being developed, but we need to be realistic about timelines and when we actually hand over the keys and have the power to do upgrades. We'll see.

Thank you guys too. It was fun. Thank you.