Can we better protect the EIP process from special interests while improving the incentives for those working for the public good?
The purpose of this post is to get the ball rolling on a discussion we hope will eventually result in the equivalent of a meta EIP that structurally improves the EIP process.
Without improvements to the current EIP process there is a danger that protocol lobbyists getting paid to serve special interests will outnumber unpaid altruistic volunteers serving the public good, leading to a tragedy of the commons.
We believe this is already a problem and that it is getting worse. We’ll start by providing some general examples, and examine in more detail a recent EIP as a case study.
We can break the problem of perverse incentives down into two related sub-problems:
- High reward for getting bad EIPs in: special interests have a high incentive to lobby governance for changes that benefit them, even at the expense of the public good or other stakeholders. This can be a high stakes adversarial game, where success depends on obfuscation, collusion and misdirection. Successful protocol lobbyists could be highly motivated and well coordinated.
- Low reward for promoting the public good: either by protecting from bad EIPs or by doing all the work to get good EIPs in. Both require significant talent, time and energy. Only some of this work is intrinsically rewarding. The current process relies heavily on altruism and prestige, and it is unclear whether this will scale in proportion to the scaling rewards for successfully attacking the process.
The imbalance is a natural consequence of public choice theory (see David Friedman’s excellent original writings on the subject). The core idea is that concentrated special interests win out over diffuse public interests, sometimes even when the diffuse public interest is larger in absolute terms. A somewhat naive calculation for illustration:
- $100 million gain divided by 100 colluders = $1M gain per colluder
- $1 billion loss distributed across 100,000,000 public victims = $10 loss per victim
Coordinating the defense is hard because it’s a large group, and each individual member of the group internalizes only a very small portion of the benefits of a successful defense. Special interests, on the other hand, are a concentrated interest, with each participant expecting to see a large portion of the gains from getting their proposals implemented. Hence, the attackers will be highly motivated, while the defenders suffer from a tragedy of the commons.
"To prevent a bad proposal that someone is really motivated to push in, I have to write posts, prove my point beyond doubt, talk to people to make sure the issues get enough exposure, and I’ll probably need to stay on it, defend my research on the ACD, etc. And I have no real incentive to do this, other than defending the ecosystem I care about. The people on the other side are strongly motivated. They are paid to fight for their EIP, and have a lot to gain from it. How many EIPs will pass because no one is willing to put the resources to shoot them down, while the proposer is motivated to push it through?
And the same goes in the other direction. I’m often reluctant to propose EIPs that I think are good for everyone because I’m afraid the process of pushing it past the objections at ACDs and getting it accepted would exhaust me.
And so EIPs that don’t personally benefit someone are less likely to be accepted, while EIPs proposed by companies that stand to gain are more likely."
Sunlight is a good disinfectant, but whether it’s enough depends on how deeply it penetrates.
The more attention and domain expertise is required to understand how value or risk is transferred, the less resistance can be expected, and the easier it will be to get the critical mass of community sentiment required to persuade the core devs to include a change.
A blatant EIP that says “give X ETH per block to our cabal” will quickly get rejected (and, indeed, even EIP-2025, a not-obviously-malicious proposal of that type, was quickly thrown out). But there are far more subtle protocol changes that can benefit some constituencies at the expense of others.
Some examples include:
- Concentrated interest in favor: specific use case that wants a precompile
- Diffuse interest against: large increase in consensus complexity, dependence on external libraries, development time delaying high-priority items (e.g., the merge)
Coin rescues or other state-intervention forks
- Concentrated interest in favor: single group that wants their coins saved
- Diffuse interest against: risk of chaotic split, precedent, long-term higher governance burden and controversial-fork risk due to emboldened future requests
Highly specialized in-EVM/state data structures (e.g., sorted storage slots, heaps)
- Concentrated interest in favor: specific use cases (e.g., on-chain order books) that benefit from these structures
- Diffuse interest against: greater consensus complexity, lower flexibility to make future changes (e.g., sorted storage slots would have prevented Vitalik’s recent Verkle tree proposal)
This is not to say that all proposals of the above categories are bad; sometimes a more concentrated gain really is on the whole greater than the widely distributed cost of a proposal. But as a general rule, we should expect the concentrated pro- side to be systematically over-represented, and the diffuse anti- side to be systematically under-represented.
The open and inclusive nature of the EIP process is currently our main defense against bad proposals. However, given that proposals may be complex and subtle in their effects it may be unsafe to rely on proposals being self evidently good or bad. An open process where everyone has access to various public forums may not in practice provide sufficient protection to balance out the perverse incentives.
We’re going to try and start the conversation by proposing some principles and ideas. This list will be incomplete as the intention is to get the ball rolling, not say the final word.
We believe it’s important to recognize that making bad things harder has to be balanced with making good things easier so that we don’t end up throwing out the baby with the bathwater. We wouldn’t want to “protect” the EIP process by shutting it down.
Let’s use the famous trojan horse that brought down the ancient city of Troy as a metaphor.
Thanks to the open nature of the process, everyone who is paying attention can see what is trying to get through our metaphorical gates. This means an attack has to sneak past the public’s guardians in plain sight.
How do we raise the bar and make it harder to disguise attacks (e.g., the infiltrating force that opens the gates to the city) as “gifts” (e.g., a beautiful statue of a horse to decorate our city)?
For example, this may involve a combination of improvements to our processes that help us:
- Better understand who is offering us gifts and what is their motivation. Who are they working for? What’s their track record? Are they friend or foe? How aligned are they with our values? Do they have conflicts of interests?
- Make sure we have enough highly trained guards that are well paid and stay alert. Volunteers are great, but there’s only so much glory to be had and standing guard gets old fast.
- Make it harder for attackers to lull us to sleep by hijacking our trusted institutions.
- Make sure our guards can sound the alarm and draw attention to an attack that might overwhelm them. We can’t defend ourselves against attacks we don’t realize are happening.
- Investigate close calls so we can iterate intelligently on our defense mechanisms while carefully balancing trade offs and avoiding knee-jerk overreactions.
- Keep score to increase public awareness of who is doing a good job helping us, and who has been trying to harm us. Since our attention and resources will always be limited, we should allocate it intelligently. Leveraging reputation could be part of the solution.
- Reward and honor what we want more of - benefactors and guardians of the public good, while penalizing and shaming what we want less of, those who attack us in the service of special interest.
“Given enough eyeballs, all bugs are shallow” - Linus’s law
The last line of defense before including any EIP in a network upgrade could be an open bug bounty that will pay anyone who discovers significant flaws that block the EIP’s inclusion as is. The reward should be at least enough to pay for an independent audit at current market rates. It should be open for long enough to give independent researchers time to find flaws.
The benefit of a bounty as a supplement to a contracted audit is that it is minimally opinionated regarding who will succeed. It’s not who you know, it’s what you know. Anyone with skill can try to claim a bounty and get compensated for success with economic and reputational rewards.
The bounty process should not only reward finding flaws in existing proposals but also alternative proposals that achieve similar benefits with a better risk/reward profile.
“Fool me once, shame on you. Fool me twice, shame on me”
When a bad proposal almost gets in, maximize the learning from that by funding a bounty that rewards the best understanding of what process improvements would have maximized our margin of safety against bad proposals while minimizing the friction for good proposals.
Reward those who watch the watchers and help the community hold auditors accountable.
One way to do this would be to post open bounties for the best “audits of auditors”. These would reward those that take a close look at what past audits missed and help the community reassess how much to trust their brands.
Consider using these “meta audits” to update a public hall of fame & shame that makes it easier to notice when auditors miss critical issues. The effect should be that when a critical issue is missed the community can reduce the “credit score” of that auditor.
Auditors have skin in the game to the degree that they are held accountable for endorsing bad proposals (e.g., explicitly or implicitly). For an efficient auditing market to form around Ethereum the reputation of auditors and the amount of business they get should be based on their performance.
Pushing auditors with low standards out creates a market opportunity for auditors with higher standards.
Achieving this is a public good and will help improve an industry otherwise prone to market failures, though it’s worth thinking carefully about how to do this to avoid introducing perverse incentives that adversely affect e.g. what EIPs auditors are willing to audit.
“Sunlight is the best disinfectant”
- Require disclosing conflicts of interests: all proposers and their supporters must disclose conflicts between their private interests and the interests of the public, or the interests of other stakeholders in the ecosystem.
- Require disclosing motivation: all proposers and their supporters must disclose their motivation for participating. This means what they stand to gain if the proposal is accepted.
- Require disclosing means: all proposers and their supporters should disclose who they are working for.
- Whistleblowing: encourage people to provide evidence in those cases where important information is being withheld.
- Accountability tracking: if evidence establishes beyond reasonable doubt (e.g., thanks to a whistleblower) that proposers and their supporters withheld information on their motivation, means or conflicts of interests, their reputation should suffer and their ability to influence the EIP process should be diminished. Similarly, exceptional positive contributors should see their reputation benefit. Some form of public tracking (e.g., badges) can be used to formalize this.
Make signalling explicit: In order to prevent the hijacking of the EF’s brand, the EF should publicly disclose its intention in funding work related to an EIP.
For example, it should be clear whether an EF employee authorized funding an audit in support of what they believe to be a good EIP proposal or out of concern that it may be flawed in a way they can’t put their finger on.
This will be more clear if the EF explicitly signals the former when it has the intention to support something, and the latter when it does not.
Increase personal skin in game by disentangling organizational and personal reputations: the EF is not a hive mind like “The Borg”. It is a collection of individuals with varying degrees of domain expertise. The domain experts the EF relies on to authorize signalling on the EF’s behalf should have skin in the game. The community should be able to see their faces. Their personal reputation should increase by supporting good things, and diminish from supporting bad things.
In addition to making it more difficult for EIPs promoted by special interests to pass through unchallenged, it is also important to make it easier for truly important EIPs to make it through, even if they don’t have any special interest constituencies supporting them (e.g., the EIP-2929 gas price changes to improve anti-DoS safety, which were talked about for over a year without progress before they started to be implemented).
How much more top talent could we attract to serve the public good if it was at least as (or more) economically rewarding to work on that than in the service of special interests?
Retroactive grant models make it possible for those interested in allocating resources to the public good to solve the easier problem of evaluating impacts post-hoc instead of the harder problem of anticipating future impacts.
There’s more than one way to do this but here’s a simple approach. Each EIP could designate a proposer that will be responsible for getting the EIP all the way through to a network upgrade and distributing any retroactive grant amongst collaborators afterwards. The proposer would also track which individuals and teams made the most important contributions to that EIP, and make an allocation table representing what they consider to be a fair distribution of rewards.
Any tips (from the public, or the EF, or other grantees, or potentially revenue from selling an NFT of the EIP) would be split among the contributors according to the allocation table. If desired, the allocation table could even be tokenized, allowing an independent team to raise funds to pay for fiat or ETH-denominated expenses if they can convince the market that their EIP will succeed and be deemed valuable.
We expect this to be the most controversial part of this post, but we feel it is instructive to examine a live specimen of protocol lobbying currently in progress in the service of a powerful and highly motivated special interest - Consensys. We are watching the situation unfold with growing concern, but have so far avoided getting directly involved in this discussion on the public forums under any name.
Consensys’s proposal was deceptively simple and was purported to solve the important problem of gas abstraction, by creating a new type of transaction that delegates control over an EOA to a contract. This appears more powerful and dangerous than what is needed for gas abstraction. Why do it this way? From EIP 3074:
“A good analogy for the benefit this EIP provides is that it’s similar to allowing any EOA to become a smart contract wallet without deploying a contract.”
This is both insightful and potentially misleading. As Vitalik points out, rather than accomplishing account abstraction, EIP 3074 enshrines EOAs instead of helping us get beyond them.
It now seems dangerously close to getting into the next network upgrade, despite:
- Critical security issues that were not discovered by two EF-commissioned audits
- Being designed to benefit Consensys’s proprietary Metamask wallet at the expense of open source smart contract wallets
- Centralization risks
Up until a last minute intervention by the unpaid volunteer who posted “A simpler alternative to EIP 3074” on this forum, the process not only failed to catch the security problems but also failed to come up with alternatives that had potentially better risk/reward profiles and could get the purported upsides with fewer downsides.
At no point in the process did we have a public discussion on why promoting EIP 3074 was in Consensys’s strategic interests, or how it risked benefiting Consensys at the expense of other stakeholders like Gnosis and Argent.
We also didn’t discuss whether it was in the interests of the Ethereum community to tilt the playing field in Metamask’s favor, especially given that after establishing high market share they rug pulled on open source licensing, a core Ethereum value.
How did we get so close to EIP 3074 being seriously considered for inclusion in the next network upgrade?
Consensys made all the right moves. The proposal is deceptively simple on its surface. They made it easy for the core devs by implementing the client change. They lobbied for it behind the scenes, starting with their natural allies and gradually networking out to expand their circle of support.
Consensys also cleverly lobbied to position their proposal as something that EF was supporting. Consensys could have easily funded the audits by themselves, but they probably realized it would legitimize the proposal more if they could get the EF to participate, and thus leverage the EF’s trusted brand.
In various internal community calls promoting this proposal the impression conveyed was that it was endorsed by the EF and was practically a done deal. Who wants to criticize a proposal backed with the prestige of the EF?
A piece of the puzzle that is still missing is what role Consensys played in selecting the auditors, given that Least Authority ended up endorsing EIP 3074 after missing critical issues. From their report:
“We conclude that under the right conditions - wallets and invokers being implemented correctly - that this proposal is safe for use”
Promoting a false sense of security can have negative value.
Imagine that a year ago we had this discussion on protecting the EIP process from special interests and improved the EIP process with some of the ideas presented in this post. How could things have played out differently?
If we had been routinely auditing the auditors by comparing their audit reports to what was later discovered we may have noticed Least Authority’s poor track record and adjusted their reputation appropriately.
Ideally, the pain of visibly losing reputation in our metaphorical hall of shame would incentivize Least Authority to be more diligent with their audits. They might catch more critical issues, or at least be more cautious in providing endorsements that could come back to haunt them.
With bug bounties as the last line of defense, the situation would tend to be more self correcting as critical issues that auditors miss would be an opportunity for new auditors to make a name for themselves.
Auditors that keep missing critical issues would cease to command a premium as a source of trust and may have to switch to a different business model such as competing for bug bounties that only pay out on success.
Explicit signalling: most likely EF would have clarified that it was funding the audits out of concern rather than with the intention of signalling support.
Accountable domain experts: if Consensys tried persuading a domain expert at the EF to explicitly signal support for EIP 3074, that person would have to consider whether they were confident enough to stake their personal reputation on doing that.
First, we would have started by encouraging a candid discussion about Consensys’s motivations in promoting EIP 3074 so aggressively.
If the proposers didn’t provide full disclosure regarding their ties to Consensys we might regard them personally with suspicion. If they were honest about their affiliations but were simply not in a position to disclose Consensys’s strategic interests due to an honest lack of insight we could regard not them but their employer with suspicion and invite community members to try and fill in the gaps.
We could invite speculation on Consensys’s business interests and the goals of senior management while still believing that most of the technical people working for Consensys are good and well intentioned community members.
As an exercise, let’s try to take a stab at understanding Consensys’s motivation. Suppose the future belongs to smart contract wallets and we expect EOAs to be gradually phased out in favor of account abstraction. This is not good for Metamask, the dominant EOA wallet owned by Consensys.
EIP 3074 is strategic for Consensys because it changes the rules of the game to make it possible for the proprietary Metamask wallet to leverage its position as a dominant EOA wallet to compete with and possibly displace trusted open source smart contract solutions like Gnosis and Argent.
This would potentially further centralize Ethereum around Metamask.
How does EIP 3074 transform the red ocean of smart contract wallets into a blue ocean for Metamask?
Without EIP 3074, if Metamask wants to compete in the smart contract wallet space it has to develop a new smart contract wallet offering and then try to convince users to choose that over other more mature smart contract solutions that have empirically stood the test of time and have billions in assets under management. That’s a hard sell.
With EIP 3074, Metamask can seamlessly convert their userbase in place to a new kind of smart contract wallet (they coined “Synthetic EOA”) by having users sign a special type of transaction that delegates control to an all capable invoker contract. They control the UX, so it should not be hard for them to do that.
An EIP 3074 invoker contract will be as security sensitive as any smart wallet contract. Assuming Consensys doesn’t make a catastrophic mistake, their invoker contract could gain enough Assets Under Management to provide empirical validation that it is trustworthy.
Given the sensitivity of this contract, users that are using Metamask’s invoker will be reluctant to switch to other invokers. Metamask can leverage their trusted invoker to provide their users with similar benefits to smart contract wallets without the pain or risk of migration. This way Metamask gets to lock-in users that would have eventually “graduated” to open source smart contract wallets.
To the degree that competition in the market resembles a winner-take-all tournament, competition will be limited and we could end up centralizing Ethereum around a proprietary wallet with a natural de-facto monopoly.
From EIP 3074:
“Choosing an invoker is similar to choosing a smart contract wallet implementation. It’s important to choose one that has been thoroughly reviewed, tested, and accepted by the community as secure. We expect a few invoker designs to be utilized by most major transaction relay providers, with a few outliers that offer more novel mechanisms.”
Amongst our friends are technical people at Consensys that we like and respect. The above case study is not meant to attack anyone involved in EIP3074 personally. Good people can be misguided. They are not the problem.
Consensys itself is also not the problem. It’s a rational corporate actor trying to maximize its special interests. In that sense it is not fully aligned with Ethereum’s values, but it is not unique in this regard.
The problem is that if we don’t do a better job protecting the EIP process from the special interests, EIP3074 will not be the last bad proposal that is on the verge of getting in. If our defenses don’t hold, successful attacks would embolden future attacks. In the worst case scenario, this could incentivize the creation of a well funded lobbying industry that gradually captures the EIP process.