What A Valid Cryptoeconomic Design Looks Like For a Blockchain Oracle

A response to Eric Wall’s “What’s Wrong With the Chainlink 2.0 Whitepaper? (For Simpletons)” from the point of view of somebody who’s been building oracles for the last 5 years.

DISCLAIMER: I’m one of the authors of the Witnet whitepaper and current chairman of the Witnet Foundation board. I am biased towards Witnet inasmuch as the public sees Witnet as a competitor of Chainlink, and both projects claim to be building “decentralized oracle networks”.

Eric Wall recently published this pedagogical article trying to debunk the main cryptoeconomic claims of the Chainlink 2.0 whitepaper:

What’s Wrong With the Chainlink 2.0 Whitepaper? (For Simpletons)

What This Article Is About

I’m not here to bash Chainlink’s work. I just want to stress a few key points that he made, and explain how we did things differently in Witnet. I’m also trying to be pedagogical, so expect some degree of simplification.

About The Chainlink 2.0 Whitepaper

On the whitepaper itself, I will only comment two things:

1. They seem to mainly focus on justifying past design decisions and trying to make sense of their current ecosystem rather than presenting any specific advancement in terms of making Chainlink 2.0 more secure, scalable or useful as an oracle.
2. I’m happy to see them embrace many concepts that were first explored in the 2017 Witnet whitepaper. What didn’t make me so happy was seeing the Witnet paper absent from the references— especially noteworthy given the academic pedigree of their whitepaper’s authors.

Due Reminder on What Cryptoeconomic Design Means

I don’t really know if these are Eric’s words or he’s quoting someone else. However, I can’t avoid reproducing it here because it’s the most spot-on description of crytpoeconomic design I’ve come across:

[...] cryptoeconomic security is the concept of making evil actions cost more for the attacker than what the upside is.

It is about creating systems that punish evil actors financially for not doing what they’re desired to do, so much that you as a user can rely on them to act faithfully in alignment with a protocol’s mission. In a cryptoeconomic system, you don’t need to trust that people are honest. You just trust that people are economically rational and are doing what’s best for themselves financially.

This idea permeates all public blockchain systems: leveraging the selfish behavior of each participant to feed the neutrality and trustlessness of the system as a whole.

And that’s where cryptoecomic design enters the game — it’s about making honest behavior the most profitable, by holding participants economically liable for any attempt at manipulation. The set of rules that regulate those economic incentives is what we often call a protocol.

Witnet’s Most Basic Cryptoeconomic Primitive: The “Commit-And-Reveal” Scheme

In the core of the Witnet cryptoeconomic design lies one of the simplest and most elegant cryptographic primitives out there: the commit-and-reveal scheme.

Here’s a little thought experiment to explain how it works:

You’ve been locked up in a room with no windows for so long that you cannot tell what date it is today. There are a few people around you who are free to go in and out of the room, but you cannot. How can you find out the date?

You can simply ask any of the (few) people around you. But they can lie to you.

(C) You can ask every one of them and accept the most frequent answer. But there are only a few people, and they are free to leave the room and agree on a false response.

Luckily, there’s something else in the room. In the corner, you find a telephone, a mailbox and your wallet.

(W) You can phone a hundred random numbers, and propose a little game: they have to tell you the date, and you’ll mail $5 to any each of them whose answer is the same as the majority.

As the receivers of the phone calls don’t know each other, the most profitable thing they can do is to simply tell the true date, which acts as a Schelling point.

Although only a metaphor, this lock up situation is much alike to what the crypto ecosystem calls the oracle problem, i.e. smart contracts can’t directly read data from outside the chain state. They need to “trust the messenger”, who can easily get away with lying because the information cannot be verified.

Chainlink’s solution is marked as (C) in the experiment: queries are sent to a set of trusted nodes, and the median response is picked. Reporters know one another, so they can easily collude or attack each other. Reporting is conducted publicly, and they can react to each other’s reports to move the median up or down (or even force themselves into being the median). Regardless of their behavior, they get paid a fixed reward in LINK tokens — even if they misreport.

Witnet’s solution is marked as (W) in the experiment: queries are sent to a random set of anonymous nodes, who secretly commit to their reports. Only when all the reports have been collected they reveal their committed responses, so they can’t copy or react to each other. Outliers are filtered out before aggregation (median, average, etc.), and only the ones that end up affecting the final result get rewarded.

Witnet’s Own Take on “Implicit Staking”: Algorithmic Reputation Score

“Hey, nodes actually do have something at stake! Their future LINK payments!”

Regardless of whether “expectation of future income” is a valid cryptoeconomic guarantee, the point cannot be stressed enough that, as of today, if we look at Chainlink’s aggregator contracts, reporters are paid regardless of the quality of their reports. This fact alone invalidates any claim that Chainlink reporters will behave because they have their reputation at stake.

As in the context of the Chainlink ecosystem reputation really means “public perception of reliability”, there’s no actual mechanism in place that automatically enacts the penalty.

Rather, it’s assumed that someone will notice the wrongdoing, speak up about it, and convince Chainlink users to — somehow — remove the offending reporter(s) from their aggregator contracts.

And I said “somehow” because the ability to remove or add reporters to a contract that is being used on mainnet is a huge single point of failure that could potentially jeopardize its security.

In contrast, every Witnet reporting node (aka witness) has a public reputation score that increments every time they agree on a result. Conversely, if a node fails to agree with the majority, its reputation gets reduced by 50%.

But the Witnet reputation score is not only a public indicator about the reliability of a witnessing node. In fact, each node’s probability for getting tasks assigned to them is proportional to their reputation score.

Put simply, when a Witnet node participates in resolving a data request, these are the two possible outcomes:

• Agrees with the majority: earns a reward paid by the requester in form of WIT tokens, gets its reputation score increased, becomes more eligible for future tasks and rewards.
• Disagrees with the majority: earns NO rewards, gets its reputation reduced by 50%, immediately becomes less eligible for future tasks and rewards.

Comparing these two outcomes, it becomes evident what any economically rational actor will do ¯\_(ツ)_/¯.

I’m not trying to claim that this reputation system is the ultimate cryptoeconomic guarantee to make Witnet indestructibly secure (SPOILER: it is not!). However, it is indeed a much more serious form of “implicit staking”, in the sense that the potential income of a node is automatically, immediately and inevitably reduced after any wrongdoing without any need for human intervention or judgement.

This algorithmic reputation system is much more efficient than it may seem because it is implemented on the Witnet side of things (Witnet is a separate blockchain but is sort of side-chained to Ethereum), and has a lot more intricacies to it, e.g. every reputation point you earn expires after a while so as to create incentives to remain honest in the long term, and prevent exit scams.

And This Is Witnet’s Own “Explicit Staking” Mechanism

I won’t say much on the Chainlink’s 2.0 proposal for “explicit staking”, aka proper staking, aka staking. Their paper only presents some outlines on how they could implement it, not an actual cryptoeconomic design that I can comment on.

In the case of Witnet, I must admit that staking was not present in the original design of the protocol (2017). In the first Witnet testnets (2018–2019), we used to rely on the commit-and-reveal scheme, the economic rewards in forms of requester fees, and the algorithmic reputation system to create the right incentives for nodes to report the data they retrieve without tampering.

But as we approached mainnet (2019-2020), researchers who know much more than I do about this stuff (like Mario Cao, Gorka Irazoqui Apecechea and Claudia Bartoli Duncan) warned that those cryptoeconomic guarantees might not be enough when Witnet starts being used as the oracle of choice to secure high value contracts on Ethereum. One special concern was bribing and the P+Epsilon attack, which we explored at length:

Deterring Bribery Attacks on Decentralized Oracle Networks

So, in acknowledgement that the incentives and penalties we had created were still too lenient for the kind of use case we are aiming for, we decided to implement staking in the Witnet protocol — albeit in a way that is very much tailored to the peculiarities of a decentralized oracle network.

Every time a node discovers its own eligibility to participate in resolving a data request — which happens secretly — it is required to stake a specific amount of WIT tokens, which we often call “collateral” as a special transaction input in the commitment transaction from the commit-and-reveal scheme above (yep, you read well, I said transaction input, as Witnet is based on the UTXO model).

The amount of the collateral changes on a request basis, and is decided by the requester. For example, when creating a data request that will update a price feed or trigger any other important consequence, the most sensible thing to do is to require an amount of collateral that is in accordance with the amount of value that is at stake in the consumer contract, with a view to counteract the incentive for a witnessing node to lose their inside-Witnet collateral in expectation of a higher outside-Witnet yield.

This of course has important UX consequences — users need the appropriate tools and information to assess what the right amount of collateral should be. If the collateral is too little, the request could potentially be exposed to attacks, and if too high, some nodes may refrain from participating, especially if the potential reward “is not worth the risk”. This is a very interesting challenge, but at least we know we reduced a security problem down to a usability problem.

So, what happens to collateral after the result of a data request is revealed? Let’s consider the same two outcomes as before:

• Agrees with the majority: recoups the collateralized amount, and earns a fraction of the collaterals slashed from fraudsters.
• Disagrees with the majority: loses the collateralized anount, which gets distributed to the nodes who agreed with the majority during the same block.

No “Tier 2” bs. No “super-linear security” mumbo-jumbo. This simple staking mechanism elegantly builds on the more than proven properties of the commit-and-reveal primitive above to condition the behavior of economically rational actors and keep them accountable. Cryptoeconomics 101!

Beyond counteracting any perverse incentives that may exist, staking / collateralization has another great benefit to it: sybil resistance. Whatever amount of WIT tokens that you put into resolving a request using a certain identity (private / public keypair), you can not use it at the same time with a different identity.

This idea of “exclusive allocation of a scarce resource” is the very cornerstone of every Proof-of-Stake system out there. Not only that, this is indeed the core security principle of Proof-of-Work too — only that instead of tokens, you are creating exclusion on computing power, because you can spend 1 kiloWatt of power doing nonced hashes on 1 processor on top of 1 block, but you cannot move that power to a second processor, nor reuse the hashes you already made for mining on top of a different block; so every time a valid block comes, you’d better start mining on top of it.

To achieve that exclusivity of resource allocation, another key element beyond the collateralized amount is the reallocation delay. That is, how quickly can you move your WITs from one identity to another. If you can instantly move your stake between identities, you could theoretically operate a million identities, check whether any of them are eligible for participating in resolving a data request, and transfer the required stake to those.

In Witnet, for a WIT token to be used as collateral, it needs to be at rest — stay in the same address — for 2000 blocks, which equals 25 hours.

In this way, if you want to operate millions of identities and deposit enough WIT tokens in all of them so as to satisfy any requests that they may get assigned, you would basically need more WIT tokens than the entire WIT circulating supply. Hey, good luck with that! 😜

Implementing this security measure is super easy on a UTXO based blockchain like Witnet because you only need to check how old are the UTXOs being used as the collateral input of the commitment transactions.

A complete specification of Witnet staking / collateralization mechanism can be found in the WIP-0002 document (yeah, WIP stands both for Witnet Improvement Proposal and Work In Progress, a true statement of them being ever-evolving requests for comments):

witnet/WIPs

Final Remarks

Most probably, Witnet, at least as we know it today, is not the absolute solution to the oracle problem. At the end of the day, especially when we’re talking about securing contracts that manage a lot of value, it’s hard to believe that there will ever be a “silver bullet” oracle solution that will meet the requirements of the many use cases that smart contracts have.

However, for the 4 years we’ve been building Witnet, we’ve explored every single way to improve the cryptoeconomic guarantees it has to offer, and iterated its design many times in search of a solution that truly lives up to the decentralized and censorship resistant nature of public blockchains.

We are pleased to find people like Eric Wall voicing these concerns and bringing the topic of cryptoeconomic design of oracles to the table.

As the world of smart contracts and DeFi continues expanding and maturing, we need to get serious about these matters, and make sure that the infrastructure we build is solid enough for acting as the foundation of the decentralized protocols and apps of the future.

If we — the crypto ecosystem as a whole — fail to separate the wheat from the chaff, and continue praising projects that don’t really care about cryptoeconomic design, true decentralization, and censorship resistance, everything will fall as a house of cards.

About Witnet

Witnet is a next-generation decentralized oracle that leverages state-of-the-art cryptographic and cryptoeconomic techniques to provide smart contracts with secure data inputs. In exchange for WIT tokens, Witnet’s network of permissionless oracle nodes retrieve, attest and deliver information to smart contracts in a tamper-resistant and decentralized way.

👇 Discover more 👇

Run a Node | Website | Blog | Twitter | Discord | YouTube | Telegram | GitHub