- DeFi: Some Trust Required
And Some Assembly, Too
The weiWard team wants to make everyone aware of the trust required to use our protocol.
The weiWard platform requires trust in order to operate. The protocol uses an off-chain oracle, the contracts have mutable state, and some of the contracts are upgradeable. weiWard is currently in an experimental state, and we will be able to mitigate these trust requirements over time. But economic feasibility demands that some implementation details cannot be wholly decentralized.
This requirement for trust is common for all businesses and comes in varying degrees, even across the cryptocurrency industry:
- The Yearn Finance team initially could have set an arbitrary address for some lenders and used it to withdraw funds, but they locked it by giving ownership to the zero address. They recently modified their DAI Vault deposit limit in real-time based on the needs of Alchemix, using their MultiSig members to approve the change. While decentralized, their governance system may occasionally move too slowly and require a smaller team to make quick decisions.
- Governance tokens, such as UNI or SUSHI, may have a major voting share owned by the creators and/or major investors. Regardless of how the governance tokens are distributed (sold) to the broader community, this is reminiscent of the relationship between shareholders and managers in a traditional corporate governance framework.
At one point, 61% of Ethereum nodes were hosted on the cloud, with almost a quarter of all nodes on AWS. A more recent study shows that Ethereum has a commendable distribution of nodes across countries. Of greater concern is that only 6,806 Ethereum nodes were running globally as of March 9, 2021. Ethernodes provides several updated statistics on nodes in the Ethereum network.
According to Alchemy, “70% of the world’s top Ethereum apps” rely on their nodes. Major dapps like MetaMask, Aragon, Gnosis, OpenZeppelin, and Uniswap rely on Infura to handle their infrastructure.
Ocean Protocol forked their OCEAN contract to recover lost tokens in response to a hack on the KuCoin exchange. Their other contracts were upgradeable up until v3.
Ethereum’s developers and miners performed a hard fork to recover funds after the DAO hack.
Chainlink acts as a central authority for its customers, deciding which data feeds to use as trusted authorities.
Rebase tokens like Ampleforth and Badger DAO (DIGG) use centralized oracles and/or data feeds to modify token supply.
Popular custodial exchanges like Coinbase and Binance are centralized and execute their transactions off-chain.
The Ethereum community has come a long way on its journey towards decentralization, and we still have a long way to go. Every project has started somewhere different along this journey. As long as we are all aware of the weakness in the execution of our decentralized goals, we can make informed decisions.
There is nothing inherently wrong with needing to trust someone to use their protocol, as long as users are aware of it. It’s only a problem if the community is incorrect with their assumptions on trustlessness, likely due to false advertising about the magnitude of decentralization or “cryptoeconomic security” provided by a platform.
The weiWard team wants to make everyone aware of the trust required to use our protocol.
The requirement for trust from the weiWard team comes from the fact that:
- We use a centralized oracle to compute the 1-day moving median of gas prices using Geth.
Most of the contract variables are mutable.
We use upgradeable proxies.
Let’s go into detail about why these implementation details require trust.
I recently read a scathing article about Chainlink 2.0 by Eric Wall. Eric outlines how Chainlink’s trust mechanisms are traditional but not “cryptoeconomically secure.”
For something to be cryptoeconomically secure, you must have a guarantee that the particular entity you rely on loses something of concrete value that they currently already own that is worth more than what they make from defrauding you.
— Eric Wall
The potential benefit of using Chainlink is that the redundant data feeds and quorum requirements are distributed across multiple “trusted” parties, mitigating the risk of hacks and dishonesty. The potential risk of using Chainlink is if these parties are not trustworthy and decide to collude. The weakness in Chainlink 2.0’s second tier of watchdog oracles is that they have no penalty for being dishonest. This mechanism pushes the trust requirement back behind another layer of obfuscation. At the end of the day, though, a central authority (Chainlink) decides for its customers who to trust and who not to trust.
Trusted data feeds have nothing to do with “cryptoeconomics”.
— Eric Wall
weiWard relies on a centralized oracle. weiWard utilizes an off-chain process to compute a 1-day moving median of ETH gas prices from a Go Ethereum (Geth) node and publishes the value on-chain on a 4-hour interval. This moving window is essential for mitigating 11th-hour oracle manipulation attacks.
There are several ways to mitigate this trust requirement:
- Use a Layer 2 (L2) solution for cost-effective calculations of the gas price and publish to Layer 1. We are currently investigating this solution with the Polygon team, and we will keep you posted as it develops.
Distribute the data feed across multiple actors. A redundant data feed reduces the potential for hacks and creates mutual accountability between the trusted parties.
Publish a new gas price for every block and compute the moving median from the on-chain data. This mitigates some trust but still requires that users trust our computed gas price for each block. More importantly, writing a new state to the blockchain every block and calculating the median on-chain is not economically feasible.
Publish a new pseudo gas price for every block using the EIP-3198 BASEFEE opcode. This isn’t gas price, but we could use it to estimate network utilization, and it would eliminate the need to trust an off-chain oracle. Regardless, this has the same prohibitive costs as the above method.
Implement a 1-hour update delay on the price publication. Every trader would know the price 1-hour before it is published and be able to exit if it is unreasonable. At the same time, knowing the price one hour before it is published relative to the current price creates a perfect arbitrage opportunity for every trader. There is no uncertainty from competition like there is with a moving window. This could be an easy drain on the platform’s collateral.
Use the gas refund mechanic popularized by GasToken and CHI. This implementation cut costs for 1inch on large transactions but never gained widespread adoption. Gas refund tokens are effectively a leech on the network, cluttering the blockchain with useless data in order to release it at a later date for a potential refund. The ROI can be prohibitive for the average user and requires major gas price changes for economic viability. Regardless, EIP-3529, officially scheduled for the London hard fork, will make these tokens non-viable as it reduces the refund from 15,000 gas to 4,800 gas.
As the weiWard team continues to develop, we can streamline our gas price calculation process for any entity and select trusted parties to provide a consensus mechanism for the weiWard gas price.
The Fei DAO can tweak nearly every variable on their contracts. According to their documentation, they only require a 2.5% quorum for a proposal to pass despite their TRIBE governance token distribution.
The weiWard contracts also enable an admin address to tune many parameters in the protocol. The motivation behind this is that the protocol, its economic model, and its game theory are unproven. We have made every effort to motivate each implementation detail, but the fact remains that the platform is imperfect, and we could be wrong. As the platform grows and develops, the parameters may need to be tweaked to provide an ideal experience for platform users.
One method that might appear to mitigate trust in the weiWard team is a governance token.
Releasing a decentralized governance system during an experimental and unproven phase could have adverse side effects. It’s impossible to develop a truly decentralized and fair governance token distribution mechanism that simultaneously targets stakeholders who want to benefit the platform. If the mechanism for selecting stakeholders is not executed with care (by a central hand, mind you), they could vote themselves a paycheck or rug the rest of the protocol.
Decentralized governance using governance tokens also has its drawbacks, and why most of the teams utilizing governance tokens are continuing to ease into it as they stabilize. weiWard intends to gather sentiment off-chain using Snapshot moving forward. As the platform reaches stability, we reserve the right to elect to migrate towards a form of decentralized governance.
There are plenty of good reasons for smart contracts to be immutable, but it also comes with some disadvantages. When a bug or security flaw is detected in immutable code, the only way to fix it is to abandon the code and perform a fresh deployment, hoping that you can migrate data from one contract to another.
This migration is only sufficient for apps and contracts without any inherent value resting within them. If the weiWard AMM had to abandon its contract code, it would also have to abandon all of the locked ETH collateral in the contract, leaving it forever lost.
As such, we’ve elected to use Transparent Upgradeable Proxies for our contracts, as designed by OpenZeppelin. These proxies allow us to push updates to secure our contracts if security flaws are discovered in weiWard or the Solidity compiler. Upgradeability also enables the platform to maintain its liquidity while staying updated with the rest of the Ethereum ecosystem as a whole. We can leverage upgradability to later implement decentralized solutions for our other trust points, like the gas price oracle.
weiWard will be using a Gnosis Safe MultiSig wallet to help secure our mutable contracts and require multiple signatures to enact changes.
The weiWard team only gets paid when the protocol is profitable. Platform usage creates transfer fees that are the sole driver of both our revenue and the ETH contributors’ returns. Transfers will only occur if the gas peg is successful and users wish to make trades with it. If the platform succeeds, we succeed. If it fails, we fail.
The weiWard team will make mistakes, and the community may deem us to be incompetent. This risk applies to all protocols, and such a realization by the community would create a mass exodus. The value of ETHtx is pegged to the gas price and it is always backed by ETH; You will always be able to exit with some ETH. The value of the ETHmx token could tank, but this is typical of all protocols.
While weiWard is committed to creating solutions to mitigate the potential for hacks, they could still happen. The same is true for all protocols. Whitehats have reviewed the platform’s smart contracts, and the team will pursue multiple official security audits when revenues begin coming in.
Subtle Gas Price Manipulation
The weiWard team, and even future “trusted” price feeds, could subtly manipulate the AMM gas prices to their advantage. Malicious and colluding oracles could benefit from price manipulation by buying and selling ETHtx for profit while making subtle modifications to the oracle price. This manipulation will quickly be discovered, as everyone is aware that we calculate the gas price using a 1-day moving median of gas prices from a Geth node. Anyone can verify the data.
Migrating to a L2 solution for calculating gas price has the potential to eliminate this risk factor.
Independent of reputation, anybody could eventually have a change of heart and attempt to perform an exit scam on their customers. The current landscape in cryptocurrency and DeFi is volatile and has a great deal of uncertainty about the future. At any point, an actor may deem that their future revenues are not worthwhile and decide to “take the money and run” from their current customer base.
weiWard mitigates these risks by having our founders doxxed (Matthew Mahaffey & Benjamin Kostreva), by being a publicly listed business in CO, USA, and being beholden to all applicable business laws. If we attempted to scam the community, we’d lose all of our ill-gotten gains, we’d go to jail, and we’d be in massive debt due to needing to make reparations.
You have to place your trust in the weiWard team to benefit from an ETH gas peg. Currently, the only viable option for gaining exposure to ETH gas is to trust an off-chain oracle. We are looking into migrating our centralized oracle to a Layer 2 solution to eliminate this requirement. The next article will outline how we intend to do this.
The weiWard team saw a gap in the Ethereum community when ETH gas prices became a problem. We came up with a solution, and we intend to provide the best possible experience for our community.
We believe in providing long-term value to everyone, and we wish to enhance the broader Ethereum ecosystem as a whole with a protocol that should sell itself. Integrity and honesty are our core values, and we’d rather be broke than give those up.
- Date of publication:
- Tue, 05/04/2021 - 13:54
Click on the link - it will be copied to clipboard