This post is a response to “On-Chain Vote Buying and the Rise of Dark DAOs”.
The article is about methods of orchestrating a vote-buying attack on blockchains with stake-based governance. It describes two approaches: (1) smart contracts, which are transparent (rendering the attack easy to detect) unless the blockchain offers smart contract privacy; and (2) trusted hardware, which could allow vote selling to occur in a way that is trustless, frictionless and private. I’m not well placed to assess the viability of this approach, but it seems for now to require the cooperation of a hardware vendor (Intel’s SGX is cited as the only example of working tech, and use cases must be signed off by Intel).
I’ll assume that it’s technically possible to set up a vote-buying Dark DAO as described in this article, as it may be at some point in the future.
Threat models for one approach or set of projects should be considered in the context of alternatives. Money can buy influence or decisions in many/all governance models, and can be used to attack any permissionless blockchain (whether through buying votes or hashpower).
Money could conceivably be used to buy influence over members of a “technocratic council”, and it wouldn’t require the use of (as yet unavailable) trusted hardware to keep this private.
The question is whether buying on-chain votes is a more or less cost-effective, and thus powerful, strategy. From a vote-buyer’s perspective, it may be attractive because it offers the possibility of ensuring that vote-sellers follow through on their end of the deal.
It is worth considering when voters would be incentivized to sell their votes, at what prices and in what numbers — and how much it’s likely to cost to exert any meaningful influence on a vote’s outcome. These are questions that can only be answered for a specific project, in a particular context and point in time.
Considering Decred as an example: 40,320 tickets are called to vote during a rule-change interval, and 75% of those that don’t abstain must vote Yes for a rule change to be approved. Right now, each of those tickets is paying a reward of around $91, and Live tickets represent 47% of available DCR. Any effort to bribe Decred Voters takes place in the context that they are already being rewarded for voting.
Asking a Decred Voter to participate in a Dark DAO would be asking them to expose their locked DCR (and prospective reward) to devaluation upon a successful attack; the reward would have to be very high to justify this risk. As tickets vote after random intervals (on average one month, but up to 4.5 months), there is no way to execute a ticket-based attack without holding (or influencing the holders of) most of the DCR that backs those tickets.
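As an added worked example (not from the original post or the Decred project), the sketch below turns the figures above into a rough governance-risk estimate: the share of called tickets that would have to vote Yes together to pass a change, and how that share moves with abstention among the remaining tickets. The model is an assumption: tickets are treated as independent draws, and the function names are illustrative.

```python
import math

# Figures quoted in the post for Decred.
TICKETS_PER_INTERVAL = 40_320   # tickets called per rule-change interval
APPROVAL = 0.75                 # share of non-abstaining votes that must be Yes
REWARD_USD = 91                 # approximate reward per ticket

def min_controlled_fraction(honest_turnout, honest_yes=0.0):
    """Smallest ticket share that passes a change in expectation.

    Assumed model: controlled tickets always vote Yes; every other ticket
    votes with probability honest_turnout, and votes Yes with probability
    honest_yes when it does.
    """
    opposition = honest_turnout * (APPROVAL - honest_yes)
    if opposition <= 0:
        return 0.0
    return opposition / ((1 - APPROVAL) + opposition)

def pass_probability(controlled, honest_turnout, honest_yes=0.0):
    """Normal approximation to P(Yes >= 75% of votes cast), independent draws assumed."""
    p_yes = controlled + (1 - controlled) * honest_turnout * honest_yes
    p_no = (1 - controlled) * honest_turnout * (1 - honest_yes)
    # Score each ticket +0.25 for Yes, -0.75 for No, 0 for abstain; pass iff sum >= 0.
    mean = (1 - APPROVAL) * p_yes - APPROVAL * p_no
    var = (1 - APPROVAL) ** 2 * p_yes + APPROVAL ** 2 * p_no - mean ** 2
    if var <= 1e-12:
        return 1.0 if mean >= 0 else 0.0
    z = mean * math.sqrt(TICKETS_PER_INTERVAL / var)
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))

def reward_exposed_usd(controlled):
    """Voting rewards held by the controlled tickets (excludes the locked DCR itself)."""
    return round(controlled * TICKETS_PER_INTERVAL) * REWARD_USD

if __name__ == "__main__":
    for turnout in (1.0, 0.5, 0.2):
        f = min_controlled_fraction(turnout)
        print(f"honest turnout {turnout:.0%}: need {f:.1%} of tickets, "
              f"${reward_exposed_usd(f):,} in rewards exposed")
    for f in (0.74, 0.75, 0.76):
        print(f"controlled {f:.0%}, full turnout: P(pass) = {pass_probability(f, 1.0):.6f}")
```

Under this model the outcome is a sharp cliff at 75% of called tickets when everyone else votes No, and the required share falls to 60% if half of the other tickets abstain.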
I don’t agree that on-chain governance is inherently plutocratic, and see very little value in pushing this narrative so hard. Projects are doing it; this is a good time for these experiments because the stakes are still relatively low, and we’ll see how it goes. People probably will sell their votes in some cases to some degree, but I would be surprised if all of the projects with on-chain governance come to be characterized by vote-buying.
In an effort to move this discourse somewhere more interesting, here are some parameters that seem useful in thinking about whether an on-chain governance system is vulnerable to a bribery attack:
What is the threshold at which individual holders can be bribed? This probably has a wide distribution between speculators with little interest in the project’s long-term success and founders, who are invested emotionally (as well as financially) in the project’s success. This would also vary from vote to vote: a holder who is disinterested in one vote (and would perhaps sell their vote cheaply) may be much more expensive to buy for another vote. In a scenario like the Dark DAO, where holders sell their voting power carte blanche, presumably they would ask a much higher price if their votes could be used to attack the blockchain (and devalue their holdings).
How much is at stake? Voters will be rewarded for their vote-selling, presumably enough that the transaction makes sense for them financially or they wouldn’t do it. The people who are more likely to be negatively affected are holders/users who do not participate in voting/staking. If participation in staking/voting is lower, it is more likely for an attack that damages users to succeed.
How liquid is the stake? Liquidity of this stake is also important: if parties to an attack can un-stake and sell their holdings quickly or predictably, they are more likely to be able to execute an attack without suffering the consequences.
How many Voters are there? This affects the chances of buying enough votes to make a difference secretly. It would be difficult to pull off a genuinely secret bribery attack if one must recruit thousands of Voters. Even if the method of implementation facilitates privacy, people talk.
How are votes/coins distributed? Difficult to know with confidence but definitely important. If a small group commands a majority stake, governance is probably very resistant to vote buying — but also an obfuscated oligarchy, which is not great.
Is voting direct on issues or to elect delegates? Delegated voting has its own set of vulnerabilities. When electors vote for multiple candidates this seems ripe for cartel formation, and if that constituency is receiving a big chunk of the block reward, those cartels could get locked in pretty quickly. I haven’t looked at any DPoS projects in much detail (yet) though.