Security Abundance Mindset
What is Ethereum's monetary policy, what should it be, and why does it matter?
At Permissionless III in Salt Lake City (October 2024), Ansgar Dietrichs, Artem Kotelskiy and mcnut will be discussing "Ethereum's Issuance Policy Endgame" and exchange ideas about the right way to approach Ethereum's monetary policy.
Along with Artem and mcnut, equanimiti and adcv contributed to this debate through a proposal we call Maximum Viable Security, or MVS. But what is this issue to begin with? We try to summarize and explain in simple terms below.
Replace the Fed with a Computer
When you log in to Gmail and check your inbox, you depend on a single counterparty, Google, to show you an accurate representation of the data you are accessing. As long as Google is trustworthy, this is fine. But Google could choose to show you something else, or choose to not serve you at all. If you wanted to rely on an absolute frame of reference, that did not depend on this assumption, what do you use and why does it work?
Ethereum is a universal truth machine. Users run small versions of it on many computers around the world and coordinate to agree on the state of the blockchain. This makes it possible to rely on a database that, in principle, no single entity can manipulate. Google could choose to show you the wrong email, but nobody in Ethereum can choose to show you the wrong transaction.
To ensure this, thousands of users have to coordinate to run the same software in the same way. How is this possible?
The Ethereum network connects users, who interact with applications running on it, with validators, who operate the software that keeps the whole thing running. Users value applications on Ethereum because they are secure and can't be tampered with, unlike Gmail and Google. Validators secure the network because they receive a share of the economic activity. The balance between the two is set programmatically by Ethereum's consensus algorithm. This is like having a computer set monetary policy for a currency, which makes participating in the network predictable.
One of the variables that this algorithm can change is the so-called issuance curve. When users pay transaction fees to submit their transactions, part of these fees are burned, or destroyed. The amount of gas consumed depends on the amount of usage on the network - the more congested it becomes with people trying to submit transactions, the more expensive it becomes to submit the next transaction. In a very reductive way, this is sort of like the 'revenue' or 'gross market value' of the network.
To keep the validator side incentivized to keep running the software, some Ethereum is issued to them. In order to maintain the right level of security to give users the confidence to use it, some amount of 'revenues' must be transferred to validators to pay for operating costs and to make it worthwhile and profitable to run the software.
So far, Ethereum has succeeded in keeping these incentives well aligned. The network has attracted effectively hundreds of billions of dollars worth of capital because of the perception that its use guarantees a minimum level of security.
MVI: prioritizing efficiency and externalities
Minimum Viable Issuance, or MVI, is a proposal to modify the monetary policy of Ethereum to shift the amount of tokens that get issued downwards by some percentage.
At the heart of the issue is the mechanics behind validation. In order to participate in validation, users running the software have to lock up some Ether as collateral. This defends against spam attacks, keeps the network load sufficiently low and dissuades malicious attacks through 'slashing' or penalties. To incentivize this, validators are rewarded for continued 'good behavior' running the software that secures the network. This issuance is, simplistically, an 'expense' for the network that could be fairly characterized as a 'security expense'.
The amount of issuance is designed to scale with the proportion of Ether that is staked as collateral following a mathematical formula:
where y is the reward rate of new issuance, c is a constant (approx. 2.6), F is a scaling factor (currently 64) and D is the amount of ETH staked. Because the D factor is an inverse square root, the amount of rewards the network issues declines the more people participate in validation.
The rationale behind a proposal for 'Minimally Viable Issuance', or MVI, is complicated and has many factors. At the heart is the determination of whether the proportion of stake that is allocated to validating Ethereum is too high, beyond what should rationally be required by users looking for security.
To counteract this, an alternative issuance curve under MVI could effectively reduce the issuance to validators and curtail the amount of rewards that are 'spent' by the network on cultivating validators. Mathematically, it could take many forms, such as
which effectively reduces the issuance curve by some factor k:
Simplistically, the framing could be summarized as
Excessive spending on the security budget is bad for the overall network as it creates welfare losses for participants that could otherwise be used in applications on the network
If more ETH is staked than necessary, it becomes easier for a single entity to capture or control large amounts of stake, which would compromise the security of the network anyway
Applications built on top of the staking mechanism, such as tokens 'representing' staked Ether, could eventually 'replace' ETH as a unit of account which would be bad for the value proposition of ETH as a cryptoasset that has minimal trust assumptions (versus a token or application built on top of it, which necessarily has more such assumptions)
This is a perfectly reasonable perspective, and the proposal addresses those concerns by effectively reducing the amount of 'economic' value that filters to validators, making it less likely for more Ether to be staked as collateral and less likely for alternatives to ETH (such as tokens representing staked ETH) to emerge.
Embrace Security Maximalism
An alternative perspective to the monetary policy debate is Maximum Viable Security, or MVS. If MVI frames the optimization as "minimize issuance without compromising security", MVS would be a framing that suggests "maximize security without compromising scarcity". The MVI perspective views security as having diminishing returns at this point in time, while MVS challenges whether we have enough security or even whether we may actually have increasing returns to more security.
The Ethereum Yellow Paper stipulates, as a key goal:
There are many goals of this project; one key goal is to facilitate transactions between consenting individuals who would otherwise have no means to trust one another.
Source: Ethereum Yellow Paper (link)
MVS is no more a specific proposal than to "not change the issuance policy right now" on the grounds that any reductions in the 'security budget' could result in first and second order impacts that reduce the level of security for the Ethereum network and compromise its value proposition as a whole.
Today’s global capital markets are valued in the hundreds of trillions of dollars, while Ethereum represents only a tiny fraction of that. For Ethereum to become a neutral settlement layer for the world, the cost required to attack it would need to be in the hundreds of billions, if not trillions, of dollars, to guarantee a meaningful portion of this activity to take place on the network. Decentralization and the resulting neutrality is Ethereum’s #1 competitive advantage. No risk should be taken to erode that, and instead, we should seek to strengthen it even further.
Strategically, MVI and MVS represent two different paths for Ethereum’s growth. MVI focuses on minimizing costs, benefiting ETH holders in the short term. MVS, on the other hand, emphasizes building a long-lasting moat around the network, optimizing long-term value creation for all stakeholders, including ETH holders.
The more security that Ethereum accrues, the bigger the value proposition it builds over time, strengthening its attractiveness as a settlement layer and therefore demanding more security to reinforce it.
The argument that issuance creates inefficiencies is compelling, but addressing it could have second order effects that are undesirable.
Large, professional node operators (entities that run validator software as a business) contribute to security and performance, to the extent that they don't dominate the share of validation, which would compromise security. But they also have a structural cost advantage relative to smaller ones or individuals.
This cost advantage is in the form of operating leverage. Operating leverage increases in a business when its fixed costs as a percentage of its total costs are smaller. This means that, for the same amount of fixed costs, a business with more operating leverage can sustain more business or more growth.
If the issuance policy were to decrease the amount of Ethereum issued to validators, node operators with a higher degree of fixed costs could be pushed to breakeven or lower and forced to exit. This would have a centralizing effect on the market share of validation and could reduce Ethereum's security, and therefore value proposition, in a negative spiral.
Finally, with respect to the threat that 'staking tokens' can represent to the security of Ethereum, it is worth looking at the extent to which this really represents a threat. The most successful of these tokens, Lido stETH, has actually contributed quite significantly to decentralizing validation, through the use of market incentives to check the growth rate of node operators who participate in the application. A crude way of measuring this effect is the Herfindahl-Hirschmann index (calculated as the sum of the squares of the market shares of individual entities).
Even in a world where many or most users on Ethereum rely on alternative tokens as, for instance, collateral in lending markets, Ether still remains the underlying commodity at the heart of the transaction. To start with, ETH is simply a prerequisite for even submitting and paying for transactions. In any case, designing a monetary policy to target a handful of applications could also materialize the risks of overregulation. It is hard to predict or quantify what effects such a targeted change could have on the overall network, and could undermine the argument that Ethereum is a neutral application layer open for anyone to build on top of it.
Simplistically, MVS as a counterpoint to MVI could be summarized as:
Security is the biggest value proposition of Ethereum and it depends on the decentralization of its network of validators, so no expense should be spared in maximizing this output
Reducing issuance to improve the economic efficiency of validation could knock out some of the participants that the network needs the most to guarantee enough security
Targeting the suppression of specific applications, 'staked tokens' or any other, shouldn't be a primary objective of Ethereum's monetary policy