I want to see if I am understanding the point Charles is trying to make. Charles, please correct me if I misunderstood. Also, everyone else please help me out if you find a flaw in my reasoning.
But first, I need to spend some time explaining how I understand the security of DPOS.
The security of a POS consensus system is derived from the fact that it is expensive to buy up a huge fraction (51%) of the stake (shares in the DAC). For it to be expensive to do this the market cap of the DAC needs to be expensive. How expensive? Expensive enough that the value an attacker can get out of compromising the consensus system of the DAC is less than the cost of acquiring the majority of the stake. What can an attacker do if they compromise the consensus system of a DAC? Typically, they can only filter transactions and trick an individual into thinking some state was committed to the blockchain when it really was not (double-spend attacks).
How much an attacker values filtering (or even entirely shutting down) transaction activity on a DAC is dependent on how much he is interested in reducing the market value of the DAC. Although, the attacker is the one to lose the most financial value from such an attack, if the market cap is small it may be worth it to the attacker to sacrifice that money to shut down the network. Except, in DPOS, the legitimate shareholders can simply purge transactions that voted for the attacker's delegates (the ones who were suspected of filtering or known to not cooperate) and resume operation of the DAC. This means that the attacker cannot permanently shut down the system, only temporarily inconvenience users at great repeated cost to the attacker. Eventually, the shareholders would bleed the attacker dry as long as they were committed to putting up with the annoying restarts for a little while.
So, the only other way it makes any rational sense for an attacker to buy enough stake to control enough delegates to attack a DPOS DAC, is if the attacker can make up enough value from double-spends to cover the costs of registering a delegate, the opportunity cost of not continuing to receiving pay as delegates that do their job properly (since the double-spend victim would quickly present cryptographic proof to the network that the delegates double-signed blocks and are therefore dishonest and can be automatically removed from the delegate list), and the cost of losing significant value in the shares they obtained (because after a successful double-spend attack in a DAC, the market cap of the DAC will likely drop). I am going to assume the first two costs are not significant for an attacker who is buying up a huge stake: delegate registration cost are low which can be easily paid off by just keeping the delegates honest for about a month before carrying out the attack; and, I assume shareholders will want delegate pay to be as low as is sustainable in order to increase the value of their shares as much as possible (at the cost of lower security in the network). So, whether the attack is beneficial to the attacker is a function of the value of double-spends in the DAC and the cost of buying up stake only to use it to reduce its value (which is itself basically just a function of the market cap of the DAC). DPOS DACs in which double-spend attacks are very valuable need to have a high market cap to be secure. But it also means that DPOS DACs where double-spend attacks are not very valuable can afford to have considerably lower market cap.
Now, finally to address what I believe is Charles' argument.
I think his concerns are regarding DACs that have no reason to have a high market cap. A DAC that does not provide services desirable enough to command a high source of income (say through the transaction fees), might not have a high market cap unless the shares in the DAC themselves had high value for other reasons. Examples of such exceptions include BitShares X in which the transaction fees are very low but the DAC can still have a high market cap because the shares are the only way to provide collateral for BitAssets (and BitAssets are desirable to own because they have the properties of a currency assuming the market-peg works as is hoped) and there is a natural network effect in being able to make transactions using a currency with people on the same blockchain. Another example of an exception is something like BitShares Me, but with the entire DAC dedicated to owning shares in a centralized firm. In this case the value in the shares comes from the trust users have that the centralized firm will treat the shares like company stock (meaning paying them dividends by taking corporate profits, buying up the shares in the DAC, and destroy the shares to act as a stock buyback). Companies would do this because they want to give their stock value, and in particular they want to be able to do an IPO to raise initial capital to grow as a company (the people who contribute to the IPO become the shareholders in the genesis block of the DAC). BitShares DNS is actually not one of these exceptions. It is instead an example where the DAC can command a high source of income through fees because of the natural scarcity of human-readable globally-recognized uncensorable names.
Now, what about other DAC concepts such as a storing/hosting service DAC that Charles brings up? For these services the most significant cost is in actually providing the storing/hosting service (hard drives, computers, and bandwidth) which is something only a centralized firm can do. There can however be many different centralized firms competing to provide quality service at low cost. I am not certain what the purpose of the DAC would even be. It would most likely be for bookkeeping, such as trying to set up some incentive structure to allow market participants to accurately gauge the quality of service the firms are providing, or keeping track of how much attention (meaning money) a particular file needs on the servers of a particular firm before it gets deleted to free up space. This is a complicated DAC that I cannot analyze at this time to determine what its actual value would be. But the general rule to follow is: if the DAC has a lot of value (high market cap), then it is well protected from double-spend attacks; if the DAC does not have a high value, then the benefit an attacker can get from double-spend attacks better be very low. If the DAC cannot be constructed in a way to respect this rule, then it has no business being a DAC! Note that in that case it shouldn't matter whether you use PoS or PoW since the security of either one would be low if the DAC doesn't have value (since hashing power is proportional to miner income). In the case of the storage/hosting DAC idea, maybe it ends up making more sense to just keep the storage/hosting business as a centralized firm that one simply pays for its services with BitUSD.
I think it is important for all of us to be clear on what types of services make sense to build with the DAC metaphor (and these can benefit greatly from DPOS and the BitShares toolkit), and what services are more appropriately implemented with traditional methods.
Edit: I took out a paragraph on the Voting DAC because I need to really think about it more before I say it isn't a legitimate DAC. While I believe the network effect is in the human verifiers, there may still be a tendency for the DAC to not clone too much for exactly the reason that it becomes less secure. So, security may in fact be the network effect force for all DACs that tries to merge them together as much as possible (countered by the other force that wants to pull them apart to reduce transaction volume for scaling reasons).
Topic: Charles Hoskinson Left Ethereum? (Read 25028 times)
