This post documents an idea for a few different mechanisms that could be adopted by EOSIO blockchains to address concerns some may have regarding potential abuse of the flexibility provided by the EOSIO platform to enable changes to core concepts of the blockchain that some may have believed to be immutable (or at least very difficult to change). I wrote this just to share the idea with the community and get feedback and it no way indicates that it is something actively being worked on or even on the roadmap for any development group working on EOSIO code (that I know of as of this time anyway).
EOSIO blockchains move a lot of the behavior people expect to be part of the “core” protocol of a particular EOSIO blockchain to the WebAssembly layer that permits easy upgradability. This provides a tremendous advantage by enabling EOSIO blockchains to be adaptable and to support a wide variety of experimentation across multiple EOSIO blockchains while each still build on top of the same robust underlying base protocol. However, adaptability can come into conflict with predictability which also provides benefits. In particular, some users of the blockchain would be happier to know that it is difficult to change some of the tokenomics of the blockchain they are using.
Fundamentally, there is no way to guarantee that the value of the assets one holds on a particular blockchain will continue to be preserved on a particular branch of the blockchain that follows the rules they prefer. However, it may be useful if tools were provided to guarantee to a node operator that their node will not automatically follow a branch of the blockchain that violates the rules they prefer. I propose two concrete mechanisms that can be added to EOSIO blockchains to facilitate this: one (which I call “protocol change events”) is an objective mechanism that all nodes in the network must follow and therefore requires changes to the EOSIO protocol to support; the other (which I call “subjective protocol restrictions”) is a subjective mechanism enabled through a nodeos plugin which enables any given nodeos operator to configure their own rules that they don’t wish to see violated on the blockchain that their nodes automatically follow. The idea is to use these mechanisms to provide a node operator assurance that if particular changes occur on the blockchain, their node will not automatically follow it unless they pre-agreed to the change by configuring their node appropriately (e.g. by adding some hash to a whitelist). If they did not agree beforehand to a change which does in fact occur on the blockchain, effectively it will appear as if their node is stuck. This alerts the node operator that something is wrong and they can then decide whether to agree to the change (which allows their node to continue syncing with the blockchain) or to take some other action like configuring their node to follow some other hard fork of the blockchain that follows rules they agree with.
While it is theoretically possible to construct a hard fork of an EOSIO blockchain currently, it is not easy. So I also propose new mechanisms (specifically two data-driven protocol features) which can ease the process for some part of the community to organize a hard fork of an existing EOSIO blockchain. By reducing the burden of creating a hard fork, this would make it more likely for acceptable options to exist for the node operator who is stuck because their node will not follow a branch of the blockchain that implements changes they do not agree with. In addition, with the technical barrier to create a hard fork lowered, the threat of creating a hard fork of an existing EOSIO blockchain becomes more credible to the existing powers that are given governance control of that blockchain who may then think twice before carrying out a contentious change in the first place. (The threat comes from the fact that the users easily migrating to the forked chain may cause a corresponding drop in value of the assets on the original chain.)
With the above mechanisms and tools properly in place, a node operator could theoretically configure their node to, as an example, not automatically follow the EOS Public Blockchain if the BPs on that chain increase the inflation rate to above 5% per year or issue new EOS tokens. Their node would stop and then the node operator could investigate what went wrong. If the node operator decides the trigger that stopped their node was actually acceptable (e.g. it was a system contract upgrade that was benign and did not attempt to bypass the safety mechanisms in place to ensure the inflation rate did not exceed 5%), then they could approve that specific change and allow their node to continue synchronizing with the rest of the network and continue following the blockchain (at least until the next trigger that stops the node). If they determine the trigger was actually due to behavior they consider unacceptable, e.g. hyper-inflation of the EOS token, then: first, they would know that at least they wouldn’t be tricked into accepting hyper-inflated EOS tokens without their knowledge in exchange for some other asset of value; second, they could easily configure their node to instead follow some hard fork of the blockchain where the unacceptable behavior does not occur (assuming some part of the community already went through the effort to organize such a hard fork); and third, even if such a hard fork didn’t exist, they would have the tools accessible to attempt to organize a hard fork that they find acceptable themselves and they hope to convince enough people to use it so that the tokens on that fork end up actually having some value.
EOSIO blockchains are designed to be quite flexible. This includes putting features that many consider core to blockchains (e.g. the existence of the main token, its tokenomics, the governance mechanism that determines how blocks are produced) at a layer in the stack (the WebAssembly layer) that is above the base protocol layer and is easier to modify (does not require a hard fork). The fact that changing the tokenomics of the main token of the blockchain (e.g. increasing the inflation rate of EOS on the EOS Public Blockchain) does not need to be done through a hard fork may scare some people who want to have assurances on some aspects of those tokenomics (e.g. a hard upper limit on the rate of inflation).
The reality is that no hard limits are possible to guarantee. The rules can always be changed (despite any technical hurdles) simply by hard forking the blockchain to change the rules and then achieving social consensus to redefine which blockchain the token with the vast majority of the value refers to. Not even Bitcoin’s 21 million hard BTC cap is safe from such a change. However, because the 21 million BTC cap is part of the base Bitcoin protocol, a change to that number necessitates a cumbersome process called a “hard fork” which requires all nodes to take explicit action (e.g. upgrading their node software) for their local nodes to continue following the version (or branch) of the blockchain that changed the rules.
An EOSIO blockchain similarly has rules that are part of the base protocol that can only be changed through a hard fork (sometimes also referred to as a consensus protocol upgrade). However, for EOSIO, due to its more general architecture, there are fewer things that fall into this category. For example, increasing the length of EOSIO account names would require a hard fork. But things like changing the voting mechanism behind the DPoS (Delegate Proof of Stake) governance or changing the rate EOS inflation would not require a hard fork.
I personally believe putting more functionality into the WebAssembly layer is a good architecture for the blockchain. There may be some costs in performance but I think much of that can be mitigated through reasonable design of the interfaces between the WebAssembly layer and the base layer as well as simply putting engineering effort in making sure the WebAssembly engine is fast.
By keeping the base layer simple and general it enables the same platform that implements the technically hard parts of blockchains and consensus to support a wide variety of specific blockchain ecosystems that can experiment and explore radically different ideas. It also enables a particular blockchain to experiment over time by making it easy for it to change seemingly fundamental aspects of the blockchain with relative ease which allows it to be more adaptable and likelier to survive changing environments.
But that greater adaptability is not strictly only a positive thing. People also want to have confidence that some aspects of the blockchains they rely on are unlikely to change. There is a balance that needs to be met between greater adaptability on one side and on the other side to provide users predictability and confidence that a particular blockchain ecosystem is a stable platform that they can invest in and build on.
Providing a general architecture that enables greater adaptability is not necessarily a disadvantage in finding an appropriate compromise in this struggle between the two sides. Just because you have some tool does not mean you have to use it. On the other hand, one may argue that if one side (proponents of more frequent change in the name of progress) are given more powerful tools to support their mission compared to the other side (those who want to take a more conservative approach to give users of the platform confidence in what they depend on), then the tools could be argued to bias too heavily towards one side. And as will be discussed shortly, the side that wants to take the more conservative approach could benefit from some additional tools and blockchain mechanisms that currently do not exist in the EOSIO ecosystem. Also, these tools can be more widely beneficial and provide value to parties that are independent of the two prior stated sides of the struggle; for example, one of the mechanisms that will be discussed could enable better testing of new sophisticated features that are being considered for adoption by the blockchain.
It may help to discuss a concrete example of the kinds of struggles that may exist in finding a balance between greater adaptability and better predictability.
One example is regarding the tokenomics on the EOS Public Blockchain. It appears there is a general consensus in the EOS community that the maximum tolerated inflation rate on EOS is 5% per year. This was actually codified in the system contracts upon launch of the EOS network which enforced a fixed 5% inflation rate (albeit with 4% of that going to the
eosio.saving account which was not being used for anything). But because these rules are enforced (at a technical level) in the system contract which allows a 15 out of 21 multisig of the current active block producers (BPs) of the EOS blockchain to change that inflation rate. And in fact this was done. It was dropped down from 5% to 1% at some point (and also the accumulated funds in the
eosio.saving account were burned) and the inflation rate has remained at 1% per year since then (at least as of April 10, 2021). But the same mechanism (the
eosio::setinflation action) that was used to reduce the inflation rate could be used to bring it back up to 5% again (or to even increase it past 5%).
Why does the
eosio::setinflation action even allowing raising the inflation rate above 5% per year? Wouldn’t it be really easy to add a check into the action to enforce an upper bound? Yes, it would. But it is also meaningless because if the BPs were in consensus they could just update the system contract code to remove that restriction. And it is valuable for them to be able to update the system contract code in order to fix bugs or add new features. The system contract on the EOS blockchain has been updated many times throughout the history of the chain (sometimes to just fix bugs and other times to introduce new features like PowerUp) without requiring a hard fork which is a slow process as it requires waiting on nearly all ecosystem participants to update before the change can be activated. And when it comes to security bugs the community may not have the luxury of time to carry out a system contract upgrade through a hard fork.
The reality is that if there actually is community consensus on a 5% upper bound on the EOS inflation rate, it is not any hard technical means that prevents it from being violated (other than require 15 out of 21 multisig of the elected BPs of the network). The protections are enforced through social means. If the BPs understand it may be taboo to increase inflation beyond some limit, they are motivated to properly gauge community sentiment on the matter (which may involve a long tedious process) before approving the multisig proposal that executes the change. Otherwise, they could risk undesired consequences as a result of supporting the change. The simplest example of such an undesired consequence is getting voted out by the token holders and losing the future income stream from the network. In a more extreme example, the community could organize a hard fork to revert the changes and punish the BPs that voted for it; this was demonstrated in 2020 by the split of Hive from the Steem blockchain.
But notice that while the protections are fundamentally social, they involve using technical means to carry it out. For example, the DPoS governance that allows voters to vote out BPs they do not like requires a lot of smart contract code that tracks staked amounts and aggregated votes to rank BPs. And there is a lot of technical sophistication required to hard fork a blockchain successfully.
Furthermore, additional tooling can benefit users impacted by the undesired changes by focusing on preemptive solutions rather than only reactive ones.
Consider that if BPs colluded to hyper-inflate a token of some blockchain, they could then sell those hyper-inflated token to some victim in exchange for BTC. Even if the victim discovered the hyper-inflation change a few hours later and decided to stop supporting that blockchain by selling their tokens, the damage may have already been done. The price of the token may have crashed as others discovered the hyper-inflation as well, so the victim would not be able to get much value out of the tokens they received. And the BTC they traded for those tokens would be gone for good with no way to reverse it. The best they could do is organize a hard fork of the blockchain prior to the hyper-inflation event and hope that the version of the token on that forked blockchain ends up achieving the value it once had.
Also, notice that there is considerable difficulty in organizing the hard fork of the chain. This is not just a matter of the technical difficulties but also the social difficulties in getting enough people in consensus on which block to fork from, which set of block producer candidates replace the active set of BPs (which is needed otherwise irreversibility would not advance on the new forked chain because the active BPs as of the fork point would likely not support that fork of the blockchain), and determining what other modifications may be needed to ensure the undesired event does not just repeat again on the new fork (e.g. perhaps slashing the tokens of voters who supported the hyper-inflation change).
Any tools that make this process of organizing a hard fork easier helps with the reactive protections but it may also help to preempt the undesired change to begin with. If barrier to a hard fork is lowered, then the hard fork becomes a more credible threat to the powers that are given governance control of the existing blockchain who may then think twice before carrying out a contentious change. The threat comes from the fact that the users easily migrating to the forked chain may cause a corresponding drop in value of the assets on the original chain. And without sufficient value on the original chain, the powers that control it don’t have much to control.
New tools and mechanisms can also help the victim of the hyper-inflated tokens described in this section. If their node, which they could use as the source of truth of the activity of the blockchain, stopped syncing with the blockchain as soon as the hyper-inflation event occurred, then they never would have confirmed receiving the hyper-inflated tokens and would have never exchanged their BTC for it. So they would be less impacted by the hyper-inflation change if their node software was sophisticated enough to detect that change immediately. In addition, if all nodes that cared about avoiding such a hyper-inflation change all stopped at the same block due to the same event, then the last good irreversible block they each have (which should be the same for all of them) can likely act as a Schelling point for the block from which they will build their new fork from (assuming they decide to hard fork the blockchain to resume production with the original rules intact). Of course the users of these nodes will still require a lot of communication to confirm which block they wish to fork from and to organize all the other aspects of the fork (e.g. which set of block producers are chosen to resume the blockchain), but the social process does become a little easier when the group has a straightforward way to agree on at least the block they wish to fork from.
[Due to post length limitations, the remainder of this proposal will be left in a subsequent comment.]