Back to page

📄 posts/against-blockchain-governance.poly.pmd
#lang pollen

◊(define-meta title "Against Blockchain Governance")
◊(define-meta published "2021-04-17")
◊(define-meta topics "Tech, Themelio")

One of Themelio's strongest design principles is its extreme hostility towards protocol governance: Themelio will not undergo any consensus-breaking changes after the stable network launches.

By "protocol governance", or just "governance", I mean community-wide coordinated changes to the core consensus rules of a blockchain, which includes hard and soft forks. All popular blockchains today undergo this kind of governance, whether informally through off-chain discussion, like in Bitcoin and Ethereum, or formally through on-chain procedures, as in Tezos.

This sort of governance is widely seen as necessary to maintain and improve a blockchain's value. Examples include adding features, like opcodes for deploying ZK-rollups on Ethereum, or resolving large-scale community disputes, like the Bitcoin block-size controversy. Yet I will argue that protocol governance not only undermines the primary source of a blockchain's value but is also not needed for a blockchain ecosystem to thrive and grow. For blockchains, _governance is simply a great and unnecessary evil._

## Governance is a great evil

Since the purpose of governance is to preserve and improve a blockchain's value, we must first investigate where this value comes from. Many features of blockchains are cited to explain the massive interest in blockchains. The bestselling book _Blockchain Revolution_ raves about a "truly-open, distributed, global platform" where "all activity is transparent and incorruptible". Ethereum's Vitalik Buterin attempts to pin down blockchains' [decentralization](, another commonly cited "killer feature", as

> politically decentralized (no one controls them) and architecturally decentralized (no infrastructural central point of failure) but [..] logically centralized (there is one commonly agreed state and the system behaves like a single computer)

These groundbreaking properties of public blockchains all appear to stem from a key breakthrough in _trust_. By a "truly-open, distributed, global platform", we don't mean that we trust some highly reputable blockchain operators to guarantee these properties. Instead, we study a blockchain's protocol and conclude that the system as a whole would have these desirable properties _independent of who is running the protocol_. This peculiar kind of trust also enables blockchains to have the rare combination of political and architectural decentralization with logical centralization that Vitalik points out: we trust the blockchain itself to somehow get disparate humans with different computers to "behave like a single computer".

I call this property **endogenous trust**. Often somewhat misleadingly labeled "autonomy" or "trust-minimization", endogenous trust refers to trust that a blockchain protocol will behave correctly with minimal assumptions about who runs it. In blockchains, trust emerges from within the protocol. This is categorically different from exogenous trust in whomever runs the protocol.

Nearly all of the unique properties of blockchains and blockchain applications stem from endogenous trust. Take an application often mentioned in _Blockchain Revolution_: transparent and immutable record-keeping for legal documents. When done on a blockchain, its endogenous trust assures us that the records we keep are indeed transparent and immutable --- no trust in third parties necessary. This stands in contrast to traditional solutions like public notaries, which require much exogenous trust in some record-keeping authority. As another example, the radically jurisdiction-independent and open ecosystem of DeFi (decentralized finance) can only eliminate trust in traditional intermediaries like banks and exchanges by relying on the strong endogenous trust of a blockchain. In summary, endogenous trust is the real killer feature of blockchains.

So how does a blockchain secure endogenous trust? Endogenous trust is powered by **cryptoeconomic mechanisms** that incentivize correct behavior from protocol participants. From the incentive structure of such a mechanism, we can conclude that certain security-critical properties hold using weak, general assumptions about human behavior. For instance, we can show that as long as almost all Bitcoin miners are rational and profit-seeking, Bitcoin would converge to one history. This kind of mechanism allows us to trust that the participants of the protocol will act in a certain manner without any preexisting trust in their honesty.

This means that endogenous trust crucially depends on actually being able to pin down what cryptoeconomic mechanisms will be in force. Without knowing for sure what those mechanisms will be tomorrow, you cannot have endogenous trust. Since these mechanisms are encoded in the core consensus rules of a blockchain, _protocol immutability_ is the ultimate backstop of endogenous trust. Alice and Bob trust the smart contract that intermediarizes their transaction only because they know that the contract code is immutable. A merchant accepts bitcoins for the goods he sells only when he is confident that tomorrow some protocol change wouldn't freeze all his bitcoins.

By introducing externally coordinated protocol changes, governance undermines this ultimate backstop. Now instead of accepting bitcoins because Bitcoin has endogenous trust, the merchant must have _exogenous_ trust that a governance event by the Bitcoin community wouldn't expropriate his assets.


The severity of this problem cannot be overstated. By introducing exogenous trust in a nebulous "community" that may from time to time rewrite the protocol, governance destroys the basis of endogenous trust.

It seems, however, that Bitcoin and Ethereum are pretty trustworthy despite having governance. After all, people put trillions of dollars in them! But this trust is not endogenous, but rather trust in "the community". Just like any other human institution, a blockchain community can merit exogenous trust, even a lot of it. For instance, the Bitcoin community is perhaps far superior at maintaining consistent monetary policy than central banks, and therefore much more trustworthy. Nevertheless, trust in communities is categorically different from endogenous, cryptoeconomically-driven trust that doesn't depend on trusting anybody running the protocol. After all, communities are not always that great: just take a look at EOS's [infamously "plutocratic" governance](, which is often abused for protocol-violating actions like [freezing assets](

The trust revolution promised by blockchains is no longer a revolution if all blockchains offer is yet another form of exogenous trust in yet another human institution. There is then no escape from the conclusion that by its very definition, **protocol governance wrecks the primary value proposition of blockchains**.

## Governance is an _unnecessary_ evil

But all the major blockchains have governance. Perhaps blockchains cannot survive without some form of governance, and endogenous trust is simply unrealistic. Indeed, the experience of Bitcoin and Ethereum hints that at least for existing blockchains, governance is a "necessary evil". Out of the [20 times]( the Bitcoin protocol soft- or hard-forked, the majority fixed important issues with the protocol. And Ethereum's numerous upgrades added significant features such as [bitwise shifting operators](, [elliptic curve mathematics](, and [error handling functionality]( necessary for many applications. If the Bitcoin and Ethereum communities dogmatically stuck with the original protocol, they would clearly be worse off.

But _why_ do these blockchains need governance? What's the source of the issues that must be addressed by governance, and can we avoid these issues?

If we examine Bitcoin and Ethereum's numerous upgrades after their early development, it is clear that they largely come in two categories. First, many address situations where the blockchain protocol is no longer suitable for the applications people want to run on it, or _application-protocol friction_. This motivates most of Bitcoin and Ethereum's governance events, where new features were added to the consensus rules to accommodate new applications, such as Bitcoin's Lightning Network and Ethereum smart contracts with advanced cryptography. The second kind of governance event, arguably the much more destabilizing kind, comes from _controversial application failures_. These stem from application-level community controversies, where the failure of a popular blockchain application (like low-fee transfers on Bitcoin, or the DAO smart contract on Ethereum) generates powerful special-interest "victim" groups that pressure the community for governance to address their grievances.

We see a common pattern here: **tight coupling with applications** makes the blockchain vulnerable to ever-changing application needs and happenings. Bitcoin is itself primarily a money-transfer application, while Ethereum is a "world computer" directly acting as a runtime environment for applications. Tight coupling to applications generates both application-protocol friction and controversial application failures --- a diverse and innovative application ecosystem necessarily involves many unanticipated applications. Some would clash with the blockchain's original design, and others might fail spectacularly.

This suggests that we can banish governance by avoiding tight coupling with applications. In fact, the most successful network protocol of all time --- the Internet Protocol (IP) --- does exactly that. IP focuses on one thing (unreliably routing datagrams), does it extremely well, and doesn't interface directly with applications. Instead, user-facing Internet applications like Facebook or Netflix are separated from IP by many layers of abstraction. Importantly, IP needed no governance to support these ever-evolving applications. This stands in stark contrast to pre-Internet telecom protocols, which were tightly coupled to applications like telephone and television. In those protocols, even small application-level innovations, like [pagers](, involved governance-intensive upgrade efforts reminiscent of blockchain protocol upgrades.


Following IP's example, blockchains can also be designed to eliminate tight coupling with applications. Indeed, **Themelio's design is firmly centered around decoupling the blockchain from user-facing applications**. I believe that the proper role of a blockchain is to be deeply embedded in applications, providing endogenous trust to security-critical functionality, like PKIs and payments. The blockchain itself would be neither a user-facing application nor a platform in which applications are embedded. As such, Themelio aims to be a low-level, radically application-neutral blockchain. It focuses on implementing basic, highly composable functionality that can power a vast, diverse, and constantly changing ecosystem.

Governance for Themelio would then be a purely unnecessary evil. The core Themelio protocol will be separated from applications by layers of intermediate protocols and laser-focused on implementing one thing (endogenous trust) extremely well. As a result, it will not need to change with the fickle trends of upper-level applications, just like IP did not need to change to support today's extremely diverse Internet ecosystem. That the Internet today has evolved unrecognizably compared to the Internet back when IPv4 was published in 1981 attests to the power of decoupling.

An objection may be that refraining from upgrading the protocol is also just another governance choice by the community. Since actual community members run the Themelio software, it may appear that we still need exogenous trust in their promise not to enforce governance.

Fortunately, _governance-freedom itself can also be endogenously trustworthy_. We don't need to rely on the good judgement of "the community" for governance not to happen. It is simply in the nature of deeply embedded, low-level protocols not to change. Again, the Internet Protocol provides a stellar example. Ever since IPv6 was created in 1998, many influential members of "the community" have spent great efforts to try to replace the older IPv4 with its technically superior successor. Impressive-sounding events sponsored by "big shots", like the Internet Society's ["World IPv6 Day" in 2011 and "World IPv6 Launch Day" in 2012]( were supposed to jump-start IPv6 adoption.

Yet IPv4, despite severe technical shortcomings like a drastic shortage of IP addresses, is just not going. Now, 23 years later and 9 years after "World IPv6 Launch", only [a little more than 30%]( of networks support IPv6, and the vast majority of Internet traffic continues to be IPv4-based.

So we see that given an entrenched "narrow-waist" protocol, a governance event for an unambiguous technical improvement cannot get executed, even with widespread support and essentially zero opposition. How much harder would it be to push through governance in Themelio, when it threatens the core value proposition of the protocol itself!

So we don't need to trust the Themelio community not to attempt governance. The entire incentive structure of a low-level, application-neutral network protocol is incredibly hostile to attempts at governance. Just like a Bitcoin user will trust Bitcoin's incentive structure to provide stable consensus without preexisting trust in the Bitcoin mining community, a Themelio user can trust Themelio to remain radically immutable, independent of any trust in the Themelio community. Even though all systems are ultimately run by humans, the root of trust of Themelio is happily endogenous.

## Conclusion

In summary, governance aims at maintaining a blockchain's value but actually destroys the most important source of blockchain value --- endogenous trust. Protocol governance is also entirely unnecessary, provided that a blockchain steers clear of tight coupling to applications. In fact, a blockchain without application entanglements can come with powerful incentives that discourage any attempts at governance.

It turns out that blockchains really can revolutionize trust --- we can avoid depending on "governing" authorities as a root of trust after all. To do so, we must eliminate governance from the core blockchain protocol, but that doesn't mean governance has no place elsewhere. "Human-free" endogenous trust holds vast potential as a conduit for new forms of _human_ trust, such as commercial trust between merchants in mutually hostile jurisdictions, or behind untraceable pseudonyms. Governance models utilizing these new kinds of social trust will be critical for building new modes of social interaction, such as DAOs and voluntary public-good provision. A radically simple blockchain with a self-enforcing lack of governance will provide a rock-solid foundation to explore this fascinating space.