Tokenomics play a huge role in security and incentives, but I feel that the PoH-Origin (potential future fork name) team attempts to convince other people that unless the court is privately owned, proper incentives cannot be used to secure the court. In my opinion, it’s quite the opposite - PoH cannot be secured unless it’s properly decentralized, and the court is a huge part of that. I’m writing this post at the request of @0xjean.eth to show that it is possible. PoH security can be self-contained and achieved with UBI alone, in a similar way that ETH PoS achieves its own security without any need to use any external source of truth, like Proof of Work, which is a false argument frequently repeated by bitcoin proponents.
But before that, I’ll give a high-level description of PoH and show that Kleros as an organization has an inherent conflict of interest when it comes to governance of PoH.
Some background on Separation of Powers.
Motivation and Background of PoH
Some history from the Kleros blog on the motivation behind Proof of Humanity, with a reference to a paper co-authored by @santisiri: “Who Watches the Watchmen”.
From these documents, you can tell that the motivation behind PoH is to enable a decentralized, egalitarian, sybil-resistant and censorship-resistant registry of real humans that can be built upon. Token incentives (or tokenomics) should make it secure according to the criteria listed above.
Recognition of PoH
Proof of Humanity gained wide recognition, from Vitalik registering, to a Time article and many more articles and podcasts featuring Santi Siri and Vitalik.
I seriously doubt that without the promise of decentralization, UBI or appraisal from Santi or Vitalik, PoH would ever have managed to get even 1000 people. There are other identity services, and PoH in its Kleros-centric form isn’t even remotely competitive.
Misalignment of Kleros
During the growth phase of the registry, many people started noticing that to the Kleros team, it’s more important to keep the Court door spinning and fees flowing, than to make the registry easy and safe to use.
The official excuse we’ve heard many times is that PoHv2 is under development and that’s where Kleros is focused now, but many issues present in PoHv1 are also present in PoHv2. The new implementation is mostly focused on Cross-Chain and SBT, rather than any actual improvements to registration processes. Many other issues will continue to exist, regardless of less expensive gas on the side-chain. Development doesn’t fund itself - investors fund it with their money and they expect a return on their investment. In the case of Kleros - fees from the PoH court. More people in PoH is good for Kleros too, because of more court fees, etc., but it means that PoH cannot independently make governance decisions in its current form and is forbidden from questioning “The Court”.
See the latest HIP-72 as an example of using PoH’s small budget to fund Kleros-centric ideas. PoH DAO in its current form is nothing more than a Banana Republic controlled by the for-profit Kleros DAO.
The conflict of interest is so obvious, yet Kleros folks seem mostly unaware of it. I’m quite surprised I even have to write this post. I honestly expected a little more from the Ethereum developer community. The bags we’re holding change our unconscious biases and perception of reality, and this case provides yet another example of it.
Current Problems
No incentives to detect deep-fakes after successful registration
In PoH there is no incentive to challenge anyone after they successfully register. A potential challenger who detects a new Deep-Fake (not that it has happened yet), knowing this, will rather wait until the next re-registration. No reward for the challenger - no action from the challenger. This design flaw allows a potential Deep-Fake to exist within the system for up to a year after it is found.
Lack of registration rate-limiting
Any well-funded party may attempt to organize a large number of people into Proof of Humanity, because all it takes is a deposit and a free vouch. It’s possible for a registry with fewer than 20000 people to triple with legit, but well-funded and organized, humans within just a week, who then take over the whole DAO. There is no way to stop or slow down the flood of new registrations or make this explosion more symmetrical (even), unless existing people in the PoH registry or court attempt “foul play”, which brings us to the next point.
Attempts at reactive censorship
Given the above design flaw, it’s not surprising that Clement attempted to pass a poorly written and very ambiguous HIP-55 and called for a fork when it didn’t pass, without trying to understand why. This attempted “law” is not only “less inclusive”, but highly discriminatory, and gives huge power to the private court, controlled by PNK holders (Kleros), to arbitrarily seize (in other words steal) people’s deposits with no evidence of any wrongdoing.
Just see Aldo and his struggles with the court, when there was no law against “poor-looking people joining PoH in groups”. Without external parties’ funding, he’d have lost his >$150 deposit, only because the Kleros team felt threatened at the time and had no better ideas as to how to improve the registration process than to give themselves the explicit powers of a dictator.
Not only is it a “duct-tape solution” to a huge design flaw omitted during initial development, but it opens the door to protocol-level censorship. If you read the wording of HIP-55 carefully, you’ll understand that in order to remove a “sybil” (or whole groups of accused sybils), there is no requirement for any proof (since that’s impossible to provide), and just a “strong suspicion” is sufficient. This law comes with no guideline or standard as to what should constitute a “sybil”, just the gut feeling of the challenger and jurors.
- Being funded from the same address? Potentially nothing wrong here - one person with a CEX account could fund their family’s or friends’ wallets, but it’d be enough grounds to be removed by the court and have their deposit stolen (!). PoH recommends that people fund new accounts privately (like tornado) in order not to link their private and public activity, for their safety. This law could treat almost anyone who followed this recommendation as a potential sybil.
- A strong feeling that the given address isn’t custodied by that person? Since when do courts talk about feelings? Where’s the evidence? Don’t think that it would stop real sybils either. A proper “Puppet-master” who’s aware of these laws will be able to fund his accounts anonymously (tornado, aztec, CEX), ensure fake, but unique, history and DeFi activity, etc., so jurors would have a very tough time deciding on anything.
Eventually, anxious jurors may come up with behavioral defence mechanisms, like an implied policy of “Vote Removal by default” so as not to lose their deposits, because they know certain challengers are more likely to fund an appeal than a poor person or an individual juror is, especially if the challenger is a large PNK holder - it’s likely they’re well-connected and opposing them may result in juror penalties.
With this bad law, you’re only targeting poor or unaware people and allowing even more court value extraction from the PoH registry. See the votes and how single-minded the Kleros team seems to be. Wouldn’t that be enough grounds to consider them Sybils in this framing? Would it be possible that correlated voting could be part of a sybil-detection mechanism by Kleros? What if some sybils get ignored, but others don’t? Isn’t it a little dystopian? With this HIP in place, PoH would also potentially become a trap for courts to suck people’s deposits arbitrarily and suppress democracy.
- Similar-looking faces registering at the same time? The whole point of UBI is partial wealth transfer from the crypto-rich to the poor. Why are you surprised when people come knocking? Perhaps you ought to have considered the consequences before you partnered with @santisiri and his UBI project? I’m sure you liked the free marketing and legitimacy. Now it’s too late - you can’t put the genie back. @green commented himself in HIP-55 that “sybil-resistance” is more important than “inclusiveness”, but let me remind you of the PoH announcement:
Proof of Humanity opens the doors to a wide range of uses including insurance, credit scoring, quadratic funding and human DAOs. All of this, without a centralized actor controlling the process, with users maintaining full control over the network.
Who’s going to have full control of the network? Users or large PNK holders (Kleros)? Where does the security and sybil-resistance come from? Decentralized network of users or mostly centralized court? What about censorship-resistance? Just listen to your past selves.
I can’t imagine that anyone valuing egalitarian principles could come up with this faulty law. It might be better to admit you’ve screwed up than to push this “kleros is security” narrative and a blatant attempt at introducing a centralized filter and a de-facto dictatorship as a coverup for your prior lapses in competence.
Incorrect Submission farming
Based on @santisiri’s data published during devcon, as many as 1 in 20 registering people get challenged with an “Incorrect Submission” challenge, and rarely is there any other challenge type. In some cases, it’s a paper with the address covering part of the chin, some video format / size issue (like it cannot be verified by the frontend app), a single-letter mistake in the address, the face in the photo looking in the wrong direction, and many more.
There is nothing wrong with keeping the registry clean, but the document describing the rules is pretty damn long and it’s easy to get any of the rules wrong on your first attempt. Even more so, due to the app not being very helpful.
In total, the challengers and court extracted ~80 ETH from honest people who were unaware of Kleros’ strictness when attempting to register there. The simplest alignment test for developers would be: “Do you perceive this as a success in increasing PNK shareholder value or as a failure due to the high loss rate of innocent registrant deposits?”
No ability to correct submission before going to court
These silly issues should be resolvable in pre-trial. In order to keep incentives for challengers, they could be promised 10% of the deposit as a tip. Unfortunately, Kleros would never come up with this or design such a feature, because they care more about Kleros and its shareholders, and prefer to pump their metrics and resolve any conflict with their court. Even the Governor Contract has to go through the court.
Vouchallenging
Another game-theoretic flaw in PoH design. I don’t want to cover it too extensively, but a vouch is supposed to mean that a known person in the registry checked the registrant’s video, knows them and confirmed everything in the submission is correct.
From “Vouch Button” description, intention is clear:
Make sure the person exists and that you have physically encountered them. Note that in the case of a dispute, if a submission is rejected for reason “Duplicate” or “Does not exist”, everyone who had vouched for it will get removed from the registry. Note that your vouch will only be counted when and as long as you are registered, and another submission is not using your vouch.
What was missed is that “Incorrect Submission” has broken tokenomics. The ability of attackers to vouch for people they don’t know and later use that unsolicited vouch to challenge them (unvouched people can’t be challenged) and take their deposit should be considered a design flaw or a bug. Yet Kleros leadership seems to defend it, without considering that the voucher’s behavior is malicious, since they likely don’t physically know the person being vouched for, and their goal is to push the registry state machine so that the profile becomes possible to challenge.
Why this happens
The lack of consideration for such design flaws, or not prioritizing them more, may unconsciously come from the fact that it is self-serving. More people being challenged for silly things means pumping the PNK price short-term (long-term, this extractive model is doomed), since it increases court usage metrics and revenue flows to PNK shareholders.
Even an attempt at bribing people, like KIP-51, seems insufficient to decentralize the court, because a humble 1000 PNK ($30) per person doesn’t get anyone a jury seat - the current required stake is 8700 PNK, and even if it resulted in every registered person (no silly quiz) getting 1000 PNK, registered humans would only control 16mln PNK, which is ~2% of all PNK.
What’s more, it’s probable that people interested in maintaining the PoH registry or in additional income would be baited into buying 8x more PNK than they got, so they can later get dumped on by PNK whales. If you had honest intentions, you’d give 8700 PNK to every registered person or just a random sample of them, if you don’t want to dilute your shareholders more. Yet, somehow, you still want PoH to pay for development of an airdrop tool solely for Kleros’ use, despite the likely divorce.
Vitalik’s insinuation
PoH is not the only one that has an issue with Kleros. Vitalik Buterin also sees a structural issue at the center of the Kleros model, since it’s a private and shareholder-run court with its own interests and business ties.
There was a high-profile case regarding a Kleros partner - the insurance company “Unslashed Finance” - which resulted in a controversial ruling, favoring the partner company over the insured person, despite missing Policy Papers.
Regardless of the above case, it’s not hard to fathom that a court with a shareholder structure and revenue flows will usually end up favoring its Partner’s perspective over its Partner’s Customer’s perspective. Talk about game theory and trust still makes a good PR campaign, but it doesn’t change the underlying reality that Kleros DAO is a for-profit corporation and PoH was only an investment.
Eventually, there is no need for a 50%+1 attack if major shareholders are the same people who decide on court rulings (proportionally to their stake!) and have their interests aligned. All the subjectivity talk and game-theoretic models I’ve heard in Kleros talks don’t mean much when contrasted with the simple reality that shareholders act to protect their value and corporate interests, which means that from time to time, “corporate jurors” will vote along the party line or partner interests, regardless of what the truth is, because each low-level juror actually attempts to predict the potential decision of the majority stake, not the real truth.
This private court may attempt to act fairly just in order to gain trust and influence, but once it’s no longer a small startup, but an incumbent solution handling millions of cases, there is no reason for it not to start acting arrogantly, like Facebook or Twitter. Compare the feelings people had towards Google or Uber when they were still startups with how they feel about them now. There is no reason to expect that Kleros is on any different trajectory, just because they use “the blockchain”.
Idea for more egalitarian and sustainable PoH and court
A rough idea of how PoH could’ve worked, with some options.
Required UBI Stake
Every registered Human should maintain a minimal stake, let’s call it “unspendable UBI” (e.g. starts at 1 month of UBI), which is initially funded by vouchers. This stake is required to maintain incentives and potentially penalize people for malicious or negligent behavior post-registration, i.e. skipping court jury duty (partial stake loss) or being a Deep-Fake that got through the initial challenge period (full stake loss).
If the required stake bucket isn’t full, UBI currently held is streamed to it first, and the same goes for new transfers, so only the overflow should be considered spendable (visible wallet value). A person without a full stake has some of their acting rights temporarily suspended until their stake regenerates, i.e. they’re not capable of vouching or acting as a juror in court, since they may not have the full capacity to be penalized. In other words, the “required stake” value determines the maximum financial penalty the system can impose on any human.
UBI locked in the stake is not recoverable, only transferable along with that person’s identity to another address. Getting removed from the registry (including for the “deceased” reason) results in the staked UBI getting burned.
Benefits
- A person maintains a slashable stake (deposit) at all times, so removal from the registry isn’t the worst that could happen, because re-registration will cost them UBI every time.
- The mandatory stake comes as a free UBI token from PoH (value comes from patrons), so unlike in the case of your own ETH or DAI, there should be no anxiety about locking it up for an indefinite amount of time, especially since it will “regrow”.
- Rate-limiting. People attempting to attack the registry with lots of new people would need to wait a long time to execute it or buy UBI off the market in huge quantities, which would likely move the price and inevitably bring more people into the system. Growth can still be exponential, but sudden attacks on the registry are much less feasible thanks to the even distribution of any new UBI.
Vouches seed new account stake with UBI
Since every human is required to maintain some unspendable amount of UBI at all times to cover potential penalties, they need to get it somewhere. It makes sense to require the voucher to make a slight sacrifice / investment in the new person in the registry. Potentially, many vouchers could fund the stake UBI together. After enough of the required stake is committed, the registration process is kick-started.
Think about it in terms of people in a village sharing their yeast with neighbors, or similar.
The missing yeast will grow back in a while, but your neighbor can grow the same amount as you and share it with their neighbor and so on. Still, no one can create a 10x explosion of new yeast over one week.
This does not necessarily eliminate the need for an additional deposit (currently ETH), locked until the challenge period is completed, but introduces a new, permanent one, which adds incentives for the whole duration of presence in the registry and can decrease the amount of needed ETH significantly.
Benefits
- Vouchers are rate-limited or economically penalized. Organic growth of a sybil network would take years, and buying UBI off the market in huge quantities would pump its price and bring a huge wave of new, honest registrants. This would slow down the attacker even further. Very beneficial feedback loops.
- It ensures that there is a close relationship between the Voucher and the person being vouched for. A costly vouch may seem like a lot, but since it is something the Voucher received for free anyway, people should have no psychological barriers to passing some of it on as an investment in a friend or a family member.
- Getting into the registry is harder, since you need to know “someone”. Might be a good marketing strategy (like gmail, fb).
Downsides
- Slower growth. People interested in getting in must find some willing person to give them some of their own UBI or buy it themselves.
- Volunteers who vouch for other people in telegram groups will have a tougher job and may require additional funding.
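A small simulation of the "Required UBI Stake" and "Vouches seed new account stake with UBI" sections above, added here as an illustration and not taken from any PoH or UBI contract. It assumes 1 UBI accrues per hour, the required stake is 30 days of UBI, and a single voucher pays a newcomer's whole stake out of their own spendable balance; `Human`, `vouch` and `simulate_growth` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

UBI_PER_HOUR = 1                           # assumed accrual rate
REQUIRED_STAKE = 30 * 24 * UBI_PER_HOUR    # assumed "1 month of UBI" = 720


@dataclass
class Human:
    stake: int = 0       # locked and slashable, never withdrawable
    spendable: int = 0   # only the overflow above the required stake

    def credit(self, amount: int) -> None:
        """Incoming UBI fills the stake bucket first; the rest is spendable."""
        to_stake = min(amount, REQUIRED_STAKE - self.stake)
        self.stake += to_stake
        self.spendable += amount - to_stake

    @property
    def has_full_rights(self) -> bool:
        """Vouching and jury duty are suspended while the stake is not full."""
        return self.stake >= REQUIRED_STAKE

    def slash(self, amount: int) -> int:
        """Penalty is capped by the stake, so it is the maximum possible loss."""
        taken = min(amount, self.stake)
        self.stake -= taken
        return taken


def vouch(voucher: Human) -> Optional[Human]:
    """Voucher seeds the newcomer's full stake, or the vouch is refused."""
    if not voucher.has_full_rights or voucher.spendable < REQUIRED_STAKE:
        return None
    voucher.spendable -= REQUIRED_STAKE
    return Human(stake=REQUIRED_STAKE)


def simulate_growth(initial: int, hours: int) -> int:
    """Worst case for the registry: everyone vouches as soon as they can.

    Starts from `initial` humans with a full stake and nothing spendable,
    and no UBI is bought from the market.
    """
    registry = [Human(stake=REQUIRED_STAKE) for _ in range(initial)]
    for _ in range(hours):
        for human in registry:
            human.credit(UBI_PER_HOUR)
        newcomers = []
        for human in registry:
            newcomer = vouch(human)
            if newcomer is not None:
                newcomers.append(newcomer)
        registry.extend(newcomers)
    return len(registry)


if __name__ == "__main__":
    for label, hours in (("1 week", 168), ("30 days", 720), ("60 days", 1440)):
        print(label, simulate_growth(initial=5, hours=hours))
```

Under these assumptions the registry can at most double every 30 days without market purchases, so tripling takes two stake periods instead of one week.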
Court
A decentralized court should scale along the same trajectory as the registry population growth. Assuming the registry grows, it’s likely that in the near future, millions of people will be subject to the whims and arbitrary decisions of very few people, just like in the case of Twitter or Facebook.
There is a very good reason why post-revolutionary French and American courts had (and still have) juries made of random citizens to decide verdicts, and not of a small group of oligarchs.
The Kleros model requires buying into a private court, which is only beneficial for existing PNK holders, but not justifiable in a decentralized and egalitarian registry.
The court should be made up of people participating in the registry, and that participation should be required and penalized with stake slashing if the duty isn’t met.
Handle Incorrect submissions in pre-trial
When a challenger finds an issue with the submission, the registrant’s stake is on the line. It is unfair that these minor lapses result in the whole deposit being taken from them. Instead of going to trial on an Incorrect Submission challenge, allow the challenged person to Acknowledge and correct it. After that, the challenger may agree that it’s resolved, claim 10% of the stake and move on. Only when the challenger and the challenged person don’t agree on whether the mistake exists or whether it has been corrected should the case end up in court.
Sybil challenges
A person who is registered, but is suspected of being a sybil, e.g. hired on a street, could be required to perform an additional confirmation after any period of time passes (e.g. 1 month) and additionally demonstrate that they control the address by signing a message in another recorded video with proof of time, like a recent ethereum block hash or its human-friendly encoding, just like in the case of HIP-41.
Each person should have an exponential back-off included (e.g. 1 month, then 3 months, 1 year, 2 years, etc.), which maxes out at a couple of years so as to suppress harassment of famous people.
Maintaining registry incentives over time
Challengers should always be properly rewarded for hunting down Invalid profiles. If the registry becomes successful, it is likely to enter a long stagnation (no exponential growth) phase. In order not to have its security fall apart, we may require a bigger commitment, like 1 or 2 years of UBI, which makes sense since the only new people joining will be children of existing registrants.
Any penalty should burn part (maybe 25%?) of the penalty on behalf of other people, and the rest should be used to reward the challenger and jurors.
It’s unclear whether such policy ought to be automatic, or manual. Some ideas for automation:
Required UBI stake expressed in $-value
It’s possible to tie the required stake to an external currency, like USD or ETH (likely $), adjusted for inflation. The downside is that people who haven’t saved enough UBI when the stake is being adjusted may be excluded from court operations.
This means that the court is as dynamic as the community itself and does not give disproportionate and permanent power to a few “haves” over most “have nots”. Currently, a significant majority of people in the registry do not serve as Kleros jurors in the PoH Court, and their total stake is insignificant compared to that of Kleros insiders. A local community may choose just one person among them and give (or delegate) them the required stake in UBI they’ve saved up together, to serve as a juror representing them and make them money from fees.
Even this simple change (PNK stake → UBI stake + delegations) is a much better model than requiring them to buy into a 3rd-party, speculative, private ICO token to get a place in court. It’d be similar to the Kleros PNK staking mechanism, but ensures either zero or exactly one vote per person. Only delegates can have a higher likelihood of being selected, but they still can’t take over due to:
- Quadratic Delegations - 100 people, each delegating full required UBI stake gives them only 10x more likelihood of getting drawn. Local communities should seek local leadership, instead of high-profile people to get better returns on their delegated stake.
- Even if some organized cluster of people buys a high amount of UBI and delegates it in an optimal manner to increase the number of votes it controls, eventually they’ll get diluted by others, so they’d need to continuously buy new UBI to maintain their relative position, which would raise the price of UBI and likely bring more new people to the registry due to its increasing price.
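The two bullets above as a worked calculation, added here as an illustration and not part of any PoH or Kleros specification. It assumes stake is counted in units of one full required stake, a juror's draw weight is the square root of the units backing them (own plus delegated), and a juror backed by less than one unit is not eligible; all function names are hypothetical.

```python
import math


def draw_weight(units: float) -> float:
    """Lottery weight of one juror; a drawn juror still casts exactly one vote."""
    return math.sqrt(units) if units >= 1 else 0.0


def draw_probabilities(backing: dict) -> dict:
    """Map juror -> chance of being picked for a single seat."""
    weights = {juror: draw_weight(units) for juror, units in backing.items()}
    total = sum(weights.values())
    return {j: (w / total if total else 0.0) for j, w in weights.items()}


def cluster_weight(budget_units: int, delegates: int) -> float:
    """Total weight of a cluster spreading its budget evenly over its delegates.

    Each delegate must be a distinct registered human, so `delegates` is
    bounded by how many real registrations the cluster controls.
    """
    return delegates * draw_weight(budget_units / delegates)


def cluster_share(budget_units: int, delegates: int, honest_jurors: int) -> float:
    """Cluster's chance per seat against honest jurors holding one unit each."""
    weight = cluster_weight(budget_units, delegates)
    return weight / (weight + honest_jurors)


if __name__ == "__main__":
    # 100 full stakes delegated to one person: 10x the weight of a single juror.
    print("one delegate, 100 units:", cluster_weight(100, 1))
    # The same budget spread over more humans is worth more, up to 1 unit each.
    for k in (4, 25, 100):
        print(f"{k} delegates:", cluster_weight(100, k))
    # Dilution: the same cluster against a registry that keeps growing.
    for honest in (90, 990, 9990):
        print(f"{honest} honest jurors:", round(cluster_share(100, 1, honest), 4))
```

Concentrated stake is the least efficient way to buy influence under a square-root rule: the best a cluster can do is one unit per controlled human, so its weight is capped by the number of registrations it holds and its share shrinks as honest registrations grow.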
Elastic stake per-human
Another feasible approach to make courts egalitarian and the protocol more secure is circulating supply control by increasing the per-person “required stake” along some curve or PID controller. Compared with the previous solution, this one allows for mandatory jury duty and ensures equal weight, regardless of people’s financial situation, but comes at the cost of reducing “spendable UBI inflow”, in order to ensure protocol security by increasing the UBI stake amount to maintain circulating supply goals and the value of a single UBI.
Depending on defined goals, e.g. 5 years of average per-person UBI in circulation, the system may attempt to automatically decrease the impact of newly printed UBI and signal the need for a “burn”, with the following trickery:
1. Make spendable per-person stake depend on total UBI in circulation divided by the number of people, making it more expensive in terms of UBI-time to register new people when there is too much UBI in circulation. A side effect of this approach would be that some new incoming UBI is immediately committed to increasing the “required stake” bucket, so 1 streamed UBI is divided between spendable and required stake, which may still be recoverable later if the system returns to healthy levels and the “required stake” shrinks back.
2. Implement negative rates on all holders (forced burn of hoarders’ money), to dilute them faster, while still adding 1 UBI per hour to every registered human. Note that it would also affect Stake, Lending and other Liquidity contracts. They should have support for potentially shrinking nominal values.
3. Increasing inflation. Same result in change of buying power as point 2, but eventually the hourly rate of UBI would increase, like the minimum wage in $.
Solution 1. may be complemented with 2 or 3, but 2 and 3 are likely exclusive. I’m favoring combination of 1 - “elastic stake” and 2 - “negative rates”, because it ensures protocol is secure, even if it doesn’t pay as much UBI nominally, it still pays it equally. Another reason is that UBI should favor people who need it now, even if it may hurt long-term savers / hoarders. It’s also easier this way to eventually get rid of most of unusable UBI (sent to 0x0) or frozen on broken contracts.
Automatic stablecoins like RAI may provide some inspiration to UBI to manage tradeoffs, but they can’t create something out of nothing, so demand for UBI will still need to be engineered and looked for outside (charity, politics).
UBI
Mostly based on existing solution by @santisiri and UBIv2, but I thought it’s worth repeating the benefits.
This token should be unconditionally and equally streamed to every human participating in protocol. Participation may require some jury duty, but it won’t be frequent in practice (on average once every few years).
DAO should seek initiatives that remove UBI from circulation with open market forces and allow it to have market value. Examples are: charity projects, sales tax in willing marketplace (NFT) or in-game rewards. Project should come with a builtin solution to burn UBI and remove it natively and not just send it to 0x0 address.
Charity
PoH DAO or other DAOs should encourage NFT auctions, donations, parties to burn some UBI.
Forced taxation
Other DAOs or projects may decide to enact taxation that will redirect funds (ETH or other tokens) to some UBI burner. Such a UBI burner should implement some smoothing algorithm, so it cannot be as easily attacked by MEV bots that trigger and then sandwich it.
A successful PoH DAO or a related one can gain sufficient political power to enforce self-taxation of, say, OpenSea and other apps (1% sales tax to a UBI burner), in a similar way to how companies are currently forced to implement ESG guidelines or get ostracized. UBI DAO can get AI and blockchain companies that remove people’s jobs faster to do something similar. UBI results are traceable and verifiable, unlike most ESG talk, which results mostly in media campaigns.
UBI-Ash token
Similar to https://fees.wtf/ , but a more functional signal for the rich and another way of removing UBI from circulation without necessarily involving the market - ritual burning of some of your own UBI in order to permanently ensure that accrued or bought UBI can never be sold back to the market. It may not be core to PoH and UBI, but a separate project.
Consider Vitalik - he bought a lot of UBI as a gesture of charity, so he did a lot of good, but you can never be sure whether he’s speculating or whether he will dump it to drive down the price. Potentially, he could attempt a sybil attack on the registry. Burning it in an official way should allow him to clearly express his intent. Some form of burn leaderboards or business ranking by % of tax should help people get better informed.
Substreams
UBI should come with the ability to create substreams, to allow directly supporting any DAO by granting it a percentage of your own spendable income. It’d be a good way to fund DAOs or passively help known people in need. AFAIK, UBIv2 has some support for it.
Foreword
The main point of this long post was to give a high-level design and something to think about to open-minded leaders of this protocol, and to prove that it’s feasible to secure a protocol like PoH only with its own token, given some special considerations.
Proof of Humanity may be a more ambitious project than “yet another centralized registry pretending to be decentralized”. I urge you to rethink your position and consider if your PNK bags, which are likely still vesting, are worth this conflict. This or the next PoH DAO will still need developers, and I’m pretty sure it will find sponsors to pay them proper wages - simply don’t expect it to pump your bags, ffs.