The myth of trustlessness

Con men reveal blockchain is a confidence machine

The Blockchain Con Men

On a night in 1990, Tommy Carmichael woke up with a brilliant idea. He had just invented the “Monkey Paw”: a flexible metal wire connected to a rod that could be used to cheat slot machines. Twenty-six years later, a hacker (whom we will refer to as “0x15def”) sat in front of his computer screen, inspired by another brilliant idea. He came up with a way to exploit an “immutable” software protocol which enabled him to amass an amount of cryptocurrency worth $55 million at the time. He became known as the attacker of TheDAO: one of the world’s first decentralized autonomous organizations.

This story is about the debate over whether a technology can truly be “trustless.” As shown by recent events like the dramatic implosion of the Terra cryptocurrency, a so-called “algorithmic stablecoin” which relied on code to help it maintain a peg to the US dollar, supposedly trustless systems can have ruinous consequences for communities organized around them when they fail.

We ask: is there a better way to think about trust in blockchain technology, that does not reject it, but brings it thoughtfully into the picture?

Cheating TheDAO

TheDAO, launched on the Ethereum blockchain in 2016, was envisioned to operate like a decentralized version of Kickstarter. Participants could pool their cryptocurrency together, and then vote on how to invest it—without a centralized operator taking a cut. It was supposed to counteract the rent-seeking inherent in “platform capitalism” and enable participants to have greater control in the decision-making of an online platform. The basic building block of TheDAO was its “smart contract,” which—like the slot machine—was designed to operate mechanically, without any possibility for human interference.   

As originally conceived by blockchain pioneer Nick Szabo, smart contracts are embedded in a deterministic world. If the world of the slot machine is one made of metal, levers, and gears, the world of the smart contract is one made of code—which, unlike natural language, is unambiguous and executes exactly as it is written. 

The uniqueness of TheDAO was that it created an organizational form in which every interaction is technologically determined. No human would ever need to be trusted, as nobody would ever be able to cheat the system—in theory, at least. TheDAO would thus be a towering testimony to the widespread idea that blockchain is a “trustless” technology; that we don’t need to trust any banker, accountant, or stateswoman anymore. That notion would be put to the test on April 30, 2016, less than three months after TheDAO went live, when the attacker used an unintended feature of TheDAO code to drain millions of dollars worth of Ether—the native Ethereum cryptocurrency—into a single wallet. 

This was a devastating blow to the users of the Ethereum protocol, which sent the price of Ether tumbling as panic and anger raged on online forums, tearing a rift in the Ethereum community. 

Many considered the attack to be theft, calling for an immediate intervention. They advocated for a “hard fork”: a new version of the Ethereum blockchain, identical to the original but with the stolen funds transferred to a new smart contract, from which the original token holders could redeem their funds. Such a solution could not, of course, be achieved unilaterally; it would require an intervention by all network nodes to collectively “switch” to the new protocol.

Others, however, believed that regardless of the theft, the principle of immutability should at no cost be violated, as it was a basic prerequisite for the technology’s “trustless” nature.  Informal public polls leaned against forking, with one user asking: “What’s the point of using blockchain tech if a 3rd party acts as judge and police deciding what’s right and wrong?” Forks should, according to this view, only relate to technical fixes intended to improve the security of protocols. 

Eventually, the lack of consensus between the two groups led to a split of the Ethereum network into two separate networks: a dominant version, where the theft has been undone, and a less popular “classic” version where the theft has been left untouched.

TheDAO attack and its aftermath revealed something important about the claim that blockchain is a trustless technology. Like Tommy Carmichael and his Monkey Paw, the anonymous hacker 0x15def taught us that even the most mechanical and deterministic machine can be cheated. As advanced and sophisticated as the code of a smart contract might be, we can never assume that it is immune to abuse. 

When these systems fail, it is humans who always remain in the loop. Even in the most deterministic and tamper-resistant blockchain networks, participants still need to trust the decisions of core developers, validators, miners and crypto-currency exchanges, and other relevant stakeholders. 

When the confidence in Ethereum was compromised in the course of TheDAO attack, core developers had to be trusted to develop a practical solution to address the hack, while ensuring the proper functioning of the blockchain network, in line with the majority of token holders’ sense of fairness and justice. Miners and validator nodes had to trust each other to collectively upgrade their software to implement the hard fork when the update was released by the core development team. The fact that a minority of miners decided to remain on the original protocol is a sign that such distributed trust could not be taken for granted.

Designing trust for trustless technology

TheDAO attack showed that blockchain technology isn’t as trustless as it is claimed to be. And yet, the myth of trustlessness and immutability continues to capture everyone’s imagination. So let’s reverse the question: if blockchain is intended to operate without trust, what is it offering instead?

In 2000, the German lawyer and sociologist Niklas Luhmann made an argument that trust should be distinguished from confidence. He claimed that trust is a feature of social interaction that allows us to take risks by putting ourselves in a vulnerable position. Consider trusting a friend to deposit a thousand dollars in cash at the bank: this trust might be betrayed, for she might run away with the money. 

Confidence, argued Luhmann, cannot be betrayed. It does not rely on human agency but instead on general knowledge, prior experience, or statistical evidence about the way a system operates. It derives from the predictability of future events that comes from the deterministic qualities of the system. Now, consider the slot machine. When we operate a slot machine, we are confident that putting in a coin could, according to the logic of the machine, result in a payout. 

Blockchain technology, like the slot machine, has been designed to build confidence. By combining technical features of deterministic computation, cryptographic primitives, and distributed consensus mechanisms, blockchains manage to generate confidence in a system that stretches across borders and cultures. You don’t have to know your peers in a blockchain network to be confident that a transaction will be executed. In other words, it is a “confidence machine.” 

Yet, even though trust and confidence are distinct, they are still related. Indeed, building confidence in a system—as we saw with TheDAO—requires trusting a network of actors operating the system. The actions of con men like the TheDAO attacker revealed that confidence in a system can never be absolute, and that when it is violated, trust needs to be rebuilt.

The difficulty of bringing trust back in

One popular approach to create more trust in the blockchain space has been the establishment of “off-chain” governance mechanisms, such as non-profit foundations that raise money to support the development and maintenance of protocols, and interact with real-world policymakers. These foundations, while sometimes described as unaccountable to the networks they serve, generally do not exercise direct control over these protocols. 

Some cryptocurrency networks, like Dash, have taken a different approach by vesting their “masternode operators” (participants who are paid in the Dash token to maintain a copy of its blockchain and validate blocks) with the power to vote on governance and funding proposals. Additionally, these masternodes can participate in the election and removal of the Dash Core Group’s board of directors through the democratically-controlled Dash Trust. This techno-legal arrangement enables the Dash network to own property and interact with the physical world, while still being controlled and administered “on-chain.”  

Yet, other examples reveal the limitations of an on-chain plutocracy. 

Consider the case of Steemit, a “decentralized social network” with over 1.5 million users . To avoid centralized control, the network was designed to be governed by a limited number of “delegated witnesses” elected by the users of the Steem blockchain, whose votes are weighted by the amount of cryptocurrency they lock up in a smart contract. 

Yet, there was a problem: a commanding percentage of Steem’s cryptocurrency tokens had been pre-allocated to the network’s founders. In 2020, Steemit fell into crisis when one of the founders sold his tokens to Justin Sun, a wealthy crypto-entrepreneur, who declared he would transfer Steemit to his own TRON network. Despite the protests of its community members, Sun was able to force through a takeover of the Steem network, violating users’ implicit trust that major stakeholders would not use their influence to sway voting behavior. 

Cases like this are why many blockchain communities prefer the chimera of “confidence without trust” over “trust without confidence.” Indeed, as the trustless character of a blockchain is often the raison d’être for its development and adoption, many blockchain communities prefer to hide behind the façade of “trustlessness” rather than admit that the systems require trust to operate. 

But this means many users go on falsely assuming that blockchain eliminates the need for trust—and the con men exploit this ignorance to their own advantage. Each time they do so, users end up learning hard lessons.

TheDAO attack was both a curse and a gift to the Ethereum community. By showing the limitation of the ‘confidence’ machine, it opened the eyes of many blockchain users to the existence of trust and importance of governance, and the need to design structures that could account for both. But there are many others who still haven’t gotten the message. 

Recognizing that slot machines and blockchains are not trustless doesn’t make them useless. Indeed, people use slot machines not because they are trustless, but because they come with a promise of potential gains, at low entry costs. Various applications of blockchain technology also hold a similar promise. But for a machine to truly generate confidence, we must focus not just on the design of the machines themselves, but on building a better trust infrastructure around them. That means people—even con men—will always have a role to play. 🌳

---

Primavera De Filippi is a Research Director at the National Center of Scientific Research in Paris, and Faculty Associate at the Berkman-Klein Center for Internet & Society at Harvard. She is the author of “Blockchain and the Law” published by Harvard University Press.

Wessel Reijers is a philosopher of technology, working as a postdoctoral researcher at the University of Vienna. He investigates the ethics of emerging technologies, with a focus on blockchain and social credit systems. Wessel is the author of Narrative and Technology Ethics.  

Morshed Mannan is an academic and lawyer. He is currently researching blockchain governance and platform cooperatives as a Max Weber Fellow at the European University Institute in Florence. He is part of the ERC project on BlockchainGov and a Research Affiliate at The New School.

Illustration by Josh Kramer.