Rune Christensen, CEO and cofounder of MakerDAO, explains the intricacies of the MakerDAO system, which includes the stablecoin Dai, which is pegged to $1, backed by collateral, and whose governance is managed by holders of the MKR token. He describes how the current version of “single-collateral” Dai, is backed by ether, how Dai is created with a collateralized debt position and what happens when the value of the collateral falls too low. He also talks about the roles of various players in the system, such as keepers, oracles and MKR token holders. We also cover how the system handles black swan events or other emergencies. The MakerDAO system is so complex, however, that we will reconvene for a part 2 to describe the rest of the system and how a multi-collateral Dai will function.
Thank you to our sponsors!
Tokensoft: https://www.tokensoft.io
Microsoft: https://twitter.com/MSFTBlockchain
CipherTrace: http://ciphertrace.com/unchained
Episode links:
MakerDAO: https://makerdao.com/en/
Rune Christensen: https://twitter.com/RuneKek
Previous Unchained episode on stablecoins with Rune and Philip Rosedale of High Fidelity: https://unchainedpodcast.com/why-its-so-hard-to-keep-stablecoins-stable/
Unconfirmed episode with Rune on Andreessen Horowitz’s $15 million investment: https://unchainedpodcast.com/rune-christensen-of-makerdao-on-its-15-million-from-andreessen-horowitz-ep-039/
MakerDAO white paper: https://makerdao.com/en/whitepaper/
Decreasing the stability fee: https://medium.com/makerdao/decreasing-the-stability-fee-1f9fe50cf582
Unchained episode on generalized mining with Jake Brukhman and Tushar Jain: https://unchainedpodcast.com/coinfunds-jake-brukhman-and-multicoins-tushar-jain-on-generalized-mining-ep-92/
Laura’s TEDx talk: https://unchainedpodcast.com/lauras-tedx-talk-how-crypto-could-allow-more-people-to-be-their-own-boss-ep-047/
Transcript
Laura Shin:
Hi everyone. Welcome to Unchained. Your no hype resource for all things crypto. Sorry, wait, wait. I have to start over again. Okay.
Hi everyone. Welcome to Unchained. Your no hype resource for all things crypto. I’m your host, Laura Shin. If you been enjoying Unchained, pop into iTunes to give us a top rating or…wait. No, don’t do that. That’s so cruel.
If you’ve been enjoying Unchained, pop into iTunes to give us a top rating or review that helps other listeners find the show, which would be great because we endured the worst sound check you could ever possibly imagine to bring you this episode.
Microsoft:
Do you have an idea for a blockchain app, but are worried about the time and cost it will take to develop? The folks at Azure have you covered. The new Azure Blockchain Dev Kit is a free download that gives you the tools needed to get your first app running in less than 30 minutes. Learn more at (aka.ms/unchained) or by following them on Twitter @MSFTBlockchain
CipherTrace:
Within months, cryptocurrency anti-money laundering regulations go global. Are you ready? Avoid stiff penalties or blacklisting by deploying effective anti-money laundering tools for exchanges and crypto businesses—the same tools used by regulators. Ciphertrace is securing the crypto economy
Tokensoft:
Considering using digital securities as way to grow in 2019? TokenSoft’s trusted platform for digital security issuance provides the security and compliance tools to enter new markets with confidence. Learn more at tokensoft.io or on Twitter @tokensoftinc.
Laura Shin:
My guest today is Rune Christensen of MakerDAO. Welcome, Rune.
Rune Christensen:
Thanks so much for having me.
Laura Shin:
And thank you for enduring that crazy sound check. All right, so you were on the podcast before talking about stablecoins generally.
Rune Christensen:
Yes.
Laura Shin:
And at that time, we did describe MakerDAO in that episode, but it’s a pretty complex system, so I felt like there was plenty more we could discuss. So much so, in fact, that I actually have to warn listeners that the MakerDAO system has a lot of nuances and a lot of special terminology, so you may have to do a lot of rewinding. Honestly, preparing for this, reminded me a little bit of the dYdX episode where I was having to listen to my pre-interview with Antonio on a .6 speed.
Anyway, so Rune, for listeners who didn’t hear the episode, why don’t you give us a short overview of what MakerDAO is and how it works.
Rune Christensen:
Yeah, so at the very basic, MakerDAO is a decentralized platform on Ethereum that creates a stablecoin called Dai, and being a stablecoin means that one Dai is worth one dollar and this is really useful, right, and sort of a new frontier in crypto because once you have stability and once you have money in crypto that just has value that you’re used to, you can actually start using it for real stuff and more than just speculation.
Laura Shin:
And there’s a second token also in the MakerDAO system. Can you talk about that a little bit?
Rune Christensen:
Yeah, so in addition to Dai, the stable token, there’s also MKR, which is like the governance token and sort of a speculative token that gives holders of its exposure to the system as a whole and yeah, I mean, and this really gets into this, what you were talking about, right. There’s a very advanced system, sort of under the hood, that powers the stability of Dai and the MKR token is basically like the ownership and the control over this underlying system.
Laura Shin:
And so, in the previous episode where we described stablecoins generally, we talked about how there were multiple different models to use where you, you know, that you could use to create a coin that had a stable value. So, what is the model that MakerDAO uses?
Rune Christensen:
Yeah, so there’s generally considered to be three types of stablecoins and Maker and Dai falls in the crypto-collateralized model. So, what that means is the stability of Dai comes from the fact that there is collateral. So, there are valuable assets that are sitting in smart contracts on the Ethereum blockchain and are essentially available to buy back Dai, and in that way prop up the price and keep it stable at one dollar.
Laura Shin:
All right, great. Yeah and just so people know right now it started with what’s called single-collateral Dai, which is backed by ether, but you’re going to be moving to a multi-collateral Dai system, which is going to be backed by many different types of assets. I mean, they all have to be crypto-informed, but some of them could even be real world assets such as, like, crypto versions of real estate or gold, or something like that.
Rune Christensen:
Yeah and even other types of stablecoins as well.
Laura Shin:
Oh, right, right, right, which I think I asked you about before, but anyway, okay, so let’s now dive into the details of how all this works and we’re going to just walk through the simplest scenario with Dai, which is that we have a single-collateral Dai and a user decides to create this single-collateral Dai for themselves and so listeners should know that what can happen is that if the value of the collateral that you put up falls below a certain minimum threshold, then your Dai and the collateral that you put up will be liquidated, your position will be liquidated.
However, let’s just walk through the simplest scenario in which somebody creates Dai for themselves, but their position is never liquidated. How do they create the Dai and then how do they get their collateral back?
Rune Christensen:
Yeah, so whenever I talk about this, I really like to compare it to a mortgage, like taking out a loan, where you’re using your house as the collateral from the bank, right. Because this is actually something a lot of people do and so basically the first part of interaction is putting the collateral into the system, right.
So, this is kind of equivalent to going to the bank and saying here’s my house and here’s the claim on my house and then you, like then the system, you know, gives you basically an amount that you can borrow based on the value of your collateral and then gives you, sends you the Dai, and gives you the money, basically, and over time…so, basically now you have the Dai.
You have the stablecoin that you borrowed that you can then go and spend on something and you also have what’s called the CDP, the collateralized debt position and this is effectively…this is something like, you know, like when you own your house, but the bank has a lien on it, right.
So, you own your collateral, but the collateral is locked behind debt and you can only retrieve the collateral out of the system again by paying back the debt, and let’s say if you wait a year before you pay back that debt because you wanted to spend your money and then after a year, maybe the price of Ethereum has gone up and you want to, like, lock in some of those profits.
Then you also have to pay a stability fee. So, this is basically the interest rate you have to pay to the bank as well, right. This is a similar logic, so you pay down the debt and then you pay the stability fee, which right now has to be paid with a MKR token. So, the speculative governance token I was talking about earlier, and when you pay, the system actually burns the token resulting in more scarcity of the MKR token and that’s sort of what drives the value of MKR and then in the end you can retrieve your Ethereum collateral out of the system again.
So, this is really like you pay, you know, after you finish paying of your mortgage to the bank, the house is just yours, right, for you to hold and the bank can’t come and take it.
Laura Shin:
And what is this stability fee and why does that have to be paid through MKR?
Rune Christensen:
Yeah. I mean, so the stability fee is equivalent to, like, the risk premium of the loan, right. So, the stability fee sort of exists to protect the system against the risk that the collateral will crash to nothing and the system will have to recapitalize because, you know, now there’s not enough collateral to back Dai. So, the stability fee depends on how risky the collateral asset you’re using is and of course in single collateral Dai, so the current version that’s running live on Ethereum right now, there’s only one type of collateral and so there’s just one stability fee set for that, set for Ethereum.
Laura Shin:
Which is what amount?
Rune Christensen:
Yeah, so right now it is 0.5 percent and what’s interesting is actually it’s been changing quite a lot and it’s been changing based on our decentralized governance process, so it is actually the MKR holders that come together and then vote directly on the blockchain with their MKR to change the stability fee and yeah, and then again the way it’s…like when you’re paid you actually paid with the MKR as well.
So, if you’re like a regular user, when you want to close your CDP, so when you want to pay back your loan and just retrieve your collateral, you have to go and buy a tiny amount of MKR and then give that to the system and then the system will then burn that MKR, and to date about 500 MKR has been burned this way, which is equivalent to something like…let me think.
That’s less than one percent of the total supply so it’s not really…actually, it’s about 0.1 percent of the total supply, that has been burned so far in total, but that kind of represents what gives the system value and kind of keeps it going, because it means that as the system runs and as people use it the value of MKR grows, right, because MKR becomes more and more scarce and this in turn creates the incentive that’s necessary for MKR holders to actively engage with the system and govern it and make sure it remains stable.
Laura Shin:
And in a way, I guess, paying that through MKR it’s sort of like it helps insure the safety of it, in a way. Do you know what I mean in that it creates an incentive, or it sort of pays, I guess, the people who are governing it for governing well.
Rune Christensen:
Yeah, exactly.
Laura Shin:
Yeah.
Rune Christensen:
So, it aligns incentives of the users of the system and those who, like, I guess you could say the workers, right, those who operate the system, but actually…
Laura Shin:
Yeah, and actually pay isn’t the right verb. It’s more like the value of their MKR rises as long as they govern it well.
Rune Christensen:
Yeah, exactly.
Laura Shin:
And people are paying back. Yeah, okay.
Rune Christensen:
And in the multi-collateral version of the system, so in the next release, there is like what we really consider to be like the full version, and the current version we consider to be a beta. This will be abstracted away, so when you pay down your debt, the stability fees actually paid in Dai, and you don’t even know. Like you don’t even have to worry about what’s the principle debt. What’s the stability fee?
Like you just have an amount of debt that you have to pay to get access to your collateral and the system then automatically, sort of takes out the portion of what you’re paying back that is equivalent to the stability fee and takes that Dai and automatically buys MKR with it and then burns it.
So, it becomes more convenient for the end user, but the system still has that dynamic of buying and you know burning MKR and thus making sure that as users use the system, those who regulate and protect the system are continuously rewarded to align the incentives.
Laura Shin:
All right so now let’s move to the next scenario, which is a little bit more complex than the single collateral Dai that’s just redeemed and doesn’t get liquidated. So, a version in which someone does create single collateral Dai, but then the value of their collateralized debt position does fall below that minimum threshold. At that point, what happens?
Rune Christensen:
Yeah, so right now, the liquidation ratio, so that minimum threshold of collateral value, is set at 150 percent and on average, actually, most people keep it at 300 percent. So, most people, they have for every one dollar of debt, they actually have three dollars of Ethereum collateral, but that doesn’t…you know, that doesn’t protect some people from being a little bit…taking a little bit too much of risk and getting really close to that point and yeah.
So, if you hit that 150 percent level, so that basically means let’s say if you have 100 dollars in debt. If the value of your Ethereum collateral hits 150 dollars in value, the system will detect this through it’s price feed oracles and will then trigger a liquidation and that really just means that it takes all your collateral and it sells it off on the market to try to recapitalize and get in enough Dai and then when it gets enough Dai, it pays down your debt, takes also, a penalty that’s kind of there to incentivize people to not get into this position. Like, not rely on this mechanism, but rather make sure that they maintain their own CDP, like, on their own and then whatever’s left over, if anything is left over, is then given back to the user.
Laura Shin:
And so, for this penalty, which is the liquidation penalty, what percentage is that?
Rune Christensen:
That is actually at 13 percent right now, which I think is quite high, but I think an interesting dynamic that we have seen is that as over the past year, right, as the Ethereum price has completely crashed, like complexly cratered, right, but during this time Dai has been backed only by Ethereum and what’s interesting is that as CDP holders keep getting closer to their liquidation point, they’re very good at, like, topping off with Ethereum collateral because they don’t want to get hit by that 13 percent penalty. So, it’s like a very strict penalty that is in place right now, but also it has a very healthy sort of effect on the behavior of the users.
Laura Shin:
And why do you have the liquidation penalty? I mean, I understand you said earlier it’s to incentivize people to not get liquidated, but why is that important for the MakerDAO system if essentially this system should always at least remain whole?
Rune Christensen:
Yeah. I mean, this is so like this actually gets into some of the deeper governance and risk theory that we spend a lot of time talking about in the community and basically the thing is that Maker is designed to not fail under normal circumstances, right. Like it’s fine if Ethereum falls, let’s say, 90 percent over a year. That’s not really a…like that is actually an expected scenario, right, and similarly if there just are, like, fluctuations in the market and there’s like a big crash or something, that’s still also not for these parameters to deal with.
But kind of the only real risk to, like, a financial infrastructure like Maker is, you know, it’s like really like a systemic type of sleepwalking where everyone is kind of ignoring what’s going on and people are just like counting on whatever. Like, oh yeah, it’ll be fine kind of, and you know so actually it’s almost like more than just a financial phenomenon. It’s like a cultural phenomenon, right, which I think is something…like if you look at something like the 2008 financial crisis. That’s like an example of when complacency really sets in, that’s when you can get these kind of, like, crazy crashes that actually can catch even the most, you know, diligent risk model off guard.
So, the goal is basically that we really want to ensure that, you know, the users understand that, you know, that they’re playing with leverage, which is some…you know, credit is actually something and credit risk is something to take seriously. So, if you don’t know, like if you’re not actively managing your own position and you’re don’t actively know what’s going on in the system, you should use a service that, you know, holds your hand kind of. That helps you actually do this, and so right now a few of those services exist, but basically in the future we expect it to be a much, you know, bigger and healthier ecosystem of many types of, you know, like front-end services that, for instance, will help liquidate user’s position in advance so they don’t hit the limit.
Like so they don’t hit sort of the system level and just in general ensure that the system as a whole runs more smoothly because the people who use it actually, you know, are watching the market right now. Actually, watching what’s going on rather than just, you know, levering up and then, you know, hoping everything will be fine.
Laura Shin:
Yeah, I love what you said about the cultural shift, because I feel like this is yet another example of how people have to learn with crypto that it really is like digital or it can function like digital cash and that this money just…it performs really differently or acts really differently from the kinds of money that we’re used to and it’s like yet another example of the mind shift that somebody has to undergo if they’re going to take control of their private keys, and there’s actually more I want to ask you about that later, but another thing that I wanted to ask you was, so why is it 13 percent? Because you, even yourself, admitted that was high.
Rune Christensen:
Yeah, it’s actually because, I mean, so the reason why, I think, 13 percent is high and kind of…I mean because in hindsight, we actually think that in a way we can justify that it maybe makes sense in a system like this to have this sort of a very punishing penalty like that just because we saw that good behavior out of it, right, but so it’s actually because just like for technical reasons in single-collateral Dai.
It’s implemented in a way where its liquidation function is just not very good, basically. So, it’s very inefficient and for that reason, so just to like…I mean, I guess it’s not like it’s…you know it’s just like it could be a lot better and it will be a lot better in multi-collateral Dai and basically because that’s the case, we just decided to really, really err significantly on the side of caution and just put something we thought was like yeah, this is really, really high. We’re going to put it at 13 percent and then there is no way that we will actually run into issues, you know, derived from the fact that the liquidation function is implemented in a more simple way.
Laura Shin:
And then why is the minimum threshold for collateral, why is that 150 percent?
Rune Christensen:
That’s actually just an arbitrary number. Like that is, I mean, I guess it’s like what we looked at when we came up with that completely arbitrary number is things like other stablecoins like, you know, BitShares has this BitUSD stablecoin that Dai really is inspired by and is sort of an evolution of that whole design, and that actually had a similar…like had risk parameters that were similar to that, although their risk rules work slightly differently, and then another example is when you look at the various margin-trading platforms, like that allow people to margin trade Ethereum, for instance.
What we saw is those that we considered to be kind of like the legit ones, I guess you can say, like the not ones that are like full-on casinos, but more like actually are providing leverage to sophisticated professional traders that know what they’re doing and they seem to…I mean, typically, they would allow up to 5X leverage in many cases and also 3X is pretty common, so we basically said 3X was going to be our sort of absolute upper bound for how much leverage users would be able to take.
So, we just ensure the system stays on the sort of safe side, but yeah there’s actually more nuance to this because in reality this liquidation ratio is actually not like a fixed point, but rather it’s a function of what the stability fee is. So, there’s, you know, the interest rate that you have to pay due to the inherent risk of your collateral of your loan.
So, in multi-collateral Dai it will actually be kind of like choose your own liquidation ratio depending on how much you want to pay in stability fee and then those two things are related on a curve.
Laura Shin:
Oh, wow. Yeah, I mean, there’s a lot of comparisons one could make to something like Lending Club, like a peer to peer loan, but that I definitely think of as another parallel that I’m seeing. I actually think this sort of brings up the role of keepers, so can you describe who they are in the community?
Rune Christensen:
Yeah, so keepers are, I guess you can say, they’re kind of rational agents who are completely independent from the system and who can be, like, anonymous and basically can be anyone, and any person can run a keeper by just going to a keeper repository on GitHub and get the open source code, and what they basically do is they are, yeah, they’re like external independent agents that exploit various profit opportunities in the system.
Now, the most obvious and sort of like the reason why the keeper concept was invented was to arbitrage the liquidations in the system, right. So, when a keeper sees…like, so keepers are constantly looking for CDPs that reach the liquidation point and if it finds one that has reached the liquidation point then the keeper is actually the one that sort of triggers the function in the system that actually runs the liquidation and the keeper then also will buy the collateral out of the system during a liquidation, for instance, and then immediately go and sell it on some market elsewhere.
So, keepers are kind of, in a way, a little bit like the glue that holds the system together and they’re also kind of like the rational capital that interact with the system to, for instance, stabilize Dai in the short term, based on the incentives that are built in for the long term and ultimately the more keepers there are, like the more regular users the system can handle, and also, like, depending on how efficient or inefficient the system is, that determines how much you can make as a keeper.
Laura Shin:
Yeah, the role of keeper reminds me a little bit of miners in Bitcoin or Ethereum, or really any other role, or this new trend that I discussed on the podcast with Jake Brukhman and Tushar Jain of Generalized Mining, where now you’re seeing
that these software networks basically can employ people or machines and it’s something I talked about in my TEDX talk a little bit, but as long as the incentives are designed correctly, then the people who take on these roles can make money doing them.
So, one thing that you mentioned, though, is that they kind of help keep the price, you know, near the peg or at the peg. How does that part work?
Rune Christensen:
Yeah, so and actually I really like what you were saying about it’s similar to mining, because when we first came up with the name keeper, we actually was like thinking, like, how do you explain what it is. Maybe something like mining 2.0 and then so the other key thing to a keeper, other than that keepers exploit profit opportunities is also if you’re a keeper and you’re already doing one thing where you’re sort of scanning the blockchain and exploiting a profit opportunity, you may as well also do everything else that sort of is, you know, now you’ve already got this secure setup that’s performing some sort of profitable function, you may as well also look for other similar things you can do, right, and so the other really obvious thing to do, like as a keeper, that’s already scanning Maker for liquidation opportunities, is to, for instance, arbitrage the price of Dai across decentralized exchanges, right.
So, if you can find something, like you can find an order on two different exchanges that actually cross, but just haven’t matched because they’re in two different order books, then you can buy one and sell the other, for instance, right, but the really advanced and also the most profitable activity that a keeper can do is market making, right. So, really just providing liquidity to the market and this is what can really, in a way, be described as exploiting the most fundamental mechanism of the Maker system, which is the governance mechanism that keeps Dai stable around one US dollar, and so basically what a keeper will do is a keeper will just bet that if the price of Dai is, you know, deviates from one dollar, that’s a profit opportunity because you can either then buy Dai and expect it to go back to one dollar and sell it again for some profit, or you can sell it above one dollar and expect it to go down to one dollar and then buy it to also similarly make a profit.
Laura Shin:
Yeah, I find this whole system pretty incredible. The more I learned about it the more I was really amazed, and I honestly was proud because, like you, I taught English in Asia early in my career and so I was pretty impressed that you had led the charge to go with this system. All right, another role that I want to discuss is oracles. What do oracles do? Who are they?
Rune Christensen:
So, the term, oracle, is a pretty old term. I think, probably like those kinds of things, I feel like it was made up by [inaudible]. I think that’s very likely. I mean, I feel I remember him making a blog post at some point in the early days, but anyways, the oracles is like, yeah, it’s a generalized term for external actors that provide trusted data onto the blockchain.
So, for Maker, like oracles play this very crucial role of telling the system what the price of Ethereum is, for instance, right. So, the system knows when CDP is supposed to be liquidated, right, because you can’t actually find that. Like, the blockchain doesn’t see the outside world, right. So, you know, you actually need to have some sort of link and there needs to be some element of trust when you get in some data, because you can’t just have anyone submitting any data they want, right.
Then that’ll immediately…it just won’t work. You actually need to, like, define in advance who do you trust and like what kind of sources do you trust for your data, and the oracle problem, as many like to call it, right, is really one of the most fundamental issues in, like, smart contracts and decentralization, and the good news is nowadays there’s some really cool solutions.
So, the solution we are currently using with Maker is just a relatively simple, like diversification scheme, essentially, so basically rather than using one source for the price feed into Maker, they MKR holders, they actually choose a whole set of oracles. So, they will choose. So, like, right now, it’s 14 different Ethereum addresses, so like 14 different, like, people basically around the world that have been chosen through an MKR vote when the system was launched and they all individually provide data into…like they all individually continuously update what they sort of observe to be the current price of Ethereum on the market, and then there is like a fully autonomous smart contract that takes in all of these data.
So, it basically takes 14 different data points in real time and then takes the median of those different data points and then pushes that median into Maker itself, and so that means…and taking the median of the data points is pretty important because that actually gives us some resilience, because it means that if just like, let’s say, some of the oracles get compromised and start sending crazy numbers, it’s going to be completely ignored by the system.
Only if 51 percent of the oracles are compromised and start sending bad data do we actually have a problem where that’s going to get pushed into the core of the system, so there also have to be some secondary mechanisms to kind of protect against, yeah, like compromised oracles and that’s fundamentally like the fact that oracles always can, in theory, be compromised is sort of the fundamental thing about the oracle problem.
Laura Shin:
We’re going to keep discussing oracles in a moment, but first a quick word from our fabulous sponsors.
Tokensoft:
Issuing a digital security on the blockchain can be a significant undertaking, particularly to ensure compliance requirements are met. TokenSoft’s trusted platform for digital security issuance provides security in a world of uncertainty by working with top legal and financial experts so that your digital assets are secure. TokenSoft leads the market in providing tools to support tax, banking and securities regulations for issuers of digital assets. We are honored to have supported the leading issuers in 2018. To learn more about issuing digital securities successfully, visit tokensoft.io or follow them on Twitter @tokensoftinc.
CipherTrace:
Within months, cryptocurrency anti-money laundering regulations go global. Are you ready? Avoid stiff penalties or blacklisting by deploying effective anti-money laundering tools for exchanges and crypto businesses—the same tools used by regulators. Ciphertrace is securing the crypto economy
Face it, regulations can stall or kill a fast-moving crypto business. New financial action task force and european union cryptocurrency AML laws are coming soon. You could be hit with stiff fines or blacklisted—no matter where your servers are in the world. Prepare now. Deploy the same powerful CipherTrace tools used by regulators. protect your assets, streamline your compliance programs and keep your exchange or crypto business out of the regulators crosshairs. Learn how effective anti-money laundering tools help keep your crypto businesses safe and trusted. Learn more at www.ciphertrace.com/unchained. CipherTrace is securing the crypto economy.
Microsoft:
Getting your blockchain app off the whiteboard and into production can be a big undertaking. From connecting user interfaces to integrating disparate systems and data, blockchain app development can be time-intensive and costly. Well, the folks at Azure have you covered. With a few simple clicks, the Azure Blockchain Workbench can create a blockchain network for you, pre-integrated with the cloud services needed to build your app. And with their new Development Kit, users can extend their app to ingest messages from bots, edge devices, databases and more. It’s free to download and gives you the tools you need to get your first app running in less than 30 minutes. To learn more about the Dev Kit and how to get started, visit (aka.ms/unchained) or by following them on Twitter @MSFTBlockchain
Laura Shin:
Back to my conversation with Rune Christensen of MakerDAO, so I totally understand everything you’re saying about how the oracle problem is a fundamental problem and I understood this part about the 51 percent attack, but if that’s all the case then why are there so few oracles? All you have to do is get eight people to collude and they can totally corrupt the system. That seems like a really, kind of, vulnerable position to be in.
Rune Christensen:
Yeah, I mean, so right now with single collateral Dai and the way the system is setup currently, we are really relying a lot on the fact that, like, the people who are running these oracles currently are actually some very longstanding community members. Some of them are even oracles from other projects in the past, including BitShares, which is like one of the first, or possibly the first, project that started using oracles in this way, and then they’re also, like, their identity is also not known.
Like, the foundation runs this whole oracle, sort of anonymization scheme where it’s only very few people who actually know who the oracles are and so ultimately it’s definitely…I mean, what it is, it’s really a system that’s robust enough for the beta, for single-collateral Dai, because like it’s not really in its current state it’s not really something that can be compromised by like a normal actor.
You know, maybe some state-level actor would be able to penetrate the way it currently works, but we definitely consider it safe enough for, you know, the relatively limited scale of single-collateral Dai and then our main focus is how to make it better, right, and actually the absolute key thing that must be solved is, in fact, like I mean the oracle problem, fundamentally, just needs to be solved, right.
Like, in fact, you can’t actually ever accept that regardless of what the chance is that the oracles get compromised. Like it doesn’t matter what that chance is, as long as it’s not zero, that’s not acceptable, right. You’re not going to actually be able to build a full financial infrastructure on top of it.
So, we actually have a solution that we believe actually…I mean, of course, you can’t…like you can never solve something or you can never sort of guarantee anything with complete certainty, right, but we’re sort of approaching, you know, like 99.999 percent confidence with this approach and basically the idea is that so alongside this median, like this function that sort of takes in all the different inputs and then takes the median of those inputs, so to ensure that even if some of them are compromised it doesn’t matter because as long as the majority of them are clean then it won’t get contaminated, but then the next step is that instead of pushing this sort of, you know, the fully processed data directly into the system, there’s actually a delay in post on that data, and this is through something that we call the oracle security module.
So, basically, the oracle’s, like, sort of the processed data from the oracle is put into the oracle security module and it then sits there for an hour and just waits and is basically available for everyone to see. So, everyone can see okay in one hour, this will be the new oracle input, but you know we can see it now and we don’t, like, we can actually react.
We have a full hour to react and then if the value is something crazy like, you know, 99999 or whatever, or zero, or something, right. So, basically if the oracles are compromised and they’re trying to attack the system by sending in malicious data then the sort of second layer and very strong, powerful, defensive mechanism can then, like, activate, and this is probably actually the most important feature of the whole system.
It’s called the emergency shutdown. So, basically it is a way for the system to actually shutdown in the event of some sort of negative, you know, external or whatever. I mean it could even be if the system got hacked, or it could be if the market went completely crazy, or if like there was some sort of crazy crash, or if there’s some sort of crypto-economic attack, like on the oracle infrastructure, and what an emergency shutdown does is, it sort of freezes the system at its last known safe state.
So, if there’s currently some bad data on its way through the oracle security module, then the emergency shutdown will sort of rely on, like, on the last oracle datapoint that was before that, right. It was still a safe data point and then it will settle every single user of the system at the net asset value they’re entitled to.
So, what that means is as a Dai holder, the worst thing that can happen to you as a Dai holder is that the system stops. Like the service sort of stops running right, the system stops working, but you can now just…like what that means to your Dai is your Dai now just becomes a claim on one-dollar worth of collateral, right. So, you no longer have a stablecoin that remains stable at one dollar, but your current stablecoins you can go and you can exchange them directly in the system for like the equivalent value in eth of one dollar at the time that this emergency shutdown was done, and then there is this very highly redundant infrastructure of what’s called emergency oracles.
So, basically a different type of oracle that just watches out for, yeah, for like oracle attacks and actually there’s also another kind of attack, which is the MKR holders getting naughty and trying to use their powers maliciously, and in both cases the emergency oracles are able to detect this and then it’s like a very redundant and also very, I guess you can say trigger happy infrastructure, right. So, like even a single emergency oracle is able to, on its own, unilaterally trigger an emergency shutdown, and there is actually layers beyond that.
So, even if all the emergency oracles failed, MKR holders themselves are actually, with, like a relatively small minority, able to also directly trigger an emergency shutdown and ultimately all of this together is how we get to that. So, you know, we can’t guarantee with total, like total certainty, that an attack will be, you know, mitigated with an emergency shutdown, but we can guarantee it with like 99.9999, like kind of like as close as you can possibly get to total certainty, and this, we believe, is then a strong enough deterrent that it actually makes it just totally economically unviable for someone to try to attack the system in any way, right, because launching an attack would be very expensive and the probability of success is just, you know, it doesn’t register, basically.
Laura Shin:
Wow. This is really intense. Just so I can be clear that I understood. So, a single emergency oracle can trigger a shutdown and also MKR holders can singlehandedly trigger shutdowns?
Rune Christensen:
Yeah and you know it’s kind of like that logic of you know it’s better to see an imaginary tiger than to fail to see a real tiger, you know. So, you know, basically it’s very easy to trigger an emergency shutdown and even a small, like a minority of MKR holders, so actually a very small percentage of MKR holders are able to do it. Now, of course, the problem is like there’s the flipside to this, right.
This is emergency shutdown is very terrible. Well, I mean it’s definitely like it’s not really a desirable thing, right. I mean, ideally it never happens and that’s actually why it’s called…it used to have a different name, but we changed the name to emergency shutdown to really, like, signify that this not actually like a feature you should expect to ever happen, but it’s more like, you know, it’s almost like a game theoretic device that sits there to prevent stuff from happening, but hopefully never has to be used. However, if it did have to be used, there are, you know, there’s a lot of infrastructure in place to ensure that you can actually just do a smooth, sort of, redeployment and kind of like immediately restart the system and get everything back to normal.
So, in the end, what kind of like what we call a troll shutdown, right, so someone, like, abusing their power of being able to trigger an emergency shutdown in the event of attack and instead just using it to, you know, just like cause disruption. What that would really mean for an end user is that, like, in their wallet or something like that they would have, like they would have to click a button and they wouldn’t even need to know, like, why that was, what was going on behind the scenes, but then that would be sort of that would be the only thing that would really be felt by the end users and the system and the governance is then able to sort of handle the entire migration on the backend.
Yeah, so you know it really is kind of like, you know, a nuclear deterrent in a way, right. It’s kind of like mutually assured destruction and ideally, it never actually is used in real life, except in one circumstance, which is upgrades. So, you also use it when you want to upgrade the system, right. Then it exists to, you can shutdown the infrastructure and you can transition to a new one and actually when we upgrade from single-collateral Dai to multi-collateral Dai it is by eventually triggering an emergency shutdown on single-collateral Dai.
Laura Shin:
And I’m sorry, in the case of a troll emergency shutdown, how is that person punished?
Rune Christensen:
Yeah. So, that’s my favorite part. So, there’s actually a whole bunch of…like we also have a bunch of game theory around that, right, but I mean there’s basically two types of actors that can trigger an emergency shutdown, right. So, there are the centralized emergency oracles that are, I mean, in the long run they are basically going to be institutions of some sort that are chosen by MKR holders and given the power to trigger an emergency shutdown.
In the short run, they will be sort of multiple independent divisions within the foundation. So, the foundation will run, like, a very sophisticated security infrastructure that then also has the power to do the emergency shutdown and basically like the way to prevent trolling from, you know, centralized legal entities is pretty simple. It’s just using the legal system, right.
So, there will actually be, like, you know there will be legal agreements in place that ensure that someone who abuses that power can actually be, you know, like can be pursued legally and then the other…so, like that should serve as a deterrent but of course it’s not guaranteed to do so and ultimately…
Laura Shin:
But wait, when you say pursued legally, like what law would be broken and there’s different jurisdictions, so how do you…that just sounds…
Rune Christensen:
Yeah. Like let’s say, like…I mean this is actually different depending on which jurisdiction the emergency oracle operates in, right. So, but typically I mean it would basically it will be an agreement between, like, the emergency oracle and then something like well-known entities and institutions in that jurisdiction that are sort of that the community ultimately trusts that if we look at this entire network here and they all have agreements with this emergency oracle, you know, that if they abuse their emergency oracle powers, they can be…you know, there’s some sort of liability there.
Then, like that’s at some point, there is going to be enough guarantees in place that the community actually feels comfortable, you know, whitelisting that particular emergency oracle with the power to trigger an emergency shutdown, and then if like of course it’s still not guaranteed it really is for sure not going to be abused, but then again like the key is that if it is actually abused, it’s still like, you know, it’s not the end of the world.
It is just like a UX annoyance, basically, and the next time that…like once you then have a troll emergency shutdown from such a scenario and you do the redeployment after, then of course you just make sure to not make the same mistake, right, and exclude that emergency oracle and in general can add more, like, strict checks and balances on who gets to have that power.
Laura Shin:
Yeah. I mean one other thing that I was thinking is it’s more than just a UX annoyance because the people who have collateralized at 3X will recoup much less money than the people who collateralized at 1.5. So, in that regard, the people who are kind of being safer with their collateralized positions, they get punished more in that scenario, right?
Rune Christensen:
No. I mean if you go from one live system and then do an emergency shutdown, and then a redeployment process, and transition over, you’ll be the exact same. Like you click a button and your CDP will be exactly like it was before. There are actually some efficiency losses.
Laura Shin:
I thought with the emergency shutdown, everybody’s position basically…well, I don’t know if it gets liquidated, but people only receive one dollar…they only get a value that’s equivalent to the amount of Dai that they had. Isn’t that correct?
Rune Christensen:
Yeah, well, sorry. As an asset as in value, right. So, if you’re a Dai holder, you get value equivalent to the Dai you have. If you’re a CDP holder, you get value accrual into sort of the excess, you know, the free collateral that you have. So, let’s say you have a CDP with 200 dollars of collateral and 100 dollars of debt, right. Then you would get 100 dollars of collateral and you would then immediately be able to go to the new system and use that 100 dollars of collateral to then, again, collateralize, you know, a 200 percent collateralization CDP, where you also take out 100 debt and use that to purchase an additional 100 dollars’ worth of Ethereum.
Laura Shin:
Oh, okay.
Rune Christensen:
But rather than having to do this manually, you know, there’s a process in place that we will showcase the first time when we do the single collateral to multi-collateral upgrade, where you actually just click one button once and then all of this stuff happens, sort of automatically, on the backend and you just see now your CDP has been migrated over from one system to another.
Laura Shin:
Okay, and I wanted to ask more about the oracles. How often do they give their prices because, as we know, the crypto prices can be very volatile? So, if it’s you know within long enough time periods then the price can really have varied a lot even in the interim between when they have to give their price updates.
Rune Christensen:
Yeah. So, right now, they actually give it very often. Right now, it’s something like…well, actually, right now they don’t really have a fixed frequency. They just have that they update any time they see a change of, I think, it’s something like one percent, but actually there’s some deliberately set to be scrambled, so but like in the end it does give a pretty regular cadence of updates, currently.
Laura Shin:
Which is when?
Rune Christensen:
Well actually, I mean, which is something like every…well, it’s hard to say actually because it depends on how much the price is swinging. So, like, but I guess it’s I mean at least every minute or something. You know, like it stays very up to date in that sense, but actually what’s interesting is…
Laura Shin:
So, it’s really like people running algorithms, essentially, that are the oracles.
Rune Christensen:
Well, yeah. So, what it is, is it’s processes on servers around the world that basically hookup to various APIs of exchanges and then like monitor them and then run some sort of algorithm on the different prices that they see from different exchanges and then ultimately come up with like some accurate number that they then, or you know some median number or something, that they then push into Maker and they actually all use different algorithms, you know, for the sake of diversification.
So, they all have like a slightly different approach on, you know, how they obtain the current market price of Ethereum, but I think one thing…
Laura Shin:
If Maker…oh, go ahead.
Rune Christensen:
Yes. One thing that’s interesting, you were talking about is how this thing about the price, how there needs to be very frequent oracle updates, right, because that was also our initial thought, right, and that’s why we engineered the oracles the way they currently run, but what we’ve since come to realize is that the opposite is actually true, and that the system doesn’t actually need very regular oracle updates and that’s why we have that.
You know we had that whole security mechanism where so basically in multi-collateral Dai there will only be updates every hour and the short version of the reason why that is okay to do is because you can compensate for that via the risk parameters, basically. So, you can actually take it into your overall risk assessment that the oracle isn’t in real time, but rather you know has this one-hour delay, but then the second part is that in multi-collateral Dai, the way liquidations are done are through auctions and these auctions are like based on, you know, on like doing the preliminary calculations on it.
Basically, it turns out that these auctions typically should have a duration that’s something like six hours or more, basically, to really probably, you know, be able to access all the arbitrageurs and liquidity across the whole marketplace and ecosystem. So, once you have that as a context, right, if the auctions take six hours anyway, then you know like an oracle duration of one hour doesn’t actually really change much, because that just means you could, okay, if you were going to make the auction duration six hours and the oracle frequency is one hour, you can just cut down the auction duration to five hours instead and you still get sort of an overall end to end cycle of six hours.
Laura Shin:
Okay, I’m having a little bit of trouble following this. So, I think, though, this may relate to a question that I had for the oracles. Dai went live after the ether flash crash on GDAX in the summer of 2017, but at that time let’s say that Dai had been live. Then what would have happened is that the oracles all would’ve thrown out the 10 cent prices and whatever on GDAX because it takes the median. Is that how that would’ve worked?
Rune Christensen:
Yeah. I mean, so the oracles actually, like, so the way the median is implemented on the blockchain, on the smart contract side, and it’s a very simple process, right. It just takes the median of its inputs, but actually the oracle, you know, clients themselves. So, like that actual servers that are sitting there and sort of pulling data from different exchanges, they actually have a lot more sophisticated signal processing logic built into them, so they actually are just able to like detect this is a flash crash.
Just totally ignore that and so of course the problem is the question is when is something a flash crash and when is it a real crash? You know, that basically if there was a major crash across all exchanges at once and it actually was sustained, so it wasn’t just like instant. You know, it goes to zero and then it goes back up after like a few seconds or a few minutes, but actually if there’s like a huge crash and it is sustained for like, you know, for many minutes or maybe even an hour or something, then at that point, you know, there’s no way to basically detect that this is just a flash crash and then the system would really just register those numbers.
So, the risk of that, of something like that happening, basically has to be accounted for in the risk models themselves, right, because that’s like something like that can always happen, right. I mean there are many instances of like true, like true black swan events in the real world where there are assets that just have huge crashes and this really also speaks to the reason why you’ve got to have multiple collateral types, right. You can’t keep all your eggs in one basket.
Laura Shin:
Right, but so then, let’s say that there was something like maybe there was some vulnerability found in the Ethereum blockchain and suddenly the question of whether Ethereum itself was viable. Let’s say that, that happened. Like something really even bigger than, you know, when Vitalik was rumored to have died and you know, whatever. Just something where it’s like oh my God. Ethereum may not work anymore.
So, in that case, I guess this is just another way of me asking about what you were saying about how you actually don’t need frequent updates. Let’s say that, that it was thought that, that was the case and then maybe like an hour or two later people realized that for whatever reason this didn’t mean the end of Ethereum and suddenly people were buying back ether. Then, so why is it that the oracles don’t need to be updated as frequently? I still don’t understand that point.
Rune Christensen:
I mean, so I actually don’t…I mean, I think a better example to look at is just like an asset just crashing extremely fast, right, and the system not, basically, registering this fast enough to start triggering liquidations itself. So, once it starts triggering those liquidations the price is already zero and maybe if…like I mean now I’m sort of making the argument for why you think that you would have a really fast oracle client.
I mean if you have ultrafast oracles, you could imagine a scenario where like liquidations actually happened during that incredibly fast crash and the system would have been able to get some of the money back, right, because it would have been lucky enough to still sell to like a greater fool, kind of, that was willing to buy all the way down to zero, but I mean again, that is sort of…there is a reason. Like, there is sort of an argument to be made that this is good behavior, but like there’s actually also reasons why you don’t want that, right, because that is actually kind of the scenario you talked about, right.
I mean, where what if it goes to zero and it is at zero for, you know, 20 minutes and then it goes back to the price it was before, right, or some scenario like that, right. In some cases you don’t want to just like be super neurotic and immediately react to the data, but the most important thing is that fundamentally like whichever you do it, don’t really matter in the grand scheme of things, because Maker ultimately has to be able to not just deal with like really, really fast crashes, but with literally instant crashes, right. Like with a crash that’s literal from like the government seizes this entire tokenized, you know, like against all the gold or something that is tokenized in some vault, right.
So, the gold token is now from the very second that, that happens, that token is now totally worthless, right, so it doesn’t matter how fast the oracles are. The price has completely gone to zero now and that kind of scenario is something the system also needs to be able to handle, right, and the way you deal with that is really just through the fundamental risk management of the system, right.
So, the system must have very diversified collateral and must have, you know, like different kinds of stability in it and sort of like un-correlated assets that provide many different types of value and ultimately provide many different types of income streams to MKR holders, right. So, a lot of stability fees that constantly go to MKR to buy MKR and burn it, so that if one of these many different types of collateral suddenly disappears and just goes poof and is gone, this system as a whole is able to absorb that loss.
So, kind of like, you know, basically like insurance that like everyone, everything is paying, and then suddenly there’s a disaster in one point and basically the payments form every other point sort of makes up for the fact that there is a huge disaster. There is a huge shortfall here, but ultimately as a whole the system is able to absorb that and keep going, and so I mean, that’s also an interesting mechanism, right, because the way that actually happens in practice is that the MKR token is inflated.
So, just like the MKR token is burned and deflates in good times, it actually inflates and goes out on the market in the event of this kind of massive crash that undercollateralized parts of the system and ultimately, that’s sort of the fundamental dynamic of the governance, right, is all about trying to get in fees in good times and by all means and at all costs means prevent these kind of like crazy crashes that result in inflation.
Laura Shin:
Yeah, I’m having a lot of flashbacks to the financial crisis and I’m realizing, in a way, what you’re saying reminds me of how everybody says that when there’s a market crash, the smartest thing to do is to not sell. Of course, everybody does sell, which is why there’s a market crash, but it’s only, you know, when you sell that you lock in your losses. So, in the scenarios that you’re describing where there’s a crash but then there’s a recovery, it is better for the system to have not sold.
However, as we were talking about before, you don’t want the MKR holders to become complacent and so that’s why if they do manage the system in a way where it is exposed to these risks and therefore is harmed by the risk that they take, then their MKR holdings get diluted.
So, okay, Rune, so we’re now starting to sort of talk about multi-collateral Dai, and yet we’re approaching the end of the hour and it’s kind of crazy that we have not even discussed that or any of the many other things going on in MakerDAO, and I had a feeling this was going to happen, actually, when I went into the episode, because I mean it’s the case with pretty much every episode where I generally have more questions that I have time to ask, but this episode definitely took the cake and since we had a sound check that lasted longer than a typical episode, I think I’m just going to make this a two-parter, and we will release the second hour with my gazillion other questions, next week.
So, listeners, I would like for you to tune back in next week and in the meanwhile, Rune, it’s been so great having you on the show. Where can people learn more about you and MakerDAO?
Rune Christensen:
I mean the main place to go is to our website, right, MakerDAO.com. It has the whitepaper. It has our team page, and a lot of really good resources and then we have our subreddit which is reddit.com/r/makerdao as well as our community chatroom if people really want to get involved, which is…yeah, you can find that on the website, but it’s also at chat.makerdao.com.
Laura Shin:
Great. Well, thanks for coming on Unchained.
Rune Christensen:
Thanks so much for having me.
Laura Shin:
And to listeners, thanks so much for joining us today. To lean more about Rune and MakerDAO check out the show notes inside your podcast player. New episodes of Unchained come out every Tuesday. If you haven’t already, rate, review, and subscribe on Apple Podcasts. If you liked this episode, share it with your friends on Facebook, Twitter, or LinkedIn and if you’re not yet subscribed to my other podcast, Unconfirmed, I highly recommend you check it out and subscribe now.
Unchained is produced by me, Laura Shin, with help from Raelene Gullapalli, Fractal Recording, Jennie Josephson, Corin Faife, and Daniel Nuss. Thanks for listening.