Saturday, January 29, 2022

DeFi needs more secrecy, but not too much secrecy, and the right sort of secrecy

[Below is my contribution to CoinDesk's Privacy Week

The Privacy That DeFi Needs to Succeed

The transparency of blockchains is often marketed as a benefit. It's not. Main Street financial consumers are never going to adopt blockchain-based financial tools as long as blockchains are radically transparent. Regular folks have secrets that they want to keep.

One of the most promising use cases for blockchains is decentralized finance (DeFi). The people who are building DeFi tools aspire for DeFi to be something more than a skate park for the risk-loving crypto-rich. They want their tools to solve real-world financial problems faced by individuals and companies, including America's 31.7 million small businesses.

Imagine a cash-starved manufacturer in Toledo, Ohio, that has a good idea for a product. It could go to its banker for financing, but instead it turns to DeFi. In a jiffy, it tokenizes a bunch of receivables onto a blockchain and lodges them as collateral on a decentralized lending platform in return for U.S. dollar stablecoins. A few moments later, it swaps these dollars for Euro stablecoins using a decentralized exchange, sending them to its French supplier to purchase inventory.

This chain of transactions has the promise of being cheap, fast and avoiding the walled garden of regular banks. Unfortunately, our Toledo manufacturer probably won’t bother.

All blockchain transactions are public by default. The government, your competitors and your mother can all see what you are doing. Blockchain analytics firms like Chainalysis and CipherTrace make it their business to track, analyze and interpret every trade and transaction.

Secrecy is vital to commerce. Not only is it important for businesses to protect the privacy of their customers, they must also keep their competitors in the dark lest their long-term strategy be divined and countered or copied. Our Toledo manufacturer doesn’t want its intentions to be telegraphed by their on-chain financial preparations.

As for individuals, they don't want their friends and colleagues to know what their salary is, or what kinds of porn they're purchasing. No one wants to be doxxed. We like our secrets.

Bricks-and-mortar finance is already capable of providing the secrecy that Main Street requires. Individuals and corporations generally trust their old-school bankers not to reveal information about their financial dealings to others. It's not quite cash-level anonymity. Yes, there are leaks and hacks. And under certain conditions, a banker must disclose information to law enforcement. But in general, Main Street trusts the confidentiality and probity of their financial provider.

So if Main Street users are ever going to migrate over to DeFi, privacy will have to be built first. But not just any privacy.

Tornado Cash has become the DeFi world's go-to tool for achieving anonymity. A user can send funds to a Tornado Cash smart contract where it gets mixed up and obfuscated with other people's funds. Later, that user can surreptitiously withdraw the same amount of money to a separate address. A technology called zk-SNARKs is used to reduce the ability of third parties to trace funds through Tornado.

Unfortunately, Tornado Cash has become a popular venue for thieves to clean stolen funds. The presence of criminals will make Main Street businesses like our Toledo-based manufacturer hesitate. Depositing company funds into a Tornado Cash smart contract may be construed as mixing them with criminally-derived funds. That's probably not the sort of money laundering risk that licit money wants to take.

The best solution for bringing privacy to DeFi is native anonymity. That is, all blockchain transactions have to be opaque by default. That way, Main Street users get the privacy they require without having to take the risk of jumbling up their coins with crooks. (Approaches like the Aztec Network, a privacy layer implemented on top of the base Ethereum layer, might be a solution.)

While native anonymity would solve Main Street's very real need for secrecy, it will lead to the next hurdle to widespread adoption: too much anonymity.

If a Main Street financial user like our Toledo manufacturer can't risk tumbling their coins with dirty money on Tornado Cash, neither can they risk commingling their funds on decentralized exchanges or lending tools that grant unconditional access to everyone, including thieves' dirty funds.

To make their tools palatable for Main Street, DeFi tool makers will have to unwind some of the native anonymity (potentially) afforded by blockchains by collecting and verifying identifying information from users. This way the tools can screen out criminals, assuring legitimate businesses that their clean funds aren't being tainted by dirty money.

The implication is that DeFi tools will have to become privacy managers, just like old-school banks are. Users will have to trust the tools to be discreet with their personal information, only breaking their privacy when certain conditions are required, such as law enforcement requests.

It’s possible that DeFi succeeds in doing a better job of preserving privacy than traditional financial institutions. By using zero-knowledge proofs for collecting identity, DeFi tools may be able to control the spray of personal information required to gain access. This may reduce the amount of information that gets lost to hacks.

In sum, if DeFi wants to attract Main Street users, an odd mix of more secrecy and less secrecy is required. Secrecy is important to businesses and individuals. They don’t want their information to be naked for all to see. But Main Street doesn't want complete anonymity. It wants to use DeFi tools that strip away just enough secrets to assure that dirty money is being excluded.

Only when this balance has been achieved will businesses like our Toledo, Ohio, manufacturer venture onto the blockchain.

Monday, January 24, 2022

Why Henry III's gold penny failed

English gold penny minted by Henry III in 1257

A lucky metal detectorist just discovered a Henry III gold penny, one of the first English gold coins ever minted, on a farm in Devon in the southwest part of the U.K. My favorite thing about detectorist findings is that they give us a good excuse to learn about old coins. 

Minted in 1257, only eight of Henry III's gold pennies (pictured above) have survived. This is odd given that medieval historian David Carpenter's analysis of historical records indicates that 72,000 of these coins may have been produced within a year or two.

Why are there so few of Henry III's gold pennies still in existence? In this short post I'll suggest that the gold penny was a failure. Rather than circulating in trade, as one would expect of a coin, most of them were melted down within a year or two after issuance. And so there are very few gold pennies left for detectorists to find.

Leading up to the 1200s, the demands of English trade for coinage was mostly met by the workhorse English silver penny. Because the yellow metal was expensive, gold coins fell outside of the day-to-day spending range of the average person.

But Europe was getting wealthier and this was creating more demand for higher denomination coins. According to Alexander Del Mar, gold bezants were already circulating in England by the 13th century (page 236, [pdf]). Minted by the Byzantines, bezants had dominated Mediterranean commerce since 300 AD or so (see Munro). To boot, a handful of 11th- and 12th-century Islamic gold dinars and dinar-inspired coins have been found in England, writes historian Caitlin Green in a blog post, further suggesting a nascent demand for high-value coinage (see photo below). Del Mar cites texts from the era mentioning the circulation of Spanish maravedis, a gold dinar copycat.

Arabic gold dinar (AD 1163-84) found in Suffolk [link]

Meanwhile, the Italian city states of Genoa and Florence had begun to mint their own gold coins in 1252, the Florin and the Genovino. In the century before these two cities had pioneered the creation of large silver coins, the grosso or groat (worth 12 silver pennies) which England had yet to copy.

And so Henry III may have been eager to issue his own gold coin, one with his face on it and not someone else's stamp. But his effort failed .

When Henry III issued his gold penny, he rated it to be worth 20 silver pennies. That is, if you were an English merchant in 1256 you were required to accept a new gold penny from a customer at the same rate as 20 silver pennies. As a backstop, Henry III himself promised to redeem the gold pennies at 19 and a half pennies, the other half-penny being a fee. (See Evans, The First Gold Coins of England.)

In bimetallic coin systems, it was crucial for the monarch to choose the proper exchange ratio between silver and gold coins. If the chosen ratio diverged from the market's gold-to-silver rate, then Gresham's law kicked in. Undervalued coins disappear from circulation because they could be better spent elsewhere at their true market metal price.

In his paper Gold and Gold Coins in England in the Mid-thirteenth Century, Carpenter maintains that Henry III picked the right ratio between gold pennies and silver pennies.  A gold penny weighed the same as two silver pennies. At Henry III's chosen exchange rate of twenty silver pennies to one gold penny, this implied a price of ten grams of silver to one gram of gold. Carpenter says that this was in line with the prevailing 10:1 market rate between silver and gold bullion at the time.

But historian John Munro suggests otherwise. What Carpenter omits is that an English silver penny was only 92.5% pure, the remaining 7.5% being comprised of base metals. This means that Henry III's chosen exchange rate of twenty silver pennies to one gold penny actually valued the quantity of gold inside a gold penny at just 9.3 times that of an equivalent amount of silver, not 10 times.

Thus the king's chosen rate undervalued gold. And so Henry III's gold penny would have run smack dab into Gresham's law. It would have been more profitable for an English merchant to melt down 1 kg of gold pennies into bullion and buy 10 kg of silver with the proceeds at the going market rate than to spend that 1 kg of gold pennies as coins (since that would mean getting the equivalent of just 9.3 kg of silver).

Put differently, an English arbitrageur could engage in the following set of trades to make a risk-free return. He or she could spend 9.3 kg of silver coins to get 1 kg of gold pennies at Henry's official rate. Then they could melt that 1 kg of gold coins down and sell the gold bullion for 10 kg of silver at the market rate. Voila, our arbitrageur has magically turned 9.3 kg of silver into 10 kg of silver, earning a free 0.7 kg in silver. They would continue to execute this trade until the entire stock of Henry III gold pennies had disappeared.

There is additional evidence of the undervaluation of the gold penny. In 1265, just eight years after initially issuing them, Henry III increased the gold penny's rated value to 24 pennies from 20 pennies, writes Kemmerer (Gold and the Gold Standard, 1944). This rating would have been more in line with the market rate between gold and silver. But by then it was probably too late. All of Henry III's original issue of gold pennies would have been melted down. Nor was he minting any new ones. Specimens like the coin found this year in the farmer's field in Devon would have been one of a few to escape the melting pot. 

As for England's monarchs, they would only get gold coinage right in 1344 with the successful issuance of the gold noble.

Monday, January 17, 2022

Yemen's bifurcated monetary system

Over the last five years Yemen has stumbled into a unique monetary situation. I initially wrote about Yemen's odd currency status two years ago. Here is a quick update.

In brief, Yemen has split into two warring sides: the Houthi rebels in the North and the Saudi-backed government in the South. This split has also torn the nation's central bank into two branches the Aden branch and the Sana branch.

Likewise, it has separated Yemen's stock of Yemeni rial banknotes into two different types of banknotes. The Houthi rebels in the North (who run the Sana branch of the central bank) have adopted rial banknotes printed before 2016. The officially-recognized Aden regime in the South controls all notes printed after 2016. (Read the original blog post for the full story.)

We take it for granted that banknotes of different vintages, or years, are equal to each other. Put differently, cash is fungible. But not in Yemen. The value of the North's pre-2016 notes and the South's post-2016 notes began to diverge in 2019. Below is a chart published by the Cash Consortium of Yemen (which I've modified for clarity) showing how far that divergence has proceeded. The value of rebel's old notes relative to the U.S. dollar has stayed stable at around 600 rials to US$1 (see red line). But the value of the official Aden government's post-2016 notes has inflated. A new rial is now worth less than half a pre-2016 note (green line).


The reason for this growing gap is that the rebel North can't increase the supply of pre-2016 notes. The supply of old notes is locked. The supply of new notes, however, is not fixed. The South has been printing up new paper money and spending it into circulation.

It would be as if the northern & southern U.S. states had a civil war, the North adopting pre-2016 Federal Reserve notes and the South post-2016 notes. The South keeps printing new notes to finance itself, but the North is stuck with a fixed stock of notes. So the U.S. dollar bifurcates.

A currency war of sorts developed last summer in Yemen. It began with the Aden government printing up new notes of the same size, shape, and appearance as the rebel's pre-2016 notes and then spending them. You can see why the Aden government would want to adopt this strategy. If it could spend the replica notes at the same purchasing power as old notes, which are more valuable, the Aden government would extract twice as much goods & services than it otherwise could. If Aden's replicas succeeded in filtering into the Northern economy, we'd expect the old notesso stable till nowto finally succumb to price inflation. The price gap between old notes and new notes would collapse.

But this didn't happen. The Northern rebels reacted by banning Aden's replicas on the basis of serial number, according to the Sanaa Center. Notes with a serial number starting with the letter (أ) would be accepted, the rebels said, but those starting with the letter (د) would not be, presumably because د notes are all replicas. (According to the Sanaa Center, the government reacted by printing up serial numbers starting with أ.)

The exchange rates illustrated in the chart above suggest that the North's efforts to filter out the replicas was successful. The Northern rial notes are still worth just as much as before, around 600 rials to the U.S. dollar. Meanwhile, Aden's notes have inflated dramatically, from around 950 rials to 1290 rials per US$1.

My hunch is that some of the rebel's success may be due to the relative quality of the North's banknotes. Given years of active use, Northern rial notes must be relatively filthy right now. Crisp new notes from the South would immediately stand out. After Aden's new notes have circulated for a few years, it may become easier for them to pass as the rebel's old notes. Only then will the price gap start to shrink.

Thursday, January 13, 2022

The fallacy of bitcoin and renewable energy

In my previous post on proof-of-work several commenters suggested that bitcoin, the biggest proof-of-work coin, is good for society because it spurs renewable energy production.

The full argument is worth reviewing. (See Nic Carter, here). Briefly, the supply of renewables like solar and wind is finicky and doesn't neatly overlap with demand. Luckily, bitcoin mining farms are flexible. They can shut down and turn back on quickly, consuming energy when it is plentiful (& cheap) and ducking & running when it is expensive. This miner-facilitated smoothing encourages power companies to install more finicky wind and solar power.

On it's surface this is a provocative argument. But if you read carefully it's a version of one of the oldest fallacies in economics: the broken window fallacy.

In the broken window fallacy, a boy breaks a shop window. Observing the flurry of economic activity ensuing from the mending of the broken window, the townspeople decide that the boy has helped the local economy. "Breaking stuff is good, let's do more of it!"

But we know that breaking stuff is not good for the economy. The economic activity devoted to fixing the broken window comes at the expense of economic activity that would have occurred otherwise, say repairing the shop's furnace or purchasing more inventory. Economists call this opportunity cost. The broken window parable forces us to recognize that the cost of any activity is all the things that could have been.

Let's bring this back to bitcoin. Bitcoin using up renewables isn't a benefit, it's a cost. There are many industries that can efficiently consume electricity in a staggered or interruptible manner, of which bitcoin mining is just one. If bitcoin miners use this electricity, then these other industries cannot.

And so bitcoin isn't good for society because it uses renewables. Rather, it should be judged whether it is the best use of renewables. Is the product a useful one? The market seems to think so.

What I've said up till now is just bog standard economics. Here's the more controversial bit:

I'd argue that bitcoin is NOT the best use of renewable/interruptible electricity.

What the average bitcoin owner values is bitcoin's up-and-down price movements. But fabulous amounts of renewable energy are not necessary to produce a volatile speculative vehicle. Unfortunately, most bitcoin holders aren't aware of the huge energy cost of maintaining bitcointhey don't bear, or internalize, this cost.

If the bitcoin protocol were to shift to an energy-lite production method, or, alternatively, if bitcoin speculators were to swap into competing energy-lite coins, then users would still get to enjoy the same up-and-down experienceand other industries would be free to use the interruptible/renewable electricity liberated from bitcoin processing. That would be a good thing.

Monday, January 10, 2022

Tether vs the New York stablecoins

Stablecoins are the world's newest payments option. But not all stablecoins are the same. There are safe stablecoins and there are sketchy stablecoins.

The safest ones are the New York stablecoins: Paxos Dollar, Gemini Dollar, and Binance USD (BUSD). The New York stablecoins are issued by financial institutions supervised by the New York Department of Financial Services. Measures such as segregation, bankruptcy remoteness, and a trust company structure are used to protect customers funds. Customer money is invested in low-risk securities such as short-term U.S. government debt.

The risky stablecoins best represented by BVI-based Tether invest customer funds in higher-risk instruments like long-term commercial debt, loans to affiliates, or cryptocurrencies. They do not have clear protections for customers should an adverse event occur, nor do they have a regulator looking over their shoulder to make sure that they are running their stablecoin operations in a robust manner.

[For a more complete description of the differences between the New York stablecoins and other stablecoins, see my post here.]


Riskier assets should always offer investors a higher interest rate than safer assets. Interest is the extra carrot that we get for incurring financial danger. But interest doesn't exist in the world of stablecoins. That is, the risky stablecoins and the safe ones all pay holders the same 0% rate. Given the absence of a reward for bearing risk, one would expect a reverse Gresham's law effect to kick in: the community of stablecoin holders should gravitate to the safest stablecoins, the good money displacing the bad.

As the above chart suggests, this shift to safety is occurring. Since 2020, the three New York stablecoins have grown much faster (up by a factor of 60) than Tether (up by a factor of 17).

However, as the second chart below indicates, Tether still remains the largest stablecoin... by far. There are around $80 billion in outstanding Tethers circulating through the cryptoeconomy compared to $16 billion in New York stablecoins. This suggests to me that more stablecoin rationalization will occur.


Why is this reverse-Gresham process proceeding so slowly?

Tether has been around since 2014. The New York stablecoins didn't arrive until 2018. In that interim period of Tether dominance, a Tether standard of sorts emerged. Given a lone stablecoin option, the cryptoeconomy built up a dependence on Tether. Like any standard, once everyone is plugged in it's hard to shift to a superior standard. 

But just because it is difficult to switch standards doesn't mean it won't happen. Over the long term, there is no reason for the community of stablecoin users to continue using the riskiest 0%-yielding stablecoin. Either everyone will shift away from Tether, or Tether will be forced to adapt by becoming just as safe as the New York stablecoins, or Tether will start to pay interest in order to compensate for being the riskiest product.

Wednesday, January 5, 2022

A tax on proof-of-work

The world is overpurchasing proof-of-work (POW) blockchains. How do we fix this? 

Let me quickly outline the argument for why the world is buying too much POW. Blockchains such as Bitcoin, Dogecoin, and Ethereum provide coin buyers with a special sort of security proof of work. POW requires huge amounts of electricity, so much so that Bitcoin and Ethereum together currently use up more energy than Italy.

It's not the energy-intensity of POW that's problematic. The issue is that the biggest buyers of POW coins speculators and gamblers care very little about POW security. What they value is the thrilling price movements that blockchain coins provide.*

Coin gamblers also have the option of buying non-POW blockchains. Non-POW coins offer gamblers the same wild price movements as Bitcoin, Dogecoin, and Ethereum. However, the security that these non-POW coins rely on requires far less electricity. 

On net, the world would be better off if all blockchain gamblers migrated away from POW coins and onto cheaper non-POW coins. The gamblers themselves would not be any worse off. They'd still get all the crazy up-and-down fun & entertainment as before. But the rest of us would benefit, since far less of the world's energy would be burned. That's what I meant at the outset when I said that we have a POW overpurchasing problem. Coin speculators are unwittingly over-gambling on energy-heavy POW blockchains and under-gambling on energy-lite non-POW chains.

Left to their own devices, it is unlikely that coin gamblers will migrate away from POW coins like Dogecoin and Bitcoin towards cheaper coins. (See here for why). Might it be worthwhile to adopt a policy that nudges speculators away from POW and into cheaper non-POW blockchains? 

A targeted tax on POW coins is one option. But how would we design this tax? I suppose we could tax people's holdings of POW coins while exempting their holdings of non-POW coins. Or we could tax POW coin purchases & sales on exchanges like Coinbase. Or would we could tax the POW miners.

The economics of taxation is not my strong point. So I'm going to farm this out the comments section: if we want to shift speculators away from POW blockchains, how should we design a POW tax?


*There is also a community of hobbyists and technologically-informed individuals who do indeed consume POW. That is, they can put out a coherent argument for what POW is and why they prefer it over other types of blockchain security. Unlike the gambling class, they are less interested in coin price fluctuations. But the size of the hobbyist community is dwarfed by the gambling class.

Monday, January 3, 2022

Should central bankers be afraid of crypto?

As crypto continues to move into the public's consciousness, curious people who aren't familiar with it often ask me if central bankers at the Bank of Canada or the Federal Reserve should be worried that crypto may replace the dollar. 

In this short blog post I'll suggest that they should not be worried.

For central bankers like the Fed's Jay Powell or the Bank of Canada's Tiff Macklem, controlling national monetary policy is probably their most important task. By altering the money supply or shifting interest rates, Powell influences the value of U.S. dollar. These policy changes get transmitted across the entire country thanks to the ubiquity of the U.S. dollar as a unit for expressing prices. (For his part, Macklem relies on the Canadian dollar's dominance as a unit-of-account in Canada to exercise monetary policy). 

Monetary policy is important. First, it keeps the dollar's purchasing power stable. Since our wages and contracts are denominated in dollars, a degree of sameness and consistency is important. Second, monetary policy is an important tool for offsetting broader economic shocks, say the pandemic or the '08 financial crisis.

Given that crypto is often marketed as a dollar replacement, might Powell and Macklem be losing some sleep? After all, if crypto starts to replace the dollar as America or Canada's unit-of-account then neither central banker can carry out national monetary policy.

Luckily for Powell and Macklem, crypto is not a threat to the dollar.

Crypto is no longer a very useful term, since it encompasses so many different types of phenomena. There is bitcoin, programmable blockchains like Ethereum, stablecoins, non-fungible tokens (NFTs), decentralized finance (DeFi), and more.

Let's start with Bitcoin. In this category I've included other volcoins like Dogecoin, Shiba Inu, Bitcoin Cash, and Litecoin. I call them volcoins because they are incredibly volatile.

In the early days, many of us thought it possible that Bitcoin might develop into a legitimate threat to the dollar. But enough time has passed now that we know this isn't case. The dominant reason people have for owning volcoins is to get exposure to their exciting price moves. That is, volcoins are a gambling technology, not a monetary technology. Rather than competing for dominance with the relatively stable payments instruments issued by central banks, volcoins serve as substitutes for casinos, meme stocks, lotteries, poker, and OTM options. None of these bets will ever be a credible threat to Fed or Bank of Canada dollars.

Let's move onto stablecoins. Whereas volcoins are wildly unstable, stablecoins are the tamer version of crypto. The stability of stablecoins means that they could credibly replace banknotes issued by the Fed and Bank of Canada.

Even if stablecoins become widely used, they won't subvert Powell and Macklem's ability to conduct monetary policy. Because they are pegged to central bank money, stablecoins effectively do the opposite: they extend central bank monetary policy power into blockchain environments. Stablecoins are therefore allies of the Fed and Bank of Canada policy makers, not enemies, in the same way that regular banks such as TD Bank or Wells Fargo are allies because they extend the range of central bank monetary policy into the regular economy.

[Yes, stablecoins involve financial stability issues. But this post is about monetary policy, not financial stability.]

Nor is decentralized finance, or DeFi, a threat to monetary policy. DeFi is just another component of a nation's financial edifice, albeit more decentralized than the other bits. If a stock exchange like the NYSE or Toronto Stock Exchange is no threat to monetary policy, then neither does a decentralized exchange such as Uniswap pose a threat.

Finally, NFTs are a hyperfinancialized claims on underlying digital art. Art never has been a threat to monetary policy and never will be.

In sum, Jay Powell and Tiff Macklem may have reasons to worry about crypto, but concerns of monetary policy impotence should not be one of those worries. Crypto is not going to replace the dollar anytime soon.