Quadratic Voting is not a silver bullet for Governance

Hi all, I’ve not used the Cardano Forums for a long time because I’m generally on Twitter - but the ideas I want to discuss here far exceed the character limit.

In our discussion on CIP-1694 many people are uncomfortable with the 1-coin-1-vote system of governance that is being proposed. While a few propose 1-person-1-vote, many call for a “middle ground” of “quadratic voting” as used in the Gitcoin grants program. This use of Quadratic Voting was explored in the article “Liberal Radicalism: A Flexible Design For Philanthropic Matching Funds” by Vitalik Buterin, Zoë Hitzig, and E. Glen Weyl and the program has been a very successful way of providing funds for public infrastructure projects on EVM networks. However, I am not convinced that the methodology could be scaled to an ecosystem-wide governance framework such as the one we need for Cardano.

The first place where this methodology breaks down is the fact that Gitcoin is only dealing with funding while Cardano needs to both control the Treasury and make decisions on parameters. But if we just look at the Treasury we already see that Gitcoin and Cardano are different by nature of the funds being distributed. The funds in a Gitcoin challenge are coming from donations by individuals or foundations that want to see a challenge area addressed. In fact, the Gitcoin system is more pointedly called “Quadratic Funding” than “Quadratic Voting” because individuals don’t simply get to vote on how the Challenge Fund is being spent. The voters must put skin in the game by pledging their own donation to projects in the challenge category and then the Challenge Fund is distributed as matching funds.

The Cardano Treasury, by contrast, is coming from a portion of Transaction Fees and the scheduled monetary inflation. To put it colloquially, the Cardano Treasury comes from your taxes. Now, if that’s the case and you’re in favor of a Quadratic Funding mechanism, why are we considering the amount of Stake that is passively held by each individual? Shouldn’t we be looking at the volume of Transactions that are associated with a wallet each Epoch to determine governance instead? After all, they are paying the network fees. I, for one, welcome our new DeFi Overlords! ( / sarcasm)

The second issue I would like to examine is that Gitcoin doesn’t actually follow the Quadratic Voting mechanism discussed in Buterin’s paper. While the Quadratic Funding mechanism was founded on this idea, it has been adjusted over the years to account for people gaming the system. If we try to implement Quadratic Voting ecosystem-wide in Cardano we will undoubtedly have the same problem and be forever chasing the cheaters.

As Pi from SundaeSwap pointed out, it is quite easy for users with large holdings to simply split their bags into multiple wallets to amplify their votes.

That's not how it works

24 words => one stake address is purely convention

From the ledger standpoint, each stake address is a private key, which is just a random number. On a cruddy laptop I can generate several million private keys a minute, and each one takes up a few bytes.

— Quantumplation | Pi Lanningham (@Quantumplation) March 18, 2023

The users who would be really disadvantaged in this scenario are the mid-level bag holders who are not sophisticated users. While Quadratic Voting might help level the playing field between someone who holds 10,000 ADA and 100,000 ADA, the user who holds 1,001,000 ADA can just pay someone 1,000 ADA to develop a script that splits her 1,000,000 ADA bag into several 10,000 ADA wallets that can be coordinated.

Proponents of Quadratic Voting say that we can require Decentralized Identities to register for voting and chain analytics to watch for cheating - but we need to carefully think about who will be in charge of such a system. With a Gitcoin challenge this isn’t as big of a deal - you have a voluntary program where people are choosing to engage in charitable giving. That’s quite different from the decentralized governance of the entire Cardano ecosystem and control of the Cardano Treasury.

In a Decentralized Identity system someone has to be in charge of providing the verified credentials and invalidating the credentials of people who misuse the system. Whoever is in charge of catching the cheaters in a Quadratic Voting system and removing their votes from the count would be able to abuse that power. It’s all well and good to say we can install checks and balances but the entire point of cryptocurrencies and blockchain is to build trustless systems where the possibility of human abuse is limited by the mechanisms for manipulation not being present.

Finally, we need to address the basic fact that Cardano is a Proof-of-Stake system. At the end of the day, even in its current form where the three founding entities of Cardano hold the governance keys, the Stake Pool Operators, who gain their legitimacy from the ADA Stakeholders, ultimately make the decisions on how the network is governed. This was very evident in June 2022 when IOG was forced to delay the implementation of the Vasil upgrade because the SPOs demanded more time to test the node software. That was a GOOD exercise of governance where the Stakeholders demanded assurances from the developers that the node software was up to specs.

CIP-1694 is working within this framework by creating a tricameral governance structure where DReps chosen by stake, a Constitutional Committee chosen by the DReps, and the SPOs as a governing house each have a role to play in passage of Proposals. I’m tempted to go into more details why each of these bodies has governance advantages, but I think I should leave that for a different post.

The point I want to make is that it is necessary for DReps to have their power come from governance delegation of Stakeholders because that is the only way that they will be equal to the SPOs. At the end of the day, the SPOs have the ability to execute a coup d’état and fork the chain to a different set of rules if a large enough majority decides to do so. Establishing a balance of power where a healthy body of DReps are in place to counter-balance the SPOs is an important check for the system.

So, does this mean that if you don’t hold a large amount of stake you won’t be able to have an influence on the governance of Cardano? I don’t think that’s the case of all. The great thing about the CIP-1694 framework is that it sets up a minimum viable governance where participation is rewarded. If individuals want to get out there and be active in governance they can attract delegation to serve as a DRep and command far more power than they could ever buy on their own. If a community wants to have a say in how Cardano develops going forward they all delegate to the same DRep and perhaps even get others outside the community to join their cause by adding governance delegation.

In the future we will undoubtedly build layers of governance on top of this basic structure and there may be a very good reason to have some systems where individuals are identified and quadratic voting is utilized. But that will take time to develop and must be approached carefully so that nobody attempts to capture the process for their own means. For now we should utilize the strengths that Cardano has as a Proof-of-Stake system to encourage broad participation and merit-based elevation of leadership.

I don’t understand this, or the DID argument in the first place.

The idea is that DID would be some form of Sybil resistance.

One possibility is that an issuer says “this person has showed us a passport of country X”, and then the did wallet self-certifies that they own a particular Cardano wallet. Problem is that unless there’s a database of unique personhood, the same user could reuse their VC and link it to another Cardano wallet. The uniqueness isn’t solved.

Alternative is that person reveals their full identity AND link it to a ada wallet. But that would of course never be considered as an option.

Another partway would be to have some database, decentralised IFPS if desired, with a hash of a DID document (Verifiable credential) with the particular details of citizenship (government document) as verified by some company or software eg onfido.

If a user tries to link their DID wallet with ada wallet using a VC whose hash has already been registered in this database then the registration would fail, and hence we achieve sybil resistance. Note that there’s NO gatekeeper here who could have the power, as Adam argues, to stop participation.

To be clear, the DID document would be in the form of a government issued ID document, translated to a DID document by the DID wallet provider via Onfido API (or something similar). This does mean Onfido is a centralised point, but it is unclear to me why they would care. All they are doing is verifying the authenticity of a scanned document.

There are companies that offer DID, integrated with Onfido.

On the one hand, this would be a clear violation of the promise to serve the millions of people who do not have a legal identity now. I personally think that’s an empty promise, anyway. But such a glaring contradiction – “You can only participate in our governance if you have one of the government-issued documents supported by our KYC partner.” – would be very remarkable, nevertheless.

And it also requires everybody to be content with the choice of KYC partner, to be prepared to share an official document with them and go through their identification process.

On the other hand, storing the documents or their information in a publicly accessible way, would be out of the question.

But the hash only guarantees no duplicates if said KYC partner guarantees that it provides data which are the same bit by bit if the same person KYCs again. The scan of the document cannot go into it. It will be different for every scan process almost certainly. If they allow several documents for a country – passport, ID card, driver’s license, … – exactly the same data have to be present and extracted from each of them, not more, not less. If a person has several nationalities, the passports for each of them have to lead to exactly the same extracted data. And so on. And so forth.

But it still have to be enough attributes to not exclude false positives. Name and birthday are surely not enough to uniquely identify every person on earth.

Lastly, we have to be very sure that the KYC partner can really reliably verify the documents of each of the supported nations … through a mobile camera controlled by the user. If I can find just one country where they accept forged documents, I will be able to create hundreds of identities. Not that problematic for usual KYC use cases, where most businesses would probably not care that much if the identities for some obscure country are not reliable (which the business perhaps excludes, anyway). Devastating for Cardano governance.

I’m not necessarily in favour of this DID thing but I’m just saying it would add Sybil resistance (not guarantee ofc).

Any security barrier (EVER) can be breached. It’s a matter of increasing the cost of doing so.

And competing providers can be used. It’s the oracle problem, basically.

On a practical note, I’m fairly sure passport numbers are unique global, at least with nationality information. If you really want to have uniqueness over accessibility. And yes, you can probably get fakes of some country etc, but the claim is that it adds resistance, not that it’s Sybil secure.

If you want to do something that isn’t government ID, WorldCoin. But there are trade offs…

I think the only way I’d sort of having Sybil secure system is some kind of live in person voting which is somehow linked to Cardano wallet (?) not sure how anonymous that would be.

Thank you for sharing your thoughts @NeoCornelius. I enjoyed reading through your well-formulated post. You should do that more often The crowd here is also nicer than on Twitter

That is just spot on. No one disputes the potential of VCs & DIDs or quadratic voting, nor should we avoid discussing them. However, at this point, adding more complexity to the proposed on-chain governance process would only hinder the necessary transition to a fairer and more decentralized governance model. The focus is on designing and implementing an optimal minimal viable governance model.

CIP-1694 may not be the ultimate governance solution that ends all wars, resolves climate the climate crisis, or fixes every problem. However, it serves as a cornerstone we can build upon, where the Cardano community can truly decide and govern itself. Engaging in governance discussions and voicing your opinion is essential. Progress will be limited if only a select group of Cardano influencers engage in dialogue. We need diverse perspectives from individuals of different backgrounds, demographics, genders, and ages.

I agree with your claim and partial evidence. The solution imho could be allowing for different types of vote counting, based on the type of decision to take.

Since we are THE functional chain, I think we could even design a continuous function that dampens the voting power with a fractional exponent parameter. This way you could accomodate many (any?) type of voting on Cardano depending on the proposer, but still fix said parameter to be 1 in case of, say technical chain parameters change proposal (1 ADA = 1 vote), and 0 in case of democratic elections (1 vote = 1 vote).

Anyway, last option or any weighting on ADA in general cannot be applied before we have a personal DID on-chain, so we must start with 1 ADA = 1 vote for sure, and allow the other options to be added (but not enforced) in the future.

Just DIDs are not enough! Anybody can just create as much DIDs as they like as they can create as much wallets/accounts/stakes as they like.

For any one person or quadratic voting option, it needs some form of guaranteeing unique accounts per person, which is even more than KYC.

I was suggesting using KYC/ID exactly for not allowing the same person to vote more than once.

@SimonSallstrom I understand what you are saying but it will be a very heavy lift to convince me to EVER support DID for a protocol-level governance mechanism. Cardano is a successor to Bitcoin in cypherpunk philosophy where human collaboration supercedes nation-state governments.

The cypherpunks had to fight for their right to party to privacy. In his famous “Cypherpunk Manifesto”, Eric Hughes wrote,

“We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence…”

and

“We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place.”

@kopeboy In response to what you are suggesting with KYC/ID, that is exactly the dilemma that we find ourselves in. Simon seems to be trying to figure out a way to enact DID without having to go the route of heavy-handed KYC/ID that would require all Cardano users to submit to the kind of regulatory scrutiny required by national banking systems. But there is no way to do this unless you set up an equally powerful system with some centralized control structure that is able to kick out “bad actors” who don’t act the way that we want them to act.

I arrive at my conclusion that the 1-coin-1-vote system is the best method of governance available to us because the level of control required by any other system violates the principles of privacy and free association. Cardano is a cooperative system that is supposed to be available to all peoples. Forcing individuals to identify themselves by government-issued ID or some form of corporate ID that could either be abused by the people who run that system or fought over by regulators of various nation-states should not be an option.

I’m not sure if I understand how the sketch I drafted above creates an "equally powerful system with some centralized control structure that is able to kick out “bad actors” per se. I am guessing you are thinking that an effective way to shut someone out from Cardano governance, under my proposal, is for the government to take away their government-issued ID/passport?

If this is what you had in mind, then my response is that it only works for a person who the government already knows is participating in Cardano governance. VC would allow you to submit ZK-predicate, “I am a citizen of country X”.

Just to be very clear: the government VC version is just what I put out there because it can almost be done using existing infrastructural capabilities, i.e. within 1-2 years definitely doable.

There are non-governmental and decentralized methods for achieving the same goal, but they are, at this point, just sketches (mine below) or very early stage (Worldcoin and the two we mention in this DAO overview article.

One can imagine a decentralised oracle system of nodes that can onboard people’s biometric information using barebones physical infrastructure and running on open source code, combined with the aforementioned global hash-database. These oracles would be the issuers of these VCs. Parallel to this, I think we would need some form of decentralised auditing system wherein the oracles are being regularly checked for authenticity. Both oracles and auditors are incentivized for verifying/punished for cheating.

Who will control the oracle and be the auditors who punish the “cheaters” in the system? Even if you have nodes that contain checks and balances against each other - you’re still putting people in charge of invalidating the right of participation that others have on the network.

How will you make sure that they don’t abuse their power?

First of all, thank you for those excellent questions! I am not necessarily in favour of 1P1V or quadratic, just trying to make the strongest possible case for it that I can! However, I hope you do not expect a detailed solution at this stage. My goal is merely to sketch out an a prior plausible alternative that is on the balance of probabilities, is internally consistent (the system achieves its objectives as per its own definition of which) and could address concerns of centralisation of power.

My assumption is that becoming an oracle or auditor is permissionless.

I imagine oracles would function as any other currently existing decentralised permissionless oracle system, i.e. using some combination of reputation and slashing for misbehaviour.

Auditors would be rewarded by presenting fraud proofs, similar to how Optimistic rollups invite and incentivise any actor to present fraud proofs for transactions.

Secondly, I could, but I won’t ask you the same question about how Whales could abuse their power. The answer is somewhat trivial. We’ve probably seen it in Catalyst already. I am saying this just to emphasize that the above system doesn’t have to be perfect - just better than the alternative.

The difference is that for rollups you can actually mathematically prove misbehaviour. How would you do that for identity validators?

If they didn’t properly check identity documents or didn’t properly did biometric measurements, if they issued credentials for which no such visit in person even happened can hardly be proven in a machine-verifiable way, can it?

Auditors would really have to travel and they should therefore probably also get compensation for positive audits (or there would be no incentive to audit very remote oracles at all), but then there is an incentive to do fraudulent audits and we would have to audit the auditors. …

The WorldCoin World ID system you mentioned above seems to go in the right direction. But it is far from decentralised and permissionless. They have to control their providers around the world or they could just invent iris scans/codes. And it seems very questionable to me if they can really achieve a world-wide infrastructure for that. That’s an incredibly huge endeavour.

True, but only limitedly helpful.

The question is if the imperfect solution still makes sybil attacks hard enough (while staying accessible enough to be even accepted by the community), if there really is an alternative that is better.

And to assess that, we would really need the details of the proposed compromise.

My claim/feeling is that no such system exists, that all compromises that are realisable in the next years and acceptably accessible, still make it far too easy and reasonably cheap to create a lot of fake accounts.

I do. All of them.

But discussing them is, of course, perfectly valid and interesting.

This is why I specifically mentioned open source code and bare metal hardware, to make auditing of the oracle onboarding infrastructure.

But again, my goal isn’t to convince conclusively that this is possible. Just to detach out one somewhat, a priori, realistic way of doing it!

You can keep asking questions about details and at some point declare that I haven’t been able to convince you sufficiently etc:) which is fine

If you believe that “yes, in principle this is worthy of pursuing” (normatively) then we can have a constructive technical discussion about how to achieve it

These are somewhat technical objections. And definitely solvable. How would you solve these things for example?

What’s your metric/definition for “easy and reasonably cheap”?

any number or range to work with will d. Just as a starting point

I’m aware. But so is IOG and your internet service providers and this forum (centralised power). Point is that there are trade offs…

If we gain decentralisation of governance, where protocol parameters and use of public funds is at stake… and then we balance that with the (low imo) probability that a project like WorldCoin would somehow help malicious actors create fake IDs in order to attack the (?) Cardano network. It’s a stretch. If it ever came out, that entire billion dollar project is just dead immediately because their sole purpose is to provide this service

It’s kind of like objecting to using Ledger hardware wallet because they are centralised (which is true)

Great summary of the issues and risks. Agree with your conclusion of SPO’s balanced by DReps, both of whose voting power comes from delegation of ADA. 1 ADA = 1 Vote. Don’t really see a viable alternative to be honest without destroying the foundations we have built so far. All options put forward are too easy to game.

To move to DIDs at this point in the evolution of the ecosystem is also undesirable as we likely gain a new centralisation point and alienate or lose many voters who will not want to perform the checks. The approach outlined strengthens the existing foundations and still allows to move to DIDs at a later date IF it is voted for by a supermajority. Same applies to voting system refinements.

The twin houses of DReps and SPOs are both incentivised to vote for the health of the system via simple self interest, as is each ADA holder proportionate to their stake in the system. This is also likely to be a stable configuration.

Forgive me if this is a bad idea:

How about if influence was logarithmically (not sure why everyone opts for quadratic) curtailed at the dRep level rather than at the staking level? Not sure if it would solve anything but the thought here was IIRC the top 150 dReps in terms of staking share are eligible for rewards.

If it is gated that way, then would it not follow that making 1M addresses for 1M ADA to bypass diminishing influence becomes a moot point?

Yes, this does mean that in theory a 1 ADA holder will have <1 vote but I don’t believe we are back at square one. In a world where the whale split his or her delegation equally among all dReps then it would be the same as 1C1V but in practice usually the whale would have an agenda meaning their dRep delegation split # < total dReps voting.

Main point is that the fixed number of dReps → forced concentration of stake → diminishing returns of stake.

Very intriguing discussion nonetheless.

There are several ways of governance with quadratic voting being an alternative to implement over the 1C=1V method.

Since it is the founders, developers, researchers and community members that have contributed to making the ecosystem to where it is today, greater voting priority should be granted to those that have most served Cardano. Quadratic voting could be a viable model of voting for CCs and dReps based on taking into regard the metric of previous value the candidate has delivered for the Cardano community.

While the 1C=1V method offers ADA holders the ability to have their voices heard, the CCs, and dReps have the responsibility to focus on the short, medium and long term growth of Cardano. But what if there is a considerable portion of the ADA holders only aiming to achieve short term financial gain? This then makes the 1C=1V model not the most viable for many instances.

Metrics are necessary in determining who gets what vote in any voting model. I advocate for voting to be determined based off the value a candidate previously and intends to bring for the future of the Cardano ecosystem as a metric to take into regard for voting.

How would you even begin to measure and compare the individual impact someone had on the Cardano ecosystem, let alone potential future contributions?

Determining the value of each candidate and their history is something that each CC member, DRep, and SPO have to do when they vote on governance action. I don’t know of any technique on how to measure merit objectively.

The metric could include a list of what contributions a candidate has undertaken in developing, researching or value added in community engagement for the Cardano ecosystem.

This would be a meritocratic based voting system for determining CCs and dReps. I believe that voters should take into account of a candidate’s merits, just as the ecosystem subjectively decides which kind of voting methodology will be implemented.

It would be in the ideal state that each CC member, dRep and SPO has determined their own value, but it should be in the responsibility for the voters to determine the candidate’s merits to be in their respective roles, or be given delegation to.