Feb03
Money & Macro

# What’s Holding Back Blockchain Finance?

## On the Possibility of Decentralized Autonomous Finance

With James Caton. Forthcoming in the Quarterly Review of Economics and Finance. This paper can be downloaded on SSRN.

Finance plays a critical role in modern capitalistic economies. The ability to fund loans with the leveraged issue of promises to pay not only facilitates efficient flows of funds (Levine 1997), but also (when those promises are sufficiently liquid to circulate as money) stabilizes aggregate economic activity (Selgin 1994). Facilitating financial intermediation has been recognized as an important function of national currencies at least since the time of Bagehot (1873). If cryptocurrencies are to take over a major role from national currencies, it will be necessary for them to do so at least as well as national currencies do now.

Cryptocurrencies are based on decentralized ledgers known as blockchains, a technology that allows parties with no knowledge of or trust in each other to agree on a canonical ledger state, and therefore to transfer funds with minimal counterparty risk, or in other words to do so trustlessly.1 More recently that technology has been augmented with smart contracts, or decentralized autonomous organizations (DAOs), which are ways to control currency transfers algorithmically, and – potentially – entirely without human intervention (Diedrich 2016), again with the goal of minimizing counterparty risk among parties with no knowledge of or trust in each other.

Though smart contracts and DAOs greatly increase the scope for feasible interactions between trustless parties, finance – the borrowing and lending of funds – has so far proven elusive except in simple and highly collateralized forms. Harwick (2016) argues that leveraged finance entails irreducible counterparty risk, the management of which requires borrowers to employ a public, non-alienable identity. Since identities on the blockchain are obscured by pseudonymity and ease of exit, it may be the case that cryptocurrencies will be unable to compete with national currencies beyond the scale at which finance becomes necessary – or at least, there will be high hurdles impeding the establishment of cryptocurrency-denominated credit markets.

A solution to this problem can be pursued along two dimensions, neither mutually exclusive: technical innovation and institutional innovation. A purely technical solution, as Bitcoin was for base money, would structure the interaction between borrower and lender in such a way that they could conduct financial transactions without knowledge of or trust in one another. This would be the Holy Grail of what might be called Decentralized Autonomous Finance (DAF).

On the other hand, in principle, any financing methods used to intermediate fiat currencies could also intermediate cryptocurrencies simply by changing the unit of account and the medium of redemption to a cryptocurrency, but otherwise preserving the institutions traditionally used to manage counterparty risk in financial transactions. This would be a pure institutional solution, and we place the use of permissioned blockchains in this category. Such transactions lack the benefits of trustlessness, pseudonymity, or decentralization, despite blockchain assets serving as the medium. They have therefore been regarded both as alien to the blockchain ethos (Šurda 2012; Wall 2019) and have yet to convincingly demonstrate clear advantages over existing forms of finance. Nevertheless, unlike a purely technical solution, the feasibility of an institutional solution to the problem of counterparty risk is at least clear by analogy to status quo financial arrangements.

This paper establishes the limits in principle of technical solutions in supporting decentralized autonomous finance. If pure DAF is not possible, this will also indicate the minimal off-chain information, particularly identity information, necessary for the viability of any given financial technology. For example, the very existence of cryptocurrencies shows that an electronic base money and payment system can be administered trustlessly under normal circumstances.2 A base money and a payment system, therefore, lie completely within the frontiers of technical innovation, what we will call the technical frontier. On the other hand, modern economies currently rely on many  financing methods that lay outside the technical frontier. These will require some amount of institutional innovation on top of technical innovation. In other words, finance on the blockchain will require the development of off-chain norms and structures to supplement the blockchain’s technical architecture. Within the technical frontier, technical innovation has proven a powerful substitute for a number of institutional forms. Outside the frontier, however, technical and institutional innovation must remain indispensable complements.

We discuss both future institutional developments in the cryptocurrency space, and recent technical developments. Among the latter, three innovations hold out the possibility of supporting a financial ecosystem, and therefore a leveraged money supply that could render cryptocurrencies viable competitors to national currencies. First, smart contracts and DAOs – most notably Turing-complete contracts like those implemented on the Ethereum protocol – will be an indispensable foundation for any foray into decentralized autonomous finance. Second, oracles – a technology for introducing trusted data onto the blockchain for use in DAOs – provide a plausible entry point for the minimal identity information necessary to sustain blockchain finance, without the complete deanonymization typical of traditional financial institutions. Finally, off-chain transactions – most notably on the pattern of Bitcoin’s Lightning network – provide a plausible model for levering up the supply of base money into a broader, demand-elastic stock of “credit” money in a way that maintains the protocol-level convertibility between the two. We show to what extent such protocol innovations can support trustless lending, and offer a sketch of the minimal off-chain institutions necessary where they cannot.

### Incentive-Compatibility and the Technical Frontier

The viability of a type of interaction depends not only on the capabilities of the platform on which it takes place; it also depends crucially on being incentive-compatible. We define an interaction type as a role structure; for example, “buyer” and “seller” or “lender” and “borrower”, and consider it to be incentive compatible if:

1. Everyone plays a strategy associated with a definite and public role,
2. There is common knowledge of the strategies associated with various roles, and
3. No one in a given role has an incentive to change strategies, given the strategies pursued by others.

Degenerate cases of non-interaction are excluded; the role structure must actually provide for interaction.

We define an environment as the information set upon which strategies can be conditioned, and the actions available out of which to construct a strategy. For example we will refer to anonymous, pseudonymous, and persistent-identity environments depending on the existence and mutability of the identity information available to participants. Blockchains provide a pseudonymous environment for interaction, but – we will argue – hybrid environments are also possible.

The incentive compatibility of an interaction type is defined in a particular environment. That is, its viability depends on the identity information and strategic actions available to participants. Where an interaction type in a certain environment provides some party an incentive to increase his own payoffs by reducing total payoffs, we will say that it has dilemma aspects. Dilemma aspects can be surmounted by changing the environment: repeated dealings and external enforcement, for example, are common remedies. Nevertheless, viability does depend on surmounting them one way or another if people are to employ the roles in question.

We define the technical frontier as the set of interaction types that are incentive-compatible in an environment where interactions are structured on the basis of explicit algorithmic rules, and without any trusted outside information or enforcement. In the first place, this will require that the expected value of participating remain positive at all times for a vast majority of users in each role.3 By assumption, if the expected value of remaining bound should fall below zero, the user always has the outside option of abandoning the network and rejoining with a clean slate. Any enforcement, therefore, is limited to the value voluntarily offered by users.

If we interpret this environment as a combination of a blockchain network and the possible smart contracts writable on it, the technical frontier will be the set of interaction types that can in principle be replicated in trustless form by a blockchain or a DAO, or in other words, administered on-chain. Decentralized autonomous finance, therefore, refers to the ability to conduct borrowing and lending in such an environment. External information and enforcement will be referred to as off-chain.

We locate four basic types of finance relative to the technical frontier: (1) monetary exchange, (2) direct lending, (3) tradable securities, and (4) lending funded by fractional-reserve money issue. To do so, we ask for each: how much trust is necessary to support it? – that is, how much discretionary action is necessary to ensure its incentive-compatibility?4 The technical frontier can be thought of as the set of types for which the answer is ‘none’. Those types lying outside the technical frontier, however, have irreducible dilemma aspects: they will require some amount of trust, which is to say they will require discretionary action in their administration. Punishment will either need to be conditioned on information external to the network, or (if we think of the user’s balances on the network as collateral to keep him on the network) require more value than the user has offered. They will not, therefore, be amenable to pure algorithmic administration. Such interactions, if they are to function, will require an environment analogous to “traditional” off-chain institutions to supplement any algorithmic rules.

### The Incentive-Compatibility of Monetary Exchange

A primary function of monetary exchange is to coordinate the separation of income and consumption such that consumption can postdate income without the individual consumer needing to carry stocks of goods. Finance, on the other hand, coordinates the separation of income from consumption such that consumption can precede income for individual consumers (cf. Lachmann 1956: 78). Nevertheless, though the problems involved in the latter differ in fundamental ways from the former, they are sufficiently parallel in form that we can usefully consider monetary exchange as our “no finance” benchmark.

Money, like language, is an indirect signal used to influence expectations and therefore elicit costly behavior. In the case of money, the face value of a monetary unit conveys an expectation that it can be disposed of on similar terms in the future, and so induces people to give up valuable resources voluntarily. And again like language, allowing one’s expectations to be influenced by an indirect signal makes one vulnerable to exploitation by those with the ability to manipulate the signal (Searcy and Nowicki 2005: 8; Knight 1998). In practice, there are two sources of manipulation money users must be wary of: other money users (counterfeiting), and the administrators of the monetary system (debasement/inflation). In both cases the dilemma aspect arises from the fact that the payoffs for successful manipulation rise with the value of the monetary network. The main transaction costs of monetary exchange, therefore, are incurred in verifying the medium to increase certainty that the expectation conveyed is accurate.5

The usual story of the evolution of money from bullion to fiat is one of trading off vulnerability to counterfeiting against vulnerability to debasement (Harwick 2018; Selgin and White 1988; Glasner 1999). As an issuer becomes more effective at preventing counterfeiting, its stamp on a unit of currency conveys more precise information about that unit’s value, and sellers need incur fewer verification costs. At the same time, increased reliance on the informational content of the issuer’s stamp creates scope for the issuer itself to profitably exploit that trust in the form of seigniorage (Copernicus 1517; Webster 1791; Calomiris 1988; A. White 1896; L. White 1988). Compared to bullion weight, stamped coins economize on verification costs, but require trust in the mint that the stamped weights are accurate. Compared to full-bodied coins, denominated banknotes reduce money users’ liability for counterfeiting risk, but require trust that the issuer has not overextended itself. And compared to banknotes under a commodity standard, fiat currency entails lower resource costs6 and more policy flexibility, but requires trust in the competence and benevolence of a single central issuer.

In each case, to a greater or lesser extent, there exists the possibility that the informational content attributed to the monetary unit will diverge from reality. Central banks are constrained by an often tenuous mix of good will and political incentives. Financial organizations are constrained in equilibrium by competition, but can overissue either innocently or maliciously in the short run. Even mints, if monopolistic, can debase their issues with less valuable metal. In contrast to all of these, blockchain technology ties the existence of the monetary unit to the information contained in it. The protocol that constitutes the monetary network defines a bitcoin, for example, as something that (among other things) there can never be more than 21 million of (Nakamoto 2019). This does not quite make the face value a direct signal of the relevant underlying reality, as high volatility under conditions of uncertainty will similarly dilute the signal (Harwick 2016). Nevertheless, it does foreclose the possibility of strategic manipulation, either by counterfeiters or administrators. In other words, it eliminates the historical tradeoff between vulnerability to these two forms of manipulation, and in so doing eliminates the dilemma aspect of monetary exchange entirely.

In order to see the incentive-compatibility of monetary exchange in the absence of the possibility of manipulation, it is important that – where losses due to counterfeiting are sufficiently low – participation in a monetary exchange network is a coordination game, where the Pareto-optimum is a Nash equilibrium,7 and this is true across a wide range of environments. Money being a network good, the optimal strategy is to adopt the money with the best chance of being accepted, i.e. the money already adopted by the most people (Menger 1892; Kiyotaki & Wright 1993). While this process does make the existence of niche monies like Bitcoin something of a puzzle (Luther 2015, though see Luther 2019; Nair & Cachanosky 2017), it also ensures that endogenous disruptions have little chance of getting off the ground: “defection” – disrupting the monetary system by refusing to accept the money – hurts the defector more than it does the system. Repeated dealings, real-world identity, even persistent identity at all, are unnecessary for the network to be functional.

For this reason, monetary exchange lies entirely within the technical frontier. The same kind of network effects that lead people to join a monetary network in the first place are harnessed by blockchain protocols to induce users to ratify the information that constitutes the monetary unit as a precondition of joining the network.

The same is not necessarily true for the other side of monetary exchange, the delivery of goods, the incentive-compatibility of which is more sensitive to the environment when the good cannot be transferred immediately (e.g. if it has to be shipped). Nevertheless, complementary off-chain institutions such as dispute-resolution and reputation mechanisms are developing around blockchain ecosystems (Norgaard, Walbert, and Hardy 2018). Later we will consider similar mechanisms necessary to support time-separated financial exchange.

Despite the impressive feat of bringing monetary exchange within the technical frontier however, cryptocurrencies still perform poorly on a number of important economic margins, most importantly in their lack of stability in purchasing power – and indeed, the fact that these fluctuations are driven by impersonal forces of supply and demand rather than an opportunistic issuer hardly matters for the money users themselves. In a modern market economy, the institution of monetary exchange must be supplemented with financial intermediation – lending and borrowing in terms of money – not only to facilitate intertemporal exchange, but also in order to ensure stability of purchasing power (Harwick 2016). In other words, an effective monetary system requires more than mere provision of a base money and payment system. Although nascent forms of blockchain intermediation exist, a robust market is presently lacking.

### The Incentive-Incompatibility of Direct Lending

The simplest type of finance is direct lending, which entails the transfer of accumulated funds from a lending party to a borrowing party in exchange for a promise to pay at a later date. The dilemma aspects of intertemporal exchange, however, are more fundamental than those of monetary exchange, and persist in more environments, even in the most basic form of direct lending. In particular, we show in this section that so long as exit from the network is an option for defaulting borrowers (that is, so long as identity is alienable), these dilemma aspects are inherent in the interaction type, even with repeated dealings. Along with more advanced forms of intertemporal exchange, therefore, uncollateralized direct lending lies outside the technical frontier.

The technical infrastructure for direct lending already exists. ETHLend and Ripio, for example, are platforms for organizing collateralized loans using smart contracts, with the latter also supporting cosigning (Economics Gazette, July 31, 2018). A lender sends a sum to a smart contract, and a borrower sends some illiquid collateral asset (which must be native to the blockchain) to the same smart contract. The smart contract then disburses the lent funds to the borrower and holds the collateral in escrow until repayment with interest. If the borrower defaults, the contract remits the collateral to the borrower.

In a traditional collateralized loan, collateral serves to mitigate the borrower’s commitment problem while introducing a commitment problem on the lender’s side, as the lender may fail to return the collateral. Both typically have some amount of legal recourse in the case of negligence or opportunism; however, the lender generally has a stricter duty to safeguard the collateral than the borrower does the loan’s principal. A smart contract, however, being only an algorithm controlling the disbursement of funds, cannot rely on legal recourse; instead, it holds the collateral in escrow until repayment or default. There is therefore no scope for opportunism on the lender’s part, a restriction which – even though default on the collateral is rare even when the opportunity exists – nevertheless impinges upon the lender’s liquidity position for the duration of the loan compared to a situation where he has full use of the collateral.

Although the lender’s commitment problem can be eliminated at some liquidity cost, the borrower’s presents a more difficult problem. An important function of finance in the modern economy is not only to create and transfer liquidity, but also to pool and transfer risk. If this is to be possible, the borrower must have the ability to default. Unlike for the lender, there is no possibility of eliminating the borrower’s commitment problem without foreclosing an essential function of finance.

We distinguish, therefore, between honest default, where the borrower’s revenue becomes insufficient to repay the loan, and opportunistic default, where the borrower finds it in his interest to default regardless of his revenue. His commitment problem consists in the fact that the lender cannot distinguish between the two. Nevertheless, analytically, we can focus on the two separately from the borrower’s perspective. In the following model, we focus on opportunistic default by assuming that the borrower borrows an amount on-chain that is small relative to his off-chain wealth, so he always has the ability – if not the inclination – to repay. This assumption will be relaxed below when we take up securitized lending.

Imagine an anonymous borrower seeking a loan of size L, at interest rate r, which would provide him with some liquidity benefit q proportional to the loan size, with $$1 > q > r > 0$$. The loan is collateralized with an illiquid asset worth some proportion $$c≥0$$ of the loan’s value, or, if $$c=0$$, the loan is uncollateralized. The borrower solicits the lender, who has the choice either to provide the loan or not. At the loan’s maturity, the borrower may either repay (in which case the lender returns any collateral) or default (in which case the lender keeps the collateral). The borrower’s history is private, however, and the lender has no recourse if the borrower defaults.

In such a spartan environment, because $$1+q-c>q-r$$ for all $$c<1+r$$, the borrower’s dominant strategy is to default on any loan. The loan must, in other words, be more than fully collateralized in order for a one-shot anonymous loan to be incentive compatible – and indeed, ETHLend limits the loan amount to 80% of the value of the collateral ($$c≥1.25$$, which ensures incentive compatibility for any interest rate below 25%). Unless the borrower is willing and able to put up this kind of collateral, his commitment to repay is not credible, and the lender’s dominant strategy is not to lend. Gains from trade totaling $$qL$$, therefore, are not realized in the one-shot Nash equilibrium.

More-than-fully-collateralized direct lending is an advance over spot exchange, but it limits financial transactions to the transformation of liquidity; the temporary exchange of an illiquid asset for liquid cryptocurrency. From the perspective of the borrower, a fully collateralized direct loan does not bring value capitalized from expected future earnings back in time to the present. It is therefore not sufficient to support capitalistic production under the shadow of an uncertain future.

In contrast to this pessimistic result, it might be supposed that a reputation system (i.e. persistent but alienable identity) would support partially- or uncollateralized loans. Suppose, therefore, that the borrower is no longer anonymous, but pseudonymous, with a reputation score attaching to the borrower’s identity. The borrower’s history, therefore, is public information. In such an environment, with the possibility of repeated dealings,

(1) $$U_t^R = qL_t + \sum_{T=t+1}^\infty \frac{1}{(1+r)^{T-t}}(qL_T-rL_{T-1})$$

(2) $$U_t^D = (1+q-c)L_t$$

(1) is the borrower’s payoff from repaying, the discounted value of the liquidity benefits of borrowing in all future periods. (2) is the borrower’s utility from defaulting on the current period’s loan, which spoils his reputation and eliminates the possibility of future borrowing. Note that this trigger strategy is a particularly extreme response on the part of the lenders; in reality, the possibility of honest default means that the terms of future loans will move against the borrower, but the possibility may not be foreclosed, meaning that (2) is a lower bound for $$U^D_t$$.

The borrower will have an incentive to repay the next period’s loan so long as

(3) $$U_t^R > U_t^D$$

Subtracting $$qL_t$$ from both sides gives us an equivalent interpretation: the value of the borrower’s reputation (the second term of (1)) must at all times be greater than the difference between the value of the current period’s loan and the collateral $$(1-c)L_t$$ in order for lending to be incentive-compatible under pseudonymity. Importantly, and unlike a standard intertemporal budget constraint, it is not sufficient for negative values of $$U_t^R – U_t^D$$ to be made up for by positive values in later periods. Because the borrower has an outside option of withdrawing his wealth from the network and rejoining with zero reputation, he will never have an incentive to maintain a reputation valued less than the maximum amount he could borrow that period. (3) must be expected to hold in every period if the borrower is to repay.8

Ignoring for the moment the effect of an increasing time path of $$L_t$$ on the borrower’s reputation, suppose the lender commits to lend some fixed amount $$\bar{L}$$ each period so long as the borrower repays the previous period’s loan. This allows us to simplify (1) and write the value of the borrower’s reputation as

(1’) $$U_t^R – q\bar{L} = \frac{q-r}{r}\bar{L}$$

The repayment condition then becomes

(3’) $$q > (2-c)r$$

which, for all $$c<1$$, is more restrictive than the borrower’s participation condition $$q>r$$.

Consider the predicament this puts the lender in. The value of the borrower’s reputation is proportional to the size of the loan stream, which means $$\bar{L}$$ does not appear in the repayment condition at all. For a given $$q$$, $$r$$, and $$c$$, the size of the loan does not affect the incentive to repay. Because c enters negatively on the right-hand side, increasing the collateral requirement can ensure compatibility. On the other hand, if the lender should raise the interest rate to compensate for the risk of an unknown prospect, the higher $$r$$ actually decreases the borrower’s incentive to repay – a classic adverse selection problem. Uncollateralized lending, apparently, is not incentive-compatible in a pseudonymous environment except for borrowers that the lender already knows to have a high demand for liquidity, knowledge that is private to the borrower. This is true even under an unrealistically stringent trigger strategy.

The lender can, of course, forestall these problems by venturing small sums at first and increasing the amount advanced as the borrower builds up a reputation. In this way, an increasing time path of Lt can raise the value of the borrower’s reputation relative to the value of the current loan. Suppose, then, the lender decides on a time path $$L_{t+1} = L_t + g(L_M – L_t)$$ with $$0<g<1$$ so that $$L_t$$ converges asymptotically to a maximum loan size $$L_M$$. In this case we can rewrite the time path of $$L_t$$ in terms of initial conditions:

(4) $$L_{t+T} = L_t-(L_M-L_t)\sum_{\tau=1}^T{\binom{T}{\tau}}(-g)^\tau$$

Plugging (4) into (1) and simplifying gives us the value of the borrower’s reputation at time $$t$$,

(1’’) $$U_t^R – qL_t = \frac{q-r}{r}L_t +(L_M-L_t)\frac{g(q-r+qr)}{r(r+g)}$$

which gives us the repayment condition

(3’’) $$q > (2-c)r – \frac{L_M-L_t}{L_t}\frac{g(q-r+qr)}{r+g}$$

Because $$q>r$$, the second term of (1’’) is always positive, the value of the borrower’s reputation is greater than in (1’), and the repayment condition (3’’) is less stringent than (3’). In addition, the reputation value is no longer strictly proportional to the loan size. However, notice that (1’’) and (3’’) converge to (1’) and (3’), respectively, as $$L_t \rightarrow L_M$$. It follows, therefore, that if (3’’) holds at some time $$t$$ where (3’) would not, there necessarily exists some threshold that will be reached in finite time where (3’’) will again cease to hold.

### A Path Forward: Sanctions, Identity, and Oracles

If uncollateralized direct lending is not incentive-compatible even under repeated dealings, it will generally be necessary to add ex post sanctions in order to diminish $$U_t^D$$ and ensure that repayment exceeds the benefits of opportunistically defaulting. Such off-chain sanctions would enter (3’) and (3’’) exactly symmetrically with $$c$$, and can be thought of as implicit collateral: a sanction of x as a proportion of the original loan size can be depicted by replacing $$c$$ with $$c+x$$.9 Given that a borrower has by definition not exposed himself to such sanctions in an uncollateralized loan, however, this will not be possible in a pseudonymous environment where one’s identity is alienable.

Traditionally, sanctions are provided for by cross-linking many different domains, at least some of which are backstopped by the possibility of legal sanctions. This cross-linking amounts to an inalienable identity across all domains, effectively removing the constraint that (3) hold in every individual period.10 For example, a credit score is not only a reputation that influences financial opportunities across different lenders, which could be straightforwardly replicated on the blockchain. Importantly, credit scores also provide information to and summarize information from collection agencies and courts, both of which can impose sanctions outside of the bounds of the loan transaction in question.

Public blockchains by themselves, of course, have no power over assets external to the blockchain,11 no powers of compulsion, and therefore no power to attach inalienable identities to users without relying on trusted external information. Furthermore, even if such power was possible, its administration requires distinguishing between honest and opportunistic default. Unlike the information asymmetry relevant to the dilemma aspect of monetary exchange, determining whether or not a default was opportunistic requires irreducible human judgment and could not in principle be decided algorithmically by a smart contract (Harwick 2020). Indeed, the difference could not be exhaustively specified in advance by any contract, for the same reason that complete contracts are commonly assumed to be impossible.

The conclusion that even simple forms of finance lie outside the technical frontier, therefore, is firm: uncollateralized finance in a pseudonymous on-chain environment is not incentive-compatible. The question, then, becomes: which of these environmental constraints can be most feasibly relaxed without violating the spirit of the public decentralized ledger?

One potential path forward is with a technology called oracles, which – in contrast to “hermetic” blockchains – provide an interface for smart contracts to use chain-external information.

Oracles, ideally, provide a trustless (or at least near-trustless) way of getting extrinsic (i.e., ‘real-world’ or off-chain) information, such as the results of football games, the price of gold, or truly random numbers, onto the Ethereum platform for smart contracts to use. . . . Oracles can therefore be thought of as a mechanism for bridging the gap between the off-chain world and smart contracts. Allowing smart contracts to enforce contractual relationships based on real-world events and data broadens their scope dramatically. (Antonopoulos and Wood 2019)

If there is a third party responsible for confirming data external to the chain that is linked to the identity of either party in a transaction, however, the exchanging parties are no longer necessarily pseudonymous to each other. This can be avoided with contingent pseudonymity. In this setup, an oracle uses a trusted third party to confirm identity and any other attributes required by the smart contract, such as account balances at traditional financial institutions, but only reveals identity to the lender in the case of failure of repayment, thereby opening the possibility of off-chain sanctions. This would be the equivalent of sending a photocopy of one’s driver’s license to a bank when opening an account with the expectation that the bank does not share that information with its depositors, with the difference that the trusted third party need not even know the identity of the second party to whom the information is sent, provided the first party has authorized it. The user’s identity, in other words, is posted as additional collateral. Whatever collateral would be necessary in order to make lending incentive-compatible, whether in a repeated relationship or not, can be (threatened to be) collected ex post with the same result.

Recent developments suggest that such a setup is feasible. One current attempt is Metaverse, a platform for notarizing identity information on the blockchain using trusted oracles. The digital identity whitepaper (Metaverse 2017) describes a potential application where a user who has undergone vetting by Bank A may use that prior approval in applying for an account at Bank B. Provided Bank B trusts Bank A’s vetting process, Bank B does not need any personally identifying information from the user. From here, contingent identity contracts – where identity is revealed only on a trigger event – are a small step.

There are also efforts to maintain the privacy of information acknowledged by an oracle. Cornell Tech’s oracle, Town Crier, has been employed for maintaining privacy of information used to perform a query such as an account ID and password (Zhang, et al., 2017; Coindesk, May 17, 2017). The same or similar protocol can be used to maintain the integrity of borrowers’ identity information. A clause where identity is revealed in the event of a breach of contract would be a straightforward application of existing technology.

Oracle-derived data is necessarily “trusted”. To condition protocol behavior on the input of data external to the protocol requires that users place some trust in the source of that data. The alternative to an oracle, however, is a ‘hermetic’ blockchain, where algorithmic contracts are limited entirely to trustless network-internal data. If finance falls outside the technological frontier and is therefore nonviable in a pseudonymous environment, the contribution of blockchain technology to finance will be limited to simply keeping track of accounts that are for all intents and purposes administered with traditional institutions. The advantage of oracles over hermetic blockchains is not only the end result of making financial institutions viable, but also making trust transparent where traditional institutions often obscure exactly whom a user is relying upon in trust. Users may, for good reasons, desire to expose themselves to counterparty risk. A blockchain that allows user to do so transparently, rather than preventing them entirely from doing so, will be one that supports a much richer financial ecosystem; one with true disintermediating potential, rather than simply a payments technology to undergird existing systems.12

### On-Chain Securitization

Returning to our types of finance, direct lending is only the simplest. More complex types are largely similar in the fundamentals, but introduce new roles and new dilemmas, and therefore require more reliance on traditional identity institutions. This section shows that the incentive-compatibility of on-chain securitization – i.e. the resale of promises to pay on a secondary market – requires a similar identity-laden environment between buyers and originators as the previous section argued was necessary between lenders and borrowers.

Assuming such an environment characterizing lender-borrower interactions, it is a small step technically to the resale of promises to pay on a secondary market, i.e. the establishment of securities on the blockchain. As a creditor, I have only to transfer my stake in an ETHLend smart contract (for example), and that smart contract becomes a security, a liquid liability of the borrower, rather than an arrangement between two concrete parties. The new question introduced by securitization is: under what circumstances will a third party buyer find it worthwhile to purchase the lender’s stake in the smart contract and the revenue stream it represents?

The situation between the buyer and the lender in this scenario is almost exactly analogous to the situation between the lender and the borrower in the direct lending scenario. The buyer faces no commitment problem; however, the lender does face a commitment problem vis-a-vis the buyer in a way that requires external sanctions and precludes pseudonymity.

In order to focus on the dilemma between the lender and the buyer, we assume here that the borrower may default, but only honestly. It will therefore be necessary to say something about the borrower’s income, so we drop the assumption that he is always able to repay. Instead, the borrower borrows in order to finance a project that will either generate enough revenue to cover expenses, in which case the borrower repays, or it will generate no revenue, in which case the borrower defaults honestly.

We can think of these two outcomes as representing two types of borrowers, and each borrower has an incentive to represent himself positively to the lender regardless of his own expectations.13 The lender therefore spends some amount on each applicant to determine a probability that the borrower is of one type or the other (this can be thought of as the cost of verifying the borrower’s income, or assessing the project’s viability). If the lender selects borrowers randomly from a continuum of borrowers with an ex ante default rate of $$d \in [0,1)$$, we can define $$i$$ as the average cost per funded borrower of gathering enough information to select projects such that the expected rate of honest default is $$d/(1+di)$$.14

Returning to a one-shot game, the lender’s expected profit from holding the loan to maturity will be:

(5) $$\pi_H = \left(r-(1+r)\frac{d}{1+di}\right)L-i$$

And his profit-maximizing investment in information when intending to hold is

(6) $$i^*_H=\sqrt{(1+r)L}-\frac{1}{d}$$

Suppose, however, that the lender has the opportunity to sell the loan as a security on the open market. In this case, the lender’s profit will be

(5’) $$\pi_S = \frac{(1-\rho)(1+r)}{1+\bar{r}}L-i$$

where $$ρ∈[0,1]$$ is the buyer’s (not the lender’s) expectation of the revenue stream as a proportion of the future value $$(1+r)L$$, and $$\bar{r}<r$$ is the risk-free market rate of interest over the relevant time period. The first term, therefore, is the market price of the loan on the secondary market.

The problem, however, is that $$i$$ is private information for the lender. Even if the buyer can verify an amount $$i$$ was spent, he cannot tell whether this was spent in such a way as to effectively gather information. In a one-shot environment, there is no way for the buyer of a security from an anonymous source to verify the expected value of the underlying revenue stream. $$i$$, therefore, does not affect the market price, and the profit-maximizing information-gathering investment $$i^*_S=0$$. The buyer, knowing this, attributes $$ρ=1$$, and the equilibrium market price is also zero. Under these circumstances, because $$πS < πH$$ for all $$i$$, lenders will prefer to hold loans to maturity and no secondary market develops.

The move from the one-shot anonymous environment to a repeated pseudonymous environment with reputation is exactly analogous to the direct lending model: the lender stands in the same relation to the buyer as the borrower does to the lender, exchanging current money for a promise to pay, with the difference that he is reselling another’s promise rather than making his own. Nevertheless, because default is probabilistic, the buyer is not able to employ a trigger strategy, but instead must update his assessment of the likelihood that the lender is misrepresenting the probability of default. The lender’s “honesty condition” – analogous to the borrower’s repayment condition – is therefore even less likely to hold.

Real-world secondary markets are vouchsafed by a number of institutions, none of which clearly lie within the technical frontier, but many of which would be amenable to hybrid oracular solutions. First, credit rating agencies conduct external audits on the revenue streams of securities in order to assess probabilities of default, thus lending credibility to the lender’s estimation. This does not preclude systematic error, as in 2008 when the mortgages underlying mortgage-backed securities turned out to be more cyclically correlated than had been anticipated. This was not, however – to anyone’s knowledge – an instance of opportunism. Indeed, though a given risk model may be objective enough – and therefore be executable by a smart contract on a blockchain security – discretion enters at two points: (1) the data fed into the risk models, and (2) the development and choice of risk models, neither of which can effectively be chosen algorithmically.

Second, while blockchains reduce transaction costs in information dissemination, they cannot be expected to reduce economies of scale in information production. A large lender’s reputation is relatively more valuable than a small lender’s, hence in part the great deal of market consolidation observed in financial firms. Large-scale pseudonymous financial firms are conceivable, if unlikely, but even so this takes us rather far from the disintermediating image of small-scale lenders originating and exchanging securities on the open market.

Finally, both lenders and rating agencies are potentially subject to discretionary sanctions from courts in the event of opportunism. As with the sanctions in the previous section, it is the lender’s incentive to misrepresent pertinent information, as well as the inability of the buyer to see through the lender’s plausible deniability ex post, that necessitates discretionary and non-algorithmic action involving value that none of the parties have explicitly put up.

A liquid secondary market in blockchain securities, therefore, is likely to look much more “traditional” than blockchain maximalists might expect. In particular, it is likely to involve large-scale and non-anonymous intermediaries, using smart contracts, but not to the exclusion of traditional legal contracts. While algorithmic governance is a viable substitute for discretionary decisionmaking inside the technical frontier, outside it, they must remain complements. In such situations, contrary to the common mantra “Code is law”, it is precisely the non-algorithmic nature of law that gives it a comparative advantage over code.

### Leveraged and Liquid Promises

The final type of finance that would bring cryptocurrencies to functional parity with national currencies is the circulation of leveraged promises to pay as money. The most significant example of this, historically, has been the practice of fractional reserve banking, where banks issue money substitutes (i.e. promises to pay basic money) in order to fund a portfolio of loans. Where the bank is sufficiently credible, people will be willing to hold its liabilities instead of base money.  Importantly, the bank’s liquid reserves are insufficient at any given time to redeem its outstanding liabilities. In a competitive environment, this flexibility allows the money supply to offset changes in the demand for money and prevent significant business fluctuations (Selgin 1989, ch. 5; 1994). This occurs without any action on the part of the authorities administering the more basic money.

In cryptocurrency markets, given the high exchange rate and purchasing power volatility compared to national currencies, this countercyclical force is of paramount importance – not only for stabilizing the volume of spending against changes in the demand for money (Caton 2019), but also for matching the distribution of changes in the supply of money to the pattern of the initial change in demand (Harwick 2016).

There has been some resistance from the cryptocurrency community to the idea of fractional reserve banking (e.g. Šurda 2012). A primary ideological justification of cryptocurrency has been its non-discretionary nature: there are neither central banks nor private banks to exert discretionary control over the supply of money. Indeed, in the case of Bitcoin and many others, the supply path cannot be changed except by a hard fork.15

New developments in the cryptocurrency space have the potential to sidestep both technical and ideological hurdles. What is important for a demand-elastic money supply, and therefore a stable currency, is not fractional-reserve banking as such, but the issue of leveraged debt instruments with sufficient liquidity to allow them to substitute for and circulate as money. Bank deposits currently serve this purpose for existing national currencies, but any development that collapses the secondary market for securities into the market for money balances could suffice. The Lightning network on the Bitcoin blockchain is a promising paradigm for doing so.

The Lightning network originated as a way to reduce both transaction fees and verification time, both of which had grown as waves of interest congested the Bitcoin blockchain’s ability to handle payments effectively (Poon & Dryja 2016). The idea is to use a smart contract to open a tab between two parties. The smart contract keeps the tab isolated from the blockchain’s transaction-verifying process, only broadcasting (and finalizing) the respective balances to the wider blockchain when the two parties close out their relationship.16 Given that broadcasting transactions can be costly in terms of both fees and time, keeping track of bilateral balances this way can improve efficiency.

What makes the Lightning network interesting from a financial perspective is that the balances it accounts for are legible to the blockchain, but not reflected in the final balances. They are, in other words, from the perspective of the canonical blockchain ledger, promises to pay.

That being said, Lightning-esque smart contracts are still limited in their financial applications. A philosophy of minimal exposure to counterparty risk constrains parties to encumber a fixed amount into the contract ex ante, the division of which can then be updated off-chain. If the tab exceeds the encumbered amount, more funds must be encumbered, which entails an additional on-chain operation that negates the speed and cost advantages of the tab paradigm.

With feasible technical extensions, however, something akin to Lightning’s smart contracts could provide the scaffolding for the decentralized creation of leveraged monetary blockchain instruments (We will refer to Lightning-like contracts on any blockchain as Lightning contracts). If it were possible to promise more than is encumbered in the smart contract, then the limitations of Lightning contracts as promises to pay would be overcome. There would be no necessity of committing liquid assets ex ante to a loan, and the quantity of loans in the aggregate would respond to the demand for money in the usual way. There is no insurmountable technical problem here: the promise of the Lightning contract is to separate the medium of exchange – transferrable stakes in smart contracts – from the means of settlement, which remains actual bitcoins. Such a separation is characteristic of fractional-reserve institutions in the broader financial world, where the most common medium of exchange (bank deposits) is a promise to pay in terms of the means of settlement (Federal Reserve notes or accounts at the Federal Reserve), but is not itself that means.17

Compared to current fully collateralized blockchain financing methods, flexible Lightning contracts would have the following advantages:

1. Allowing the system to create liquidity by provision of a saleable instrument in response to changes in expectations, rather than simply transfer a fixed stock of liquidity,
2. Allowing individuals to draw on the capitalized value of expected future returns, rather than simply transforming currently held assets,
3. Stabilizing the value of the currency as the aggregate supply of leveraged liabilities adjusts to offset changes in the demand for the monetary unit.

These would come at the cost, however, of a pure trustless system, and allowing the possibility of default. A system with the aforementioned advantages is necessarily one that exposes the lender to counterparty risk. We have moved, in other words, from the realm of payments to the realm of finance, where eliminating counterparty risk also eliminates the ability of any financing method to deal with the irreducible uncertainty of the future. The financing methods necessary to support production and organization under conditions of uncertainty will necessarily involve the possibility of default. Protecting against this possibility, as in the previous section, must involve off-chain institutions. Specifically, off-chain sanctions and arbitration (enabled by contingent pseudonymity) will be necessary in order to render a secondary market in leveraged promises, like the non-leveraged promises of the previous section, feasible. Without collateral or off-chain sanctions and arbitration, a pseudonymous lending market cannot function.

Existing and historical institutions offer clues as to feasible solutions to these potential problems. Nevertheless it would be a failure of imagination to think that analogous institutions on the blockchain must mirror traditional institutions in every respect. Though it is difficult to predict the exact path that innovation will take, unencumbered Lightning contracts would offer some advantages compared to existing fractional-reserve financial institutions:

1. Transparency: On a public-ledger blockchain, the balance sheet of any lender reselling promises to pay is public information. Even if the accounts reflect face value rather than more economically meaningful “mark-to-market” pricing, monitoring intermediaries becomes much less costly.
2. Decentralization: Completely separately from the physical decentralization that characterizes a blockchain ledger, the technology can also make possible market decentralization. Costs of monitoring and gathering information scale as a function of the number of intermediaries, so high and rising monitoring costs are likely a significant factor in the recent concentration in financial markets. In response to the increasing intricacy of finance and the increasing difficulty of consumer monitoring, governments have imposed increasingly stringent reporting and capital requirements. If these requirements entail large fixed costs, smaller firms will be driven out of the market. A reduction in monitoring and reporting costs, therefore, will plausibly reduce market concentration, allowing a multitude of small lenders to credibly finance their lending operations by issuing circulating liabilities leveraged atop their liquid reserves.
3. Competition: Because the responsiveness of the broad money supply to changes in demand depends on the competitiveness of the market for financial intermediaries, increasing concentration of financial firms has entailed more activist monetary policy, adjusting the quantity of base money to changes in demand that could be effectively satisfied by changes in the quantity of bank money. A more decentralized and competitive financial market, on the other hand, could plausibly function with no discretion whatsoever on the level of base money, with adjustment to demand happening entirely on the level of leveraged liabilities. Friedman (2014), for example, considers the possibility of freezing the monetary base or its rate of expansion – a possibility strongly resembling Bitcoin’s constitution today – and assigning the responsibility for an elastic money supply to the issuers of broader monies in a competitive environment.

At the macroeconomic level, the exogenous supply path of Bitcoin and other cryptocurrencies provide no means of offsetting the price fluctuations that result from day-to-day shifts in demand. On a micro level, the inability of users to acquire liquidity on the basis of expected future returns leaves productive opportunities on the table. The ability to leverage promises – to create transferrable promises to pay without encumbering the value of that promise – is the key to solving both problems, regardless of whether this is accomplished by firms that look like traditional fractional-reserve banks or by some other more decentralized organizational form. If such institutions do indeed arise with the support of the necessary technical innovations, cryptocurrencies will be truly viable replacements for national currencies.

### Conclusion

Finance is an essential part of a monetary economy, and the quantification, mitigation, and transfer of counterparty risk is integral to finance. On a purely infrastructural level, cryptocurrencies have the potential to perform monetary and financial functions more effectively than national currencies today. We have shown, however, the insufficiency of purely technological solutions for interactions that lie outside the technical frontier. Because finance involves irreducible dilemma aspects, even in simple and direct forms, it cannot be done purely algorithmically or in a pseudonymous environment. Pure decentralized autonomous finance is, ultimately, chimerical.

If the potential of blockchain for financial technology is to be fully realized, therefore, entrepreneurs must be able to supplement the technical infrastructure with the existing discretionary and identity-laden social institutions that have evolved to solve the kinds of dilemmas that finance poses. The philosophy of eliminating counterparty risk must be supplemented with the ability to transparently manage counterparty risk.

We have argued that oracles provide a plausible basis for just this sort of integration. And with the financial intermediation made possible by oracles, Lightning contracts also have the potential to ensure substitutability between leveraged promises and base money in a way that will be necessary for a functional and stable-valued cryptocurrency, one that – while not purely autonomous – is still not subject to active management. It is our hope that, by showing the necessity of “trustful” institutions for effective solutions to the social dilemmas inherent in finance, that this paper will point the way toward future entrepreneurial solutions to the problem of blockchain finance.

### Footnotes

1. In this paper we limit our analysis specifically to public or permissionless blockchains. Private or permissioned blockchains like Libra, though sharing some of the underlying technology, are fundamentally centralized systems, and pose different problems, more akin to traditional financial organizations.
2. Users would be exposed to counterparty risk from any party in control of >50% of the mining power on the network, a possibility that has become less remote with the centralization of Bitcoin mining pools. Many newer blockchains, however, have adopted a variety of technologies – most importantly, the substantially more energy-efficient proof-of-stake consensus mechanism – to discourage centralization.
3. Specifically, a ruleset structuring a positive-sum interaction will be robust to some amount of defection or abandonment, provided this does not increase the value of further defections via an adverse selection mechanism.
4. Harwick (2020) discusses the exact connection between trust and the necessity for discretionary action.
5. Alchian’s (1977) argument that a monetary commodity must be easily verifiable follows straightforwardly from this logic. Horwitz (1992) discusses further parallels between money and language as social institutions.
6. This is the conventional wisdom dating to Friedman (1959), though see White (2015) for a dissenting view.
7. The converse, however, is not necessarily true: all the Nash equilibria are not Pareto-optimal, hence the “lock-in” problem common to network goods.
8. In this respect the situation resembles the one-sided commitment models in Phelan (1995) and Sanches (2011). Private information plus long-term credit relationships makes the lender aware of the borrower’s repayment history in much the same way that public information without long-term credit relationships does here.
9. We ignore the issue of the costliness of sanctions on the part of the lender (for example, time or legal fees), which would introduce a potential commitment problem on the lender’s side. This is an important issue, but secondary to the issue of assessing off-chain sanctions in the first place.
10. This parallels the finding from Phelan (1995) that credit markets with one-sided commitment can function if the opportunity cost of participation is autarky.
11. To the extent that blockchain tokens can be used for titling of physical assets and that these are respected by law, physicality as such is not an important barrier.
12. On the other hand, legal hurdles such as know-your-customer laws may impede even this provisional form of pseudonymity, especially if economies of scale in lending are sufficient that blockchain lenders become large enough to be targeted by governments. There is some evidence that this is already happening; for example the Monetary Authority of Singapore has recently identified that blockchains that conduct Initial Coin Offerings “fall under MAS regulatory law. Articles 3.2 and 3.3 require companies to conduct diligent and continuous KYC checks, and report and suspicious or unlawful activity” (Forbes, May 17, 2018).
13. This form of opportunistic moral hazard is distinct from the opportunistic default in the direct lending model. Assessing sanctions $$x$$ can mitigate the latter; paying $$i$$ to gather information can mitigate the former. It is not necessary that the borrower know his own type ex ante; only that he knows it with more probability than the lender prior to the latter investing in information gathering.
14. Alternatively, if the lender faces adverse selection such that d is endogenous to $$i$$, the $$d/(1+di)$$ can be replaced by the simpler $$1/(1+i)$$. The logic here would be that a lender who gathers no information will be taken advantage of by borrowers rejected by other lenders.
15. In a hard fork, changes to the blockchain’s consensus protocol make new blocks incompatible with those generated by the original ruleset. If all the computing power on the network does not switch to the new protocol, a separate blockchain is generated, e.g. the hardfork of Bitcoin Cash from the main Bitcoin blockchain.
16. Final balances are also broadcast to the blockchain in the event that either party disputes the current balance. The details need not concern us here, but Poon & Dryja (2016) show the feasibility – both technically and in terms of incentives – of relying on such a tab rather than having recourse to the mining mechanism, so long as the latter is available in the breach.
17. This separation, which entails separate M0 and M1 (or M2) money supplies, is a particular form of the more general logic of the Pyramid of Credit. See Mehrling (2012).

#### Tags

BitcoinFinanceGame theory