Zero Knowledge

“Zero Knowledge”, contrary to what it sounds like, is actually quite interesting and fun. It might even be a solution to our long standing problem of validating the world’s transactions without a trusted third party or government or central bank. If you Google for the terms Zero Knowledge and Blockchains, you will be flooded with whitepapers, articles, explainers, investment advice, and everything in between.

What does Zero Knowledge (ZK) even mean? Let me start with a toy example, and then we can work our way up to world peace.

Say we both get the same newspaper and it has a Sudoku puzzle in the games page. I claim to you that I know the solution to this puzzle, but will not tell you what the solution is. Being the frenemy that you are, you won’t believe me, obviously. Can I prove it to you, beyond reasonable doubt, that I do know the solution to this Sudoku puzzle, without telling you what the solution is? More formally,

  • If I know a solution, I should be able to convince you of that. Without leaking any knowledge about the solution.
  • If I lie about knowing the solution, I should be caught – with overwhelming probability.

If both the above are possible, that would be a Zero Knowledge Proof of Knowledge of a Sudoku puzzle. There are some ingenious ways of doing this, which rely heavily on cryptographic primitives and protocol design. In fact, it’s possible to convince an audience that you know the solution for almost any puzzle without giving them any hint of the solution itself. Sudoku was just one example. You could prove that you know the solution to a crossword puzzle, or the Rubick’s cube, or that you know a cycling route from New York to Seattle that’s exactly 5000km, or that you have paid your rent, or that your bank balance is more than $10,000 or any such statement really – without actually revealing the actual solution to the statement.

Imagine the power of such a system, where you could convince others that something is true, without revealing how it is true. In most real world systems, including financial systems, to prove something to someone, you have to reveal the actual facts of the matter – and thereby reveal more than you have to.

For example, getting a visa to any country requires you to provide your bank statement – just to prove that you can afford the trip. It should be possible to prove that you can afford the trip, without revealing any financial information. Also, the proof should be real – as in, if you cannot afford the trip, you shouldn’t be able to prove such a thing and fool the visa-issuing agency. We want both sides, the prover and the verifier, to win. Just with no leak of extra information. The best kind of privacy, if you will.

Where is Waldo?

First, I will give an example of how such a Zero Knowledge protocol looks like, to make you believe that it’s possible. Below is Waldo: Say Hi to him.

Waldo is somewhere in the amusement park image below. Can you find him? Don’t try too hard, it’s not worth it.

This “Where is Waldo” puzzle lends itself very well to a Zero Knowledge protocol. I can prove it to you that I know where Waldo is without revealing his actual location on the image. How do I do that? We run the following protocol between the two of us.

  1. You blindfold yourself. I keep a large white sheet of paper on top of the amusement park image, and ask you to remove your blindfold. You can give me one of two challenges. You should choose these challenges randomly.
    1. I should remove the sheet of paper and show you the amusement park image underneath.
    2. I should cut out a small hole in the white paper right above where Waldo is on the image. If I do this, I must know where Waldo is.
  2. Repeat step #1 till you are satisfied.

Why does this protocol work?

  1. If I know where Waldo is, I can easily answer challenge #2. That part is easy. It’s not so easy to figure out why challenge #1 is required.
  2. I could cheat by keeping some other image under the paper which has just many images of Waldo on it. How do you know that it’s actually the amusement park image and not some other image that I made up? Challenge #1 to the rescue. If you had asked me challenge #1, I had to remove the entire paper and show you that this was the amusement park image in question.
  3. Note that you cannot give me both the challenges at the same time, as that would tell you where Waldo is. Only one challenge per protocol round.

If we do this entire exercise just once, you could have asked me to answer challenge #2 and I could still cheat with a probability of 50%. If we do it twice successfully, I can still cheat with a probability of 25%. If we do it three times, it reduces to 12.5%. If we do it 10 times, and you picked your challenge randomly each time, I can cheat only with a probability of 0.1%. If we repeat this 20 times, the cheating probability drops to 0.0001%. And so forth, exponentially. Again, this only works if you pick your challenge randomly. If I know in advance that you will ask me the challenge sequence, of say, 122212121222111 – I can pass all challenges easily. The protocol works only if I am unable to guess your challenge sequence.

Cryptographic researchers have proven that almost any statement can be proven in zero knowledge. Imagine that! Any statement! It’s one of the most celebrated results in theoretical computer science, all the way back from 1986. The concept of Zero Knowledge Proof itself was introduced in 1985, after the original paper was rejected in major scientific conferences in the prior years because of how absurd the idea sounded. It still sounds counter-intuitive, if you ask me.

One popularly used ZK-proof system, solving a very specific problem, is that of Digital Signatures. When you digitally sign a document, you are proving to the verifier that you know a secret key to your public key (which the verifier already knows, or is tied to your identity, or some such). For the longest time, general purpose ZK-systems, which could prove any statement, were just theoretical results – the actual proofs themselves can be quite unwieldy and inefficient. Theoretical work continued, but there were still no practical applications that needed these proofs to get smaller, or easier to understand, or even remotely workable. 25 years went by, and people were mostly happy with either revealing everything about something to prove it, or having a trusted third party (like a Bank Officer or Notary) signing a statement saying that something is true, without revealing the underlying details. Ho-hum.

Enter Bitcoin!

Bitcoin removed the trusted third party from financial transactions. Or at least, introduced the idea that it could be done with clever cryptography and protocol design. Researchers who were toiling away in obscure labs and universities were suddenly like: “Hey, there are these amazing theoretical cryptography results from decades ago, let’s use them”. These ideas suddenly seemed ripe for more R&D to make them practical. And boy did the researchers and engineers deliver! Here’s a short list of how Zero Knowledge pervades the cryptocurrency space.

  1. New cryptocurrencies: Zcash, Monero, Grin, Beam, Mina, etc.
    • Everything about a transaction is hidden. Who is paying. Who is the recipient. What is the amount. Everything is hidden. Crucially though, verifiers can verify that the transaction is valid, and no one is cheating anyone. Zero knowledge magic. Details differ, but this is the general idea.
    • Additionally, Zero Knowledge proofs can verify large numbers of transactions without needing to store all those transactions. So, these ZK-blockchains can be as small as a few KB. For comparison the Bitcoin blockchain is 350GB and growing. Ethereum’s blockchain is 1TB or 5TB (depending on whom you ask) and growing.
  2. Layer-2: ZK-Sync, StarkNet, etc. bring the benefits of ZK-proofs to legacy blockchains like Ethereum and increase throughput quite dramatically.
  3. Other Proofs: Exchanges can use ZK-proofs to convince their users that they are not doing fractional reserve or rehypothecation shenanigans, and in fact, do custody all their customer assets.

What next?

Some of these general purpose ZK-systems have quite advanced cryptography, and their security guarantees are proven sometimes under ideal settings. When I say security guarantees, what I mean is:

  • Can the prover cheat?
  • Can the verifier learn something by violating the zero knowledge principle?
  • Can we do the entire thing without relying on cryptographic assumptions?
  • Some systems rely on an initial ceremony where some trusted party has to do one-off computation. Can we remove such requirements?

Practical minded people say that this stuff is too advanced, or “moon-math” as they call it. These primitives will not make it to Bitcoin for a LONG LONG time, if at all. Bitcoin’s cryptography is from an even older generation, and has been vetted in traditional settings like e-commerce, national defense, etc. No moon-math for Bitcoin!

That doesn’t mean that Bitcoin won’t benefit from these new developments. Bitcoin has evolved to a place now where the core protocol itself won’t change that easily, but additional features have to be built on top, in other layers. ZK-proofs will reside on a secondary layer somewhere on top.

Ethereum, on the other hand, is more open to these ideas. ZK-proofs are making their way into Ethereum’s core-system slowly, but will definitely pervade Ethereum’s Layer-2 ecosystem quite thoroughly in the near future. Much faster than in Bitcoin, from what I can see. Newer blockchains will go all-in, and will be built around ZK-ideas, or will offer them as native operators or subroutines.

You have the entire spectrum of blockchain platforms – some boringly conservative, and just trying to be sound money. Some others on the bleeding edge of maths, offering true privacy through ZK-proofs and the like. I expect these to become more mainstream as privacy becomes non-negotiable. Currencies, smart contract platforms, exchanges, and every other financial intermediary will go maths-first!

Governance, Decentralized

Define Governance: the act or process of governing or overseeing the control and direction of something (such as a country or an organization).

In this article, I will focus on whether any organization can have decentralized governance, and what does that even mean? And how is this related to cryptocurrencies. Let’s start with a very basic organization, and see whether it can be governed in a decentralized way.

What is an organization anyway?

Say some people want to pool their money and use it for charity. We have ourselves a rudimentary organization. During the organization’s inception, the founders make some bylaws – for example: for any charitable donation to happen, say 2/3rd of the remaining capital in the pool has to approve it. These bylaws are written down formally in a “human language” (the language being a “human language” is important). The organization will register itself with the government of that geographical area (let’s say, a country). In case disputes arise in the future, the courts of that country will interpret the bylaws of the organization, apply the relevant common laws of that country, and with the threat of force, ask the members of the organization to abide by the court’s judgment. We kind of get how this works.

I will call this “centralized governance”, because the dispute resolution is adjudicated by a centralized authority. In an ideal world, this centralized authority is fairly appointed by representatives of the people who were fairly elected by the people to carry out such appointments.

Enter Smart Contracts

If the bylaws were precisely written down in an unambiguous computer language, and deployed on a distributed computer that could not be stopped, or taken over by any single authority – we have a decentralized organization. It’s governance is encoded in the program that was deployed on the distributed computer. Ideally, once deployed, the program cannot be changed, and can be arbitrarily run by anyone forever. Who are the members of this organization? Let’s say the program has a function that accepts money as input, and gives out an equivalent valued token – anyone who makes such a function call is a member of this organization, as they have a stake in the program. Do disputes arise in such an organization? No. To see why the answer is “no”, we have to understand that this system adheres to the maxim: “Code is Law”. The program does exactly what it was programmed to do – there is no randomness or discretion or uncertainty in the execution. This faithful execution of the program obsoletes the idea of dispute resolution.

Ethereum smart contracts are such programs. They are deployed and run on Ethereum, which is a distributed network of computers that ideally cannot be censored or stopped. Ethereum has a richer programming language, along with the notion of a smart contract having monetary deposits, and other arbitrary data. Using this setup, one can write a smart contract that represents the charitable organization that we saw earlier. In fact, back in 2016, when Ethereum was still in its infancy, exactly such an organization was deployed as a smart contract on it. It was called The DAO, or the decentralized autonomous organization. It could accept funds from anyone, and with token holders voting for projects, would fund these projects from the collective pool of funds. Venture capitalists thought that the DAO would disrupt the VC industry itself, and added their own funds into the pool. At its peak, the DAO had 14% of all of ETH pooled inside it (ETH is the native currency of the Ethereum system). I didn’t read the code of the DAO, and am not sure how a project got actual funding – was some ETH moved to the recipient’s address? How would the DAO verify that the recipient actually produced something of value, if that artifact was not native to the blockchain itself? In the cryptocurrency space, it’s important to ask these questions – as the answers are not obvious, and often times hide red flags that indicate possible scams.

But as it turned out, this DAO program itself had a software bug, and that allowed a clever hacker to drain the uninvested funds into their own control. To “fix” this “hack”, people who had enough social clout in the Ethereum ecosystem managed to undo history, and start an alternate timeline where this hack never happened.

What?!?!

How does one undo history and make alternate timelines?

It’s the settlement assurances, stupid[1]Read more here: https://medium.com/@nic__carter/its-the-settlement-assurances-stupid-5dcd1c3f4e41

Let’s start with an example. Let’s say your credit card is stolen, and is used to buy strange things in strange lands. You call your credit card issuer and ask them to undo history, and start an alternate timeline where the theft never happened, and you have a clean slate of your own previous transactions and new transactions. Where did the thief’s transactions go? Turns out that they were never “settled”. In the traditional finance world, very very few transactions are actually “fully settled”. Transactions between countries, or between large banks, or those that are brokered by central banks are considered settled for good, and are truly irreversible. The rest of the world’s transactions can be reversed, if the right people are convinced.

In Ethereum, where code is supposed to be law – alternate timelines should not have been possible. The hacker took out the pooled funds from the DAO because the smart contract allowed that to happen. That’s the bylaws of the contract, and the hacker is playing by the rules. There shouldn’t be a discretionary voice that says “But that’s not the spirit of the law”. Smart contracts are only supposed to respect the word of the law, and not the spirit of the law. Ethereum, in its early days at least, believed that the spirit of the law mattered more than the word of the law, and allowed the DAO hack to be “bailed out”.

Ethereum is just one such “network computer” (blockchain, to keep up with the times) that runs such code-is-law smart contracts. There are other blockchains that claim to do the same, and have varying degrees of centralization that allows the powers-that-be to “bail out” certain contracts if shit his the fan. On the other hand, Bitcoin doesn’t even allow such powerful smart contracts, and the rudimentary smart contracts that it does allow, have never been reversed because some people lost their money. I think it’s an important distinction that makes Bitcoin the most (if not the only) credible blockchain in existence, but that’s just me.

Governance, through code

Coming back to Ethereum smart contracts which act as decentralized autonomous organizations, how can governance rules be changed if all token holders agree to it? We now get into some of the more sophisticated governance models for smart contracts, which can all be coded into the initial smart contract itself. Here’s one popular model:

In our original charity smart contract, we had the initial bylaw that 2/3rds of the total pool had to approve every new donation. Let’s say we want to change this rule to have 3/4 instead of 2/3. While writing the initial smart contract, this particular constant (2/3) is delegated to a different smart contract that is deployed first, and the main smart contract calls this other smart contract to perform it’s actions. In software programming, this is either called “delegation” or “forwarding” or “a pimpl – pointer to an implementation”. The difference between a classic software program that does this, vs. a smart contract that does the same thing – is that in a smart contract with decentralized governance, the change in implementation of a functionality has to be voted by token holders. This is how it looks:

  1. The initial smart contract is written in such a way that the following steps are supported.
  2. Someone (doesn’t matter who) codes a new piece of functionality and deploys it on the blockchain. For now, this is dead code, as no one is executing it. But everyone can see what it does.
  3. Someone (again, doesn’t matter who) makes a proposal in the original contract that they would want to call a vote for this new functionality from step (2) to replace the equivalent step in the original code.
  4. There is a timeline for token holders of the smart contract to vote for this proposal. Votes are tallied. The result is known.
  5. If the governance change is approved, there is an additional time window before it comes into effect. Token holders who are unhappy that this change was made can withdraw their capital from the pool by returning or burning the tokens.
  6. The governance change is affected by changing the smart contract implementation of this functionality from the original to the new.

Many smart contracts on Ethereum have the so called “governance token” that allows token holders to change the rules of the smart contract if enough such token holders vote for it.

  1. Uniswap, the popular decentralized exchange on Ethereum, has its own governance token UNI, which allows UNI holders to vote for governance changes like increasing or decreasing the fee taken by the protocol per exchange trade.
  2. Compound, a smart contract for credit issuance on Ethereum, has its own governance token COMP, which allows COMP holders to affect governance changes – like how they recently voted to change their price oracle.
  3. MakerDAO, the smart contract behind the stable coin DAI, has its own governance token MKR, which allows MKR holders to change the parameters of the DAI stablecoin, and how it maintains its 1:1 peg against the USD.

In my naïve unqualified opinion, these kinds of governance tokens can sometimes pass the Howey test, and could qualify as securities under some regulatory regime.

What’s in it for me?

Many tokens/coins are available to buy on many cryptocurrency exchanges.

  1. Some are native coins of their own blockchains – like BTC/ETH. Many of these native coins are centralized, issued to investors first, and dumped on the general public later.
  2. Some are ERC-20 tokens on the Ethereum blockchain. They represent governance rights on protocols, and thereby generate cash flow.
  3. Some are tokens on other blockchains. Most blockchains’ native currencies themselves are worth nothing. Tokens that are launched on these blockchains are even trickier.
  4. Some are even more complex tokens issued by smart contracts that govern other smart contracts.
  5. Some tokens are blatantly pointless, and are valuable just as collectibles: remember NFTs?

Some tokens have a point, but are still worth nothing.

Some tokens have a point, and might be worth something.

To keep life simple, one can just buy Bitcoin. If that’s too conservative (it’s not), maybe add ETH to the mix (don’t).

References

References
1 Read more here: https://medium.com/@nic__carter/its-the-settlement-assurances-stupid-5dcd1c3f4e41

Defi for the rest of us

DeFi stands for Decentralized Finance.

Decentralized: Ideally, any single entity should not be able to stop the process or program or system in question. It’s running on some unstoppable system where anyone can execute operations.

Finance: Savings, Loans, Exchanges, Margin Trading, Synthetic Assets (Equities, for example), Lotteries, Insurance, Collateralized Debt Obligations (why not?), and such.

Before the advent of Bitcoin/Ethereum, financial products were run on a computer that some entity controlled. This entity had a physical address, and could be visited by law enforcement or regulators or more generally, whom I call “men with guns”. Bitcoin/Ethereum run on so many computers that it’s not possible for men with guns to stop it. Smart contracts running on Ethereum are hard to take physical control of – and stop, or modify unilaterally by men with guns. This is the decentralization that we are interested in. Because of this, we have “unstoppable programs”, at least in theory.

First, a simple example of where these “unstoppable programs” come in. Let’s say you want to buy some Ether. You could submit your KYC details to a centralized exchange like Coinbase or Kraken and get an account. You then wire-transfer some dollars to their bank account, with some routing instructions so that the money goes to your account. You wait for the dollars to show up in your dashboard, and then buy some Ether with it. You could let the Ether stay there (like how you let your money stay in a real world bank) or you could self-custody by transferring the Ether out to your own hardware wallet. Like you withdraw cash from a bank and self-custody under a mattress, for example.

Decentralized Exchanges

Given that you could be an “under-the-mattress” type of person, Coinbase could block your account. What then? Enter DEX’es, or decentralized exchanges. Uniswap is one such DEX. It’s a set of smart contracts that run on the Ethereum network. The specific Uniswap smart contract that accepts USD and gives back Ether is located at the address 0xb4e16d0168e52d35cacd2c6185b44281ec28c9dc on the Ethereum blockchain’s “main-net”. Think of it as the unchanging IP address of the smart contract on the Internet. If you make a request to this smart contract with some USD, and it returns some Ether to your address. Think of it as making a web-search request to Google.com with a query and getting back 10 blue links as the result. But to start this process, you need to have USD in a form that the smart contract can accept. Enter Stablecoins.

Stablecoins

Stablecoins are tokens that 1:1-track external fiat currencies like the US Dollar or Euro, external (to the system in question) cryptocurrencies like Bitcoin. This token system is implemented as an ERC-20 token (which I explained in my post on NFT’s). Take USDC for example, which is a stablecoin that tracks the US Dollar. Every token minted by the USDC smart contract can be redeemed for $1. How do you mint a USDC token? You create an account on Coinbase, you transfer USD to it, and you buy 1 USDC for 1 USD. This 1 USDC is an ERC-20 token that can be transferred from your Coinbase account to your computer, or some other contract, or exchanged on Uniswap for something else. The 1 USD you owned earlier is now on the Ethereum blockchain in the form of 1 USDC. To redeem this 1 USDC back to 1 USD, you transfer this USDC back to your Coinbase account, and sell if for 1 USD. Note again, that there is no USD, ever, on the Ethereum blockchain. Ethereum does not know about USD at all. All it knows is USDC. Coinbase is your bridge from the real world to the ethereal world.

Coinbase is able to redeem USDC to USD because they have a traditional bank account somewhere that stores the USD that backs the USDC.

Coming back to our earlier use case: now that you have USDC on Ethereum, you can use the Uniswap contract to buy Ether with it, without going through Coinbase. But hey, we had to go to Coinbase to buy USDC. So, didn’t we just move the trusted third party from the exchange to the stablecoin issuer? We did. But do note that you can get USDC without going to Coinbase as well – it’s just an ERC-20 token that anyone can transfer to you on the Ethereum blockchain without permission from anyone else. And you can use this to exchange to any other token without anyone’s permission as well. If more and more of the economy “moves on chain”, the on and off ramps to fiat currencies like USD will become less important. But for now, someone, somewhere has to store 1 USD in a bank account to be able to generate the equivalent stablecoin “on chain”.

Automated Market Makers

So, how does Uniswap know the exchange rates for every token pair that it allows us to trade with? Each token-pair is run as a smart contract, where you can make function calls to swap one token for another. The smart contract also has a liquidity pool under its control which stores both the tokens in some ratio, and this ratio is used to infer the market price. The assumption is that if this ratio goes out of sync with the external market price, arbitrageurs will trade in the other direction to take tiny profits and revert the pool ratio back to reflect external market price. Users with excess liquidity in any token can fund these liquidity pools and take a small cut of each trade that hits their liquidity pool. We now have a liquidity provider who can get some yield on their capital. Notice that this system of smart contracts is not relying on any external data to be ingested into the system. The exchange rate between token is entirely set by market dynamics.

Let’s say you wanted to provide liquidity to the token pair ABC-XYZ on Uniswap, but you have neither token with you. On the other hand, you have more than enough Bitcoin that you want to HODL and not want to sell. Can we use this Bitcoin as collateral to get a loan of some ABC tokens that you can then use to fund the ABC-XYZ Uniswap pool? Enter DeFi loans.

Loans

In the traditional world of finance, Loans are given out to parties with good credit rating, and defaults are prevented/mitigated by a combination of social pressure of reputational damage, law enforcement, liquidation of other assets, or such. In the world of cryptocurrencies, the users have just one identity – a public key, which looks like this: 12cbQLTFMXRnSzktFkuoG3eHoMeFtpTu3S. How do you cause reputational damage to this public key? Traditional default protection ideas fail here. Most crypto-loans are, for that reason, over-collateralized. You want to borrow 100 tokens of ABC? You put up 150 ABC worth of Bitcoin as collateral, and then you take 100 ABC. As long as the smart contract can convince itself that the loan remains over-collateralized, you are good. If the value of Bitcoin goes down, you are expected to put up more collateral – or risk being liquidated.

Why would someone borrow an amount of X by pledging a collateral of 1.5X? Well, one obvious reason is that the borrowed token is more useful than the collateral token. It could be that the borrowed token is undervalued by the market vis-à-vis the collateral token. It could be that the borrower knows that the collateral token will tank in value the next day, and wants to willfully default on the loan. It’s all possible.

Hmm

What next? “TradFi” could get disrupted by “DeFi” because of how automated these smart contracts are, and how they can easily build on top of each other. Everything is an API, and API’s are open. On the other hand, men with guns could mess with the trusted third parties that, say, back stablecoins – and take down the whole system. Also, they could just run in this little corner of the general financial ecosystem, and everyone wins.

PS: Overheard on Twitter: Fish are swimming to DeFi in droves, and that’s attracting the sharks 🙂

On NFT’s

In 1996, a federal mint employee was eating bananas near where US dollar bills were being printed, and a Del Monte sticker on one of the bananas fell into the printing press and got under a transparent layer of a $20 bill. The Del Monte note was created. This particular $20 note is a collectible in some circles and has been auctioned many times before, and most recently for around $400,000. That the serial number of the note is printed over the Del Monte sticker makes this even cooler, and kind of unforgeable, and a fungible token became a non-fungible token.

What?

What does it mean for something to be “fungible” anyway? As an example, dollars (or any money for that matter) are fungible. That is, a dollar is a dollar is a dollar. It doesn’t matter if it’s a note with serial number XYZ or ABC or a ledger entry in some bank’s database. If I give you a $10 bill to transfer an equivalent value, the actual printed bill is irrelevant. This was made much easier when we went from cash (physical transfer of value) to digital transfer of value, and we now transfer an abstract notion of $10 without having to bother with a physical vehicle to carry that value. Now that we have digital money like your bank deposits or Bitcoin – what is the equivalent of the Del Monte note? I will get to that question in a bit.

In the physical world, there are two primary requirements for an object to become a collectible.

  1. It should be one-off, or a limited edition.
  2. It should have some intrinsic appeal because of aesthetic reasons (a Picasso, a Ferrari 250 GTO) or quirky reasons (the Del Monte note).

The appeal of a collectible is driven by popular culture. That’s beyond the scope of this article. The limited edition nature is what I am interested in. Most paintings appreciate in value after the painter has died. This makes that artist’s work provably limited edition. In rarer cases, the technology used to create the collectible in question is provably obsolete, or some raw materials have become extinct. Many times, if the creator is still active, they could implicitly make a promise that the collectible is limited edition. For example, the car company McLaren has implicitly promised us that they won’t make more of their iconic F1 supercar from the 1990’s. Or Ferrari with their 250 GTO from the 1960’s. Note that there is no technical reason that prevents them from making more of these cars. It’s just that if they break their word, the collectible nature of these cars will vanish. On the other hand, Seiko and Casio G-Shock, the Japanese watchmakers, make many limited edition collections of watches every year. In the watch collectors’ community, it’s almost a joke when a new “limited edition” Seiko comes out. Sure, there will only be 50 of these specific watches with some specific quirk, but tomorrow, there will be another limited edition collection with some other quirk. Eventually, even among watch collectors it’s hard to know which of these is a true collectible, and which is not. But they are all limited edition, according to Seiko.

What about collectibles in the digital world, where anything can be copy-pasted. Making a limited edition of anything is quite hard. For the most part, digital money is the only thing that cannot be copy-pasted. Government controlled digital money does this by having a centralized database with a trusted party (commercial or central banks) and this trusted party is – er – trusted to not copy-paste. Bitcoin and related cryptocurrencies prevent copy-paste using cryptography, distributed computing, and game theory. If you can make a unit of a digital money unique, by affixing a banana sticker on it digitally, you get yourself a digital collectible, or a Non Fungible Token (or NFT).

Can we “affix a banana sticker” on a unit of digital money in your savings bank account? Bank account balances are not represented as cash-like notes with serial numbers. Every account has just a numerical balance, and that makes it quite hard to take a part of that balance, and affix a banana sticker on it. So, that’s out. What about the other money that we know about: Bitcoin? Bitcoin is cash-like, in the sense that each digital unit of Bitcoin (technically called a UTXO, or Unspent Transaction Output) has a unique serial number associated with it. But how do we affix a banana sticker on it? For better or worse, Bitcoin is a bit too focused on being a secure implementation of money, and makes affixing this banana sticker much harder, like that Del Monte note was a one-off with the US dollar, but most US dollar bills are unmarked and fungible. Bitcoin is out.

What if we had Bitcoin-like platforms where affixing banana stickers on non-copy-paste-able digital tokens is easy. These are NFT platforms built on Ethereum.

A bit of history here: Ethereum, being a more ambitious platform than Bitcoin, wanted to allow general purpose computation on a decentralized system with no central operator (the opposite of say, Google Cloud or Amazon Web Services). General purpose computation is all fine and dandy, but most users wanted coins equivalent to Bitcoin, but with more fine-grained control on how the actual units were minted and transferred. Note that Bitcoin itself has these minting and transfer rules, but they are all set in stone. Ethereum’s underlying currency: Ether, also has such rules, and for the most part, they are also hard to change. But if a single user wanted to create their own such coin platform, with their own minting and transfer rules, they could create such a platform on Ethereum. This platform standard was called ERC-20, and all the ICO’s you heard about from 2017-2018 were ERC-20 coin platforms with specific mint and transfer rules created by specific teams. To give another analogy, every ERC-20 token-platform is like a bank. Users of a specific ERC-20 token-platform have their own account in this bank with fungible ERC-20 tokens in these accounts, and can transfer these tokens from their account to someone else’s account. This entire ERC-20 bank, along with other such banks, are all built on Ethereum. There are 1000’s of popular ERC-20 token-platforms on Ethereum, with each of them having many users.

One such platform is Cryptopunks, which is an ERC-20 token platform created by a company with 2 engineers. Cryptopunks added one new feature to each of its erstwhile fungible tokens. Each token is associated with a unique 24×24 pixel art image representing various human like faces, which added – er – personality, to each token. It turned out that these tokens were now not fungible at all – some of these tokens have cooler personalities and are valued higher. Thus was born the ERC-721 standard, which allowed token-platforms to add a unique personality to each token that the platform mints. The ERC-721 standard is also popularly known as the NFT standard. Any token-platform that conforms to this standard allows creation/transfer/showcase of tokens with personalities – and sometimes, the personality is as random as a random string of 32 characters. The digital fingerprint of an image file can be 32 characters, and if you add such a fingerprint to a token – this token now has art associated with it. You could add digital fingerprints of music files to a token. Cryptokitties is another famous NFT platform on Ethereum – where each token represents a kitten, with kitten like features – all digital, of course. Note here that the token is associated with the token platform, which is in turn associated with the meta-platform on which the token-platform is built. Could the same 32 character fingerprint of some art be associated with a token from another NFT-platform? Yes, it can be.

After all that background, the main question is – are NFT’s valuable? From the earlier analogy, we could ask ourselves – are watches valuable? There are more watches coming out every year – and Seiko makes many limited edition collections every year – is a particular Seiko watch from a particular limited edition collection worth $69 million? You have surely heard of the Paul Newman Daytona Rolex. As I said earlier, it’s hard to understand the popular culture that makes something a collectible. But, what’s definitely understandable is – what makes a digital artifact a limited edition. The NFT standard says nothing about NFT’s being limited edition. It just says that there should be a way to create NFT’s, transfer ownership, and show their uniqueness. So, we have to trust the NFT platform that it will somehow enforce the limited edition nature of these tokens. In Ethereum, the computer code (also called a smart contract) that controls any deployed NFT-platform cannot be changed after it’s been deployed (immutable). This gives us some notion of trust: we can inspect the deployed code, and check for ourselves tokens minted by this smart contract are truly limited edition. Does that give us true limited edition now? Not quite – there are two major caveats.

  1. Deployed smart contracts can be modified in the future if there are backdoors or hooks in the code. Proving the non-existence of such backdoors or hooks is quite hard. Foundation App, a popular NFT-platform, is just one public backdoor. The entire contract can be changed unilaterally by that organization in the future. They are not even pretending to be immutable.
  2. An organization which deploys the V1 version of the NFT-platform could deploy a V2 version tomorrow, and a V3 version next year. If the organization puts enough marketing around these new versions of the same platform, users move. Case in question – Uniswap, the popular DeFi exchange contract is now in its V3 version.

In contrast, Bitcoin was deployed just once, and cannot be changed (at least, not easily). And the code is open and has been pored over by normal users, bounty hunters, cryptographers, butt-hurt software engineers, and other experts over the last 11 years and it’s almost certain that there is no backdoor.A backdoor could be built in the future, but it will be very hard, and very visible. An NFT, on the other hand is a single token created by one among many NFT-platforms, on top of one among many meta-platforms like Ethereum. To put that in context, there are around 10,000 NFT-platforms on just Ethereum right now. If we leave Ethereum, we get other blockchain platforms, which are ostensibly decentralized across the world – and NFT-platforms are being built on them. NBA TopShot NFT-platform is on the Flow blockchain meta-platform. I have no idea how Flow works.

To give a concrete example, let’s take the NFT that captured the popular media’s limited imagination. Beeple’s $69 million “EVERYDAYS: THE FIRST 5000 DAYS”. The painting itself is 300+ MB, and like most NFT’s is not actually stored on the blockchain, but somewhere else on the internet. It’s not that easy to find, but I will save you the trouble by pointing to a link the works (for now). Clicking on that link in the browser will slow your browser down as it has to download 300+ MB of data for a single image. The digital fingerprint of this image is: 6314b55cc6ff34f67a18e1ccc977234b803f7a5497b94f1f994ac9d1b896a017 (SHA256 hash of the actual image file). This fingerprint was affixed to token #40913 that was minted by a smart contract that lives on the Ethereum blockchain at the address: 0x2a46f2ffd99e19a89476e2f62270e0a35bbf0756. This smart contract is actually called “MakersTokenV2” (no, I am not making this up). Token #40913 was transferred to an Ethereum wallet at the address: 0xc6b0562605D35eE710138402B878ffe6F2E23807, who apparently paid the equivalent money in Ether to Beeple through Christie’s, the auction house. This transaction itself cannot be traced on the Ethereum blockchain. That’s kind of ironic – because we really don’t know for sure if the money was truly transferred or not. Assuming the transaction happened, the buyer now owns the right to transfer token #40913 on smart contract 0x2a46f2ffd99e19a89476e2f62270e0a35bbf0756 on Ethereum to someone else. I guess that ~10 people might have inspected the code that is deployed at 0x2a46f2ffd99e19a89476e2f62270e0a35bbf0756.

There is this other idea that poor artists, ripped-off musicians, multi-billion dollar sports-organizations like the NBA could associate their content with an NFT platform and get better remunerated for it. Each piece of content goes on a specific token from a specific NFT-platform, and committed fans will buy them. What I fail to see is how an NFT-platform is different than a private art-gallery or a record label, or a pay-per-view sports channel. They can all channel money to the artist, and they can enforce copy-paste protection through law. If a piece of art is fingerprinted and attached to another token on a competing NFT-platform, and this token is then sold – what happens? The artist or the NFT-platform representing the artist will sue the other platform or buyer. Or some such.

So, are NFT’s a fad? Yes.

Is every Bitcoin an NFT? Technically, yes. But every Bitcoin is worth the same value as every other Bitcoin.

Is every USD bill with a unique serial number an NFT? Technically, also yes. But every dollar bill is worth the same value as every other dollar bill. The Del Monte note though, is the kind of NFT that is in vogue now for being an NFT. That’s the fad part.