Five technical truths about Facebook’s Libra
A few weeks ago, before the launch of the Libra website, I posted a few questions about the potential design of Libra. Someone over in Palo Alto must have been listening since most of these questions have been generally addressed by the publication of the Libra whitepaper and other related materials.
However, I wanted to take an even deeper dive into the technical side of things – while also comparing what Facebook and company have put out with my experience in building a Proof-of-Stake blockchain with the Ardor platform.
The result is a clearer picture of some obvious (and not-so-obvious) truths about one of the most ambitious crypto projects to date.
1. Facebook’s decentralization is not pure.
Quite honestly, Facebook would be just as happy to run its currency through a centralized database which it controls. They are, of course, forced to implement a system based on blockchain due to the realization that people, governments and regulators will not trust putting precious funds under the direct control of a powerful social media company.
With this in mind, Facebook is practically forced to implement a blockchain as a sort of lip service to their users and regulators, but in the process, they also seem to have fallen in love with the technology.
2. Facebook’s bigness is actually a good thing
Due to its huge user base, Facebook can rely on “entropic” considerations: “We are a 10-ton gorilla named Facebook; don’t mess with us!”
But this “bigness” also has its advantages. For example, Libra can afford to make all block generators known, both by the entity controlling them and by internet address. This way, if a block generator tries to cheat or initiates an attack, Facebook and/or the block generator can leverage its significant resources (think billions of dollars) to take legal action and chase the perpetrator. This is something that public blockchain operators try to avoid since they don’t want to deal with or cannot afford the inefficiencies and expenses of the off-chain legal system.
3. Bigness makes boldness – both good and bad.
Another “entropic” assumption is that Libra is guaranteed to have the network effect so important for a global financial system based on their captive audience of Facebook, WhatsApp and Instagram users. This goes without saying, of course.
And this size creates an unusual side-effect. Unlike most public blockchain projects which have to attract users, any users at all, Libra can place all manner of restrictions on its users – even to the extreme – and still be fairly certain of having a sizeable base of activity on its platform and using its tools.
By comparison, with Ardor, we went to great lengths to make sure end-users do not have to pay transaction fees, which can be sponsored for them by the business operating a bundler on a child chain.
In Facebook’s case, the dominance of the system operator (Libra) and the almost certain eagerness of users to participate will open the possibility to require fees and not worry about whether users want to or are able to pay them.
Such is the luxury of scale.
4. The scale is everything.
With regard to the blockchain design itself, Facebook has come up with a new consensus algorithm which, based on their design assumptions, makes a great deal of sense.
First and foremost they correctly realized that scaling the blockchain would be the main limiting factor and that this scaling conundrum is mostly tied to the capacity to resolve forks.
They leverage the fact that their block generators are known publicly and on the internet to design a consensus algorithm which does not allow forking. This is a big trade-off, but it makes sense for Libra.
5. Following the leader is fragile.
The idea behind Libra’s blockchain is that block generation is separated into rounds, wherein each round has a leader (known in advance) who will generate the next block. The underlying assumption is that this leader will almost always work by the protocol rules and not become byzantine (i.e. malicious or negligent). The leader will generate a block and share it with other nodes directly to collect signatures until more than 2/3 of the nodes agree on the new block. Since the leader is known in advance there is no competition about generating the next block like in most public chain consensus algorithms and therefore no forks. This implies that nodes will never need to switch to a better fork.
But the clever solution isn’t as good as it looks.
Given the “no forks” assumption, Facebook also promises a theoretical sustainable scale of 1000 TPS, which is a reasonable assumption, although it may take a while (or forever) to get there.
However, the price to be paid by compromising on forks is significant. The deterministic leader selection makes the Libra solution very fragile.
Why, you ask?
Because in a centralized system, if the central server is down, the entire system goes down. In a “normal” blockchain, even if many or even most of the nodes are offline, the blockchain will still operate correctly. In the Libra case, even a single node which is selected as a leader while being offline (or being attacked or becoming byzantine) can cause major disruptions to the whole network.
The proposed workaround is a mechanism called a “pacemaker,” which covers the situation where the leader does not generate a block over a “longer period of time.” In this case, other nodes can issue a timeout proof which propagates through the network until at some point it causes the network to agree on a replacement leader. Assuming this process would take, say, 15 seconds, we already have 15,000 unprocessed transactions flooding the network, which would put a huge load on the next selected leader, which might be offline as well, and from there things continue to deteriorate.
The pacemaker also does not deal with the situation of a byzantine node that may be chosen as a leader, create a bad block that other nodes will not sign, and thereby create a whole other set of complications. Leaders can also follow the protocol but manipulate it, for example by including their transactions while censoring their competitors’ transactions.
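The leader rounds, the more-than-2/3 signature rule and the timeout backlog described above can be made concrete with a small simulation. This is an added example, not code from Libra or from the whitepaper; the round-robin schedule, the 1-second block time and the 1,500-transaction block capacity are assumptions, while the 1000 TPS and 15-second timeout are the figures used in the text.

```python
from dataclasses import dataclass

@dataclass
class Validator:
    name: str
    online: bool = True
    byzantine: bool = False  # as leader, proposes a block honest nodes refuse to sign

def quorum(n: int) -> int:
    """Smallest vote count strictly greater than 2/3 of n validators."""
    return (2 * n) // 3 + 1

def simulate(validators, rounds, tps=1000, block_secs=1, timeout_secs=15,
             block_capacity=1500):
    """Run fixed round-robin leader rounds; return (leader, outcome, backlog) per round.

    tps and timeout_secs mirror the article's figures; block_secs and
    block_capacity are assumed values chosen for illustration.
    """
    need = quorum(len(validators))
    backlog, log = 0, []
    for r in range(rounds):
        leader = validators[r % len(validators)]  # leader is known in advance
        if not leader.online:
            votes = 0  # nothing proposed, so nothing to sign
        else:
            # Honest nodes sign only a valid block; byzantine nodes sign anything.
            votes = sum(1 for v in validators
                        if v.online and (v.byzantine or not leader.byzantine))
        if votes >= need:
            backlog += tps * block_secs
            backlog -= min(backlog, block_capacity)
            outcome = "commit"
        else:
            # Pacemaker path: the round is abandoned after the timeout while
            # transactions keep arriving at the full rate.
            backlog += tps * timeout_secs
            outcome = "timeout" if not leader.online else "no_quorum"
        log.append((leader.name, outcome, backlog))
    return log

def demo():
    # Constructed validator set: four nodes, one of them offline.
    nodes = [Validator("A"), Validator("B", online=False),
             Validator("C"), Validator("D")]
    return simulate(nodes, rounds=4)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

With one of four validators offline, a single missed round leaves a 15,000-transaction backlog that drains by only 500 per committed block under these assumptions; with two offline, no round reaches quorum at all.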
In the end, this leads us to this fundamental truth – in spite of Libra’s energetic start and great potential, it does indeed create a system that, on one hand, is less scalable than a centralized database and at the same time less responsive compared to a normal public blockchain.
That may or may not be a truth we can live with.