The trust spectrum

Woke up to this thoughtful post, “What You Should Know Before Putting Half a Million DAI in Compound,” by MolochDAO and Spankchain creator Ameen Soleimani. In short:

  • Compound is a rapidly growing lending platform on Ethereum

  • And while the smart contracts are secure

  • The system is custodial and designed so that if the single admin key is compromised, an attacker could drain all the lending pools

There’s also a section on a “bank run” in the system, but for this post, I just want to focus on the custodial part. Specifically, how to think about the trade-off space between getting to market and achieving trust minimization.

I predict this will be the primary theme for “dapps” for the next year or two. By and large, the “fully decentralized” tools available to developers are significantly more inconvenient for end users than even somewhat centralized ones. Some examples where it’s much easier to:

  • Custody a user’s funds than have versus self custody (e.g. managing your own keys versus storing your coins on an exchange)

  • Log in with something like OAuth versus log in with a web3 wallet like Metamask

  • Upgrade your system with admin controls in your contracts versus needing to deploy new contracts

  • Manually control and adjust your system’s parameters versus designing it perfectly upfront

  • Keep track of state changes and transactions off-chain and settle on-chain versus make every transaction on-chain

Discourse about the path to mainstream adoption has focused on scaling layer 1. That’s why there have been so many new chains. Give me faster and cheaper transactions and there’s a higher chance we can reach mainstream users. It might cost me a little trust minimization but maybe it’s worth it.

We are starting to see that trade-off between usability and trust-minimization up and down the web3 stack. In the design of contracts, yes, but also in custody, key management, layer 2 scaling implementations, data indexing and querying, and so on.

It’s difficult enough to evaluate the trust guarantees of any individual piece. It’s going to be even harder to evaluate the trust guarantees of a complex system using many composable pieces, each with their own place on the trust spectrum. In many cases, it’s going be totally fine that the system isn’t maximally trust minimized. In others, it should be a non-starter.