Decentralized Stablecoins Are Impossible
This is a longer, more technical explanation of this op-ed and this Twitter thread. And (finally!) this paper.
The discussion follows this post and this paper, applying the same technique to a novel problem: can we build a decentralized stablecoin that is definitely stable or decentralized? Here, as is now the way on this blog, we are going to prove this is impossible in a few steps:
- Carefully define stablecoins and decentralized stablecoins
- Review some economics, computer science and derivative finance
- Show that stablecoins are possible…
- …but decentralized and capital-efficient ones are not
- Resolve a few conjectures from the literature
The last point is key — the proof presented here is consistent with, and pushes forward from, other work in the space. A formal paper will be out shortly.
The Setup
What is a stablecoin? Let’s take a strong definition: an token that can be redeemed for some target with certainty within t units of time. Finding schemes which are “probably” stable — for a flexible definition of “probably” — is outside the scope of this discussion. And if we allow unbounded time to redeem at the target price then anything at all can be called a stablecoin, albeit perhaps a slow one.
This is how insured bank deposits work. While banks can fail, with modern deposit insurance they fail outside business hours — before anybody has a blocked withdrawal of insured funds — and insured deposits are transferred to a new, solvent, bank before opening on time the next day. In the US this process is overseen by the FDIC and they provide clear materials outlining best practices. Things are similar under the EU resolution authority. Both explicitly focus on limiting the duration of any uncertainty. So it feels fair to add the time-bound to a definition otherwise-similar to that given here.
On the decentralized front: we require that no trusted party is required. If we depend on some other token but that token depends on a trusted party…we don’t count decentralization theater constructs like those. We want truly not dependent on any trusted party.
Our goal is to ask is whether it is possible, in a decentralized trustless environment, to achieve this ideal set of features. In such an environment all participant’s actions are voluntary and each participant has no control over other participant’s actions or preferences.
Technical Preliminaries
In the same way we previously looked at risk-free rates, we are going to again lean on Rice’s Theorem. Except this time we are going to blend that with a bit of auction theory, some derivatives math and some very mild assumptions about market efficiency.
We are going to assume two things. First, we assume the quantity of free money available in the market over any finite period of time is also finite. This isn’t the efficient market hypothesis in any normal form. It’s incredibly weak. All we require is that, given X units of time, you cannot surely raise an unbounded quantity of money from riskless arbitrage trading. If that sounds tautological then great — it’s not meant to be a controversial assumption. Economics is the study of scarcity after all.
Second, we assume market operations to raise revenue function as a series of auctions obeying the assumptions of section 3.3.7 of Milgrom’s textbook as linked above. Roughly, this says that everything is voluntary and agents are responsible for this own preferences. That’s also not meant to be controversial. We make a technical assumption here to end-run disputes regarding an imprecisely-described mechanism to raise revenue. That theorem is quite general, matches intuition, and that textbook’s author has a Nobel Prize for his work in auction theory. If you have a mechanism that raises more revenue under similar assumptions you’ll have no trouble attracting attention— ministries all around the world that sell government bonds, wireless spectrum and resource extraction rights would love to hear from you.
That aside, theorem 3.9 from Milgrom tells us the maximum revenue we can extract from any such auction is a function of the buyer’s preferences. This tells us, for each period, that the maximum revenue we can raise is Arbitrage+Auction=A which we do not control.
Finally, we need a little bit of derivatives finance. We know from this paper on the Stop-Loss Start-Gain Paradox by Peter Carr and Robert Jarrow that leaving a trailing stop-loss on a portfolio leaks value over time even in the absence of transaction costs. As an aside, that paper is a fantastic example of rigorously explaining why a trading strategy that at first looks maybe brilliant is in fact useless. Derivatives trading, by virtue of the embedded leverage, requires care.
The Proof
A stablecoin that is 1:1 with the backing works just fine. We know this from international economics among other places. There is no problem with issuers that maintain off-chain accounts and issue matching tokens; those are, however, trusted systems.
What we care about here are stablecoins backed by something else. To begin, consider a stablecoin where the value of the backing exceeds the liabilities but is held in assets other than the target. As those assets move in price against the target we know from the stop-loss start-gain paradox paper that we cannot pursue a strategy of “hold target when treasury value reaches 1:1, hold other stuff when higher” without leaking value over time. Eventually such a strategy, absent a top-up, drops below 1:1 in value. This remains true if we put the order at a more conservative level.
This means, if we don’t always hold the backing, then we can just assume we are holding some other bag of assets which may need to get auctioned off at redemption time.
Probably you can see where this is going now. A stablecoin is only definitely stable when we can prove that we can raise enough revenue to service redemptions, always, within the allowed time. If we allow at most t units of time for redemption we can see the problem: we can only run t auctions and only raise t rounds of arbitrage profits. Call that quantity tA. While this may be predictable from running all the platform’s smart contracts the stablecoin operator does not have any control over A. We have to go ahead and run the processes to see how much money comes out.
And now Rice’s theorem comes back: no matter what scheme we contrive we cannot know if we are going to need to invoke it more than t times in advance to raise a sufficient quantity of the target. So a stablecoin that relies on revenue generating sales cannot be proven to always work even if we can see all contracts on the platform. As the problem is undecidable it doesn’t help to give us more time — we simply cannot offer the guarantee. This result is not about any particular design or approach. Rather, this is true for all possible designs whether anyone has tried them yet or not. Such is math.
We know that 1:1 backed-with-target stablecoins work. Therefore 1:1 or greater backed-with-target stablecoins are the only design that always works.
If our target is a fiat currency this rules out decentralization. We require sufficient fiat backing to be stable — but there is no way to achieve that in a decentralized system. Someone needs to own the fiat — there is a bank or securities account somewhere with names on it. This process requires trust in whoever or whatever that is. We may depend on some different token. And it might even depend on a third. But somewhere down the line there is a trusted party that we rely on.
Something like a CBDC or regulated stablecoin is entirely consistent with this result as in those cases token holders must trust the issuer.
Implications
As with all of these sorts of results, we are only proving the ideal version of the product is impossible. But, as this is the one people really want, this is important. Our finding is also entirely consistent with both the structure and history of traditional financial markets.
Insured deposits in fractionally-reserved banks would be ruled out by this result were it not for trust: the trust placed in the bank, regulators and deposit insurance. A bank with a positive net worth is still subject to the stop-loss start-gain result and the idea of lending at generous collateral valuations in a crisis goes back at least to Bagehot’s Lombard Street. He had never read Carr & Jarrow’s paper — and yet his proposed solution is still to avoid a stop-loss strategy and employ trust to extend bridge financing. It says something our prescription is entirely in line with pronouncements first published in a discussion of the Overend Gurney crisis.
Because the ideal end goal is impossible, any system which tries to provide that service will have vulnerabilities. They may or may not be easy to see or exploit. And they might be incredibly byzantine. But they are there.
Outstanding Conjectures
Two conjectures are put forth in this paper. Both are resolved, at least for our stablecoin definition, through this work. The first reads:
In fully decentralized stablecoins (α = 0) with (i) multiple classes of interested parties (e.g., risk absorbers vs. stablecoin holders) and (ii) a high degree of flexibility in governance design, no equilibrium exists with long-term participation under realistic parameter values.
We’ve shown there is only one stablecoin design that works for our definition. As it admits no flexibility in governance design whatsoever the conjecture is proved. The second reads:
Considering fully decentralized systems (α = 0) with (i) multiple classes
of interested parties and (ii) a high degree of flexibility in governance design,
DEXs have a wider range of feasible long-term participation equilibria than
stablecoins under realistic parameter values.
Again, we’ve already shown there is but a single working stablecoin design with no flexibility. If we consider that Uniswap, Balancer, 1Inch and Serum are all working DEXs with different designs this conjecture is also proved.
Conclusion
Once again this impossibility result makes plain why engineers have yet to construct a desirable product. It also levels the playing field for stablecoin providers. Some form of trust is required and various tokens should compete on features alone.
Probably-stable coins are fine and should be labelled as such. But it is no longer reasonable for the provider of such a product to assert they will remove the “probably” at some future time without injecting trust.
