Mastercoin: A Second-Generation Protocol on the Bitcoin Blockchain

Alternative currencies have become a popular topic in the Bitcoin space. We have Litecoin and Primecoin introducing alternative mining algorithms with novel
Alternative currencies have become a popular topic in the Bitcoin space. We have Litecoin and Primecoin introducing alternative mining algorithms with novel
Op-ed - Mastercoin: A Second-Generation Protocol on the Bitcoin Blockchain

Alternative currencies have become a popular topic in the Bitcoin space. We have Litecoin and Primecoin introducing alternative mining algorithms with novel properties, PPCoin replacing mining entirely with a non-costly alternative, Ripple creating a cryptocurrency network that can store credit relationships and user-defined currencies, and over seventy more up and running with new ones being created every week. One particularly interesting project that has received a large amount of attention over recent months, however, is Mastercoin. The key difference in Mastercoin is this: rather than trying to bootstrap an entirely new blockchain, as every other cryptocurrency does, Mastercoin seeks to create an entirely new network of currencies, commodities and securities on top of Bitcoin itself.

The concept of an alternative currently relying on Bitcoin to take advantage of its powerful and secure network backed by petahashes of mining power is not a new idea. The general concept first appeared in a much weaker form as “merged mining”, a mechanism in which alternative currency miners publish pointers to their blocks in the Bitcoin blockchain to mitigate the threat of 51 attacks. Mastercoin, however, takes this principle a step further. Rather than simply using the Bitcoin blockchain as a secure timestamping system to store its own blocks, Mastercoin uses the Bitcoin blockchain to store every transaction. Philosophically, the best way to think of Mastercoin is as an alternative way of making sense of Bitcoin transactions; just like the Bitcoin protocol takes a series of transactions and parses them to determine how many bitcoins are in every address at any particular moment, the Mastercoin protocol also takes the available Bitcoin transactions and parses them to extract data relevant to the Mastercoin network.

The first draft for the Mastercoin protocol was published on January 6, 2012 in a document that original developer J. R. Willett called “The Second Bitcoin Whitepaper“. Willett’s whitepaper starts off by arguing that the Bitcoin protocol “can be used as a protocol layer, on top of which new currency layers with new rules can be built without changing the foundation.” Why a new protocol layer on top of Bitcoin, and not just an alternative cryptocurrency as everyone else was doing at the time? Willett goes on to write:

Alternate block chains compete with bitcoins financially, confuse our message to the world, and dilute our efforts. These barriers interfere with the adoption momentum of bitcoin and the adoption momentum of alternate currencies as well, regardless of how well-conceived their rules may be.
New protocol layers on top of the bitcoin protocol will increase bitcoin values, consolidate our message to the world, and concentrate our efforts, while still allowing individuals and groups to issue new currencies with experimental new rules. The success of any experimental currency protocol layer will enhance the value and success of the foundational bitcoin protocol.

From a less philosophical standpoint, the practical advantages that a Mastercoin protocol has on top of Bitcoin are essentially twofold. First, Mastercoin can leverage the high degree of security that the Bitcoin network gains from its popularity and its high level of mining power. Second, it becomes much easier to create protocols that interact between Bitcoin and Mastercoin, and potentially with other on-blockchain protocols to come in the future.

The project formally launched on July 31, 2013. The project started off with a month-long fundraiser, in which anyone could buy mastercoins by sending bitcoins to the Mastercoin Exodus address, 1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P. 1 BTC sent to 1EXoDus would get you 100 MSC, and an additional 10 more for every week between the end of the fundraising period and the time at which you bought the mastercoins, encouraging investors to buy earlier. Altogether, over 5120 BTC were sent in, worth around $500,000 at the time – far more than almost anyone expected. The funds are intended to be used for development, paying bounties for projects around the Mastercoin ecosystem; currently, there is a 300 BTC bounty for a decentralized exchange interface. Today, one mastercoin is worth about 0.1-0.3 BTC, over ten times its original BTC price at the timeof the fundraiser, and twenty times its original USD price.

Why has Mastercoin seen so much attention? Essentially, the main attraction of Mastercoin is the sheer number and depth of the features that it brings. The following is a sample of what the Mastercoin specification intends for Mastercoin to support:

  • User-defined currencies – anyone can create their own currency on the Mastercoin network.
  • Decentralized exchange – the Mastercoin network itself serves as a fully-functional exchange between any two currencies in the Mastercoin network. Anyone can place an order on the blockchain to trade a quantity of one currency for another, and anyone else can match the orders and have the trade complete automatically without the order poster’s further involvement.
  • On-blockchain price feeds – trusted organizations can publish price data (eg. the value of one ounce of gold in USD) which can then be used in Mastercoin scripts
  • On-blockchain bets – it is possible to register a bet with another party that a given price feed will be above or below a certain value at a particular future time. This essentially allows leveraged speculation on currency pairs, as well as hedging, so that users can store value in the Mastercoin network without exposing themselves to a high degree of currency risk from Bitcoin or Mastercoin volatility.
  • Savings addresses – a transaction from a savings address can be reversed within N days (with N set for each address) by a “guardian address”. This essentially provides an additional level of security for high-value savings accounts.

And these are only the beginning.

Technical Details

A Mastercoin send transaction looks as follows:

{ inputs: [ { address: '1LQBddrjjUaMLHcd4cG9XnN4cCZbHfREJF' , value: 1445759 } ], outputs: [ { address: '1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P', value: 6000 }, { address: '12ARS3euPbdQ9S68xXhmq4ySzSADfMaR1a', value: 6000 }, { address: '1D3tBJ6b3htSaMhEV3EtTAPLvTHwLBrQPH', value: 1417759 }, { address: '121AS7PVawbgo7f4zbkZisYEC4yhJCoUEN', value: 6000 } ]}

This transaction actually sends 10.78119709 MSC from 1LQBddrjjUaMLHcd4cG9XnN4cCZbHfREJF to 12ARS3euPbdQ9S68xXhmq4ySzSADfMaR1a. Where is this information actually encoded? The answer is, in one of the output addresses. Converting 121AS7PVawbgo7f4zbkZisYEC4yhJCoUEN to hexadecimal form, we get:

0b0000000000000001000000004042cd1d000000

This can be broken down as follows:

  • 0b
    – sequence number
  • 00000000
    – transaction type (regular send)
  • 00000001
    – currency ID (Mastercoin)
  • 000000004042cd1d
    – value (1078119709)

The 6000 satoshis sent to the Exodus address mark the transaction as a Mastercoin transaction (as well as providing the Mastercoin developers an extra $0.012 USD to use to fund the project). The recipient is taken as the 6000-satoshi output that does not encode data and is not the Exodus address, and the sender is taken as the owner of the address that the transaction spends from. There are also other types of transactions, such as currency issuance, price ticker updates, bets and decentralized exchange, and they all have their own transaction type, and a similar data protocol is used to determine the details of the transaction. Recently, Bitcoin developer Gavin Andresen announced an update to the Bitcoin protocol, allowing users to encode data in transaction outputs in a way that Bitcoin nodes that only want to store the minimum amount of information can safely remove; soon, Mastercoin will be switching its data-encoding outputs to this new format to better cooperate with the Bitcoin community.

Self-stabilizing currencies

The most ambitious feature of the Mastercoin protocol, however, is the concept of self-stabilizing currencies. With Mastercoin as it is, it is certainly possible to use bets to hedge one’s position so as to have one’s net worth in the Mastercoin network effectively track the value of a traditional stable currency or asset, such as the USD, commodities or silver; the basic strategy is (assuming 1 MSC is currently worth 40 USD and you have 10 MSC) to set up a bet for 5 USD that MSC will be below X for every X in some dollar range around 40. The more MSC drops, the more you lose, but the more you gain back from winning bets; similarly, if MSC goes up your winnings are counteracted by lost bets. Note that if Mastercoin were to implement contracts for difference as a type of bet, this process would be much easier, requiring only a single bet.

Self-stabilizing currencies, however, potentially offer a much more efficient means of doing this. A self-stabilizing currency works as follows. First, the currency’s creator (who has no further involvement once the currency is up and running) picks a currency or commodity that the currency would follow, and finds a price feed for that currency. They then take this information, along with some other metadata such as an “aggression factor” to indicate how closely the currency should track the underlying index, and publish it as a Mastercoin transaction. From that point on, the Mastercoin protocol itself simulates a sort of central bank for this currency, creating units out of thin air and selling them to anyone who is willing to pay slightly above the market price.

For example, if the currency (call it XUSD) is intended to track USD with an aggression factor of 4, and 1 MSC = 40 USD, then the protocol would create and sell XUSD to anyone who wanted to buy it for a price of at least 0.026 MSC per XUSD (that’s 0.025 MSC per USD plus 4 from the aggression factor). Once the fund has sold some XUSD, and therefore has an MSC reserve, it would also start buying XUSD at a price of 0.024 MSC per XUSD. If the price feed then registers that 1 MSC is now worth 50 USD, these buy and sell prices would automatically drop to 0.0208 MSC and 0.0192 MSC, respectively. The intent is that the fund itself would become stronger over time through this process of buying low and selling high, creating a stable currency with no centralized human involvement except for the external price feed. Perhaps even the price feed itself can later be decentralized.

In theory, the idea of a self-stabilizing currency sounds very seductive; if successful, it provides a way for users to store any currency in the network without having to trust that a centralized issuer has the funds to back the currency up, which is the weakness that currencies on Ripple have. Even though the price feeder can potentially manipulate prices for their own benefit, they have no clear incentive to cheat the way that asset backers do – namely, by running away with everyone’s funds. However, the self-stabilizing currency does have one obvious potential failure mode: the fund can run out of money. For example, suppose that the above described XUSD fund sells 1000 XUSD for 26 MSC. Then, however, the value of 1 MSC drops by 50. Perhaps, at that time it might come to pass that some XUSD holders wish to exchange back into MSC. If the fund needs to buy back 400 XUSD, it uses up 19.2 MSC and everything is still fine. If, however, the fund needs to buy back 600 XUSD, it will run out after 520 – causing a digital bank run as the value of the XUSD will likely drop to zero.

There is one guard against this problem: the XUSD fund itself will not necessarily need to do all that much. Since traders know that, as long as the fund is active, the price will not drop below $0.96 USD, they might maintain orders at around $0.97 USD, knowing that the price will not fall far below that and they will likely be able to profit when the price goes back up. However, this is a double-edged sword – the exact same mechanism will cause traders to sell XUSD at $1.03 USD, depriving the fund of revenue. It is difficult to say exactly how likely a fund bankruptcy scenario is; some people are confident that the self-stabilizing currencies will work, while others are convinced that they will work just fine until an unforeseen “black swan” event sends many self-stabilizing currencies at once down to the abyss.

Concerns and flaws

One problem that many have with Mastercoin as it stands is that, in some ways, Mastercoin is much more centralized than more standard cryptocurrencies such as Bitcoin, Litecoin and Primecoin. Unlike these more standard cryptocurrecies, where everyone has a chance to earn coins by a neutral process of computational mining, in Mastercoin all mastercoins were initially issued to users who donated money to the Mastercoin Foundation’s Exodus address. In response to the question “Was Mastercoin pre-mined?”, the Mastercoin FAQ answers:

No. Mastercoins were generated in a completely public fundraiser project, Kickstart style, during August 2013. It is true that the investment period was relatively short, and that a lof of people didn’t hear about it. Still, it can be said that a lot of people didn’t hear about Bitcoin until 2011, by which a lot of the Bitcoins were already mined. In August 2013 there were a lot more people looking into crypto-currencies in general, and Mastercoin was published on a lot of forums, so it had a lot more exposure than Bitcoin did in its early days.

However, this answer is somewhat misleading, as it does not address the reason why pre-mines are unpopular. Many Bitcoin users do not like pre-mines because there is a strong belief that the whole point of cryptocurrencies is that they are decentralized, and thus a true cryptocurrency should not privilege any specific centralized parties in any way. It is true that Mastercoin’s issuance model is not like Ripple’s, in the sense that there is no central party that started out owning any mastercoins by default. Furthermore, on a practical level, Ripple Labs is a private corporation, whereas the Mastercoin Foundation is a nonprofit organization and a silver-level business member of the Bitcoin Foundation. However, the Mastercoin Foundation is nevertheless a privileged party, as no one else had the ability to earn BTC from the issuing process. Furthermore, with the way the protocol is organized now, the Mastercoin Foundation is entitled to extract ~1.2 cents from the marker output in every transaction in perpetuity. Both the centralized issuance and the ongoing privileged status that the Mastercoin protocol gives to this one organization, many Bitcoin users beleive, disqualifies Mastercoin from being classified as a truly decentralized currency.

To that end, one idea that some Mastercoin community members have is to create a new currency, “Mastercoin 2″, with no fundraiser at all. Instead, anyone with Bitcoin can claim MSC2 by sending a transaction to themselves, with a minimal 0.00006 BTC to a specific address to serve as a marker. To prevent abuse, a “coin age” based formula will be used – the amount of MSC2 that you get per BTC is proportional to the amount of time since those bitcoins last took part in a transaction. Thus, if you send to yourself multiple times, even mixing the coins along the way, the subsequent attempts will generate only a very small amount of MSC2.

This scheme has the advantage that coins will be distributed in a fair way, but without wasting resources or privileging anyone; the only thing that will be sacrificed is the pristine status of a few old coins. This new Mastercoin 2 would be usable in the Mastercoin protocol for the exact same purposes as the original Mastercoin – backing self-issued currencies and serving as a medium of trade between the various Mastercoin user currencies, most of which will be too small to have highly liquid markets directly between each currency pair.

Another flaw of Mastercoin is security. With Bitcoin, and with colored coins and alternative currencies, even instant transactions have a certain degree of security. Bitcoin nodes refuse to propagate transactions that are incompatible with transactions that they have already seen, so if an attacker attempts to send money to a merchant and then immediately send another transaction sending the same money back to themselves the second transaction will be rejected by the network. With colored coins, the situation is the same, and alternative cryptocurrencies also benefit from this mechanism.

With Mastercoin, however, most of the Bitcoin network does not “speak” Mastercoin; the result is that an attacker can send a transaction sending MSC from themselves, and then send another transaction sending MSC from themselves using a different transaction outputs. The second transaction is incompatible with the first under Mastercoin’s rules, but perfectly compatible under Bitcoin’s rules, so miners will accept both, and the Mastercoin protocol may process either one first. Thus, Mastercoin transactions are only secure after one confirmation (~10 minutes). “MasterCoin double-spends are essentially ‘half a confirmation easier’ than bitcoin double-spends,” J. R. Willett admits. In theory, Mastercoin can potentially be modified to get around this vulnerability; if a sending transaction spends all outputs associated with a given address, and special features like limiting accounts are not used, then it would be impossible to double-spend the Mastercoin transaction without double-spending the associated the Bitcoin transaction. However, implementing double-spend-proof transactions and the advanced Mastercoin features at the same time will require some thought.

What is the future of Mastercoin going to be? There are definitely many new features around the corner. One interesting idea is the concept of limited accounts, which will allow users to set up accounts that can spend from a particular source of funding but once up to a set maximum within a prespecified timespan. This willhave two main use cases. First of all, it can be used as another safe mechanism for storing a savings account, limiting the losses from the limited address getting hacked. Second, it can be used as a Coinbase-like “recurring subscription” feature – for example, I might give Private Internet Access a limited account for $7 per 30 days in exchange for a VPN subscription. Other developments include a bounty for a Mastercoin faucet, and much further into the future we may even see Mastercoin serving as the base of a decentralized market.

Anyone interested in looking more into the Mastercoin project can check out the Mastercoin website, the various Mastercoin development tools and the Mastercoin reddit. If you want to purchase mastercoins, check out the Google Docs Mastercoin order book or buy directly at www.buymastercoin.com.