Ownership is often referred to as a foundational element of web3. Yet, how ownership is encoded and enforced on-chain is often overlooked. While token-voting and delegation are regarded as mechanisms for enforcing and practicing ownership, there’s an even more fundamental mechanism that’s gone relatively unnoticed: permissions.
In this paper, we’ll explore the relationship between ownership rights and permissions, introduce classifications for permission types, and discuss a few examples of how permissioning impacts ownership.
The term “ownership” is often thrown around in web3.
But what does ownership really mean?
At its core, “ownership” refers to a bundle of rights. When you own a piece of land, that ownership grants you a set of rights (possession, control, exclusion, enjoyment, disposition) and when you own stock in a company, that too grants you a set of rights.
These rights are all well and good ‒ but the important aspect of rights is not the rights themselves, it’s the enforcement of those rights. In most cases, these rights are enforced and protected by legal systems, which allow for prosecution when an individual’s rights are infringed upon. By providing systems for upholding these rights, legal systems create security around property and ownership.
The Power of Permissioning
The entire point of blockchain is to not depend on third parties (like courts) for enforcement of agreements. This is made possible by cryptographically-secured trust assurances ‒ removing the need for an intermediary.
These cryptographically-secured trust assurances come in the form of smart contracts. Rather than relying on a legal system for enforcement of rights, smart contracts allow for only rights-abiding behavior.
Unlike a judge or a jury, smart contracts are impartial: they cannot make judgements on whether a specific action on-chain is an infringement upon an individual’s ownership rights. Instead, smart contracts need to be told who is allowed to do what. This is called permissioning.
In an immutable environment with no intermediaries, permissioning is the primary mechanism for upholding ownership rights on-chain.
Permissions are fundamentally about control. The right to transfer an asset, change a parameter, or even participate in a treasury diversification – these are all actions that require control over on-chain resources, which are granted via permissions.
Consider a core team who holds all important protocol permissions (i.e., all important controls over the protocol). If token holders have no ability to rescind those permissions, who really owns the protocol?
If we want to create better practices around permissioning, we first need to understand them. A given permission can fall into one of two classifications: agent or meta. Both types of permissions give holders of that permission control.
Agent Permissions
Ability to control resources directly, where “resources” include executable access to smart contracts, money, or other on-chain assets.
Example: Nouns DAO
Permission: Control over the treasury
Enforces rights of: Nouns holders
How: Directly grants them the ability to deploy capital out of the Nouns DAO treasury
Meta Permissions
Ability to control how resources are controlled or who has control over resources; this includes things like token holders having the power to elect a treasury management service provider (and thus holding control over who can control the treasury) or control over governance parameter changes like modifying on-chain voting quorum requirements – which impacts how resources are controlled.
Example: ENS Endowment
Permission: Control over who has access to manage the treasury
Enforces rights of: ENS token holders
How: Grants token holders the ability to control who has access to manage the treasury
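As an added example (not code from the original article, nor from Nouns DAO or ENS), the contract below encodes the two classes side by side: `SPENDER` is an agent permission giving direct control over treasury funds, while `ADMIN` is a meta permission giving control over who holds `SPENDER`. Every name in it (`RoleTreasury`, `spend`, `grantSpender`, `transferAdmin`) is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical treasury illustrating the two permission classes.
/// SPENDER is an *agent* permission: it moves funds directly.
/// ADMIN is a *meta* permission: it decides who holds SPENDER (and ADMIN itself).
contract RoleTreasury {
    bytes32 public constant ADMIN   = keccak256("ADMIN");   // meta permission
    bytes32 public constant SPENDER = keccak256("SPENDER"); // agent permission

    mapping(bytes32 => mapping(address => bool)) private _roles;

    event RoleGranted(bytes32 indexed role, address indexed account, address indexed by);
    event RoleRevoked(bytes32 indexed role, address indexed account, address indexed by);
    event Spent(address indexed to, uint256 amount, address indexed by);

    constructor(address initialAdmin) {
        // The deployer decides who holds the meta permission at genesis. In a DAO
        // this should be the token holders' governor/timelock, not a team wallet.
        _roles[ADMIN][initialAdmin] = true;
        emit RoleGranted(ADMIN, initialAdmin, msg.sender);
    }

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "missing role");
        _;
    }

    function hasRole(bytes32 role, address account) external view returns (bool) {
        return _roles[role][account];
    }

    receive() external payable {}

    // --- Agent permission: deploy treasury capital directly ---
    function spend(address payable to, uint256 amount) external onlyRole(SPENDER) {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit Spent(to, amount, msg.sender);
    }

    // --- Meta permission: decide who holds the agent permission ---
    function grantSpender(address account) external onlyRole(ADMIN) {
        _roles[SPENDER][account] = true;
        emit RoleGranted(SPENDER, account, msg.sender);
    }

    function revokeSpender(address account) external onlyRole(ADMIN) {
        _roles[SPENDER][account] = false;
        emit RoleRevoked(SPENDER, account, msg.sender);
    }

    // Meta permission over itself: ADMIN can hand control to a new admin
    // (e.g. from a core-team multisig to a token-holder governor) and step down.
    function transferAdmin(address newAdmin) external onlyRole(ADMIN) {
        require(newAdmin != address(0), "zero admin");
        _roles[ADMIN][newAdmin] = true;
        _roles[ADMIN][msg.sender] = false;
        emit RoleGranted(ADMIN, newAdmin, msg.sender);
        emit RoleRevoked(ADMIN, msg.sender, msg.sender);
    }
}
```

Applied to the question asked earlier about who really owns a protocol: whoever holds `ADMIN` does. If `ADMIN` sits with a core-team multisig, token holders may be granted `SPENDER` and still lose it in one transaction; if `ADMIN` is the token holders' governor contract, the team's spending permission exists only at the holders' pleasure. When reviewing a protocol, read the meta permission (`hasRole(ADMIN, ...)` and who can call `transferAdmin`) rather than the visible agent permission.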
How Permissions Impact Ownership
Together, agent and meta permissions make up the primary mechanisms for upholding ownership rights on-chain. An ecosystem that lacks proper delegation of these permissions is ultimately lacking proper ownership over control centers. This type of dynamic calls into question the entire notion of “ownership” in the first place and ultimately undermines much of the web3 rhetoric around bottoms-up ownership. To explore this tension further, here are a few examples where we see misalignment between permissions and ownership:
Yuga Labs Blocklist for Sewer Pass
Shortly after Yuga Labs released the Sewer Pass, a Twitter investigator pointed out that the Sewer Pass NFT contract referenced a Registry contract, which maintains a blocklist that prevents Sewer Pass NFTs from being transferred to specific addresses. Among the blocklisted addresses were those of popular NFT exchanges, including Blur, LooksRare, Sudoswap, and NFTX.
Effectively, this blocklist restricted Sewer Pass holders from selling their NFTs on specific marketplaces – undermining the ownership rights of token holders. While this alone is concerning, it also introduces a dangerous pattern: giving Yuga the ability to unilaterally restrict Sewer Pass NFTs from interacting with any marketplaces or protocols they decide to block in the future.
Agent Permission: Control over where an NFT can be sent
Enforces rights of: Yuga Labs
How: Grants Yuga Labs the authority to restrict NFT transferability
Impacts rights of: Sewer Pass NFT holders – assets are not freely transactable, limiting what owners can actually do with their own NFTs
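The pattern described above, as an added example that is not Yuga Labs' code or the actual Sewer Pass contracts: a registry whose single owner holds the agent permission over where tokens may go, and a token whose transfer path consults it. `TransferRegistry`, `GatedToken`, `isBlocked` and `setBlocked` are assumed names; the token is deliberately minimal rather than a full ERC-721.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical registry: one owner maintains a list of addresses that tokens
/// referencing this registry may not be sent to. The permission is unilateral
/// and open-ended; any address can be added later.
contract TransferRegistry {
    address public owner;
    mapping(address => bool) public isBlocked;

    event Blocked(address indexed account, bool blocked);

    constructor() {
        owner = msg.sender;
    }

    // Agent permission: direct control over where gated tokens can move.
    function setBlocked(address account, bool blocked) external {
        require(msg.sender == owner, "not owner");
        isBlocked[account] = blocked;
        emit Blocked(account, blocked);
    }
}

/// Minimal NFT-like token whose transfers are subordinate to the registry.
contract GatedToken {
    TransferRegistry public immutable registry;
    mapping(uint256 => address) public ownerOf;

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

    constructor(TransferRegistry _registry) {
        registry = _registry;
    }

    function mint(uint256 tokenId) external {
        require(ownerOf[tokenId] == address(0), "already minted");
        ownerOf[tokenId] = msg.sender;
        emit Transfer(address(0), msg.sender, tokenId);
    }

    function transfer(address to, uint256 tokenId) external {
        require(ownerOf[tokenId] == msg.sender, "not holder");
        // The holder's right of disposition yields to the registry owner's
        // permission: sending to a blocked marketplace simply reverts.
        require(!registry.isBlocked(to), "recipient blocked by registry");
        ownerOf[tokenId] = to;
        emit Transfer(msg.sender, to, tokenId);
    }
}
```

For a holder or prospective buyer, the due-diligence check is mechanical: read the token's `registry()` address, call `isBlocked(marketplace)` for the venues you intend to use, and note who `owner()` is, since the list can change at any time. Watching the registry's `Blocked` events catches later additions. The relevant fact is not today's list but that the permission to extend it exists and who holds it.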
Oasis Smart Contract Upgrades
While the Yuga example demonstrates how permissions can undermine ownership rights, the case of Oasis demonstrates how permissions can undermine ownership over user assets altogether (not just the governance of those assets).
Shortly after the Wormhole hacker deposited funds in Oasis (a defi yield aggregator), the High Court of England and Wales issued an order to Oasis which directed that the team take “all necessary steps” to retrieve assets that were involved in the Wormhole Exploit. The Oasis multi-sig, as it turns out, had the permission to upgrade smart contracts – which allowed them to access user funds and transfer assets from the hacker’s possession into a wallet controlled by a third party.
While this resulted in the retrieval of funds from the Wormhole hack, it raises concern around permissions – demonstrating that misallocated permissions don’t just undermine the ownership rights of token holders, but they can also undermine the ownership rights for custodial assets.
Agent Permission: Oasis Automation contracts
Enforces rights of: Oasis Labs Team
How: Grants them ability to upgrade contracts, allowing the team to access funds in vaults
Impacts rights of: Users with funds deposited into Oasis vaults (threatening ownership rights not just over Oasis as a protocol, but over funds deposited)
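Why an upgrade permission amounts to control over deposited funds, and one mitigation for it, as an added example that is not Oasis's code: the proxy below forwards every call to an implementation with `delegatecall`, so the implementation's code runs against the proxy's own storage and ETH balance. Whoever can change the implementation can therefore reach every vault balance. An `upgradeDelay` of 0 reproduces the instant-upgrade setting the case describes; a non-zero delay gives depositors a window to inspect the announced code and withdraw first. `TimelockedProxy` and its function names are assumptions; the EIP-1967 implementation slot is the standard value. Admin and timelock state are kept in ordinary storage slots for readability, whereas a production proxy would keep them in dedicated slots (as EIP-1967 does for the implementation) so they cannot collide with the implementation's variables.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical upgradeable vault proxy (names are assumptions for this example).
contract TimelockedProxy {
    // EIP-1967 implementation slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    address public admin;                  // holder of the upgrade permission
    uint256 public immutable upgradeDelay; // seconds; 0 = instant upgrades (the weak setting)
    address public pendingImplementation;  // announced but not yet active code
    uint256 public pendingEta;             // earliest timestamp the pending upgrade can execute

    event UpgradeScheduled(address indexed newImplementation, uint256 eta);
    event UpgradeCancelled(address indexed newImplementation);
    event Upgraded(address indexed newImplementation);

    constructor(address initialImplementation, uint256 delay) {
        require(initialImplementation.code.length > 0, "impl has no code");
        admin = msg.sender;
        upgradeDelay = delay;
        _setImplementation(initialImplementation);
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Step 1: announce the new code on-chain. With a non-zero delay, depositors can
    // read pendingImplementation, review it, and withdraw before it takes effect.
    function scheduleUpgrade(address newImplementation) external onlyAdmin {
        require(newImplementation.code.length > 0, "impl has no code");
        pendingImplementation = newImplementation;
        pendingEta = block.timestamp + upgradeDelay;
        emit UpgradeScheduled(newImplementation, pendingEta);
    }

    function cancelUpgrade() external onlyAdmin {
        emit UpgradeCancelled(pendingImplementation);
        pendingImplementation = address(0);
        pendingEta = 0;
    }

    // Step 2: execute only once the delay has elapsed.
    function executeUpgrade() external onlyAdmin {
        address impl = pendingImplementation;
        require(impl != address(0), "nothing scheduled");
        require(block.timestamp >= pendingEta, "timelock active");
        pendingImplementation = address(0);
        pendingEta = 0;
        _setImplementation(impl);
        emit Upgraded(impl);
    }

    function implementation() public view returns (address impl) {
        bytes32 slot = IMPL_SLOT;
        assembly { impl := sload(slot) }
    }

    function _setImplementation(address impl) private {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
    }

    // Every call the proxy does not handle itself is forwarded with delegatecall, so
    // the implementation's code reads and writes this contract's storage and ETH.
    // This is exactly why the upgrade permission reaches user funds.
    function _delegate(address impl) private {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    fallback() external payable { _delegate(implementation()); }
    receive() external payable { _delegate(implementation()); }
}
```

A depositor can read `admin()` and `upgradeDelay()` to learn which situation they are in: a multi-sig admin with a delay of 0 can swap the code and move vault balances in a single transaction, which is the arrangement the Oasis case illustrates. A delay converts that agent permission into something closer to a meta permission over future code, with users retaining the ability to exit. Two caveats for real deployments: the admin's own functions shadow any implementation function with the same selector (transparent-proxy designs resolve this), and a timelock only protects users if no other permission can bypass it.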
As an industry, we are at a critical crossroads. While crypto has made significant progress in recent years toward the creation of democratically governed, credibly neutral systems, the current state of permissions threatens to reverse this progress.
We’re beginning to see this play out across the web3 landscape. From royalty wars that pressure NFT projects to concentrate control, to defi core teams holding the keys to vital smart contract upgrades that put user funds at risk – ownership is quietly under attack.
But failing to address these issues doesn’t only impact ownership – it calls into question the decentralization of these systems more broadly. If we continue to allow permissions to be concentrated in the hands of a few key stakeholders, we run the risk of entrenching harmful and exploitative powers – resulting in systems that are no more decentralized or censorship-resistant than the ones we aim to dismantle in the first place.