--- title: "CO2 Coin: Decentralized Carbon Capture Blockchains" description: 'Sketch of a decentralized mineralization-based carbon capture: suppliers stake on reported deposits of mineral dust in publicly-auditable locations.' created: 2021-06-12 modified: 2023-07-13 status: finished previous: '/Bitcoin-is-Worse-is-Better' next: /startup-idea confidence: possible importance: 4 cssExtension: dropcaps-kanzlei ...
> Blockchains or tokens for carbon dioxide removal have sometimes been proposed, but provide little advantage. > > I review the principles of cryptoeconomics for designing mechanisms, and the proposal of "mineralization"---rock dust naturally reacting with atmospheric CO~2~ to lock it into minerals---for carbon capture to fight global warming. > > Cryptoeconomics often relies on auditability & challenges to create desired behavior, and mineralization provides an objective, checkable, form of carbon credits. Thus, one can set up a simple economic game where miners claim tokens for doing mineralization to sell as carbon offsets, and challengers audit their supposed mineralization deposits hunting for fraud; the equilibrium is honest reporting of mineralization quantities, yielding a true decentralized, reliable, fraud-resistant "CO~2~ Coin".
[Can a blockchain *know* CO~2~?]{.marginnote} P2P blockchains are sometimes deprecated as solutions in search of a problem. They can do currencies, yes, but what other real-world problem can they solve? Can they do anything to help solve (rather than cause) crises like global warming? Could we, for example, create a [cryptocurrency](!W) which somehow incentivizes *removing* CO~2~ instead of emitting it? But how does a blockchain *know* what happens in the real world, like what carbon emissions have been avoided, or what CO~2~ has been removed? Most proposals for a "CO~2~ Coin" either wouldn't work for basic economic reasons, or are little more than taking existing carbon credits / cap-and-trade schemes and slapping "Blockchain™" on it (the blockchain knows whatever [the trusted third party](https://nakamotoinstitute.org/trusted-third-parties/ "'Trusted Third Parties are Security Holes', Szabo 2001") tells it to know, start to finish). Below I describe a simple scheme for how a viable but not pointless CO~2~ Coin might work, and explain how cryptoeconomics principles would lead you naturally to such a design---"you could have invented CO~2~ Coin!" # Cryptoeconomics Principles The principles of cryptoeconomics are to: *minimize* trust; trust, but *verify*; *distribute* trust; and *incentivize* upholding trust. This corresponds to things that a blockchain can know easily, with difficulty, or not at all. [Trust: zero / minimal / distributed / incentives.]{.marginnote} The goal of Bitcoin is sometimes misunderstood as *zero*-trust. It would be nice if everything could be done with zero trust, but that is often impossible. Even decentralization is often too expensive to be feasible: every system *wants* to be centralized because it is more efficient (anything a decentralized system does, a centralized system can copy, but not vice-versa^[This is in addition to the inherent technical tradeoffs. Anyone who's read hyperscale systems engineering research can appreciate the efficiency of a data warehouse compared to a bunch of flaky high-latency off-the-shelf consumer nodes. Even something straightforward like crowdsourcing training of a highly-efficient & compute [ALBERT NN](https://arxiv.org/abs/2106.10207 "'Distributed Deep Learning in Open Collaborations', Diskin et al 2021") can involve inefficiencies of 2--3×. This is the "price of decentralization".]), and systems like Bitcoin or BitTorrent are only as decentralized [as they need to be](/doc/technology/2018-07-25-johnbackus-howdecentralizationevolves.html "Resistant protocols: How decentralization evolves"). (In the case of P2P filesharing, that optimal level of distribution turns out to be 'not very', but for international currencies, it is 'very much'.) [Blockchain transactions: zero trust.]{.marginnote} Cryptographic primitives can make many 'internal' guarantees about correctness and knowledge. Bitcoin can minimize trust in the sense of validating the double-entry ledger follows all the rules (every transaction sums to zero, everything is cryptographically signed, money is not created _ex nihilo_ except as intended by PoW etc) by making it public and letting nodes recompute the history themselves, proving it is correct. (With much more advanced zero-knowledge-proof cryptography like SNARKs, the blockchain doesn't even need to store full transactions to allow nodes to prove correctness!) Because currencies are software and software can 'see' other software, cryptography can also guarantee "atomic swaps" in trading one cryptocurrency for another; more recently, "flash loans" have drawn note for how they enable seemingly-impossible trading leverage trustlessly by doing the loan & trade in a single atomic step, ensuring that the loan either gets paid back or never happens. [Blockchains: minimal trust.]{.marginnote} Validating the entire ledger can be expensive, so 'light' nodes can verify less of it, and instead trust other nodes via SPV or using checkpoint or APIs; this trust is limited, because they still do much cryptography themselves, and can still download & verify the full blockchain when necessary. [Custody/mining: distributed trust.]{.marginnote} Bitcoin further distributes trust by letting users decide how to custody their funds: Satoshi did not aim at forcing every user to be their own sovereign bank, but allowing the *choice* of which bank to trust, including but not limited to themselves.^[As [Satoshi noted to Mike Hearn](https://pastebin.com/Na5FwkQ4 "Mike Hearn/Satoshi Nakamoto Email 1 (https://bitcointalk.org/index.php?topic=2080206.msg20791152#msg20791152)") (2009-04-12): "[the original] [Ripple](!W "Ripple (payment protocol)") is interesting in that it's the only other system that does something with trust besides concentrate it into a central server." Ripple was [_hawala_](!W)-esque: every participant could mint their own 'tokens', backed by anything at all (no attempt to avoid inflationary currencies or double-spend attacks), and define acceptable exchange rates for other tokens, and Ripple would try to construct any necessary chain of transactions. When I briefly used it, there were quite a few interesting tokens, including things that would probably now be called [colored](https://ansuz.sooke.bc.ca/entry/23 "What Colour are your bits?") coins or even "[NFTs](!W "Non-fungible token")".] The Bitcoin miners are also distributed: no one can stop you from mining, and miners can set up anywhere. But simply being distributed is not enough, and miners are incentivized to act honestly by their investment in PoW & Bitcoin: censoring transactions, forking, setting up alternatives, "split brain" problems---miners are highly motivated to keep everything humming along to maintain the exchange rate they need to sell their minted coins. [Blockchain _ultima ratio_: incentives.]{.marginnote} This last is the ultimate backing: incentives. We can set up economic games and design mechanisms to make doing the right thing more profitable than doing the wrong thing. The difference may be small, and cannot give us the extraordinary security that cryptography can, but economic games can achieve real-world things cryptography is unable to, and this is enough (["Bitcoin is Worse is Better"](/bitcoin-is-worse-is-better)). By putting up something to lose, otherwise impossible things can be done. To give 3 examples of incentives/games which can accomplish things software may never can: #. [2-of-2 **Nash exploding-escrow** exchange](/doc/bitcoin/nashx/index) for untrusted sales: The buyer and seller both lock 1× the price of a good inside not a 2-of-3 but a 2-of-*2* multisig cryptographic escrow. The escrow either destroys the money or sends it to the seller; the buyer only agrees to the latter if the good arrives as described; the buyer has no incentive to cheat, and the seller can't profit by cheating either (he will lose the deposit), so he will send the good. In general, no software can ever know that the good arrived as the buyer expected, short of mind-reading software; but it doesn't need to, as long as the buyer plays his part. There is no guarantee that the seller will cooperate: maybe he'll throw away his money for the lulz...? But it will usually work. #. ["**slashing**"](https://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm "Slasher: A Punitive Proof-of-Stake Algorithm") variants on [proof](https://blog.ethereum.org/2014/07/05/stake "On Stake") [of](https://eth.wiki/en/concepts/proof-of-stake-faqs "Proof of Stake FAQs") [stake](https://en.wikipedia.org/wiki/Proof_of_stake): the miners (stakers) must put up a bond, and if a double-spend surfaces, because shenanigans, software can know that there are 2 conflicting transactions, and---without caring *which* one is right in the real world---seize the bond and pay a bounty to whomever provided the 2 contradictory transactions, thereby incentivizing fraud detection & enforcing good behavior. #. [**TrueBit**](https://people.cs.uchicago.edu/~teutsch/papers/truebit.pdf "'TrueBit: A scalable verification solution for blockchains', Teutsch & Reitwiessner 2017"), while complicated, extends our idea of what "deposits" can do even further: TrueBit tries to enable purchasing of trustworthy arbitrary cloud computation. How is that possible? Blockchains cannot possibly redo the computations, redoing the computation yourself is pointless, and advanced cryptography like SNARKs may not be available or cover the computations in question; TrueBit instead creates a "verification game" where it starts by trusting hired cloud services to do the purchased computations correctly, letting other people challenge specific subsets (which can be done cheaply) in exchange for a bounty, but---to ensure that there will be people challenging at all---also periodically *corrupting* the results to incentivize random spot-checks. #. **Forking games**: Augur, cryptocurrencies in general. An important class of games is forking games, which apply to all cryptocurrencies and is worth discussing in more detail. - [Bitcoin's]{.smallcaps} Proof-of-Work mechanism reduces the necessary trust, but there is still trust involved---if only that the user must trust that they downloaded *the* blockchain, as opposed to a fork which is invisible to them because of, say, Internet censoring or a DoS attack suppressing an alternate blockchain (an "eclipse attack"). There is no mathematical way to know you have 'the' blockchain, and no similar blockchain exists anywhere in the universe; this is not a thing that software like a blockchain can know. (A similar issue holds for proof-of-stake too.) Instead, the blockchain is grounded on *social* processes which set up economic incentives: a Bitcoin user knows they have the 'right' blockchain because they can verify out-of-band with users they trust what the latest block 'is', or that their transactions are 'showing up' at the exchange they want to use, and in the rare case of a fork, they can weigh [which blockchain appears more 'legitimate'](https://vitalik.eth.limo/general/2021/03/23/legitimacy.html "'The Most Important Scarce Resource is Legitimacy', Vitalik Buterin"). The ultimate grounding of Bitcoin is in the worldwide Bitcoin community which gives it value by being willing to exchange for it. If something goes wrong, the community at large decides which is right. (An example of this is the post-DAO Ethereum fork: no one has the power to coerce everyone to not use "Ethereum Classic" owned by the DAO hacker, rather than the anti-hacker fork, but most chose the latter fork. As Yogi Berra asked, "If people don't want to go to the ball game, how are you going to stop them?") Because communities are slow, and such consensus processes trigger [holy wars](/holy-war "'Technology Holy Wars are Coordination Problems', Branwen 2020") which are extremely exhausting and expensive for everyone involved, it is to be devoutly hoped that this _ultima ratio_ is resorted to as little as possible---but as long as this free-market [backstop](/backstop "'Evolution as Backstop for Reinforcement Learning', Branwen 2018") exists & is credible, it won't *need* to be resorted to. - [Augur]{.smallcaps}: Prediction markets suffer the same problem of "how does the software know what wound up happening in the real world?", but can set up incentives to report honestly. [Augur](http://www.augur.net/whitepaper.pdf "'Augur: a Decentralized Oracle and Prediction Market Platform', Peterson et al 2018") ([WP](!W "Augur (software)")) builds 'forking' into the core protocol: should enough money be staked on a disputed market outcome, putting the Augur cat into a superposition of true & false, Augur as a whole will explicitly fork into *two* Augurs, in which the dispute is collapsed into one where the outcome was true and one where it was false, and the disputers are forced into the one they claim to be right; then, like Ethereum Classic vs Ethereum (or [Steem](https://decrypt.co/38050/steem-steemit-tron-justin-sun-cryptocurrency-war "Steem vs Tron: The rebellion against a cryptocurrency empire; Tron founder Justin Sun bought Steemit to expand his realm. But the ferocious backlash started an epic cryptocurrency war")), users will vote with their feet about which one they regard as the legitimate trustworthy Augur which will resolve markets *correctly* and which one has been hijacked by evil resolvers & is untrustworthy garbage to be sold off posthaste.[^assassination-markets] If the disputers are fraudulent, their version will quickly become largely or entirely worthless, just like Ethereum Classic has collapsed relative to regular Ethereum ([$49]($2021) vs [$2,110]($2021) as I write this). Could this go further? Instead of having 'forks' for the overall PM, one could hypothetically have individual per-market forking, or even drop the blockchain/community entirely and rely on a single trusted third party---but lots of them. [Mantic Markets](https://manifold.markets/) proposes to have specific users create, and judge, individual prediction markets, which they get royalties from transactions; their honesty is incentivized by their reputation & hope of future markets. (The experience of darknet markets like [Silk Road 1](/silk-road "'Silk Road 1: Theory & Practice', Branwen 2011") with early-finalization & exit scams offers reasons for both skepticism & hope.) [^assassination-markets]: Forking also addresses the 'problem' of [assassination markets](!W): being highly illegal & lacking any noticeable public support (it's worth noting the *first* assassination market, [Sanjuro's "Assassination Market"](/silk-road#sanjuro), shut down from lack of interest), most exchanges & services & cryptocurrency users would boycott a prediction market with active successful assassination markets, thereby rendering its tokens far less valuable (even if not outright toxic to hold), and incentivizing prediction markets to self-censor (eg. even if they cannot outright block or destroy death-related contracts, the major coinholders could simply precommit to resolving the contract in whatever way best screws over the contract, thereby incentivizing bounty-hunters to cause a resolution dispute and kick it up to the coinholders who can then intervene). [Design approach: cryptography → incentives.]{.marginnote} So, cryptography is only the start when it comes to cryptoeconomics. In designing a cryptoeconomic system, we can proceed by falling back as necessary: do everything that software can do by cryptography to eliminate any unnecessary trusting; then if necessary, we can spread around our trust and make any specific trust optional; if we must trust groups which we can't choose from, we can set up economics games to detect cheating and punish it, and reward correct behavior. By playing with these design options and tradeoffs, we can come up with all sorts of interesting new systems & [markets](https://vitalik.eth.limo/general/2018/04/20/radical_markets.html "'On Radical Markets', Vitalik Buterin") like [Darkleaks](https://github.com/darkwallet/darkleaks) for information sales, [token-curated](https://medium.com/@tokencuratedregistry/the-token-curated-registry-whitepaper-bd2fb29299d6) [registries](https://medium.com/@alex.tabarrok/when-can-token-curated-registries-actually-work-%C2%B9-2ad908653aaf "When Can Token Curated Registries Actually Work?"), or [DAOs](!W "Decentralized autonomous organization") like arbitration systems ([Aragon Court](https://github.com/aragon/whitepaper)/[Kleros](https://kleros.io/assets/whitepaper.pdf)). # CO~2~ Credit Flaws
> ![The box. It can be opened.](/doc/cs/security/lobel-frogandtoadtogether-thebox-crop.jpg){.float-right .invert-not} > > Frog put the cookies in a box. “There”, he said. “Now we will not eat any more cookies.” \ > “But we can open the box”, said Toad. \ > “That is true”, said Frog. > > Frog tied some string around the box. “There”, he said. “Now we will not eat any more cookies.” \ > “But we can cut the string and open the box.” said Toad. \ > “That is true”, said Frog. > > Frog got a ladder. He put the box up on a high shelf. “There”, said Frog. “Now we will not eat any more cookies.” \ > “But we can climb the ladder & take the box down from the shelf & cut the string & open the box”, said Toad. \ > “That is true”, said Frog. > > [_Frog and Toad Together_](!W) by [Arnold Lobel](!W)
[Carbon credit security flaws.]{.marginnote} Carbon credits are easily abused, and often subjected to fraud. They can be hard to examine even on the ground. Did they really liquefy and inject as many tons of CO~2~ into the ground as they claimed? (How would you know if they lied?) How do you know 2 carbon credits don't refer to the same action? If someone claims carbon credits from *not* cutting down their forest, how do you know the counterfactual, and that they really were going to cut it down if you didn't pay them for credits---or that they [stopped cutting at all](https://www.theguardian.com/environment/2023/jan/18/revealed-forest-carbon-offsets-biggest-provider-worthless-verra-aoe), or that they did but they won't cut it down in the future, or that they didn't simply switch what they intended to cut down? That it [won't](https://www.science.org/doi/10.1126/science.aaz7005 "'Climate-driven risks to the climate mitigation potential of forests', Anderegg et al 2020") [burn](https://carbonplan.org/research/offset-project-fire "'Carbon offsets burning', Herbert et al 2020") [down](https://www.fastcompany.com/90659827/the-bootleg-fire-is-burning-through-trees-that-are-being-used-as-carbon-offsets "The Bootleg fire is burning through trees that are being used as carbon offsets: One of the dangers of using trees as offsets is that they can suddenly and catastrophically release all their stored carbon")? Or that there was ever a forest? [How does a blockchain know CO~2~?]{.marginnote} One of the most fundamental questions about a blockchain is: "how does the blockchain know about _X_?" How does the blockchain know how many coins you have? What the exchange rate of Bitcoin is? Which transaction is real? Or where a coin came from? So for a CO~2~ carbon credit blockchain: "How does the blockchain *know* how many carbon credits there are, that they are valid and real, and who owns them or has spent them?" A blockchain, being software, has no knowledge of the real material world of atoms. So how can it know anything about how many carbon credits someone owning a forest should claim? [A trusted-third-party tells it?]{.marginnote} The simplest way is to have a carbon credit company simply guarantee and sign off on every token, guaranteeing the buyer that they have done all the diligence and anti-fraud prevention. The company mints CO~2~ tokens, it guarantees the tokens are all valid and correspond to a ton of removed CO~2~, and so on. This company must be utterly trusted in every respect. This is the usual scheme [discussed](/doc/bitcoin/2019-09-12-robertgreenfield-blockchainenabledcarboncreditmarkets.html "Blockchain Enabled Carbon Credit Markets: Real considerations to make when tokenizing carbon credits") and implemented by entities like [Nori](https://nori.com/), which can get extremely complicated like [Klima](https://mirror.xyz/0xA3C0f44dAF771ce6c8bD13f290A2006826A87d9D/8DiOfNWGqXyl2s7o-iPgYGUNQM9KO5byI53yFWLwAD8 "From Kyoto Protocol to Klima Protocol (🌳,🌳)"). [Third-Parties+Blockchain = wasteful security theater.]{.marginnote} In such a scheme, why even bother with a blockchain at all? You trust it utterly, so putting some tokens on a blockchain does nothing new. (If you want to prove to a third party---say, you're a business buying offsets to be 'green' and want to prove to customers you really did buy all the credits you said you did---they can simply put a list on their website of buyers like you. Maybe go nuts, and PGP-sign it!) Recording such credits on a blockchain is like putting 5 locks on your door when the burglar will [just cut through the dry wall](/unseeing "'On Seeing Through and Unseeing: The Hacker Mindset', Branwen 2012") surrounding the door instead. A blockchain is waste & puffery. [Auditable carbon credits...?]{.marginnote} Can we do better? (Again: "how does the blockchain *know* about CO~2~ credits?") We need some sort of carbon credit which resists these fraud problems: ideally, it should be (like PoW itself) something that nobody does normally, so there are no issues with counterfactuals (if it happens at all, then it happened because of the carbon credit); it should be irreversible, so it needs be checked only once, is not vulnerable to being undone for profit; and it should be verifiable at low cost by many parties (ruling out things like drilling & sealing deep wells where verifying might cost more than the ostensible carbon capture itself does). Bitcoin's PoW satisfies these properties intrinsically---nobody calculates double-SHA-256 for any other reason than PoW and it has no other benefits, the energy spent cannot be undone or recovered, and a hash is verifiable at ~0 cost by anyone. Is there any carbon credit with similar properties? There turns out to be one that comes close! # Mineralization [Minerals absorb CO~2~.]{.marginnote} [Enhanced weathering](https://en.wikipedia.org/wiki/Enhanced_weathering) or "mineralization" using a few minerals like [basalt](/doc/technology/carbon-capture/2020-beerling.pdf "'Potential for large-scale CO~2~ removal via enhanced rock weathering with croplands', Beerling et al 2020") or [olivine](https://en.wikipedia.org/wiki/Olivine#Uses) (prefered by [Project Vesta](https://www.vesta.earth/)) uses natural chemical reactions of CO~2~ with specific common minerals to [permanently lock CO~2~ away](!W "Carbon dioxide removal") inside the mineral; this process removes many gigatons over millennia, but can be sped up into year-scale absorption by what turns out to be fairly cheap mining & grinding.^[Discussion of carbon capture methods, including the mineralization approaches: ["Negative emissions---Part 1: Research landscape and synthesis", Minx et al 2018](https://iopscience.iop.org/article/10.1088/1748-9326/aabf9b "'Negative emissions—Part 1: Research landscape and synthesis', Minx et al 2018")/["Negative emissions---Part 2: Costs, potentials and side effects"](https://iopscience.iop.org/article/10.1088/1748-9326/aabf9f "Fuss et al 2018")/["Negative emissions---Part 3: Innovation and upscaling"](https://iopscience.iop.org/article/10.1088/1748-9326/aabff4 "Nemet et al 2018"); ["We Need To Take CO~2~ Out Of The Sky"](https://www.orbuch.com/carbon-removal/ "To keep below 2°, we'll need to dramatically reduce current emissions"); [using mining tailings](https://www.frontiersin.org/articles/10.3389/fclim.2021.694175/full "'Global Carbon Dioxide Removal Potential of Waste Materials From Metal and Diamond Mining', Bullock et a l2021"); [_Works in Progress_](https://worksinprogress.co/issue/olivine-weathering/ "'Olivine weathering: Olivine is a green mineral that reacts with CO2 in the ocean to form a harmless silt. This reaction might be the key to slowing down climate change, or reversing it altogether.', Campbell Nilsen 2023-05-23"). More on basalt mineralization: [_Nature_](https://www.nature.com/articles/d41586-020-01965-7 "Removal of atmospheric CO~2~ by rock weathering holds promise for mitigating climate change: Large-scale removal of carbon dioxide from the atmosphere might be achieved through enhanced rock weathering. It now seems that this approach is as promising as other strategies, in terms of cost and CO~2~-removal potential"); [editorial](https://www.nature.com/articles/d41586-020-02001-4 "Pulling carbon from the sky is necessary but not sufficient: Carbon dioxide removal is becoming a serious proposition. But it is not a substitute for aggressive action to cut emissions"); [media](https://www.theguardian.com/environment/2020/jul/08/spreading-rock-dust-on-fields-could-remove-vast-amounts-of-co2-from-air "Spreading rock dust on fields could remove vast amounts of CO~2~ from air: It may be best near-term way to remove CO~2~, say scientists, but cutting fossil fuel use remains critical").] (Will it be cheap enough? Who knows. Let's proceed on the assumption that the details will work themselves out and mineralization will be a competitive form of carbon capture.) [Irreversible, observable, costly.]{.marginnote} Mineralization happens only extremely slowly naturally, is irreversible, not useful for other purposes, difficult to transport, physically distributed, & easily auditable. The natural slowness means new mineralization is indeed new and sped up (maybe it would've happened in a million years, but we can't wait that long!). The exothermic nature of the reaction means both that it's cheap because it requires no energy inputs to power the reaction (the downfall of most carbon capture methods) and also that *reversing* it is expensive & has no conceivable rationale so no matter what, carbon captured through mineralization will *stay* captured. The lack of other uses means that double-counting won't work: no one can mineralize for some ulterior purpose, and then double-dip by claiming carbon credits (this is bad because if they were doing it anyway, no *additional* carbon capture is being incentivized, and buyers are being ripped off). The difficult-transport assists verification because one cannot play games with inspection by rapidly moving around a few hot spots. The physically distributed aspect enables global entry (while deposits of olivine or basalt may be concentrated, it is not as if they exist only in 1 or 2 spots in the world) and competition, distributing trust. And finally, the concrete irreversible objective nature of the chemical reaction means that any specific sample of olivine/basalt dust can be quickly audited, if only by walking out to a random spot, scooping it up with one's hands, and going, 'yep, that's half-converted olivine dust alright'. [Dust easily auditable.]{.marginnote} These properties mean that, given the location of land coated in mineral dust posted publicly on a blockchain along with a security deposit, any third-party auditor can sample a few random spots and verify the presence of _X_ m^3^ of virgin mineral dust, thereby proving that: _Y_ tons have been newly created for the sole purpose of carbon capture, which would not exist counterfactually, irreversibly & permanently removing _Z_ tons of CO~2~ from the atmosphere, and which cannot be replayed by moving elsewhere (too costly and the dust will not be virgin when re-tested as 'new') or double-counted (because all interested parties can verify the non-overlap with previous or later locations using the public ledger).[^white-paint] [^white-paint]: [Another example](https://twitter.com/gfodor/status/1679503487263186944 "People are laughing about how infeasible this is.
It seems obviously the kind of thing you could solve via a decentralized blockchain for carbon credits, similarly to Gwern’s CO2 Coin. Proof-of-paint can be determined via satellite images with public APIs.") of an observable, costly, and auditable climate change intervention would be cooling the planet by painting white large surfaces so they reflect sunlight/heat back into space. This can be audited by existing near-realtime satellite photograph systems & is by definition observable (if a space satellite can't see the large area of white paint reflecting a lot of light back, then the paint isn't working), the causal effect easily quantified by measuring the brightness and can be attributed to specific property owners based on land registries, does not occur naturally because large areas do not often spontaneously become extremely white, is costly to undo (scrape it off? repaint it a different color? demolish the buildings?), the causal effect irreversible (reflected light cannot be recovered but is gone forever), and has relatively few substitution issues. (Some white-painting will happen anyway for the local benefits to cooling, and that would lead to double-crediting; but painting *large* areas or buildings white, particular in areas not in particular need of cooling, would not happen in the absence of such a program.) # CO~2~ Coin With all this in mind, can we set up an economic game which rewards honest mining & creation of mineralization, while detecting & punishing cheaters at not too absurd a cost, which minimizes the total trust and the trust placed in any entity? Maybe! Here is an example of a design which minimizes trust down to rare invocations of a third-party auditor, possessing only basic mineralogical assay skills which can verify the presence/absence of olivine/basalt dust: #. set up a "CO~2~ Coin" token on some secure blockchain somewhere (eg. your standard [ERC-20](!W)), where 1 coin = 1 ton of removed CO~2~. An 'auditor' public key _K_ is specified, which will be trusted. #. Anyone can create 1 token, in exchange for a stake (a security deposit or bond) of _x_ ETH and 4 GPS coordinates defining a rectangle somewhere. The set of GPS coordinates is invalid if they appear in any previous token. The token is created, but cannot be transferred for _y_ blocks. Ostensibly, the rectangle contains dust which will mineralize 1 ton of CO~2~. #. After _y_ blocks pass with no challenge transactions, the token can be transferred arbitrarily. It can now be sold on the market as a carbon credit for 1 ton for some price ≪ _x_. The token may go through a few owners, but eventually is 'burned' (destroyed or otherwise rendered nontransferable) by an entity which wants to claim an offset (eg. an airline might have a publicly known address which it uses to buy a gigaton of tokens per year and 'burn' the tokens, enabling customers to independently check). #. A challenge transaction contains a message signed by the auditor key _K_, and an address/key for the challenger _C_: "the GPS coordinates did not contain 1 removal-ton's worth of dust". On such a message, the _x_ ETH are 'slashed' and sent to _C_ (who has presumably previously paid the auditor), and the token is canceled. [Trust minimized to auditor, not buyer/sellers/miners.]{.marginnote} In this design, as long as the *auditor is trustworthy* only to the extent that they will not sign lies about dust not being present in a specific physical location (in exchange for bribes presumably paid out of the slashed stakes), then anyone claiming to be creating tokens will risk their large deposit being challenged by a suspicious critic hiring the auditor to go check out in the real world the supposed mineralization project, and their fraud will become unprofitable. It will be more profitable to actually engage in mineralization, and report honestly. [Audits rarely needed (hopefully).]{.marginnote} Compared to your standard CO~2~ carbon credit, in which the entity claiming the carbon credit must be trusted about everything whatsoever, the auditor in this design must be trusted to verify next to nothing. And with cheating unprofitable, and checks cheap---perhaps challengers could watch satellite imagery to get a sense of how much work is being done in terms of mining & trucking, or get tips from insiders in exchange for a cut---the auditor will rarely be invoked. (Because CO~2~ is a major global political & philanthropic concern and the auditor in equilibrium rarely or never needs to do checks, the auditor could be a highly-trusted institution like the Bill Gates Foundation, which cannot be bribed.) Should the auditor need to be invoked more, then a TrueBit-like 'fraud injection' scheme could be contemplated; or a third-party charity/philanthropy could pay for spot checks themselves.^[If a CO~2~ Coin took off, big buyers might occasionally commission spot checks themselves, much as they run "secret shoppers" or pentests or random batch testing or periodic random audits; if you are, say, an airline, or [Stripe](!W "Stripe (company)"), and you want to buy *billions of dollars* of offsets, and it would be a "green-washing" scandal if the offsets turned out to be fake, you would be foolish to not set aside a few million dollars for spot checks up front and then on an ongoing basis.] Then this system provides most of the desiderata: a global market for CO~2~ mineralization tokens which can be purchased safely, transparently, at scale, in a decentralized manner with minimal trust, in a way which is not pointless tokens-for-the-sake-of-tokens altcoin buzzword. From here we can discuss variants based on what kinds of attacks we think might result in profitable cheating. (Does the dust react slowly enough that ostensibly 'virgin' dust could be scooped up & double-counted at another site without triggering suspicion? Could the auditor defeat this by dumping dust into the ocean, or would that undermine mineralization or be too expensive & involved? etc.) ## CO~2~ Coin*s* [Going further.]{.marginnote} Indeed, do we even need a trusted auditor here? After all, presumably anyone in the world with a bit of geology knowledge could have gone to the GPS coordinates to check. It's convenient to specify a _K_ which triggers slashing, but is it really necessary to have only one _K_? [Fork-only by ad hoc audits?]{.marginnote} By the logic of forking games, one could imagine removing the special trusted role of _K_. Instead of having only one fungible CO~2~ Coin, one can have many Ripple-style issuers of coins trading at different prices based on their reputation for quality, which are audited by many independent _K_, which rely on their reputation and the long-term auditability of mineralization deposits. Even if a token can no longer be slashed, negative reports can still be issued, clouding the reputation of a specific token issuer and retroactively punishing them by being no longer able to sell at normal prices, until further investigation by the community settles the issue one way or another. (This would be similar to historical [private enforcement](/doc/economics/mechanism-design/2021-white.pdf "The private mint in economics: evidence from the American gold rushes") of gold coin minting: a mint could defraud customers by putting in less gold, but this could be detected by careful assays anywhere, and newspapers would then spread the news of that mint's misdeeds everywhere; fraudulent mints could steal only a little before their coins were devalued appropriately, and respectable mints would even *over*weight coins to maintain their reputation for being at or above the nominal value.) The Augur forking game could also be reused: each issuer is part of an ecosystem of CO~2~ Coins, with some permanent bond, and when an auditor issues a challenge to a specific issuer, the other issuers are forced to take sides, and if the challenge is not resolved, the CO~2~ Coins fork, drawing in community (and perhaps global) attention and scrutiny of all past mineralization deposits; issuers who fail to audit and police their ecosystem and endorse a fraud, will soon discover themselves bankrupt. # See Also - [Towards prediction markets on mouse longevity drugs](/startup-idea#mouse-longevity-perpetual-swaps){#gwern-startup-ideas .backlink-not} # External Links - [_Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction_](https://bitcoinbook.cs.princeton.edu/), Narayanan et al 2016 - ["A Survey on Applications of Game Theory in Blockchain"](https://arxiv.org/abs/1902.10865), Liu et al 2019 - ["Moving beyond coin voting governance"](https://vitalik.eth.limo/general/2021/08/16/voting3.html), Buterin - ["The Biggest Crypto Effort to End Useless Carbon Offsets Is Backfiring: A campaign to rid the world of cheap, low-quality carbon credits that don’t actually help the environment ended up generating more of them"](https://archive.is/1gXax); ["Phantom Forests: Why Ambitious Tree Planting Projects Are Failing"](https://e360.yale.edu/features/phantom-forests-tree-planting-climate-change "High-profile initiatives to plant millions of trees are being touted by governments around the world as major contributions to fighting climate change. But scientists say many of these projects are ill-conceived and poorly managed and often fail to grow any forests at all."); ["More than 90% of rainforest carbon offsets by biggest certifier are worthless, analysis shows"](https://www.theguardian.com/environment/2023/jan/18/revealed-forest-carbon-offsets-biggest-provider-worthless-verra-aoe "Patrick Greenfield 2023-01-18") ([background](https://www.newyorker.com/magazine/2023/10/23/the-great-cash-for-carbon-hustle "'The Great Cash-for-Carbon Hustle: Offsetting has been hailed as a fix for runaway emissions and climate change—but the market’s largest firm sold millions of credits for carbon reductions that weren’t real', Heidi Blake 2023-10-16")); ["Top carbon offset projects may not cut planet-heating emissions"](https://www.theguardian.com/environment/2023/sep/19/do-carbon-credit-reduce-emissions-greenhouse-gases "Nina Lakhani 2023-09-19"); ["Watch It Burn: Two scammers, a web of betrayal, and Europe’s fraud of the century"](https://magazine.atavist.com/watch-it-burn-france-europe-carbon-fraud-scam-vat-betrayal/) ("Europol eventually reported...the total amount ripped off by carbon scammers was five billion euros. Frunza kept his own score; he thinks the actual figure is closer to ten billion.")