Against Monoculture

Let a thousand wallets bloom 🌸

If you’ve ever stood in the middle of a cornfield, you know what it's like to look around and see rows and rows of stalks, all the same height, bearing the same crop, and planted equal distances apart.

This one-dimensional agricultural practice has a name: monoculture. It’s what happens when you plant a field with just one species. Monoculture is efficient and good for mass production – but it’s also risky. Because all the plants are the same, they have the same vulnerabilities to pests and diseases. A fungus that infects one corn stalk can easily take down a whole field – and more.

But corn isn’t the only thing that’s susceptible to the hazards of sameness. Any ecosystem that lacks the complex web of supporting interdependencies that diversity provides is at risk. Anytime there’s an over-reliance on too much of the same thing, there’s a real risk. Take software, for example.

Monoculture in Software

After a piece of software is created, it can be installed an infinite number of times across an infinite number of devices – much like the same kind of corn can be planted over and over again across a vast area. As with crops, the easily spreadable and reproducible nature of software makes it all too easy to form “software monocultures” – defined as “a community of computers that all run identical software.” And just like the agricultural kind, they are highly vulnerable to mass infection.

One of the more famous examples of this was the Heartbleed exploit – or as I like to think of it, the day SSL died.

The bug affected servers running OpenSSL, a software library responsible for much of the secure communication on the web. The TLS heartbeat extension lets two endpoints check that the other is still online: one side sends a small message and the other echoes it back. Researchers found that a malformed heartbeat message could trick a vulnerable server into divulging bits of private information it held in memory, including credit card numbers, identity data, and more.
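The flaw described above, as an added example that is not code from the original post or from OpenSSL: a simplified heartbeat handler, run with and without the length check, against a constructed record whose claimed payload length exceeds what was actually sent. The record layout, the secret and the memory arrangement are all assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified heartbeat record (modelled on the TLS heartbeat
 * message, not OpenSSL's real code):
 * [type:1][payload_length:2, big-endian][payload][padding >= 16] */
#define HB_HEADER 3
#define HB_PADDING 16

/* Build the reply for one heartbeat record. Returns bytes written to out, or -1
 * if the record is rejected. check_bounds=0 reproduces the Heartbleed-style
 * flaw: the sender's claimed length is trusted without comparing it to rec_len. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out,
                    size_t out_cap, int check_bounds) {
    if (rec_len < HB_HEADER) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: claimed payload plus padding must fit in the bytes actually received. */
    if (check_bounds && HB_HEADER + claimed + HB_PADDING > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, claimed); /* without the check this copies adjacent memory */
    return (int)claimed;
}

/* Simulated server memory: one tiny heartbeat record immediately followed by a
 * constructed secret, all inside a single array so the over-read stays within
 * the array for demonstration purposes. */
enum { MEM_SIZE = 64, PAYLOAD_LEN = 2, CLAIMED_LEN = 40 };

/* Runs the malformed record through the handler; returns the reply length and
 * leaves the reply bytes in out. */
int run_demo(int check_bounds, uint8_t *out, size_t out_cap) {
    uint8_t mem[MEM_SIZE] = {0};
    size_t rec_len = HB_HEADER + PAYLOAD_LEN + HB_PADDING; /* 21 bytes really sent */
    mem[0] = 1;                                 /* heartbeat_request */
    mem[1] = (uint8_t)(CLAIMED_LEN >> 8);       /* claims 40 bytes of payload... */
    mem[2] = (uint8_t)(CLAIMED_LEN & 0xff);
    memcpy(mem + HB_HEADER, "hi", PAYLOAD_LEN); /* ...but only 2 were sent */
    memcpy(mem + rec_len, "SECRET-KEY", 10);    /* constructed secret next to the record */
    return heartbeat_reply(mem, rec_len, out, out_cap, check_bounds);
}

/* Returns 1 if the reply buffer contains the needle, so a test can see the leak. */
int reply_contains(const uint8_t *buf, int n, const char *needle) {
    size_t m = strlen(needle);
    for (int i = 0; n >= 0 && i + (int)m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}
```

With check_bounds set to 0 the reply is 40 bytes and carries the neighbouring secret; with it set to 1 the malformed record is rejected outright.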

Because OpenSSL was used so widely across the web, the impact of Heartbleed was felt across the world. Amazon Web Services, Google, Netflix, Facebook, Dropbox, Intuit, Yahoo, and Tumblr were directly affected.

Monocultures in Web3

It’s seductive to believe that we’ve learned from the past and built a Web3 ecosystem that’s resistant to these vulnerabilities. This isn’t true. A system is only as decentralized as its most centralized component… and while properly decentralized software is often more resistant to orchestrated attacks, it is not invulnerable. Software monocultures – when many, many people rely on the same software – put huge parts of our decentralized ecosystems at risk of exploitation.

There are a few famous examples of this. In November 2020, a software update in Geth caused a significant portion of Ethereum’s ecosystem to stop functioning after a latent bug in its code split its transaction history in two. And flaws in the Eth2 Prysm protocol have caused the Ethereum community to question its reliability as a means to support nodes. It’s possible that just one bug in Prysm could take down Eth2, leading to widespread and unwarranted slashing. Other Ethereum community members are concerned about the likelihood that Lido controls more than 50% of all staked ETH. And who could forget the series of glitches that caused OpenSea users’ NFTs to disappear?

For these reasons, there’s been a grassroots community effort to diversify blockchain clients and staking pools. Geth, Prysm, and Lido aren’t at fault here — in fact, they’re such good pieces of software that they’re doing “too well,” becoming so popular that they risk becoming de facto standards. As a community, we’ve come to recognize the need for blockchain client and staking pool diversity.

Clients and pools aren’t the only monoculture risks to Web3. Today, MetaMask is the largest self-custodial wallet on the planet, with over 20 million users as of November 2021.

Think: A single flaw could lead to widespread geographic censorship, causing millions of people to instantly lose access to their digital assets. An arithmetic mistake, supply chain attack, or unexpected browser update could jeopardize the funds of over 20 million users.

Promoting Wallet (Bio)diversity 🌸🌻 🌸🌺🌸🌷🌸

What can we do about this problem? Ask Mother Nature.

While monoculture is the rule in the human-planned agricultural industry, it is exceedingly rare in the natural world. Wild forests and fields are teeming with thousands of different organisms – so many that no single contagion can take down the whole. This is how ecosystems endure, grow, and thrive. And just like in nature, diversity is what makes the Web3 ecosystem strong and resilient to attacks: a diversity of clients, pools, community members, ideas, digital wallets, and more.

A strong diversity of wallets isn’t just good defense against the risks of wallet monoculture. It’s also better for users. Each wallet has its own strengths that are particularly well-suited for diverse users and their different needs.

So, frens, the solution is this – let a thousand wallets bloom. No single wallet should dominate anything close to the majority of the Web3 ecosystem. If one wallet is hit with an exploit, the majority of the ecosystem should still stand strong.

Tally Ho is built on an entirely new codebase, separate from MetaMask, Coinbase Wallet, Trust Wallet, and other popular wallets. This means bugs that take down MetaMask might not impact Tally Ho — and vice versa.

An independent, open-source alternative deserves to be independently owned and operated. We’re building a strong, self-governing community that owns the wallet it uses to transact. Anyone can use Tally Ho to store their digital assets, log into Web3 platforms, connect to their favorite dApps, build their wealth, and more. Learn more about Tally Ho’s in-wallet features here.

Help us build a more free and transparent financial world. Learn more about becoming a part of the Tally Ho DAO here. Join the Discord community or apply to be a delegate. If you’re a dev who’s interested in building the Tally Ho ecosystem, we’d love to work with you.