Tuesday, July 17, 2018

DINO and IINO

One of the things that I, as an observer of the blockchain scene, find fascinating is how the various heists illuminate the deficiencies of actual, as opposed to the Platonic ideal, blockchain-based systems.

I've been writing for more than 4 years that, at scale, blockchains are DINO (Decentralized In Name Only) because irresistible economies of scale drive centralization. Now, a heist illuminates that, in practice, "smart contracts" such as those on the Ethereum blockchain (which is DINO) are also IINO (Immutable In Name Only). Follow me below the fold for the explanation.

First, the heist. David Gerard reports:
Per Matt Levine, “the standard fate of bitcoin exchanges seems to be to get hacked and lose their customers’ money.” So too Bancor, which lost $23.5 million in tokens on Monday — $12.5 million ETH, $1 million Pundi X (NPXS) and $10 million Bancor Network Tokens (BNT). They’d left administrative backdoors in the smart contract, and the thieves used those. The Israeli police are on the case (translation).
I asked myself, what are these "administrative backdoors? It turns out that Udi Wertheimer's tweet linked to an article he had written about some of them and the risks they posed more than a year ago, a week after Bancor had raised ~$150M (my emphasis):
When people think of “cryptocurrencies” or “digital assets”, or whatever the cool kids call them today, they think of decentralized, censorship resistant tokens, that no central party could control for any reason. And while some projects have various degrees of (de)centralization, I have never seen a token as centralized as BNT, that puts so much power in the hands of so few.

The BancorTokenContract controls the actual BNT token and its behavior. It is currently owned by the BancorCrowdsale contract, which is owned in turn by a closed-source contract which is most likely a “multisig” account held by the project and/or its partners.
Wertheimer listed some of the things the contract lets the owner account do:
  • All transactions using the BNT token can be disabled by the team at any time for any reason.
  • The team can issue new tokens at any time.
  • the team can DESTROY any tokens FROM ANY ACCOUNT, at any time.
It is hard to disagree with Werthheimer when he wrote:
I’m pretty sure that the Bancor team has no intention to misuse these backdoors, and that they believe they have “legitimate” uses. I’m not 100% sure of their legitimacy myself, but in any case I would argue that their existence should be clearly communicated to investors.

People in this space expect the control over tokens to be fully decentralized, and if for some reason they’re not, this should be made very clear.
Clearly, BNT is even more DINO than the Ethereum blockchain it runs on:
3 pools control more than 60% of the hashrate, and 6 pools will get you over 85%.
Wertheimer also noted:
Bancor’s contracts are “upgradeable”, meaning they can replace them with new functionality, giving them more power, or removing power from themselves. They promise on some communications they will gradually remove their control over the system.
Wait, "upgradeable" smart contracts on the blockchain? I thought the whole point of blockchains were that they were immutable! Smart contracts were "the steadfast iron will of unstoppable code". What did I know? Shane Pickens replied to Wertheimer's tweet:
You're describing a completely hypothetical case of somebody taking complete control of the contract and yeah they can do anything if they can control the contract but that is hardly a criticism of bancor and applies to all ERC 20 tokens
Wertheimer pointed out that in the Bancor case somebody had taken "complete control of the contract", so it wasn't a hypothetical case at all.

Are all ERC20 tokens really IINO? I searched for "upgradability of smart contracts ethereum and the top hit was Flexible Upgradability for Smart Contracts by Level K:
The immutable nature of Ethereum smart contracts is incredibly powerful. It allows us to build applications that are completely tamper-proof, untouchable by any individual, corporation, or government. Every participant is subject to the same set of rules, and these rules will never change.

But ultimately, these rules are created by humans. As humans, we are prone to the occasional mistake. It is impossible for us to see the whole picture from day one and build flawless systems that have no need for adaptability or improvement.

In order to balance immutability and flexibility, we need mechanisms for upgrading decentralized apps (dapps) after they are deployed. In this article, we will describe how this can be done today using some simple but powerful patterns.

While we will be describing the mechanisms for upgradability, we will not discuss the process for how an upgrade is triggered. An assumption can be made that upgrades will be executed by an “owner”. This owner could be an individually held address, a multi-sig contract, or a complex decentralized autonomous organization (DAO).
There follows a very clear explanation of how to make smart contracts IINO, and a list of the disadvantages of doing so:
  • The upgrade “owner” has full control, meaning full trust. In order to design a truly trustless contract that is also upgradable, the “owner” must itself be a trustless contract.
  • Syntax for interacting with key/value storage is more verbose than standard solidity state variable operations.
  • A flaw in a standardized and shared contract could lead to widespread damage across all dapps that consume the contract.
But Level K doesn't notice the recursive nature of the first disadvantage. In order for an upgradeable contract to be truly trustless, the owner must be a "complex decentralized autonomous organization (DAO)", which cannot itself be upgradeable. But, as Level K wrote earlier:
But ultimately, these rules are created by humans. As humans, we are prone to the occasional mistake. It is impossible for us to see the whole picture from day one and build flawless systems that have no need for adaptability or improvement.
So the owner DAOs must not merely not be DINO, they must be the Platonic ideal "flawless systems that have no need for adaptability or improvement". In the real world, as illustrated by the very first DAO, even the experts can't build such systems. Nicholas Weaver writes (author version):
The first big smart contract, the DAO or Decentralized Autonomous Organization, sought to create a democratic mutual fund where investors could invest their Ethereum and then vote on possible investments. Approximately 10% of all Ethereum ended up in the DAO before someone discovered a reentrancy bug that enabled the attacker to effectively steal all the Ethereum. The only reason this bug and theft did not result in global losses is that Ethereum developers released a new version of the system that effectively undid the theft by altering the supposedly immutable blockchain.
So, it is only true in the Platonic ideal world that:
The immutable nature of Ethereum smart contracts is incredibly powerful. It allows us to build applications that are completely tamper-proof, untouchable by any individual, corporation, or government. Every participant is subject to the same set of rules, and these rules will never change.
In the real world of imperfect programmers, it either isn't true, or the applications will have bugs that bad guys will exploit. After all, 81% of Recent ICOs Were Scams, Research Finds, so the bad guys in these cases were the contract owners themselves.

Yes, sensible "smart contracts" are both DINO and IINO. Unlike paper contracts, they are "contracts" that the owner can rewrite at will. So you really have to trust the owner.  Wasn't the whole point of blockchains that they eliminate the need for trust?
A major misconception about blockchains is that they provide a basis of trust. A better perspective is that blockchains eliminate the need for trust.
Sigh!

5 comments:

David. said...

"Hackers managed to steal $7.7 million dollars' worth of cryptocurrency from the platform known as KICKICO by using a novel technique—destroying existing coins and then creating new ones totaling the same amount and putting them in hacker-controlled addresses, KICKICO officials said.

The technique evaded KICKICO’s security measures because it didn't change the number of KICK tokens issued on the network. ... The unknown attackers were able to destroy the existing coins and create new ones by first obtaining the secret cryptographic key controlling the KICKICO smart contract."

From Dan Goodin's Hackers find creative way to steal $7.7 million without being detected. KICKICO uses Bancor, so it is IINO. KICKICO reported that:

"The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: ... But thanks to the rapid response of our community and our coordinated team work, we were able to regain control over the tokens and prevent further possible losses by replacing the compromised private key with the private key of the cold storage."

So that's OK, then. Mutability has its uses.

David. said...

David Gerard discusses West Virginia's use of the Votaz "blockchain" mobile voting app at length. Randall Munro's take is more concise.

David. said...

Contract upgrade anti-patterns on the Trail of Bits blog starts:

"A popular trend in smart contract design is to promote the development of upgradable contracts. At Trail of Bits, we have reviewed many upgradable contracts and believe that this trend is going in the wrong direction. Existing techniques to upgrade contracts have flaws, increase the complexity of the contract significantly, and ultimately introduce bugs. To highlight this point, we are releasing a previously unknown flaw in the Zeppelin contract upgrade strategy, one of the most common upgrade approaches."

The fragility of these mechanisms is awesome. Hat tip to David Gerard.

David. said...

Danny Bradbury's Blockchain hustler beats the house with smart contract hack describes the latest not-so-smart contract fail:

"A wily hacker has scored a thousand dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain."

Hat tip David Gerard.

David. said...

"Japanese cryptocurrency exchange Zaif announced today that it lost $60 million worth of company and user funds during a security incident that took place last week." reports Catalin Cimpanu. The great thing about cryptocurrencies is that there's no need for trust, and transactions are irreversible.