Bitfinex, Blockchain Hacks, and Replay Attacks Oh My - All Things that Steem’s Technology is designed to prevent.
The past couple of months have been full of hard lessons for everyone in the cryptocurrency space. Bugs in the DAO code lead to hard forks of ETH which lead to Replay Attacks and now a market battle between Ethereum and Ethereum Classic.
In the process the DAO hacker has managed to indirectly harm everyone from ETH holders to anyone doing business with Coinbase, one of many potential victims of the Replay Attack.
If the problems with Ethereum weren’t enough, there are now reports that $72 million worth of Bitcoin may have been stolen from Bitfinex.
Even steemit.com was hacked. The difference is that Steem responded quickly, decisively, and with long-lasting technological solutions rather than one-time patches that do nothing to prevent future issues.
All of this is Preventable
For over 3 years I have been working to design and build next generation blockchain technologies. Steem is the product of many hard lessons in usability, scalability, and security. Most of the lessons learned are not available on any other platform.
Preventing Replay Attacks
Way back in November 2013 I introduced the concept of Transactions as Proof of Stake also known as TaPoS.
The idea behind TaPoS is that each time a transaction is signed it should reference a recent block ID. By referencing a recent block ID the signer is also certifying their opinion on the state of the blockchain and the pre-condition for the validity of the transaction.
Over the long term this means that every stake holder is directly certifying / checkpointing the blockchain and creates a measure of consensus that is even harder to forge than redoing all of the Proof of Work on bitcoin and “migrating” the transactions.
Preventing Rebirth of Forks
Assuming a blockchain will never have to hard fork is denying reality. Bugs will happen, new features will be needed, and lack of adaptability to market conditions will eventually kill any company, product, or cryptocurrency.
The decision to hard fork should be baked into the consensus process prior to any fork occurring. If consensus is reached that a fork should occur, then all nodes that do not have the code for the fork should shutdown by consensus.
Stated another way, the only way to “revive” a fork such as Ethereum Classic would be to implement a true fork and require everyone to update their code.
Ethereum Classic is an example of a Fork that should never have existed. If the Ethereum blockchain had a true consensus process in place for deciding when to fork and when to die then the entire market could rest assured they are on the right fork.
Instead decisions about which fork to adopt are handled outside of blockchain consensus and therefore chaotic in nature. Failure to provide a governance structure will lead to market chaos, uncertainty, and situations like Ethereum Classic.
Recovering from Hacks
Attempting to prevent hacks is a nobel, but futile effort. Hacks are instant, and permanent. Even with advanced multi-sig accounts, such as those supposedly used by Bitfinex, are unable to prevent the instantaneous loss of millions of dollars of cryptocurrency.
The problem is that you do not know you have been hacked until it is too late to fix it or recover. Hackers can slowly gather keys over time and then wait until the perfect moment to strike.
The strength of a system is not measured by how thick and impenetrable the skin is, but by its ability to heal quickly after being cut. Bitcoin, Ethereum, and most other blockchains have no system in place for healing.
Every Steem account is associated with a recovery account. The recovery account can be any other user on the system who knows you by some means other than your public key. In the event that your account is stolen, the recovery account combined with your old public key has the ability to restore the account to its rightful owner.
This is not just multi-sig. Multi-sig is a fixed set of signers who must cosign a transaction. The Steem recovery process considers any key used in the past 30 days to be one party to the recovery. An attacker can change the owner keys as much as they want, it will not prevent the recovery.
Your recovery account has no power over your account without one of your recent keys and it is not needed until after you are hacked. This is very different from any multi-sig solution currently on the market.
There are only two people who can recover an account, the attacker or the legitimate owner. So long as the recovery agent does full KYC prior to recovering the account no hacker will attempt to recover. In fact, there is no reason for the hacker to attempt recovery because they are already in control of the "current keys" which means they get the account by default after 30 days.
Time locked Funds
The key to security is time. It is impossible to know that your keys have been compromised until someone else signs something with them. By the time they sign, it is too late.
Imagine if there was a 24 hour delay during which your transfer could be recovered with the help of your recovery agent. With such a system in place a hacker would have to divulge the hack by using your keys, but would be powerless to prevent you from recovering your account and canceling the transfer.
If the hacker managed to compromise both you and your recovery agent, then the recovery agent would go to their recovery agent first, then recover you. This process could continue indefinitely so long as everyone could recover within the allotted time. The probability of a hacker compromising all of those accounts at the same time is vanishingly small.
All of these things require time with the ability to cancel. Without time delay hacks are impossible to detect until after they irreversible. Banks have known this for a long time. They implement daily withdraw limits, 24 to 72 hour pending periods, etc.
The vast majority of cryptocurrency wealth needs to be locked behind similar protections. The only funds that should exist as liquid “cash” are those which are needed immediately and which the holder of said funds can afford to lose.
Steem Solves these Problems
95% of all Steem value is subject to time release, all accounts can be recovered so long as you have any owner key used in the past 30 days and the signature of your recovery agent. All transactions implement TaPoS which prevents replay, and the decision to hard fork is built into the consensus protocol itself. Any nodes that don’t know the details of the hard-fork will automatically shutdown at the consensus defined time.
If Bitcoin and Ethereum implemented these features then Coinbase wouldn’t be suffering from Replay, Bitfinex would be able to recover their funds, and either Ethereum or Ethereum Classic would not exist.
These features make everyone more secure, and isn’t that the whole point of Cryptocurrencies in the first place? What good is a cryptocurrency that is statistically less secure than the funds in your bank? It is time for a change.
Crypto currencies are supposed to offers us two things: security and freedom. security by using decentrelised blockchains and freedom by offering us instant payment all over the world. If we lose these advantages then the hole point of crypto is nonsense. Bitcoin and Etherum would have been more stable and secure if they followed to implement the features given above. Steem did it the right way and this is why I believe in the Steem technology.
Thank you for your time sharing this @dantheman
I think the bank analogy makes more sense when applied to the exchanges, not the Bitcon protocol itself. It's up to these services to implement the sort of security features Steem uses, and make sure they use cold storage which can't be accessed through hacking them. The hard fork issue is a direct fault of the protocol, however.
That's why Steemit is brilliant. It places the safe bank-like protocols within the cryptocurrency, so that an exchange may not even be needed.
()
I believe in Steem, and I think Crypto is something more then money, it is the new type of social organization:
https://steemit.com/blockchain/@soomrack/bitcoin-blockchain-steem-middlesociety-and-math-management
nice post, @dantheman
upvote done
Steem Power is one of the safest places to be right now and it's time to invest some marketing effort into showing that. Too much effort goes into attracting bloggers and not enough to promote Steem Power. Now that Bitcoin is going down and probably will keep being suppressed by 100,000+ Bitcoins, it's only a matter of showing traders where the safe place is.
Why do you say that? What's so safe about being unable to protect your value? (Honest question not an attack)
Yeah but it is completely illiquid, the same as buying a house. It may be safe (unless the market crashes), but will take a year to sell.
But if you could get an immediate loan based on the amount of SP you have, that would change things :)
Same goes for Steem Dollars (SBD) !!!
All I'm seeing is the value of my steem power going down everyday and I need to buy 10x more steem power before I can cash out over a period of years, safe as houses my fat arse.
Your steem power might stop going down if you don't use the FLAG to down vote people's post for dumb reasons. If it is plagiarism, or posting stuff that should be NSFW without a warning so it is in your fast in the list of posts I could see a FLAG which essentially REPORT this post... yet my reputation dropped from 7 to 5 this morning and I went to see apparently it is because you decided to flag one of my old posts that was neither offensive, violent, NSFW, was original, etc.
So is your goal for me to reciprocate and those that I know or are you interested in REMOVING your flag? I don't mind you flagging me because there is reason. Disagreement is not a reason to USE the flag, thus the reason it is nowhere NEAR the rest of the voting mechanism.
If you are using that for DISAGREE then that is likely why your steem power and reputation go down. People are not going to up vote someone who does that.
https://steemit.com/steemit/@dwinblood/not-a-ponzi-scheme-seems-like-a-new-paradigm-up-votes-regardless-of-topic-help-us-all
You apparently just flagged that...
BTW - check this out.. I made it for people like you:
https://steemit.com/steemit/@dwinblood/siren-song-for-the-down-voter-if-you-think-the-down-vote-flag-is-a-solution-i-made-this-for-you
I'll await for your reply for a bit, and I would like to see the flag removed. If it is going to stay there I'd like to know why.
I use the flag as if it were a downvote like you get in real sites. The reason the value of my steam power is going down (note: I'm talking dollar value not the amount of power, that goes up) is because this site is a scam, an obvious scam and I shall continue to downvote all articles I find encouraging people to invest money here. I am shocked how deeply in denial some people get about this, the devs are taking .most of the money out of the system and everything is rigged so that people that make a fuss about it don't get heard. I read your rather patronising article but you missed my point entirely, like I said it's not the amount of steam power that goes down, it's the value and the time it takes to power down will mean it is worthless to me and will be in two years time. WAKE UP!
Was at nesting limit so had to respond to same thing. The site is only a scam for people that refuse to open their eyes and see the difference. If you continue to try to use it like you would a "real site" then yeah you're going to have a problem. Turns out I don't care about your down vote it didn't actually do anything to me, they had updated the codebase and I hadn't refreshed the page. I did not go from 7 to 5 due to your flag. It was a kneejerk reaction and I started looking at who down voted me. It turns out I went from 7 to 56. The reputation system protects people from people like you. If people don't like how you are talking, and such they won't stop you, but you're obstinate view of reality at least won't impact them much. So carry on.
If the site owners are running off with the money people are investing (they are BTW), it's a scam. Changing my attitude ain't going to stop it. Kinda funny that you imply that I am the deluded one. One hell of a lot of people besides me see this for what it is why can't you see the obvious? The voting system is rigged, the devs are taking 80% of the money people are investing, there is no source of income apart from that, site rules are deceptive and vague authors get about one tenth of the payout they were expecting etc, etc etc, so how is this not a scam?
This is a good point. The one exchange that hasn't really had problems is BTC-E, which is also the oldest. And that is because they automatically freeze an account for 2 days when you attempt to change passwords or emails. And that has been sufficient time for people discover they've been compromised and contact support to retrieve their accounts. I don't know why other exchanges don't follow the same practice when it is clearly so protective and beneficial.
2FA is safe too, if I'm not mistaken.
One thing I've never understood is this...
I learned about the hack from others, and immediately took action, and changed my keys.
My old key (even if it was not compromised) is no longer needed by me.
My worry is that the hacker, now has 30 days to use my old key to recover my account without me constantly realizing it.
My guess is that if it happens, I could also use my new key to recover the account again?
So for 30 days, I have to sit here, wondering if the hacker is going to use the recovery method to recover my old key, so they could xfer funds.
Dan? Any advice? Thanks.
I think this part is the important part: "and the signature of your recovery agent"
So my recovery agent is currently the @steem account itself?
He would have to pass our ID checks which means he would have to hack your reddit or facebook account. If he did do that, then we would up the level of KYC on your account. Posting a quality introduce yourself post with photos is a good way to help secure your account.
The Ethereum Classic mess was entirely avoidable. It was driven by FUD and greed.
I hope this post gets out to the crypto world. While I'm not an expert on the matter, the solutions Steem has employed do seem logical.
These hacks, exploits and chaos needs to stop, or cyptocurrency will never be adopted by the mainstream.
Yep the Ethereum clasic could have been prevented. I blame complacency as well as greed. Steem solves a lot of these issues.
Is this "reversible transactions" thing turned on for everyone, or is it strictly opt-in? And does that go the full 30 days? How deeply will that recurse? Rewinding an entire subtree of transactions sounds rather expensive... Not to mention it screws over anyone who received the stolen funds as payment.
I think you misunderstood the nature of the solution.
Any transaction that was reversible would not show up in someones account until it could be spent. Thus, payment is never "received" until it is irreversible. Both parties know "payment is on the way".
I read every word, and agree 100%
An upvote for the whale!!!
Seriously, good post.
"The decision to hard fork should be baked into the consensus process prior to any fork occurring. If consensus is reached that a fork should occur, then all nodes that do not have the code for the fork should shutdown by consensus."
I dont even have anywhere near your experience in this field and wondered why this was allowed to happen. It simply had to be considered, but why was the threat dismissed?
Thanks for the post, and helping all of us understand that steemit is much more than just a crypto-reddit publishing platform.
Seriously good stuff.
One of the best articles I have read on this subject. Very well worded, and I totally agree with you @dantheman It is absolutely time for a change!