Author Topic: INPUT NEEDED from Shareholders and Proxies: Potential Security Bug found  (Read 3052 times)


Offline cube


> Yes cube, I'm slowly gaining in my understanding. It's a rather complex issue with several aspects. I'm not seeing much participation in the poll threads, and I suspect one reason for that is many others are also having difficulty understanding the big picture and all the related moving parts.

I suspected most users do not quite understand the issue at hand, hence the low turn-out.  Thanks for the questions.  They help in getting other users to understand better.
ID: bitcube
bitcube is a dedicated witness and committee member. Please vote for bitcube.

Offline Thom

> > Why can't things stay exactly as they are now and roll out the change to fix the bug? Why introduce a new account?
> >
> > Is it that much of a risk? And, how does creating a new account (committee-trade) fix the problem? Wouldn't ALL multisig accounts be impacted by this bug?
> >
> > If this is as serious a bug as it sounds to be, please be very specific about how you're proposing to fix it. I don't understand the role of the new committee-trade account, or why it doesn't suffer from the same bug.
>
> I think puppies addressed your question here - https://bitsharestalk.org/index.php/topic,21218.0.html
> and xeroc addressed your concerns here - https://bitsharestalk.org/index.php/topic,21348.msg278207.html#msg278207.

Yes cube, I'm slowly gaining in my understanding. It's a rather complex issue with several aspects. I'm not seeing much participation in the poll threads, and I suspect one reason for that is many others are also having difficulty understanding the big picture and all the related moving parts.
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline xeroc

> > > @xeroc.  How would you create a proposal to update an account, but require the owner permission of that account?  Is there a way to set required permissions with propose builder transaction2?
>
> > it's not possible. the required authorities are derived from the requirements of the transaction and those of the affected accounts .. and if you have account_ids in your authority, then those active keys are also allowed to approve
>
> Okay.  So you are saying that the proposal I created to adjust the active authorities of the committee-trade account would have passed if 51% of the committee had voted for it?  1.2.0 didn't show as a required authority.  Would the individual accounts that make up the committee have been able to add their approval to the proposal?  If the majority of the committee by stake had added their approval, would that have transferred to the proposal?
>
> Alternately couldn't the active authority of the account prevent the owner authority from making any changes by using the proposal delete operation?  Can a proposal be deleted while it's under review?  There are a number of experiments I would like to do.  Please let me know if you would be open to trying some of them on your testnet.

Yes. Committee could have voted as well.

Anyone can add an approval to any proposal. It will just only make sense if your account is either active or owner authority.

Committee-account has owner rights and could do anything they want to this account .. in this case they need 50%+1 consensus.

Good point about removing a proposal and the review period. Note that the committee-trade account does not need a preview time. It could be set to 0.

The cool thing is .. once there is enough approval, the operations will be executed no matter the expiration .. the owner can thus propose and approve within 3 seconds and do what he likes with the account
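
The approval rule discussed in this exchange (an authority can list accounts as well as keys, and a listed account counts once its own active authority is met) can be modelled as follows. This is an added example, not code from the thread or from BitShares; the account names, weights, thresholds and the recursion limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Authority:
    threshold: int
    key_auths: dict = field(default_factory=dict)      # key name -> weight
    account_auths: dict = field(default_factory=dict)  # account name -> weight

@dataclass
class Account:
    owner: Authority
    active: Authority

def satisfied(auth, approvals, accounts, depth=0, max_depth=2):
    """True if the approving keys reach the authority's weight threshold."""
    weight = sum(w for key, w in auth.key_auths.items() if key in approvals)
    if depth < max_depth:  # assumed recursion limit for this model
        for name, w in auth.account_auths.items():
            # A listed account counts when its own *active* authority is met,
            # so that account's active keys can approve on its behalf.
            if satisfied(accounts[name].active, approvals, accounts,
                         depth + 1, max_depth):
                weight += w
    return weight >= auth.threshold

def may_change_active(target, approvals, accounts):
    """Model assumption: active or owner authority may change the active authority."""
    acct = accounts[target]
    return (satisfied(acct.active, approvals, accounts)
            or satisfied(acct.owner, approvals, accounts))

# Constructed sample data: names, weights and thresholds are illustrative only.
MEMBERS = [f"member{i}" for i in range(1, 6)]
ACCOUNTS = {
    m: Account(owner=Authority(1, {f"key{i}": 1}),
               active=Authority(1, {f"key{i}": 1}))
    for i, m in enumerate(MEMBERS, start=1)
}
# Committee account: a majority (3 of 5) of member accounts, equal weights here.
majority = Authority(3, account_auths={m: 1 for m in MEMBERS})
ACCOUNTS["committee"] = Account(owner=majority, active=majority)
# Trading account: owner is the committee account, active is 3 of 4 trader keys.
ACCOUNTS["trade"] = Account(
    owner=Authority(1, account_auths={"committee": 1}),
    active=Authority(3, {f"trader{i}": 1 for i in range(1, 5)}))

if __name__ == "__main__":
    print(may_change_active("trade", {"key1", "key2", "key3"}, ACCOUNTS))
```

In this model three member keys satisfy the trading account's owner authority through the committee account, while all four trader keys together still cannot.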

Offline puppies

> > @xeroc.  How would you create a proposal to update an account, but require the owner permission of that account?  Is there a way to set required permissions with propose builder transaction2?
>
> it's not possible. the required authorities are derived from the requirements of the transaction and those of the affected accounts .. and if you have account_ids in your authority, then those active keys are also allowed to approve

Okay.  So you are saying that the proposal I created to adjust the active authorities of the committee-trade account would have passed if 51% of the committee had voted for it?  1.2.0 didn't show as a required authority.  Would the individual accounts that make up the committee have been able to add their approval to the proposal?  If the majority of the committee by stake had added their approval, would that have transferred to the proposal?

Alternately couldn't the active authority of the account prevent the owner authority from making any changes by using the proposal delete operation?  Can a proposal be deleted while it's under review?  There are a number of experiments I would like to do.  Please let me know if you would be open to trying some of them on your testnet.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline xeroc

> @xeroc.  How would you create a proposal to update an account, but require the owner permission of that account?  Is there a way to set required permissions with propose builder transaction2?

it's not possible. the required authorities are derived from the requirements of the transaction and those of the affected accounts .. and if you have account_ids in your authority, then those active keys are also allowed to approve

Offline cube

> Why can't things stay exactly as they are now and roll out the change to fix the bug? Why introduce a new account?
>
> Is it that much of a risk? And, how does creating a new account (committee-trade) fix the problem? Wouldn't ALL multisig accounts be impacted by this bug?
>
> If this is as serious a bug as it sounds to be, please be very specific about how you're proposing to fix it. I don't understand the role of the new committee-trade account, or why it doesn't suffer from the same bug.

I think puppies addressed your question here - https://bitsharestalk.org/index.php/topic,21218.0.html
and xeroc addressed your concerns here - https://bitsharestalk.org/index.php/topic,21348.msg278207.html#msg278207.

Offline Thom

Why can't things stay exactly as they are now and roll out the change to fix the bug? Why introduce a new account?

Is it that much of a risk? And, how does creating a new account (committee-trade) fix the problem? Wouldn't ALL multisig accounts be impacted by this bug?

If this is as serious a bug as it sounds to be, please be very specific about how you're proposing to fix it. I don't understand the role of the new committee-trade account, or why it doesn't suffer from the same bug.

Offline puppies

@xeroc.  How would you create a proposal to  update an account, but require the owner permission of that account?  Is there a way to set required permissions with propose builder transaction2?

Offline pc

IMO that bug introduces only a minor risk factor. It is more important to have a practical way to deal with the committee funds.

Take action, please.
Bitcoin - Perspektive oder Risiko? ISBN 978-3-8442-6568-2 http://bitcoin.quisquis.de

Offline xeroc

> "It does however
>
> 1) increase the chance that the account can be stolen.

Not correct. The owner key has ultimate control over an account and the
issue only concerns the active authority.
Even if someone managed to access the active authority (by stealing 3
out of four keys), all the attacker can do is to take the funds and
change the active authority. The latter can be reverted by the owner (in
this case the committee-account)

> 2) It effectively removes the ability of the committee to add or remove
> active authorizations (ie other committee members) to the account.  This
> instead needs to be done by the existing active authorities until this
> bug is fixed. "

Need to check on this ..
It should certainly not be the case!

Offline cube

The committee is about to transfer the bitassets collected by the fee pool to a separate account called committee-trade to sell them for bts.

However, we met a potential security bug and require your input to a poll here - https://bitsharestalk.org/index.php/topic,21348.msg277523.html#msg277523

A summary of the points:

"This bug does not increase the risk of having these funds stolen while they are being traded.  This would require that of bhuz, bitcube, abit, xeroc, and myself three of us colluded together to steal these funds."

"It does however

1) increase the chance that the account can be stolen. 
2) It effectively removes the ability of the committee to add or remove active authorizations (ie other committee members) to the account.  This instead needs to be done by the existing active authorities until this bug is fixed. "

ps: I am posting a new thread here because of a low turn out so far.  Please let us know your view soon.
« Last Edit: February 10, 2016, 12:07:14 pm by cube »