Nxt Rollback & Bitshares - Just an Idea for Consideration

[Myshadow]

Any exemption is an invitation to use that exemption, and it will get wider over time as the people who built the system stop being the ones who make these decisions and it becomes about "what are you going to give me right now" since there are people (and not too many) who have the power to do this stuff.

Exactly this. Again, the road to hell is paved with good intentions and people over a long enough period are short sighted and opportunistic.

I agree, there are no hard and fast rules in a democratic system. Due to the very nature of democracy they're constantly changing over time... Given enough time there are no rules.

I guess the same can be said for consensus systems to a degree... When these systems become mainstream there's a distinct possibility that the majority could vote to burn or freeze a large stake because "inequality" when there are severe economic issues and the media paints a specific demographic, in this case the large stake that has been targeted as being responsible.

The Delegates will inevitably be public figures and if they want to maintain their status they'll do what the public wants or they'll be voted out and delegates who do will be elected.

This is one of the problems we're seeing with society now, Crowd wisdom is an oxymoron if i've ever heard one.

For the reasons  stated by Adam and Riverhead among many others, i'm going with no rollbacks ever. Allowing anything to be decided by majority consensus on a arbitrary and case by case basis puts the entire system at risk.

Insurance DAC sounds like an infinitely better solution. If people are worried about theft of funds, then get insurance.

[Riverhead]

I still like the idea of an insurance DAC. Have a high deductible like 25% of lost assets. The issue of insurance fraud is then a factor but it is also in the non crypto insurance industry and they manage to survive. The revenue model would look a lot like a regular insurance company with the exception that the delegates WOULD play an active role in voting/approving claims. Such an active role would be far less damaging than having delegates vote on a rollback of the primary asset. The abstraction layer preserves the integrity of the blockchain.

[xeroc]

Rather than focusing on an internal process for mitigation, we could (and probably should) just establish standard minimum security requirements for all exchanges that trade BTSX (x% cold storage, two-factor authentication, etc).

further we need multi-sig ...

I also think it's up to the users (exchanges included) to prevent theft .. same thing as if I hold gold or USD at home .. just that btsx are easier to be stored securely IMHO

[yellowecho]

I think may of the ideas presented so far have merit but the longer its discussed the more clear it is to me that simply saying 'no rollbacks' is probably best as it has the least moral hazard.

Rather than focusing on an internal process for mitigation, we could (and probably should) just establish standard minimum security requirements for all exchanges that trade BTSX (x% cold storage, two-factor authentication, etc).
 

There needs to be a notification system, maybe by email, so delegates know there is a time sensitive vote coming up..

A notification system could likely be installed in the client relatively easy I'd imagine; however, with .p2p approaching we may see KeyMail having a strong role in the ecosystem.

[Riverhead]

Any exemption is an invitation to use that exemption, and it will get wider over time as the people who built the system stop being the ones who make these decisions and it becomes about "what are you going to give me right now" since there are people (and not too many) who have the power to do this stuff.

Exactly this. Again, the road to hell is paved with good intentions and people over a long enough period are short sighted and opportunistic.

[merockstar]

any kind of hard fork to right any kind of wrong completely undermines the legitimacy of the currency.

if nxt really did fork and roll back i'll be selling what little is left of mine today.

this kind of thing creates a dangerous precedent that will discourage future adopters from jumping in.  we do not want this to be the status quo.

I am 100% adverse to any action that reverses a transaction without the current holder's consent.


should circle be able to reverse IOUs that they issue the way banks can reverse charges today? sure.

if somebody literally manages to get a hold of all your paper dollars that's irreversible- and that's part of the reason people trust dollars.

and there's the possibility of somebody working on an insurance DAC. that's what thats for.

[AdamBLevine]

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually.  If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (Because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". 

The rules need to be the rules, if you create conditions under which the rules and history itself can be re-written you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid.  If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups and profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

What about in the scenario of police confiscation? Could the network agree to burn in this instance?

One way to do it would be if the previous owner elects to enable the network to burn in the instanced of confiscation. Currently technology doesn't allow proof of event or a sure way to confirm police confiscation.

But in the case that it did happen then the original owner gains nothing by electing to give the network the power to burn his stash.

In the end though it's too complicated to be worrying about this right now. It creates unnecessary confusion. It's like trying to have a dynamically generated digital constitution when we don't even have a fully functioning static digital constitution.

For today let the rules be the rules because that is what works best. If the black swan event occurs then we can react to it then and it will not be so difficult to discuss and decide what to do. If governments confiscated over 51% of Bitshares it's pretty obvious to me that there would be a rollback.

Just like if the Bitcoin community discovered that the government somehow owned most of it's coins they would have to do something if mining/Proof of Work cannot generate new coins. They rely on Proof of Work to allow themselves to have static rules. The FBI can confiscate a lot of coins and even be the largest address but because new coins are always being created it's not like the FBI could ever get 51% of the hashing power even if they had 51% of the coins.

Proof of Stake is different. If the government got 51% of the stake then DPoS would be owned by the government. In that instance we might want to hit the panic button if we saw that kind of takeover attempt.

Hard rule of no rewrites has least moral hazard.


Sent from my iPhone using Tapatalk

The only black swan event which I could think of to justify burning a stash is a scenario where governments around the world start raiding and confiscating in unison. At that point it would be clear that it's an attempt to own Bitshares.

But even with these attacks the people who have escaped from confiscation along with the delegates can fight back. I think this black swan event is actually very likely to happen because it has happened with Bitcoin.

There shouldn't be rewrites but it might be possible to invalidate and burn a stash. The problem is to build this in right now creates risks and there is no evidence of the black swan event just yet. It could be that enough governments embrace it that its seen as just another technology, we just don't know yet.

I absolutely do not think letting the network intervene to burn a balance is acceptable.  Even the example you're giving where the "police" confiscate a balance, you want the one condition under which it would be OK to be the one where someone has done something illegal and the legal jurisdiction they're in catches them, confiscates their funds and then the network says "Oh the police!  Quick, burn that guys money!"

I phrase it like that because the idea that the guy who is being investigated by the police goes to the delegates and says "QUICK! BURN THE MONEY BEFORE THE COPS GET IT!" is insane on its face.

Further, if we can use it for that whats to stop a "whale" who gets robbed from going to the delegates asking the rules to change because they've been such a big supporter for so long. 

Any exemption is an invitation to use that exemption, and it will get wider over time as the people who built the system stop being the ones who make these decisions and it becomes about "what are you going to give me right now" since there are people (and not too many) who have the power to do this stuff.

[Riverhead]

24 hour response time from majority of delegates may prove unrealistic.

Why so? Their duty is to secure the network and be reachable .. that's what they get paid for ..
it's not like mining where you can through your miners at a pool and keep doing whatever comes.

as a delegate you have responsibility!

 

It's conceivable that fees earned through being a delegate could provide a decent secondary income. I can understand the "set it and forget it" mining type mentality now. The network is young and has very few transactions. Once it grows to the point of each block containing thousands of transactions a delegate will need to maintain a good infrastructure with contingency plans as well as being active in the community.

The delegates we have now are largely crypto-geeks (yes, I include myself in that proudly  ) and semi-retired miners. Once the money starts rolling in the delegate proposition will become more attractive to larger players.

IMHO of course.

[bitcoinerS]

4) Must happen quickly, ie: not effect balances over 24 hours old.

24 hour response time from majority of delegates may prove unrealistic.

Delegates have responsibility and they should make sure they can react. Behind delegates are real people. They should be reachable - phone, email, IM etc.

There needs to be a notification system, maybe by email, so delegates know there is a time sensitive vote coming up..

[xeroc]

24 hour response time from majority of delegates may prove unrealistic.

Why so? Their duty is to secure the network and be reachable .. that's what they get paid for ..
it's not like mining where you can through your miners at a pool and keep doing whatever comes.

as a delegate you have responsibility!

[oldman]

The point of making it "hard" to do is that it means it is less likely to happen.   People need to know that it is "hard" so they can trust the system. 

In my original idea I probably didn't make it clear enough that:

1) Only a delegate could make the proposal
2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders
3) Majority of delegates must approve
4) Must happen quickly, ie: not effect balances over 24 hours old.

A hard fork costs a network millions and those millions will be paid if it will save the network 10's of millions.   

The presence of such an automated system means that the network can "capture" the millions a hard-fork would have caused. 

Because the fee is so expensive, no one would dare cry wolf or use this option lightly.
Because the fee is non-refundable even if the delegates vote "no" then it is not likely to be paid unless there is already support/consensus.

But perhaps most importantly, the fact that a procedure exists means that suggestions to hard-fork to bypass the pre-established procedure will be roundly rejected. 

I think you have to view these thinks like pressurized systems, if you don't provide a release valve then they can explode under heat. 

I think that the community should establish some very sound guidelines prior to the event that server to minimize moral hazard:

1) An exchange that didn't use cold storage... is ineligible
2) Failure to use multi-sig...
3) .... 

All of that said, with BitUSD there is almost no reason to keep your funds on exchanges any more.  So perhaps a VERY HARD policy on this would be best.

BM's proposal has merit; a hard-coded anti-theft/seizure protocol would make the platform more attractive to investors and provide a measure of protection to delegates and other stakeholders.

Eligibility criteria/rules such as suggested above, while necessary, are subject to corruption when the consensus seeking mechanism is voluntary (ie. democratic decay into cronyism via voter apathy).

I would suggest the only way to adequately mitigate the moral hazard created by a rollback protocol is to implement a mandatory voting mechanism. The protocol would look something like this:

1. Theft/seizure incident

2. Eligibility test

3. Delegate rollback proposal w/fee

4. Rollback proposal pushed through client

5. Users must vote before completing next transaction

If voter participation is mandatory:

- Delegates will not propose rollbacks unless they are in the best interest of the community, otherwise they risk getting fired

- Delegates will not propose rollbacks unless they are compliant with the eligibility criteria, otherwise they risk getting fired

- The potential for gaming the protocol through cronyism/apathy is reduced


Handling of the rollback assets is another issue:

Burning dilutes the individual profit motive but introduces a moral hazard for the voting body, as the value of the voter's assets will necessarily increase from the burn.

So it may come to pass that delegates, who are likely to be large stakeholders in a given asset class, will contrive to have assets seized/stolen that they may be burned and thereby made more valuable.

The rollback fee may mitigate this effect somewhat, but may also serve to motivate fraud on a larger scale wherein the fee is simply a cost of doing business (ie. banks laundering money for drug cartels and paying fines that are small in relation to overall profit).

Too many contrived burns would cause mass devaluation through loss of confidence, broken pegs, etc. The same holds true if rollback assets are retained (seized?) by the bank rather than burned.

A true rollback, ie. return of assets, combined with a large fee and mandatory voting would seem to present the least profit motive and consequently the least moral hazard.

Someone gaming the system would have to incur a great deal of effort and expense to simply return the system to a prior state.

However, as previously mentioned, there is theft/rollback/theft/rollback loop that may cause delegates to permit the theft rather than pay recurring rollback fees. In this scenario it might be cheaper to let the theft occur than attempt to correct it multiple times (this is also true for burns - there will be a large threshold where allowing the theft/seizure is cheaper than correcting it).

The final option would be to direct rollback assets outside of the system to a third party, with the obvious choice being charities or similar organizations.

The fatal flaw with third party distributions is achieving consensus as to allocations, particularly as the Bitshares platform is global.

Gaming/conflicts of interest also become problematic.


TL;DR: Implement a rollback protocol with concise criteria, create a mandatory voting mechanism and burn rollback assets.

[emski]

2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders

Would it not incentivize delegates to vote no and keep $1m in fees?

They get the fees anyway.

[emski]

4) Must happen quickly, ie: not effect balances over 24 hours old.

24 hour response time from majority of delegates may prove unrealistic.

Delegates have responsibility and they should make sure they can react. Behind delegates are real people. They should be reachable - phone, email, IM etc.

[bitcoinerS]

2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders

Would it not incentivize delegates to vote no and keep $1m in fees?

4) Must happen quickly, ie: not effect balances over 24 hours old.

24 hour response time from majority of delegates may prove unrealistic.

[Riverhead]

The point of making it "hard" to do is that it means it is less likely to happen.   People need to know that it is "hard" so they can trust the system. 

In my original idea I probably didn't make it clear enough that:

1) Only a delegate could make the proposal
2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders
3) Majority of delegates must approve
4) Must happen quickly, ie: not effect balances over 24 hours old.

But perhaps most importantly, the fact that a procedure exists means that suggestions to hard-fork to bypass the pre-established procedure will be roundly rejected. 

Didn't follow this bit...do you mean that since a procedure exists that someone wanting to fork differently would then have two things to convince the community of? 1) Fork 2) Fork in a different way than the established one vs just to fork or not to fork.

Backing off from my hard stance (there may have been beer involved  ) I can see a "pressure release valve" IF and ONLY IF it came at tremendous cost. What better minds than mine need to think about is a way to implement said valve without rewriting history.


So the challenge becomes:
1) Make theft unattractive (unprofitable)
2) Attain 1) without forking with the chain.

[mf-tzo]

i think that 5 years from now I will either completely lose my investment in bitshares x either BM will get the Nobel price! I think  option 2 is more likely.

hink you have to view these thinks like pressurized systems, if you don't provide a release valve then they can explode under heat. 

Well said...Is it possible somehow the system to identify suspicious transactions and block the funds for some time? for example when the whole market cap is $20 mil if a transaction that is more than 5% of the market cap is not processed within seconds but rather takes 1 day to clear?

[bytemaster]

The point of making it "hard" to do is that it means it is less likely to happen.   People need to know that it is "hard" so they can trust the system. 

In my original idea I probably didn't make it clear enough that:

1) Only a delegate could make the proposal
2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders
3) Majority of delegates must approve
4) Must happen quickly, ie: not effect balances over 24 hours old.

A hard fork costs a network millions and those millions will be paid if it will save the network 10's of millions.   

The presence of such an automated system means that the network can "capture" the millions a hard-fork would have caused. 

Because the fee is so expensive, no one would dare cry wolf or use this option lightly.
Because the fee is non-refundable even if the delegates vote "no" then it is not likely to be paid unless there is already support/consensus.

But perhaps most importantly, the fact that a procedure exists means that suggestions to hard-fork to bypass the pre-established procedure will be roundly rejected. 

I think you have to view these thinks like pressurized systems, if you don't provide a release valve then they can explode under heat. 

I think that the community should establish some very sound guidelines prior to the event that server to minimize moral hazard:

1) An exchange that didn't use cold storage... is ineligible
2) Failure to use multi-sig...
3) .... 

All of that said, with BitUSD there is almost no reason to keep your funds on exchanges any more.  So perhaps a VERY HARD policy on this would be best. 

[yellowecho]

Hard rule of no rewrites has least moral hazard.

After further thought, I think this is the best choice.  Multi-sig might be the way to go

[gamey]

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually.  If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (Because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". 

The rules need to be the rules, if you create conditions under which the rules and history itself can be re-written you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid.  If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups and profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

We don't have to reward too big to fail. We could tax bter or burn all of it. I just don't want the hacker walking round with 50 million he can dump on the share price at any time.

You would want to tax them.  It would align the incentives in a superior way. 

At the end of the day, it will still be up to the delegates what they wish to do.  So our arguments on this board are largely superfluous.  The question is, should someone put in a mechanism to do this cleanly so it can maximize harm reduction ?  Or is it bad to make it "easy" to do, (while still requiring a majority, it could even be a large majority).

The beauty of all this is that even if the delegates went against the community consensus in some weird scenario, the community could fork around them. 

[bytemaster]

Then as soon as the hard rule is formalized, some south African cartel kidnaps the ByteMaster and demands that half of all bit shares be sent to a certain address, within 12 hours, or they terminate him.

Lets not give anyone any ideas.

[Brent.Allsop]

Dang, I'm trying to get my head around all these great ideas, and trying to monitor if there is any consensus forming.  Many people have summarized there view, but it's hard to merge any of these summaries together to see how many people agree.

I guess I'm spoiled, because that is what we get at Canonizer.com.  There are lots of good ideas being thrown out there, which lots of people seem to be agreeing with, and there is a lot of stuff that seems like trash to me,  but I might just be not fully understanding what some are saying.  If there was some measure of real consensus, so all the best ideas could rise to the top, so we could easily ignore all the bad ideas being thrown out there, like we get at Canonizer.com, that would sure help.

Wouldn't it be great to have a concise description and survey of all the best possible solutions being proposed in a consensus building way, and a quantitative measure of how many people thought each of the possibilities was important?  How many people are there, really that are for absolutely no hard forks or no hard rollbacks, under any conditions?  How many people think differently, how is this changing, over time, why?

It seems like a consensus is forming around a hard rule for never any roll backs.  So let's say we formalized that, and all the delegates indicate they are 100% for that, and will never authorize a roll back.

Then as soon as the hard rule is formalized, some south African cartel kidnaps the ByteMaster and demands that half of all bit shares be sent to a certain address, within 12 hours, or they terminate him.

The bottom line is, dumb hard and fast rules are what bureaucracy is all about.  If millions of -people can find a way to work, dynamically, instantly, in an amplified wisdom of the crowd, we can know 90% of the holders will buy into this action, in an instant, we will be able to face, intelligently adapt to, and out compete any threat, or any competitor.

[Riverhead]

My views on this are pretty straight forward. Basically the road to hell is paved with good intentions.

Some basic tenants of my stance:

1) A blockchain is first and foremost a ledger. It is an immutable record of transaction that happened (just or unjust). We shouldn't play time traveler with the ledger.

2) For lack of a more elegant way to state it: people over a long enough period of time suck.

That said other precautions can be taken in the event of what happened with NXT.  Thefts happen. There going to keep happening. What is up to us to figure out is how to mitigate the financial damages to those stolen from. This is what insurance is for.

So far not a single theft has been the fault of the protocol itself, certainly not in the case of NXT. Therefore if people want to protect themselves from such events they can start an insurance DAC, be more proactive about how they secure their wealth, etc.

Bottom line: The A in DAC stands for Autonomous for a reason. People basically suck over a long enough period of time. Good intentions are abused by bad actors.

No roll backs. Ever. We are not time travelers.

You still haven't addressed the scenario of governments being the thief. They have confiscated people's gold in the past so it is very possible.

Suppose your government confiscated your stash of Bitshares using legal force? Is there anything you or the protocol could do?

If an entity compels someone with a gun to their head (metaphorical or otherwise) there isn't much you can do about it from software. Also, how the community would vote on such a situation is, again, human. Would you be willing to roll back the blockchain in the event of Silk Road's BTC confiscation?  Why or why not? The whole point of an autonomous system is that it removes that judgement call.


In this particular scenario I am compelled to turn over my stash by an agency in power. The "people in charge" decide to roll back the blockchain and I get my funds back. I get raided again and am compelled to release all my funds. Rinse and repeat.

[luckybit]

My views on this are pretty straight forward. Basically the road to hell is paved with good intentions.

Some basic tenants of my stance:

1) A blockchain is first and foremost a ledger. It is an immutable record of transaction that happened (just or unjust). We shouldn't play time traveler with the ledger.

2) For lack of a more elegant way to state it: people over a long enough period of time suck.

That said other precautions can be taken in the event of what happened with NXT.  Thefts happen. There going to keep happening. What is up to us to figure out is how to mitigate the financial damages to those stolen from. This is what insurance is for.

So far not a single theft has been the fault of the protocol itself, certainly not in the case of NXT. Therefore if people want to protect themselves from such events they can start an insurance DAC, be more proactive about how they secure their wealth, etc.

Bottom line: The A in DAC stands for Autonomous for a reason. People basically suck over a long enough period of time. Good intentions are abused by bad actors.

No roll backs. Ever. We are not time travelers.

You still haven't addressed the scenario of governments being the thief. They have confiscated people's gold in the past so it is very possible.

Suppose your government confiscated your stash of Bitshares using legal force? Is there anything you or the protocol could do?

[Empirical1]

What about snapshotting with the rollback enabled and airdropping us identical shares on a new blockchain.

[Riverhead]

My views on this are pretty straight forward. Basically the road to hell is paved with good intentions.

Some basic tenants of my stance:

1) A blockchain is first and foremost a ledger. It is an immutable record of transaction that happened (just or unjust). We shouldn't play time traveler with the ledger.

2) For lack of a more elegant way to state it: people over a long enough period of time suck.

That said other precautions can be taken in the event of what happened with NXT.  Thefts happen. They going to keep happening. What is up to us to figure out is how to mitigate the financial damages to those stolen from. This is what insurance is for.

So far not a single theft has been the fault of the protocol itself, certainly not in the case of NXT. Therefore if people want to protect themselves from such events they can start an insurance DAC, be more proactive about how they secure their wealth, etc.

Bottom line: The A in DAC stands for Autonomous for a reason. People basically suck over a long enough period of time. Good intentions are abused by bad actors.

No roll backs. Ever. We are not time travelers.
 

[Empirical1]

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually.  If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (Because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". 

The rules need to be the rules, if you create conditions under which the rules and history itself can be re-written you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid.  If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups and profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

We don't have to reward too big to fail. We could tax bter or burn all of it. I just don't want the hacker walking round with 50 million he can dump on the share price at any time.

[Tuck Fheman]

I'm for no rollback or no "reorganization" of the blockchain in such circumstances.

[luckybit]

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually.  If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (Because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". 

The rules need to be the rules, if you create conditions under which the rules and history itself can be re-written you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid.  If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups and profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

What about in the scenario of police confiscation? Could the network agree to burn in this instance?

One way to do it would be if the previous owner elects to enable the network to burn in the instanced of confiscation. Currently technology doesn't allow proof of event or a sure way to confirm police confiscation.

But in the case that it did happen then the original owner gains nothing by electing to give the network the power to burn his stash.

In the end though it's too complicated to be worrying about this right now. It creates unnecessary confusion. It's like trying to have a dynamically generated digital constitution when we don't even have a fully functioning static digital constitution.

For today let the rules be the rules because that is what works best. If the black swan event occurs then we can react to it then and it will not be so difficult to discuss and decide what to do. If governments confiscated over 51% of Bitshares it's pretty obvious to me that there would be a rollback.

Just like if the Bitcoin community discovered that the government somehow owned most of it's coins they would have to do something if mining/Proof of Work cannot generate new coins. They rely on Proof of Work to allow themselves to have static rules. The FBI can confiscate a lot of coins and even be the largest address but because new coins are always being created it's not like the FBI could ever get 51% of the hashing power even if they had 51% of the coins.

Proof of Stake is different. If the government got 51% of the stake then DPoS would be owned by the government. In that instance we might want to hit the panic button if we saw that kind of takeover attempt.

Hard rule of no rewrites has least moral hazard.


Sent from my iPhone using Tapatalk

The only black swan event which I could think of to justify burning a stash is a scenario where governments around the world start raiding and confiscating in unison. At that point it would be clear that it's an attempt to own Bitshares.

But even with these attacks the people who have escaped from confiscation along with the delegates can fight back. I think this black swan event is actually very likely to happen because it has happened with Bitcoin.

There shouldn't be rewrites but it might be possible to invalidate and burn a stash. The problem is to build this in right now creates risks and there is no evidence of the black swan event just yet. It could be that enough governments embrace it that its seen as just another technology, we just don't know yet.

[bytemaster]

Hard rule of no rewrites has least moral hazard.


Sent from my iPhone using Tapatalk

[AdamBLevine]

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually.  If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (Because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". 

The rules need to be the rules, if you create conditions under which the rules and history itself can be re-written you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid.  If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups and profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

[lucky331]

do what Nxt did and keep the integrity of the project intact.

If you promise that you will play CobaltSkky 


[edit] I doubt it but if somebody is not aware, here is a good summary : http://www.enterstageright.com/archive/articles/0814/cryptocurrpbterjob.htm

haha!  yeah, she is AWESOME! 

[Empirical1]

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

However I think DPOS is a consensus model that should be able provide a mechanism for coming to tough decisions like this and the broadstrokes in the option outlined by BM is something I approve of personally.

If the majority of shareholders felt really strongly about a certain action there would be a hard fork anyway so might as well formalise some process imo.

if it is possible to implement via a hard fork and there are cases where people would choose to hard fork, then perhaps we should formalize the process and prevent the hardfork and overall disruption.

 

[AdamBLevine]

I'm in favor of a hard-line no do-overs stance.  Any "except in the event of" just makes that the action anyone who wants a rollback must cause to occur.  Any "When the people filling these roles think it is appropriate" will result in those people and their replacements the people who must be convinced however to make it happen.

If the rules are there are no rollbacks, than for better or worse you'll have eliminated several major attack vectors you'll otherwise have.

[yellowecho]

Delegates could freeze any balance (as long as 51% decide this). They could just ignore blocks with transactions from selected addresses and not include such transactions in produced blocks.

So I see the procedure like this:
1 An extreme case arises
2 A delegate proposes action and starts a vote (If no delegate is willing to start a vote => the case is not that extreme)
3 24 hours (or more?) period for delegate voting
4 If a decision is made (with 50%+1 votes) all delegates should comply (note that this cannot be enforced).

I strongly believe no transfers should be allowed by this method. Funds should be only frozen/burned.

I don't hate that.  I was thinking transfered funds could be used for insurance in the event where shorts can't cover but we could just not burn bitAssets for that.  Burning stolen funds by 51% consensus works for me.

[emski]

Delegates could freeze any balance (as long as 51% decide this). They could just ignore blocks with transactions from selected addresses and not include such transactions in produced blocks.
However if the delegates disagree there will be forks and/or slower blocks production rate.
What would be beneficial for the system is a mechanism for 51% of delegates to enforce rules on the others - like freezing funds. However I doubt this is possible because you cant force a delegate to include or exclude specific transaction(s).

So currently the decision lies on delegate consensus (and who becomes delegate is shareholders' responsibility). I think any interventions should be avoided.
However a delegate voting system should exist for most extreme cases AND if a decision is made (50% + 1 delegates vote for/against) all delegates should comply (by convention).

So I see the procedure like this:
1 An extreme case arises
2 A delegate proposes action and starts a vote (If no delegate is willing to start a vote => the case is not that extreme)
3 24 hours (or more?) period for delegate voting
4 If a decision is made (with 50%+1 votes) all delegates should comply (note that this cannot be enforced).

I strongly believe no transfers should be allowed by this method. Funds should be only frozen/burned.

[carpet ride]

Thinking outloud here.  We need to just move away from centralized exchanges, then would there perhaps end up being two or three prominent decentralized exchanges?  Thefts will of course happen but not from the exchanges if they are decentralized...  Think BitBtsX ...

[luckybit]

I think multisig and personal responsibility solve these problems about as well as they're likely to be solved.  Give people relatively user friendly tools for security, and make sure they know that it's their responsibility and no one else is likely to bail them out if they mess up.

Creating or advertising additional convoluted ways to "steal back" stolen funds just increases the number of attack vectors to include more social engineering attacks exploiting the anti-theft mechanisms.  I generally expect the human element to be the the most vulnerable aspect of most systems already, and this makes it worse.

Suppose they didn't mess up and the government just takes their digital property by legal force?
It's actually not that hard to see this event occurring and there isn't really any way for most people to defend against it

Multisig might be the one way but how?

[Agent86]

Also - Is it even possible to trace funds if the thief creates a 2nd wallet.

Owner -> thief wallet #1 -> thief wallet #2 ?  Can we even detect that because of TITAN or is it necessary to do a full rollback ?

Yes, you can still trace funds; Titan just prevents you from knowing the account name that the specific address is associated with.  Even if inputs were combined you could still determine what portion of an unspent output was fraudulent funds.

[Troglodactyl]

I think multisig and personal responsibility solve these problems about as well as they're likely to be solved.  Give people relatively user friendly tools for security, and make sure they know that it's their responsibility and no one else is likely to bail them out if they mess up.

Creating or advertising additional convoluted ways to "steal back" stolen funds just increases the number of attack vectors to include more social engineering attacks exploiting the anti-theft mechanisms.  I generally expect the human element to be the the most vulnerable aspect of most systems already, and this makes it worse.

[luckybit]

Hmmm... this might be a dumb idea but...

What if there was a process in place where users could vote to burn stolen BTSX or automatically transfer stolen BTSX to an insurance account?  If 51% consensus is reached, the registered account could be flagged and any BTSX sent from the account would be automatically redirected into the insurance fund.  In the event that the flagged account tries to distribute the stolen funds to other accounts, the other accounts could also flagged and fined based on the transaction amount.

I was thinking of something similar. For example if funds are stolen then these are burned as dividends or keep them in an insurance account.

But you cannot flag the account and the accounts that the stolen funds are redirected since the thief can start sending funds to everyone in order to further mess up with all the accounts and we end up hurting ourselves.

I am not in favor of a rollback either. what if in the meantime I make a huge deal with someone in bitusd and then we have a rollback and the other party realises that the deal he has done is not in his favor? we will  lose credibility in case of rollback and no serious business is going to accept this if there is this possibility of an "undo" button.. I think NXT got really away because they didn't do the rollback. I believe that if they had done so they would in vericoin's position now.

I don't understand very much how these things work, but in case of a theft and if there is very good proof that this is actually a theft and delegates vote 70% that this is a theft can't we just freeze these money completely and decide later how to proceed? i.e could be burned as dividends, could be sent to a charity, could be used as insurance fund, or we just find the hacker and make him return the funds?

Very good arguments against a rollback.
It has changed my opinion. I'm now not in favor of a rollback because it could damage the currency features of certain BitAssets.

I think in the case of BitUSD a rollback could be very bad. At the same time it's likely at some point a hard fork is going to be necessary so how best to handle it smoothly with the least damage?

What to do in the situation of government confiscation of Bitshares? If governments confiscate 51% then we'd have to roll back.

I think as a way to distinguish our community from NXT it will be in our competitive advantage to decide against rollback functionality. If a time comes where we need it then we could just do it as a hard fork (in the case where governments confiscate Bitshares in an attempt to own it).

Suppose governments did start confiscating Bitshares? If the network could vote to burn the shares that would be a way out of it. But I don't really favor giving the network that kind of power. It's too dangerous.

Again it might not even be in our best interest to discuss this right now.

[gamey]

Also - Is it even possible to trace funds if the thief creates a 2nd wallet.

Owner -> thief wallet #1 -> thief wallet #2 ?  Can we even detect that because of TITAN or is it necessary to do a full rollback ?

[gamey]

I think if you are going to attempt to proactively address the issue then a "frozen funds account" would be best.  An account where funds can be frozen by 51% majority and unfrozen later.  People complain all day about this being abused, but it can always be done by 51% regardless of whether it is proactively supported.

This ... together with the 5% inactivity fee sounds extremly selfish .. wouldn't advice to do so

THe idea would be that the unfrozen funds would go back to their rightful owner.  They are frozen only long enough to ascertain what happened and make a decision as fair as possible.  It isn't meant for the network to keep.

A lot of you people tend to expect the best out of people.  I tend to expect the worst.  I am not happy with bailouts and so forth, but we are  protecting people who want to put a reasonable amount of funds on an exchange to trade and increase liquidity.  We are protecting them from the exchange (fake hacks) and hackers.  I am not exactly happy with having such a capability, because I understand the downsides as well as the rest, but the reality is a hardfork can't be stopped from happening in theory.  If nothing is done proactively, it is unlikely a patch would be made in time that didn't increase headaches exponentially.  If you have the capability in the code proactively then collateral damage is minimized while severely incentivizing people to go elsewhere to rip people off.

Anyway, at the end of the day I don't care that much as I see the other side to this argument and don't really disagree.  I just think that people should seriously consider supporting such functionality for the longterm health and happiness of the currency's users.

[liondani]

Step 5)  The amount in question must be greater than X% of the shares, and the fee should be very high.

so the attacker would steal x% of shares minus -1 BTSX



PS Which one will decide that an event is in fact a steal before we take action!!! (?)
     Do we wait a court before we decide about "stealed" BTSXs? Can me anybody give proofs that it was a steal?
     What if somebody "steal" from "himself"? What if somebody pretends a steal? How can anybody proove a steal is taking place?
     What if I am just a "crazy" exchange owner and I give the passwords to my girlfriend to steal me?
     It remembers me how people are stealing all the time the insurance companys... (don't ask me why...)

     NO ROLLBACK! NO ACTION! It will harm more than it will do good...

[Agent86]

My preference is something along the lines of this: https://bitsharestalk.org/index.php?topic=5504

I would actually go further than my original conservative proposal.  I would say for any funds transferred out of your account you have up to a week to permanently freeze the funds.

People need to understand the concept of "seasoned" funds.  It is critical that you cannot participate in any internal BitShares market (such as buying and selling BitUSD) unless your funds have been seasoned for one week.  You must have kept the balance without moving it for one week before you can use it to participate in the market to buy/sell assets.

There is really no reason for anyone to permanently freeze funds that left their account unless it is a legit fraudulent transaction.  Also people can protect themselves by demanding seasoned funds when doing business with people they don't know well or for large sums of money.

As far as what to do with "permanently" frozen funds... I think this is really a secondary issue and can be addressed in many ways that take advantage of community consensus.

The most important thing is to give people the power to freeze fraudulent funds.  DO NOT let people participate in the internal marketplace without seasoned funds.  And educate exchanges on the concept of seasoned funds.  This will be a BIG deterrent to hackers and fraudsters.

[tonyk]

do what Nxt did and keep the integrity of the project intact.

If you promise that you will play CobaltSkky 


[edit] I doubt it but if somebody is not aware, here is a good summary : http://www.enterstageright.com/archive/articles/0814/cryptocurrpbterjob.htm

[lucky331]

do what Nxt did and keep the integrity of the project intact.

[xeroc]

I think if you are going to attempt to proactively address the issue then a "frozen funds account" would be best.  An account where funds can be frozen by 51% majority and unfrozen later.  People complain all day about this being abused, but it can always be done by 51% regardless of whether it is proactively supported.

This ... together with the 5% inactivity fee sounds extremly selfish .. wouldn't advice to do so

[gamey]

I think if you are going to attempt to proactively address the issue then a "frozen funds account" would be best.  An account where funds can be frozen by 51% majority and unfrozen later.  People complain all day about this being abused, but it can always be done by 51% regardless of whether it is proactively supported.

It would be nice if you could just freeze all the funds from a certain transaction going forward.  Not addresses, but portions of the funds, etc.  So if I steal 100 btsx, and give 1 to 100 different addresses, well each of those new addresses will have 1 btsx frozen.

The problem with rollbacks is there is an opportunity for people not even directly involved.  I expect a rollback - I can take my funds, switch them over to BTC.  Now whoever bought my NXT gets screwed.  So a generic rollback invites abuse by sharp and dishonest parties.  It punishes smaller operations at the cost of the big guys.  This is definitely what we do not want.

[mf-tzo]

Hmmm... this might be a dumb idea but...

What if there was a process in place where users could vote to burn stolen BTSX or automatically transfer stolen BTSX to an insurance account?  If 51% consensus is reached, the registered account could be flagged and any BTSX sent from the account would be automatically redirected into the insurance fund.  In the event that the flagged account tries to distribute the stolen funds to other accounts, the other accounts could also flagged and fined based on the transaction amount.

I was thinking of something similar. For example if funds are stolen then these are burned as dividends or keep them in an insurance account.

But you cannot flag the account and the accounts that the stolen funds are redirected since the thief can start sending funds to everyone in order to further mess up with all the accounts and we end up hurting ourselves.

I am not in favor of a rollback either. what if in the meantime I make a huge deal with someone in bitusd and then we have a rollback and the other party realises that the deal he has done is not in his favor? we will  lose credibility in case of rollback and no serious business is going to accept this if there is this possibility of an "undo" button.. I think NXT got really away because they didn't do the rollback. I believe that if they had done so they would in vericoin's position now.

I don't understand very much how these things work, but in case of a theft and if there is very good proof that this is actually a theft and delegates vote 70% that this is a theft can't we just freeze these money completely and decide later how to proceed? i.e could be burned as dividends, could be sent to a charity, could be used as insurance fund, or we just find the hacker and make him return the funds?

[bitmarket]

ByteMaster with regards to your one click hardfork as a protection against delegate takeover, have you not effectively already created this?   I guess you are talking about the ability to add "Motions" to be voted on.

A motion could be "Do we want to hard fork to undo a theft"   Or a Motion could be, "Do we want to create new shares (diluting ours) and pay a Marketing company to Market the Chain?"   Or "Do we want to dilute our shares and pay Oprah 1 million shares for an endorsement?"

Is that were this eventually must get to?

[bitmarket]

Key is competition... there can be many competing BTSX chains... you can sell shares in one and move to another with smarter owners.

Maybe i am getting soft and mushy. I am trying to protect the fools from themselves.

[Brent.Allsop]

No matter what types of rules you set up, where there is a will, someone will find some new way to game the system.  What you need is a system that can improve and react, instantly, in an amplification of the wisdom of the crowd way, so things can constantly dramatically change and improve rapidly, handling all possible threats instantly, in a non bureaucratic leaderless way.  All this is possible with systems like that being developed at Canonizer.com.  With canonizer.com systems, millions of people can change dramatic directions on a dime, even faster than 24 hours, and you can be sure you have buy in by everyone. or know now, concisely and quantitatively how many people will leave, if you do, and so on.

[oldman]

No rollbacks.

The moral hazard is simply too great, particularly in the long term.

Having an 'undo' button will also encourage complacency.

Humans are by nature greedy and lazy... to pretend otherwise is inviting disaster.

Ie. current global banking complex.

Do it right.

[tonyk]

Now that my BTSX are safely out of bter.com....

I have NO IDEA which is the smaller of the 2 evils.

On that day if it was BTSX instead of NXT I know what I would have done. Be it wrong or right in the long run....

[bytemaster]

We have the power to elect Congressman and they have the power to bailout.   How did that work for us?

Key is competition... there can be many competing BTSX chains... you can sell shares in one and move to another with smarter owners.

You don't want any crypto to get to the size of the USD.

[gamey]

THis *really* needs to be discussed.  As far as we know, this was a test by bter to see what would happen. 

If an exchange sees that there will be no rollback, there is a huge incentive to take the bank and run.  This happens so often.  Rollbacks go against the idea of what cryptos are for and blockchains etc, but IMO it is really needed.  Yes, we need our own bailouts to protect users.

For bter.com a rollback protects users from a malicious exchange, even if it is put forward as a 'bailout' for the exchange.  In fact, it might not even be a bailout for an exchange, it could be something that hurts their plan. (fake hack)

If it is possible with Titan, there definitely should be a plan of action here.

[BldSwtTrs]

What would prevent a government to pay delegates to retrieve funds identified as tax evaders' possession?

Their is always the option to hard-fork if delegates are corrupted in such a manner.  Delegates can be voted out as well.  Also, the amount in question must be above a certain threshold before it can even be considered.  Ie: a government couldn't bribe delegates to go after the little guys.

Right now we are between people who understands that government are evil, but that's situation is temporary.

Let's suppose Bitshare is mass adopted, a delegate who comply with a western government query will not be perceived by the majority as corrupt, not more than a corporation is perceived as corrupt when it abides by the law of its country.

Historically people are voting to make taxes higher, there is no reason to assume that in a world where BitshareX is mass adopted their opinion regarding taxation will change.

If you implement this kind of tool within the system, people and government will use it.

PS: the treshold is not a security either, let's say it is 10%, if I am a politician who want to redistribute wealth, I can propose to take 10% of the XTS from the richer to give to the poorer.
 

[bitmarket]

We have the power to elect Congressman and they have the power to bailout.   How did that work for us?

Plus the cost of security is transferred from the ones who should pay to the innocents (cost of software updates). 

The too big to fails are not properly incentivized to have security, because they are likely to get bailed out.

Lets not start singing Kumbaya and get all soft and mushy now.   Because if we do, 200 years later the constitution of this great experiment will falter.

[yellowecho]

Hmmm... this might be a dumb idea but...

What if there was a process in place where users could vote to burn stolen BTSX or automatically transfer stolen BTSX to an insurance account?  If 51% consensus is reached, the registered account could be flagged and any BTSX sent from the account would be automatically redirected into the insurance fund.  In the event that the flagged account tries to distribute the stolen funds to other accounts, the other accounts could also flagged and fined based on the transaction amount.

[luckybit]

There comes a point in every crypto-currency's life where a major hack threatens the health of the system.   It is always possible for major stakeholders (miners) to hard-fork in order to correct the problem, but hard-forks are messy and ugly.

The options for a network are:

a) never reverse transactions, to hell with the share price
b) permit bailouts with consensus

If the BTSX on BTER had been stolen, what would we do?   It would certainly be within our power to reverse it with a single update pushed to the delegates.  It could potentially "fork" the network if the delegates disagreed with the process.

Given that forks are "difficulty but possible" it sets a certain threshold that must be reached before it would be considered.  I think that it may be best to recognize that sometimes a network needs to come to consensus about this stuff and design it in ahead of time so that there are no hard forks.   

Fortunately we have delegates and thus we can design a process something like this:

Step 1)  Pay a large fee to propose reallocating funds from a set of addresses to a new set of addresses.
Step 2)  Delegates have 48 hours to approve the reallocation during which time the funds are frozen.
Step 3)  Require 51% of the delegates to approve it.
Step 4)  Like the pay-rate, delegates can campaign on a platform of always voting NO and this campaign promise can be enforced.
Step 5)  The amount in question must be greater than X% of the shares, and the fee should be very high.

Potential Problems:
1) Someone could attempt to "bribe the delegates" by proposing a massive reallocation to the delegates as part of approving the process....
   a) someone could also do this to bribe miners, forgers, etc to mine on the fork

Bottom line is this:  if it is possible to implement via a hard fork and there are cases where people would choose to hard fork, then perhaps we should formalize the process and prevent the hardfork and overall disruption.   The mere presence of such recourse is likely to prevent many large thefts in the first place.

Thoughts?

Permit bailouts with consensus. Our network has delegates which we select so we have the power do to do it democratically. But it should require 70% yes vote to do it and it should be very limited in how far it can roll back. No more than 48 hours.

What if the nightmare scenarios happen where hackers or even governments confiscate our digital property?

I think it's something worth debating for a while. We should spend a few months debating the political consequences and find a way to do it in a way which makes it harder for property to be confiscated by Mallery or Gordon.

[bytemaster]

What would prevent a government to pay delegates to retrieve funds identified as tax evaders' possession?

Their is always the option to hard-fork if delegates are corrupted in such a manner.  Delegates can be voted out as well.  Also, the amount in question must be above a certain threshold before it can even be considered.  Ie: a government couldn't bribe delegates to go after the little guys. 

[bytemaster]

Wanted to ask the same question ever since the incident happened:

If the BTSX on BTER had been stolen, what would we do?

Would you have offered (the software for a fork) and would you have expressed opinion for/ against fork?

After all the rumor is NXT was as exposed, as probably BTSX and other coins on bter.

My opinion is that majority should decide so that the developers are not put in the position to answer this question

[Empirical1]

I have to think about this one.

At the time. Off the top of my head I thought we could take the the top 1-20 delegates and tell the even numbered ones to change their names to 'YES' and the odd numbered ones to change their name to 'NO' for 24/48 hours. Then shareholders add and remove approval as necessary. At the end of 24/48 hours you can see by how many YES's are in the top 10 or adding/re-calculationg their approval to determine which decision shareholders at that time support.

Difference between the two strategies being we would know how BTSX shareholders felt about that particular incident maybe. 

I'm sure there's probably lots of problems with this approach, one being people might be lazy to re-adjust their vote afterwards and delegates might be pushed down a few positions by being randomly assigned the unpopular decision
(2. Maybe the hacked funds could influence the approval levels unless we could block them from voting.) 

[BldSwtTrs]

What would prevent a government to pay delegates to retrieve funds identified as tax evaders' possession?

[thisisausername]

I don't see how not implementing the idea helps with the potential problems (delegates could be bribed to a different fork as is, no?)  I'd say go for it.

[speedy]

Difficult question, but after BitUSD launches, there will be less need to keep BTSX on the exchanges, so this is less of an issue.

[tonyk]

Wanted to ask the same question ever since the incident happened:

If the BTSX on BTER had been stolen, what would we do?

Would you have offered (the software for a fork) and would you have expressed opinion for/ against fork?

After all the rumor is NXT was as exposed, as probably BTSX and other coins on bter.

[bytemaster]

There comes a point in every crypto-currency's life where a major hack threatens the health of the system.   It is always possible for major stakeholders (miners) to hard-fork in order to correct the problem, but hard-forks are messy and ugly.

The options for a network are:

a) never reverse transactions, to hell with the share price
b) permit bailouts with consensus

If the BTSX on BTER had been stolen, what would we do?   It would certainly be within our power to reverse it with a single update pushed to the delegates.  It could potentially "fork" the network if the delegates disagreed with the process.

Given that forks are "difficulty but possible" it sets a certain threshold that must be reached before it would be considered.  I think that it may be best to recognize that sometimes a network needs to come to consensus about this stuff and design it in ahead of time so that there are no hard forks.   

Fortunately we have delegates and thus we can design a process something like this:

Step 1)  Pay a large fee to propose reallocating funds from a set of addresses to a new set of addresses.
Step 2)  Delegates have 48 hours to approve the reallocation during which time the funds are frozen.
Step 3)  Require 51% of the delegates to approve it.
Step 4)  Like the pay-rate, delegates can campaign on a platform of always voting NO and this campaign promise can be enforced.
Step 5)  The amount in question must be greater than X% of the shares, and the fee should be very high.

Potential Problems:
1) Someone could attempt to "bribe the delegates" by proposing a massive reallocation to the delegates as part of approving the process....
   a) someone could also do this to bribe miners, forgers, etc to mine on the fork

Bottom line is this:  if it is possible to implement via a hard fork and there are cases where people would choose to hard fork, then perhaps we should formalize the process and prevent the hardfork and overall disruption.   The mere presence of such recourse is likely to prevent many large thefts in the first place.

Thoughts?