Nxt Rollback & Bitshares - Just an Idea for Consideration

[lucky331]

do what Nxt did and keep the integrity of the project intact.

If you promise that you will play CobaltSkky 


[edit] I doubt it but if somebody is not aware, here is a good summary : http://www.enterstageright.com/archive/articles/0814/cryptocurrpbterjob.htm

haha!  yeah, she is AWESOME! 

[Empirical1]

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

However I think DPOS is a consensus model that should be able provide a mechanism for coming to tough decisions like this and the broadstrokes in the option outlined by BM is something I approve of personally.

If the majority of shareholders felt really strongly about a certain action there would be a hard fork anyway so might as well formalise some process imo.

if it is possible to implement via a hard fork and there are cases where people would choose to hard fork, then perhaps we should formalize the process and prevent the hardfork and overall disruption.

 

[AdamBLevine]

I'm in favor of a hard-line no do-overs stance.  Any "except in the event of" just makes that the action anyone who wants a rollback must cause to occur.  Any "When the people filling these roles think it is appropriate" will result in those people and their replacements the people who must be convinced however to make it happen.

If the rules are there are no rollbacks, than for better or worse you'll have eliminated several major attack vectors you'll otherwise have.

[yellowecho]

Delegates could freeze any balance (as long as 51% decide this). They could just ignore blocks with transactions from selected addresses and not include such transactions in produced blocks.

So I see the procedure like this:
1 An extreme case arises
2 A delegate proposes action and starts a vote (If no delegate is willing to start a vote => the case is not that extreme)
3 24 hours (or more?) period for delegate voting
4 If a decision is made (with 50%+1 votes) all delegates should comply (note that this cannot be enforced).

I strongly believe no transfers should be allowed by this method. Funds should be only frozen/burned.

I don't hate that.  I was thinking transfered funds could be used for insurance in the event where shorts can't cover but we could just not burn bitAssets for that.  Burning stolen funds by 51% consensus works for me.

[emski]

Delegates could freeze any balance (as long as 51% decide this). They could just ignore blocks with transactions from selected addresses and not include such transactions in produced blocks.
However if the delegates disagree there will be forks and/or slower blocks production rate.
What would be beneficial for the system is a mechanism for 51% of delegates to enforce rules on the others - like freezing funds. However I doubt this is possible because you cant force a delegate to include or exclude specific transaction(s).

So currently the decision lies on delegate consensus (and who becomes delegate is shareholders' responsibility). I think any interventions should be avoided.
However a delegate voting system should exist for most extreme cases AND if a decision is made (50% + 1 delegates vote for/against) all delegates should comply (by convention).

So I see the procedure like this:
1 An extreme case arises
2 A delegate proposes action and starts a vote (If no delegate is willing to start a vote => the case is not that extreme)
3 24 hours (or more?) period for delegate voting
4 If a decision is made (with 50%+1 votes) all delegates should comply (note that this cannot be enforced).

I strongly believe no transfers should be allowed by this method. Funds should be only frozen/burned.

[carpet ride]

Thinking outloud here.  We need to just move away from centralized exchanges, then would there perhaps end up being two or three prominent decentralized exchanges?  Thefts will of course happen but not from the exchanges if they are decentralized...  Think BitBtsX ...

[luckybit]

I think multisig and personal responsibility solve these problems about as well as they're likely to be solved.  Give people relatively user friendly tools for security, and make sure they know that it's their responsibility and no one else is likely to bail them out if they mess up.

Creating or advertising additional convoluted ways to "steal back" stolen funds just increases the number of attack vectors to include more social engineering attacks exploiting the anti-theft mechanisms.  I generally expect the human element to be the the most vulnerable aspect of most systems already, and this makes it worse.

Suppose they didn't mess up and the government just takes their digital property by legal force?
It's actually not that hard to see this event occurring and there isn't really any way for most people to defend against it

Multisig might be the one way but how?

[Agent86]

Also - Is it even possible to trace funds if the thief creates a 2nd wallet.

Owner -> thief wallet #1 -> thief wallet #2 ?  Can we even detect that because of TITAN or is it necessary to do a full rollback ?

Yes, you can still trace funds; Titan just prevents you from knowing the account name that the specific address is associated with.  Even if inputs were combined you could still determine what portion of an unspent output was fraudulent funds.

[Troglodactyl]

I think multisig and personal responsibility solve these problems about as well as they're likely to be solved.  Give people relatively user friendly tools for security, and make sure they know that it's their responsibility and no one else is likely to bail them out if they mess up.

Creating or advertising additional convoluted ways to "steal back" stolen funds just increases the number of attack vectors to include more social engineering attacks exploiting the anti-theft mechanisms.  I generally expect the human element to be the the most vulnerable aspect of most systems already, and this makes it worse.

[luckybit]

Hmmm... this might be a dumb idea but...

What if there was a process in place where users could vote to burn stolen BTSX or automatically transfer stolen BTSX to an insurance account?  If 51% consensus is reached, the registered account could be flagged and any BTSX sent from the account would be automatically redirected into the insurance fund.  In the event that the flagged account tries to distribute the stolen funds to other accounts, the other accounts could also flagged and fined based on the transaction amount.

I was thinking of something similar. For example if funds are stolen then these are burned as dividends or keep them in an insurance account.

But you cannot flag the account and the accounts that the stolen funds are redirected since the thief can start sending funds to everyone in order to further mess up with all the accounts and we end up hurting ourselves.

I am not in favor of a rollback either. what if in the meantime I make a huge deal with someone in bitusd and then we have a rollback and the other party realises that the deal he has done is not in his favor? we will  lose credibility in case of rollback and no serious business is going to accept this if there is this possibility of an "undo" button.. I think NXT got really away because they didn't do the rollback. I believe that if they had done so they would in vericoin's position now.

I don't understand very much how these things work, but in case of a theft and if there is very good proof that this is actually a theft and delegates vote 70% that this is a theft can't we just freeze these money completely and decide later how to proceed? i.e could be burned as dividends, could be sent to a charity, could be used as insurance fund, or we just find the hacker and make him return the funds?

Very good arguments against a rollback.
It has changed my opinion. I'm now not in favor of a rollback because it could damage the currency features of certain BitAssets.

I think in the case of BitUSD a rollback could be very bad. At the same time it's likely at some point a hard fork is going to be necessary so how best to handle it smoothly with the least damage?

What to do in the situation of government confiscation of Bitshares? If governments confiscate 51% then we'd have to roll back.

I think as a way to distinguish our community from NXT it will be in our competitive advantage to decide against rollback functionality. If a time comes where we need it then we could just do it as a hard fork (in the case where governments confiscate Bitshares in an attempt to own it).

Suppose governments did start confiscating Bitshares? If the network could vote to burn the shares that would be a way out of it. But I don't really favor giving the network that kind of power. It's too dangerous.

Again it might not even be in our best interest to discuss this right now.

[gamey]

Also - Is it even possible to trace funds if the thief creates a 2nd wallet.

Owner -> thief wallet #1 -> thief wallet #2 ?  Can we even detect that because of TITAN or is it necessary to do a full rollback ?

[gamey]

I think if you are going to attempt to proactively address the issue then a "frozen funds account" would be best.  An account where funds can be frozen by 51% majority and unfrozen later.  People complain all day about this being abused, but it can always be done by 51% regardless of whether it is proactively supported.

This ... together with the 5% inactivity fee sounds extremly selfish .. wouldn't advice to do so

THe idea would be that the unfrozen funds would go back to their rightful owner.  They are frozen only long enough to ascertain what happened and make a decision as fair as possible.  It isn't meant for the network to keep.

A lot of you people tend to expect the best out of people.  I tend to expect the worst.  I am not happy with bailouts and so forth, but we are  protecting people who want to put a reasonable amount of funds on an exchange to trade and increase liquidity.  We are protecting them from the exchange (fake hacks) and hackers.  I am not exactly happy with having such a capability, because I understand the downsides as well as the rest, but the reality is a hardfork can't be stopped from happening in theory.  If nothing is done proactively, it is unlikely a patch would be made in time that didn't increase headaches exponentially.  If you have the capability in the code proactively then collateral damage is minimized while severely incentivizing people to go elsewhere to rip people off.

Anyway, at the end of the day I don't care that much as I see the other side to this argument and don't really disagree.  I just think that people should seriously consider supporting such functionality for the longterm health and happiness of the currency's users.

[liondani]

Step 5)  The amount in question must be greater than X% of the shares, and the fee should be very high.

so the attacker would steal x% of shares minus -1 BTSX



PS Which one will decide that an event is in fact a steal before we take action!!! (?)
     Do we wait a court before we decide about "stealed" BTSXs? Can me anybody give proofs that it was a steal?
     What if somebody "steal" from "himself"? What if somebody pretends a steal? How can anybody proove a steal is taking place?
     What if I am just a "crazy" exchange owner and I give the passwords to my girlfriend to steal me?
     It remembers me how people are stealing all the time the insurance companys... (don't ask me why...)

     NO ROLLBACK! NO ACTION! It will harm more than it will do good...

[Agent86]

My preference is something along the lines of this: https://bitsharestalk.org/index.php?topic=5504

I would actually go further than my original conservative proposal.  I would say for any funds transferred out of your account you have up to a week to permanently freeze the funds.

People need to understand the concept of "seasoned" funds.  It is critical that you cannot participate in any internal BitShares market (such as buying and selling BitUSD) unless your funds have been seasoned for one week.  You must have kept the balance without moving it for one week before you can use it to participate in the market to buy/sell assets.

There is really no reason for anyone to permanently freeze funds that left their account unless it is a legit fraudulent transaction.  Also people can protect themselves by demanding seasoned funds when doing business with people they don't know well or for large sums of money.

As far as what to do with "permanently" frozen funds... I think this is really a secondary issue and can be addressed in many ways that take advantage of community consensus.

The most important thing is to give people the power to freeze fraudulent funds.  DO NOT let people participate in the internal marketplace without seasoned funds.  And educate exchanges on the concept of seasoned funds.  This will be a BIG deterrent to hackers and fraudsters.

[tonyk]

do what Nxt did and keep the integrity of the project intact.

If you promise that you will play CobaltSkky 


[edit] I doubt it but if somebody is not aware, here is a good summary : http://www.enterstageright.com/archive/articles/0814/cryptocurrpbterjob.htm