Security, real decentralization, and anonymity are the complex yet extremely vital topics of the crypto world.  Last week, we have announced our support of BitShares Bug Bounty initiative. Apart from encouraging the security proposals and projects connected with the BitShares trading platform, we’re stepping forward with our own project.

BitShares User Security Project
"The idea of the proposal was born deep inside the team process of improving the BitShares security landscape.
After the recent phishing attack, we’ve spent a lot of time investigating the possibilities of eliminating the future attacks risk or making their consequences less dramatic for users.
Now it’s clear that the certain changes and new features must be implemented to improve the security of BitShares users. OpenLedger R&D department has enough expertise for performing the technical investigation and building specifications needed to deliver the security changes."

The OL team proposes to research and create a trusted open-source application to configure users’ account security and manage their private keys. The current proposal includes the research and analysis stage which is estimated to take a 2 months period.

Please feel free to read the details about the estimation, resources and other details of the proposal here.

Your feedback is important
OpenLedger team will appreciate any support of this project: your votes and spreading the word about the proposal make this project closer to its implementation.

What is more, we very much encourage the discussion and welcome any suggestions about the proposal to make sure this project is maximally helpful for the BitShares community. Please leave your thoughts and questions in the BitShares forum topic.

On February 2, 2017, OpenLedger ApS has launched a tokens offering for the Apptrade project, according to an ICO agreement between OpenLedger ApS and Apptrade.

Apptrade ICO results
The minimum amount of US$1 million was not raised. OpenLedger ApS continued the AppTrade offering by amending the offer to include a 50% bonus in APPX.WARRANT tokens in addition to 1 OBITS.WARRANT for every $1.00 in APPX.WARRANT purchased. This amended offer remained open until May 31, 2017.

Following these offerings, due to the fact that the minimum threshold has not been met, all the offering proceeds will be returned to the holders, according to the ICO agreement. All the offering activity related to APPX.WARRANT is deemed terminated.

APPX.WARRANT refund procedures
The record date and time for the refund calculation shall be 1:00 PM (GMT+2) on July 31, 2018, when all accounts holding APPX.WARRANT tokens will be credited with 1.0 BitUSD per 1,5 APPX.WARRANT token, and all APPX.WARRANT tokens will revert to OpenLedger ApS for cancellation (the tokens will be burned). From that point onward no APPX.WARRANT tokens will be in circulation and none will exist for exchange between any party.

No action is required from APPX.WARRANT holders. The calculated amount of BitUSD will be transferred to each applicable account without the need for any approval or confirmation by individual account holders.*


*APPX.WARRANT in orders [Important]
If you have some APPX.WARRANT in orders – be ready to get them back to your account before the refund date and time! APPX.WARRANT in orders will not be credited.

Note that OpenLedger will use its own funds to settle the APPX.WARRANT refund. Therefore, by accepting the funds from OpenLedger ApS, you agree to assign the funds in the escrow to OpenLedger ApS in lieu of payment from escrow.

Executive summary

After a recent phishing attack, the OpenLedger team has gone through a series of massive brainstorm sessions, aiming to come up with a solution, which makes further attacks impossible, much harder  or at least, that minimizes the impact of a potential attack. It has became obvious that these types of attacks will continue as more and more new businesses join the BitShares ecosystem and new faucets are launched. User security becomes a paramount focus for the community. Below is a list of the changes we would like to introduce to allow BitShares users to protect themselves and mitigate the risk and impact of phishing attacks or any other attacks that can cause private key loss.

Briefly, we propose the following changes:

• To minimize risk of both keys being stolen at the same time: Separate Active and Owner private keys, encourage their storage in different wallets (preferably on different devices).
• To minimize the impact of Active private key theft: Severely limit permissions for Active private key, while allowing to more fine-grained permissions control with Owner private key.
• To minimize the risk of transactions coming from unknown sources signed with your private key: Introduce new Device-Tagged transaction allowing users to identify and block transactions sent from an unauthorized device and implement multi-signature accounts, essentially moving to 2FA.
• To make keys and account management more secure and user-friendly: Create simple desktop and mobile applications that allow users to easily manage their accounts and private keys, create multi-signature accounts, sign transactions, enable auto-sign feature, and receive notifications for specific transactions.

Given the complexity, importance and potential impact of security for BitShares and for the community, it is difficult to have a complete solution for the features mentioned above without thorough brainstorming, research, analysis and design.

This worker is for funding the Analysis and Architecture phase to elaborate on the features mentioned above, and to describe and estimate specific and feasible security solutions that can be implemented later.

Total duration: 2 months, Aug 6 2018 - Oct 5, 2018.

Total cost: 49 080 bitUSD.

The Solution

Here is how we envisage the changes mentioned above at the high functional level.

Active vs Owner private keys: Separation of Duties

At this time, each account in BitShares is separated into:

• Owner Permission: This permission has administrative powers over the whole account and should be considered for ‘backup’ strategies.
• Active Permission: Allows to access funds and some account settings, but cannot change the owner or Active permission and is thus considered the ‘online’ permissions.

This is a great approach, but if both Owner and Active private keys are stored in the same pocket the user loses both keys if a successful phishing attack was done or the wallet was compromised.

We do believe that Owner and Active private keys must be stored in different wallets, preferably on different devices.

A User uses only the Active key for day-to-day operations, but when they need to manage their account, the Owner key should be used.

Hence, to minimize the impact of a successful phishing attack on a User’s regular account (if a user suspects that Active key is compromised), we suggest to limit the Active key permissions in the following way:

• Owner is able to suspend the account activity. This means that if a user suspects that Active key is compromised, they can suspend the account Active key and then any transaction signed with the compromised Active key will be blocked.
• Daily transfer limits can be set for each asset. So that a hacker who steals the Active key is not able to drain the account immediately.
• Limit the markets where Active key can place orders. So that a hacker can't sell the assets he got illegal access to for their fake assets (Markets whitelist)
• Specify accounts the user can transfer to. So that a hacker is not able to move funds to their own account (Accounts whitelist).

Each of these settings can be modified only with the Owner private key.

These changes will provide BitShares users with a set of powerful tools, allowing them to configure security settings of the account so that users' assets stay safe even after a successful hacker attack or a security breach.

Device-Tagged Transactions

Security and privacy are key requirements of any BitShares user. However, they often contradict each other. Being anonymous is good, but anonymity is something that gives bad guys more power. If your key has been stolen, the blockchain will accept transactions signed with this key. It does not matter if they were sent by you or by the hacker. You can configure your account so that two or more signatures are required for each transaction, but if you are an active trader and submit hundreds of transactions daily, this is not a realistic option. To help active traders to keep their funds safe we suggest implementing a new transaction type - device-tagged transaction.

Let's imagine that a user has a trading BitShares account with two Active keys. If a user submits a signed device-tagged transaction, then a witness node adds DeviceID to the transaction and records it in the blockchain. DeviceID is a hash of particular data that belongs to a particular device (e.g. hash of IP address, MAC or any other device-specific information). The key requirement here is that the DeviceID is unique for each device, but the device cannot be uncovered by this ID to protect privacy of the user. Now that the user has sent their device-tagged transaction to the blockchain, they can confirm this transaction on another device.  Moreover, once a user recognizes transaction or device, they can enable auto-sign, so that future transactions from this device are automatically signed and fulfilled.

This gives the user the ability to filter out any transactions coming from an unauthorized device, even if one of the Active private keys has been stolen. It’s a method that  allows a two-factor  authorization approach even if hundreds or thousands transactions are submitted by the account daily.

User-Friendly Accounts and Keys Management

As a typical non-technical BitShares user, you need a web, mobile or desktop application to interact with the blockchain. And the problem is that you have to trust the application provider. Besides, the current new user registration and account management approach is extremely non-user-friendly. This leads to users leaving BitShares for other exchanges.

We  suggest that a new open source application should be implemented, allowing users to:

• View and manage their wallets, accounts and private key in a very transparent and user-friendly manner: e.g. view wallets stored on this device, accounts and private keys in the wallets, their relationships and interdependence (e.g. accounts hierarchy or multi-signature accounts), generate and replace private keys, and set limits for Active keys.
• Sign or auto-sign transactions, with the ability to see and filter Device ID, if a device-tagged transaction has been generated.
• Notify users by listening to the blockchain, searching for specific transaction types (e.g. transactions signed by specific key) and sending out emails and displaying notifications.

The applications can be created as a browser plugin, desktop and mobile app, and users can use a particular application type depending on their needs and habits.

To register and trade, users will still need to use a proprietary or BitShares standard application, but they now will have the ability to use a trusted open source locally executed application to configure their account security and manage keys.

Even if a user registered and traded on a phishing site, they can still protect their funds  by replacing private keys or configuring multi-signature account in a separate trusted application. We hope that dealing with private keys in a stand-alone open-source application only will become a standard way for most users.

The Worker Proposal

Worker Scope

OpenLedger believes in a transparent and steady, step-by step development approach. Before we jump into major implementation project, we would like to perform detailed technical investigation, which will deliver clear and straightforward specifications and estimation of the new features and components to be implemented.  This worker is to fund this Analysis and Architecture phase only. As soon as the investigation for a particular feature is completed and specifications along with estimations are delivered to the community, new implementation workers will be submitted for public approval.

Work Approach and Costs

Immediately upon the approval of the worker, OpenLedger will allocate the resources listed below to perform the investigation and provide the deliverables. Reports outlining time spent and current progress to be published on bi-weekly basis. At this point, we estimate the Analysis and Research to take 2 months. Below is the resources and costs breakdown.


Worker daily pay: 3 885 BTS

Payment

We strongly believe in a bright future for BitShares, and this worker will make a great contribution to that. Therefore, we would like to be paid in BTS, BitShares core asset. Accepting BTS instead of bitUSD also allows us to not over-utilize daily workers budget by claiming more BTS than is needed to cover the current costs, leaving room for more workers to be executed simultaneously. In order to avoid over- and under-payment, we will settle the payment at the end of the worker using the current price of BTS in bitUSD. If, due to BTS rate fluctuations, more funds will be needed to complete the job, an additional worker will be created. If we need less effort or BTS rate increases, unspent BTS will be sent back to the reserve pool.

All payments will be vested for 1 month.

Openness for suggestions

Security is a complex but vital topic for BitShares and for blockchain technology. There has to be a way between tightening up security and staying anonymous, while keeping everything decentralized. We would like to open discussion and we particularly welcome suggestions and ideas about new security features and the best way to design a specific feature. 

Starting July 23, 2018, SKY, ATM, ESC, and XDRAC will no longer be tradeable on OpenLedger DEX.

To withdraw your funds from our decentralized trading platform, please create a support ticket.

For all the necessary details about the withdrawal procedure, visit https://openledger.freshdesk.com/support/solutions/articles/33000218596-what-to-do-if-coin-is-under-delisting-

Note: manual withdrawals will be available until August 23, 2018, inclusive. We won’t support the tokens after this date and you won’t be able to withdraw the coins.

OpenLedger поддерживает BitShares Bug Bounty Program


Больше информации в официальном блоге биржи

At the beginning of July, we have announced the AgentMile ICO campaign, where OpenLedger partners with AgentMile and serves as the advisor and the escrow provider on its initial coin offering.

AgentMile helps independent brokers, global brokerages, and landlords to list their commercial properties on the blockchain-powered MLS. Learn more about AgentMile here.

The presale round is the chance to get the best price, and it soon will be closed. Plan your ESTATE tokens purchase, make a deposit and join the ICO whitelist now!

AgentMile Referral Bonus
To endorse you for participating in the token sale, AgentMile runs a referral program. To learn more about this opportunity, click here.

As partners, we participate in the AgentMile Referral Program. You can use the OpenLedger referral link to sign up, buy the AgentMile ESTATE tokens and get an immediate 5% bonus for your purchase.

You might’ve already noticed that the look and feel of OpenLedger websites and products is changing. Today we’re sharing more details behind the rebranding.

Why rebrand OpenLedger
With time, the former OpenLedger design and numerous online assets became unfit for the reshaped company image, as well as the evolving products and services it is offering. That is why, the OpenLedger team initiated the process of rebranding, which covered virtually every part of our online presence.

The rebranding results are intended to show that OpenLedger has grown, evolved, added to its expertise and skills, and is now a trusted, innovative, seasoned company with its focus on blockchain technologies.

 Subscribe to it to keep abreast of latest news and updates about OpenLedger and its services, solutions, and products, including OpenLedger DEX. Latest company announcements can be also found at https://dex.openledger.io/news/.

All other channels will be closed from July 18, 2018.

The new channel will serve informational purposes only. For any technical questions, contact our support team at https://openledger.freshdesk.com/support/home.
Before submitting a ticket, please see our FAQ at https://dex.openledger.io/faq/