Author Topic: Nxt Rollback & Bitshares - Just an Idea for Consideration  (Read 11193 times)


Offline Myshadow

Any exemption is an invitation to use that exemption, and it will get wider over time as the people who built the system stop being the ones who make these decisions and it becomes about "what are you going to give me right now" since there are people (and not too many) who have the power to do this stuff.
Exactly this. Again, the road to hell is paved with good intentions and people over a long enough period are short sighted and opportunistic.

I agree, there are no hard and fast rules in a democratic system. Due to the very nature of democracy they're constantly changing over time... Given enough time there are no rules.

I guess the same can be said for consensus systems to a degree... When these systems become mainstream there's a distinct possibility that the majority could vote to burn or freeze a large stake because "inequality" when there are severe economic issues and the media paints a specific demographic, in this case the large stake that has been targeted as being responsible.

The Delegates will inevitably be public figures and if they want to maintain their status they'll do what the public wants or they'll be voted out and delegates who do will be elected.

This is one of the problems we're seeing with society now. Crowd wisdom is an oxymoron if I've ever heard one.

For the reasons stated by Adam and Riverhead among many others, I'm going with no rollbacks ever. Allowing anything to be decided by majority consensus on an arbitrary and case-by-case basis puts the entire system at risk.

Insurance DAC sounds like an infinitely better solution. If people are worried about theft of funds, then get insurance.

Offline Riverhead

I still like the idea of an insurance DAC. Have a high deductible like 25% of lost assets. The issue of insurance fraud is then a factor but it is also in the non crypto insurance industry and they manage to survive. The revenue model would look a lot like a regular insurance company with the exception that the delegates WOULD play an active role in voting/approving claims. Such an active role would be far less damaging than having delegates vote on a rollback of the primary asset. The abstraction layer preserves the integrity of the blockchain.


Offline xeroc

Rather than focusing on an internal process for mitigation, we could (and probably should) just establish standard minimum security requirements for all exchanges that trade BTSX (x% cold storage, two-factor authentication, etc).
+5%

further we need multi-sig ...

I also think it's up to the users (exchanges included) to prevent theft .. same thing as if I hold gold or USD at home .. just that btsx are easier to be stored securely IMHO

Offline yellowecho

I think many of the ideas presented so far have merit, but the longer it's discussed the more clear it is to me that simply saying 'no rollbacks' is probably best as it has the least moral hazard.

Rather than focusing on an internal process for mitigation, we could (and probably should) just establish standard minimum security requirements for all exchanges that trade BTSX (x% cold storage, two-factor authentication, etc).
 

There needs to be a notification system, maybe by email, so delegates know there is a time sensitive vote coming up..

A notification system could likely be installed in the client relatively easy I'd imagine; however, with .p2p approaching we may see KeyMail having a strong role in the ecosystem.
696c6f766562726f776e696573

Offline Riverhead

Any exemption is an invitation to use that exemption, and it will get wider over time as the people who built the system stop being the ones who make these decisions and it becomes about "what are you going to give me right now" since there are people (and not too many) who have the power to do this stuff.


Exactly this. Again, the road to hell is paved with good intentions and people over a long enough period are short sighted and opportunistic.

merockstar

any kind of hard fork to right any kind of wrong completely undermines the legitimacy of the currency.

if nxt really did fork and roll back i'll be selling what little is left of mine today.

this kind of thing creates a dangerous precedent that will discourage future adopters from jumping in.  we do not want this to be the status quo.

I am 100% averse to any action that reverses a transaction without the current holder's consent.


should circle be able to reverse IOUs that they issue the way banks can reverse charges today? sure.

if somebody literally manages to get a hold of all your paper dollars that's irreversible- and that's part of the reason people trust dollars.

and there's the possibility of somebody working on an insurance DAC. that's what that's for.
« Last Edit: August 19, 2014, 02:36:06 pm by merockstar »

Offline AdamBLevine

For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus.

In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually.  If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (Because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". 

The rules need to be the rules. If you create conditions under which the rules and history itself can be re-written, you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid. If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups can profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

What about in the scenario of police confiscation? Could the network agree to burn in this instance?

One way to do it would be if the previous owner elects to enable the network to burn in the instance of confiscation. Currently technology doesn't allow proof of event or a sure way to confirm police confiscation.

But in the case that it did happen then the original owner gains nothing by electing to give the network the power to burn his stash.

In the end though it's too complicated to be worrying about this right now. It creates unnecessary confusion. It's like trying to have a dynamically generated digital constitution when we don't even have a fully functioning static digital constitution.

For today let the rules be the rules because that is what works best. If the black swan event occurs then we can react to it then and it will not be so difficult to discuss and decide what to do. If governments confiscated over 51% of Bitshares it's pretty obvious to me that there would be a rollback.

Just like if the Bitcoin community discovered that the government somehow owned most of its coins they would have to do something if mining/Proof of Work cannot generate new coins. They rely on Proof of Work to allow themselves to have static rules. The FBI can confiscate a lot of coins and even be the largest address but because new coins are always being created it's not like the FBI could ever get 51% of the hashing power even if they had 51% of the coins.

Proof of Stake is different. If the government got 51% of the stake then DPoS would be owned by the government. In that instance we might want to hit the panic button if we saw that kind of takeover attempt.

Hard rule of no rewrites has least moral hazard.



The only black swan event which I could think of to justify burning a stash is a scenario where governments around the world start raiding and confiscating in unison. At that point it would be clear that it's an attempt to own Bitshares.

But even with these attacks the people who have escaped from confiscation along with the delegates can fight back. I think this black swan event is actually very likely to happen because it has happened with Bitcoin.

There shouldn't be rewrites but it might be possible to invalidate and burn a stash. The problem is to build this in right now creates risks and there is no evidence of the black swan event just yet. It could be that enough governments embrace it that it's seen as just another technology, we just don't know yet.

I absolutely do not think letting the network intervene to burn a balance is acceptable. Even the example you're giving where the "police" confiscate a balance, you want the one condition under which it would be OK to be the one where someone has done something illegal and the legal jurisdiction they're in catches them, confiscates their funds and then the network says "Oh the police! Quick, burn that guy's money!"

I phrase it like that because the idea that the guy who is being investigated by the police goes to the delegates and says "QUICK! BURN THE MONEY BEFORE THE COPS GET IT!" is insane on its face.

Further, if we can use it for that, what's to stop a "whale" who gets robbed from going to the delegates asking the rules to change because they've been such a big supporter for so long?

Any exemption is an invitation to use that exemption, and it will get wider over time as the people who built the system stop being the ones who make these decisions and it becomes about "what are you going to give me right now" since there are people (and not too many) who have the power to do this stuff.
« Last Edit: August 19, 2014, 02:16:04 pm by AdamBLevine »
Email me at adam@letstalkbitcoin.com

Offline Riverhead

24 hour response time from majority of delegates may prove unrealistic.
Why so? Their duty is to secure the network and be reachable .. that's what they get paid for ..
it's not like mining where you can throw your miners at a pool and keep doing whatever comes.

as a delegate you have responsibility!

 +5%

It's conceivable that fees earned through being a delegate could provide a decent secondary income. I can understand the "set it and forget it" mining type mentality now. The network is young and has very few transactions. Once it grows to the point of each block containing thousands of transactions a delegate will need to maintain a good infrastructure with contingency plans as well as being active in the community.

The delegates we have now are largely crypto-geeks (yes, I include myself in that proudly  :D ) and semi-retired miners. Once the money starts rolling in the delegate proposition will become more attractive to larger players.

IMHO of course.
« Last Edit: August 19, 2014, 12:52:08 pm by Riverhead »

Offline bitcoinerS



4) Must happen quickly, i.e., not affect balances over 24 hours old.


24 hour response time from majority of delegates may prove unrealistic.

Delegates have responsibility and they should make sure they can react. Behind delegates are real people. They should be reachable - phone, email, IM etc.

There needs to be a notification system, maybe by email, so delegates know there is a time sensitive vote coming up..
>>> approve bitcoiners

Offline xeroc

24 hour response time from majority of delegates may prove unrealistic.
Why so? Their duty is to secure the network and be reachable .. that's what they get paid for ..
it's not like mining where you can throw your miners at a pool and keep doing whatever comes.

as a delegate you have responsibility!

Offline oldman

The point of making it "hard" to do is that it means it is less likely to happen.   People need to know that it is "hard" so they can trust the system. 

In my original idea I probably didn't make it clear enough that:

1) Only a delegate could make the proposal
2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders
3) Majority of delegates must approve
4) Must happen quickly, i.e., not affect balances over 24 hours old.

A hard fork costs a network millions and those millions will be paid if it will save the network 10's of millions.   

The presence of such an automated system means that the network can "capture" the millions a hard-fork would have caused. 

Because the fee is so expensive, no one would dare cry wolf or use this option lightly.
Because the fee is non-refundable even if the delegates vote "no" then it is not likely to be paid unless there is already support/consensus.

But perhaps most importantly, the fact that a procedure exists means that suggestions to hard-fork to bypass the pre-established procedure will be roundly rejected. 

I think you have to view these things like pressurized systems, if you don't provide a release valve then they can explode under heat.

I think that the community should establish some very sound guidelines prior to the event that serve to minimize moral hazard:

1) An exchange that didn't use cold storage... is ineligible
2) Failure to use multi-sig...
3) .... 

All of that said, with BitUSD there is almost no reason to keep your funds on exchanges any more.  So perhaps a VERY HARD policy on this would be best.

BM's proposal has merit; a hard-coded anti-theft/seizure protocol would make the platform more attractive to investors and provide a measure of protection to delegates and other stakeholders.

Eligibility criteria/rules such as suggested above, while necessary, are subject to corruption when the consensus seeking mechanism is voluntary (ie. democratic decay into cronyism via voter apathy).

I would suggest the only way to adequately mitigate the moral hazard created by a rollback protocol is to implement a mandatory voting mechanism. The protocol would look something like this:

1. Theft/seizure incident

2. Eligibility test

3. Delegate rollback proposal w/fee

4. Rollback proposal pushed through client

5. Users must vote before completing next transaction

If voter participation is mandatory:

- Delegates will not propose rollbacks unless they are in the best interest of the community, otherwise they risk getting fired

- Delegates will not propose rollbacks unless they are compliant with the eligibility criteria, otherwise they risk getting fired

- The potential for gaming the protocol through cronyism/apathy is reduced


Handling of the rollback assets is another issue:

Burning dilutes the individual profit motive but introduces a moral hazard for the voting body, as the value of the voter's assets will necessarily increase from the burn.

So it may come to pass that delegates, who are likely to be large stakeholders in a given asset class, will contrive to have assets seized/stolen that they may be burned and thereby made more valuable.

The rollback fee may mitigate this effect somewhat, but may also serve to motivate fraud on a larger scale wherein the fee is simply a cost of doing business (ie. banks laundering money for drug cartels and paying fines that are small in relation to overall profit).

Too many contrived burns would cause mass devaluation through loss of confidence, broken pegs, etc. The same holds true if rollback assets are retained (seized?) by the bank rather than burned.

A true rollback, ie. return of assets, combined with a large fee and mandatory voting would seem to present the least profit motive and consequently the least moral hazard.

Someone gaming the system would have to incur a great deal of effort and expense to simply return the system to a prior state.

However, as previously mentioned, there is a theft/rollback/theft/rollback loop that may cause delegates to permit the theft rather than pay recurring rollback fees. In this scenario it might be cheaper to let the theft occur than attempt to correct it multiple times (this is also true for burns - there will be a large threshold where allowing the theft/seizure is cheaper than correcting it).

The final option would be to direct rollback assets outside of the system to a third party, with the obvious choice being charities or similar organizations.

The fatal flaw with third party distributions is achieving consensus as to allocations, particularly as the Bitshares platform is global.

Gaming/conflicts of interest also become problematic.


TL;DR: Implement a rollback protocol with concise criteria, create a mandatory voting mechanism and burn rollback assets.







« Last Edit: August 19, 2014, 12:15:10 pm by OldMan »

Offline emski



2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders

Would it not incentivize delegates to vote no and keep $1m in fees?


They get the fees anyway.

Offline emski



4) Must happen quickly, i.e., not affect balances over 24 hours old.


24 hour response time from majority of delegates may prove unrealistic.

Delegates have responsibility and they should make sure they can react. Behind delegates are real people. They should be reachable - phone, email, IM etc.
« Last Edit: August 19, 2014, 11:57:28 am by emski »

Offline bitcoinerS



2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders

Would it not incentivize delegates to vote no and keep $1m in fees?



4) Must happen quickly, i.e., not affect balances over 24 hours old.


24 hour response time from majority of delegates may prove unrealistic.
« Last Edit: August 19, 2014, 11:48:00 am by bitcoinerS »
>>> approve bitcoiners

Offline Riverhead

The point of making it "hard" to do is that it means it is less likely to happen.   People need to know that it is "hard" so they can trust the system. 

In my original idea I probably didn't make it clear enough that:

1) Only a delegate could make the proposal
2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders
3) Majority of delegates must approve
4) Must happen quickly, i.e., not affect balances over 24 hours old.
+5%

But perhaps most importantly, the fact that a procedure exists means that suggestions to hard-fork to bypass the pre-established procedure will be roundly rejected. 
Didn't follow this bit...do you mean that since a procedure exists that someone wanting to fork differently would then have two things to convince the community of? 1) Fork 2) Fork in a different way than the established one vs just to fork or not to fork.

Backing off from my hard stance (there may have been beer involved  :D ) I can see a "pressure release valve" IF and ONLY IF it came at tremendous cost. What better minds than mine need to think about is a way to implement said valve without rewriting history.


So the challenge becomes:
1) Make theft unattractive (unprofitable)
2) Attain 1) without forking with the chain.
« Last Edit: August 19, 2014, 10:36:09 am by Riverhead »