5$ Wrench Attack

[0xStuart]

If a node operator is required to stake a minimum amount of tokens to run a validator, then that individual or corporation should take care to keep their private keys safe from extortion. What could be $100K stake today, could be worth $1M or more in the future.

Possible suggestions:

No KYC. Node operators be advised to keep their anonymity. Multi-signatures and/or time locks. Abandon minimum staking, and switch to a community elected model.

[kthomas]

Welcome @0xStuart ... thanks for this feedback.

A few things to keep in mind with regard to validators:

Baseledger validators run (either hosted or on their own infrastructure) the open source Provide Vault; if someone who is a responsible fiduciary of the validating party (or the validator himself) was drugged, kidnapped, and hit repeatedly with a wrench, he will NOT be able to produce the private key material for the attackers. Unfortunate, I know.

You can think of this as the equivalent to delivery trucks that state "Driver does not carry cash."

edit for clarity: of course, if the compromised individual is running Vault on his laptop, then that is a different story. Really bad opsec though, don't do it like that. Run validators in high-bandwidth, highly-available, secure locations.

Because of this security inherent to our architecture, it is perfectly reasonable (and compliant, so therefore strictly required) for organizations and appropriate stakeholders to be KYC'd so they can receive rewards in the most compliant way.

[0xStuart]

@kthomas thank you. That's reassuring. I'm not entirely sure how that would work, given a validator may want to withdraw their stake at some time. But I will take your word for it. :)

[kthomas]

Validators are in control of the vaults, but can plausibly deny knowledge of the key material during waterboarding. Good opsec makes waterboarding ineffective :)

[kthomas]

@kthomas thank you. That's reassuring. I'm not entirely sure how that would work, given a validator may want to withdraw their stake at some time. But I will take your word for it. :)

Don't take my word for it! You can try running a node as well as the Vault locally. Hop in discord if you need any help setting any of it up... https://discord.gg/VP8nDmpu

[0xStuart]

Plausibly deny knowledge? You mean I lie under the threat of violence, and hope I can convince the attacker I am not able to withdraw my stake?

[kthomas]

I mean the private keys literally never leave the Vault. So how would you be lying?

[kthomas]

Plausibly deny knowledge? You mean I lie under the threat of violence, and hope I can convince the attacker I am not able to withdraw my stake?

Another thing to add... I think there will be some form of a time-delay withdrawal mechanism. Don't hold me to that though, but it's been discussed.

[0xStuart]

I mean the private keys literally never leave the Vault. So how would you be lying?

What about the ability to transfer tokens?

$UBT moons. Validators now worth $1M+ each. Criminals get hold of kyc list of 100 validators.

Victim 1: Validator is a family man. Kidnap child. Demand UBT sent to criminals wallet. Victim 2: Small business operator. Criminals visit office. Demand UBT transferred under threat of violence. Victim 3: Blackmail. ..... Victim 100: Large company. Targeted ransomeware.

Thinking about it, time-delay withdrawal only really deters immediate threat of violence. Could actually be worse in a Kidnap case.

[kthomas]

I mean the private keys literally never leave the Vault. So how would you be lying?

What about the ability to transfer tokens?

Why wouldn't a validator be able to transfer tokens? Once a withdraw is successfully processed on their behalf, such amount of tokens would no longer be providing any security to the network and would be in whatever 0x... account they used for the deposit.

$UBT moons. Validators now worth $1M+ each. Criminals get hold of kyc list of 100 validators.

Victim 1: Validator is a family man. Kidnap child. Demand UBT sent to criminals wallet. Victim 2: Small business operator. Criminals visit office. Demand UBT transferred under threat of violence. Victim 3: Blackmail. ..... Victim 100: Large company. Targeted ransomeware.

Wouldn't high net worth individuals applying to become validators look at providing that service to the network as their business and incorporate or organize an appropriate corporate structure in their jurisdiction (corporation or LLC, for example) to preserve the privacy of the principals?

Thinking about it, time-delay withdraw only really deters immediate threat of violence. Could actually be worse in a Kidnap case.

The time delay for the withdraw is actually more likely to be related to the governance rules in place at the time of the withdraw request instead of, as I think I understood from your post, some programmatic "time delay safe" functionality built into the Vault or network itself...

[0xStuart]

Why wouldn't a validator be able to transfer tokens?

Well that was my point. OK, I said private keys. I narrowed the example too much. Wrench Attack is still a problem.

Wouldn't high net worth individuals applying to become validators look at providing that service to the network as their business and incorporate or organize an appropriate corporate structure in their jurisdiction (corporation or LLC, for example) to preserve the privacy of the principals?

High net worth individuals now. They may not have been if they were an early investor.

In my experience in helping set up a similar network to Baseledger, early investors set up their own companies. Node operators, were easily identifiable, through their community participation (which is what you want) and government records about their corporate structure (kyc).

In my own case, I am one of 20+ companies operating nodes for another network. I have a responsibility to keep them running, and engage with the community. Install software updates on time, report issues, etc. Travel the world and go to publicized meetings. It's people like me you want to attract to keep a stable networking going. My home address is easily found on a government web site. You just search for my company.

This is a very real problem not to be dismissed. Not just for the welbeaing of validator operators and their families, but also for the network. As UBT rises in value, so does the risk.

There was a real case, not far from me, where a small company dealing with crypto was visited by criminals. Their net worth identifiable through a block explorer, and were forced to transfer it under threat of violence. The criminals got away with it.

[kthomas]

Why wouldn't a validator be able to transfer tokens?

Well that was my point. OK, I said private keys. I narrowed the example too much. Wrench Attack is still a problem.

Wouldn't high net worth individuals applying to become validators look at providing that service to the network as their business and incorporate or organize an appropriate corporate structure in their jurisdiction (corporation or LLC, for example) to preserve the privacy of the principals?

High net worth individuals now. They may not have been if they were an early investor.

Sure... and those individuals now are now positioned to apply to become node operators... and so they need to incorporate a business for that purpose (I think we are on the same page as far as that goes). The KYC process for entities and principals is carried out off-chain (or in the future, perhaps on-chain under zero-knowledge). I would also say that the organizations should have real business addresses listed so secretary of state lookups don't return residential addresses.

In my experience in helping set up a similar network to Baseledger, early investors set up their own companies. Node operators, were easily identifiable, through their community participation (which is what you want) and government records about their corporate structure (kyc).

Yep ✅

Shouldn't the goal be to enable privacy throughout the entire governance process for node operators? Large organizations operating nodes have some privacy built in out of the box to some degree. Smaller organizations are a bit trickier. And since people are involved, a principal even at a large organization could easily get doxxed, for example, by a disgruntled coworker. I think there are some opportunities to dogfood the baseline protocol itself to add some unique privacy characteristics to these aspects of governance for Baseledger. We can call it... zkGovernance ™ ;)

In my own case, I am one of 20+ companies operating nodes for another network. I have a responsibility to keep them running, and engage with the community. Install software updates on time, report issues, etc. Travel the world and go to publicized meetings. It's people like me you want to attract to keep a stable networking going. My home address is easily found on a government web site. You just search for my company.

Do you think you could have set things up differently to preserve your personal privacy and safety in a better way? Such as having an actual corporate address instead of your home address listed as the principal place of business? When considering applications for new node operators, this definitely seems critical for a responsible validator set to consider.

This is a very real problem not to be dismissed. Not just for the welbeaing of validator operators and their families, but also for the network. As UBT rises in value, so does the risk.

There was a real case, not far from me, where a small company dealing with crypto was visited by criminals. Their net worth identifiable through a block explorer, and were forced to transfer it under threat of violence. The criminals got away with it.

Thanks so much for this! Please do not feel that I am trying to dismiss any of the credible concerns you have raised. There are likely mitigation strategies though that we can agree upon, depending on the size of the organization in question, right?

[0xStuart]

Shouldn't the goal be to enable privacy throughout the entire governance process for node operators?

If the model is KYC (which I believe is the right way to go), then yes of course. That's why I am discussing it. Ethereum validators don't have KYC. They just keep quiet. Over $100,000 at today's prices.

Do you think you could have set things up differently to preserve your personal privacy and safety in a better way? Such as having an actual corporate address instead of your home address listed as the principal place of business? When considering applications for new node operators, this definitely seems critical for a responsible validator set to consider.

No, once you have someones name, and you can link them to a business, it's fairly trivial to find out where they live. If there is $1M at stake, you hire a private detective.

The goal, is to eliminate all risk, regardless of the size of the organisation running the validator. Maybe it's a software solution, a procedural solution, or something more practical. I'd like to hear others views.

[kthomas]

I will also update this issue in the coming days with details about the MPC functionality provided by Vault. The appropriate technical solution (which looks a lot like CWAP, but a lot more user friendly) likely exists in the Baseledger stack as a result of this functionality. The feature allows users to configure Vault instances to store seeds across data centers and cloud providers securely, and the parts are actually stored on HSMs (Azure Key Vault, AWS KMS)...

@provideplatform is working on documenting this functionality and a release is forthcoming that includes it.

[yorickdowne]

HSMs such as AMDs SEV Secure Enclave would definitely help secure the keys even further. At some point good old law enforcement comes into play. You can go to someone's home now and threaten them in some way for the $1M painting they have. It's risky though. Just like with physical goods, securing these keys becomes tantamount.

Where there are seed phrases, for example, they need to be kept offline in a secure location.

[0xStuart]

Interesting. I wasn't going to mention this until I knew more about the validtor nodes and the selection process, but I am involved with a company that develops secure enclaves. https://iot-sas.tech/

If you have access to the hardware in the datacenter, then that's another layer of security.