Centralized Single Point Of Failure - swap_identity

[FreeTrade]

There exist 7 superuser accounts defined in 'ParamUpdaterPublicKeys'.

These accounts can be used to create 'SWAP_IDENTITY' actions that can re-assign any account's username (and coin balances?) to another account. This allows any account on the platform to be cancellable by any of the superuser accounts. Having such a powerful action available undermines BitClout's claim to be a decentralized platform with self-sovereign identity.

Recommendation: Remove swap_identity and superuser accounts as soon as possible.

[kakegu]

There exist 7 superuser accounts defined in 'ParamUpdaterPublicKeys'.

These accounts can be used to create 'SWAP_IDENTITY' actions that can re-assign any account's username (and coin balances?) to another account. This allows any account on the platform to be cancellable by any of the superuser accounts. Having such a powerful action available undermines BitClout's claim to be a decentralized platform with self-sovereign identity.

Recommendation: Remove swap_identity and superuser accounts as soon as possible.

Absolutely agree this.

[dgsus]

This is most likely here while the network is maturing.

Having said this, I would love to read an estimated time for its removal by the dev team.

[vbmach]

@maebeam any thoughts on this? I understand why we need to have them for now, but it would be a great way to build some more trust if the core team can share a roadmap for this issue.

Some of the startup teams I've worked at use the following framework: they write up a press release about what needs to be delivered 6 months from now, and it serves as a great primer for a user to see what's upcoming and why it matters. It also forces the team to put their short-term vision down in writing.

My 2 cents :)

[Barnacules]

They claim this is all open source now yet their infrastructure is still required on the backend calls for tons of stuff like identity and blockchain manipulation outside what should be allowed. I'm really growing tired of this scam 🤦‍♂️

[Barnacules]

There exist 7 superuser accounts defined in 'ParamUpdaterPublicKeys'.

These accounts can be used to create 'SWAP_IDENTITY' actions that can re-assign any account's username (and coin balances?) to another account. This allows any account on the platform to be cancellable by any of the superuser accounts. Having such a powerful action available undermines BitClout's claim to be a decentralized platform with self-sovereign identity.

Recommendation: Remove swap_identity and superuser accounts as soon as possible.

I wish more people would hold them accountable like you. This entire platform has so many shady things they lie about constantly on Twitter and in their documentation that is only found by technical people paying attention. If they don't resolve these issues and stop keeping full control of everything nobody can ever trust this system. I feel bad for people who got hoodwinked into this and have a bunch of money tied up who now just have to hope for the best and blindly promote the platform hoping for a return one day. Thanks for bringing attention to these very severe issues 🙏 Hit me up on Twitter anytime @barnacules, I was sick of them censoring me so I do all communication there 👍🏻

[FreeTrade]

So an FAQ was published a few days ago that includes an update on this issue - https://docs.bitclout.com/faq/bitclout-faq#can-bitclout-com-access-my-private-keys-if-im-a-normal-user

it is important to mention that profiles and creator coins (not $CLOUT) can be recovered by certain ParamUpdater public keys using a SWAP_IDENTITY transaction type that the core dev team intends to remove after an initial bootstrapping phase.

So the claim is that only creator coins are affected by this and not the underlying coins. Also that they intend to remove it, but without a firm timeline.