tokenly / swapbot

Exchange tokens with an automated machine

Bitcoin 2-Factor Authentication for Sensitive Functions #45

Open AdamBLevine opened 9 years ago

AdamBLevine commented 9 years ago

Under most circumstances, a user will interact with their swapbot administrative account using their email address or username. Should they need to reset a password, access to their email is all that is required to gain control.

An attacker gaining access to an email account and then gaining access to and robbing the associated accounts is one of the most common strategies. To protect the Swapbot service and its users we should protect all sensitive functions by forcing a user wishing to make major changes to prove they control the bitcoin private key that has full access rights on that particular account.

A user who is logged in but who has not verified their admin session is essentially in read-only mode. A user is able to see stats, add new ignore addresses to refill the machine, and probably use a button that lets you sweep the funds down to a minimum threshold that keeps fuel on hand, to a pre-set sweep address.

Basically you should be able to perform maintenance, view stats, pay fees/bills, and create new bots or add entirely new swaps that don't overlap with existing swaps or share token supplies.

If you want to do anything to an existing bot that would change existing behavior, fundamentals, texts, contextual links, you need to verify your session by signing a message or sending a transaction from an admin address.

Verification addresses should be done on a hierarchical basis, so you should be able to have an address that has control of all swapbots within the account but also have the ability to designate specific admin addresses on a per-instance basis to allow delegation of control.

AdamBLevine commented 8 years ago

This system should probably be designed so that unless the account user specifically tells us not to (and we should ask them), admin keys should be able to override their 2-fa.

So for most accounts there would be the user's bitcoin 2-fa, but it would also be accessible via admin 2-fa.

If a user declines admin override and loses access to the 2-fa bitcoin address, the only thing they can do is shut down the bot which will only empty to a pre-defined user bail-out address. This address should obviously be different than the one doing the 2-fa.
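The flow described across the two comments above (a logged-in session stays read-only until a challenge is signed with an authorised bitcoin key; one account-wide key plus delegated per-bot keys; an optional service-admin override that the account can decline; bot shutdown to the bail-out address allowed without verification), as an added example in Python. This is not code from the issue or from the swapbot code base. Assumptions of mine: admins are registered by compressed secp256k1 public key rather than by base58 address (address derivation needs RIPEMD-160, which is omitted here), the challenge text format, the 5-minute challenge lifetime, the action names, and the deterministic nonce derivation in `sign_message` (a simplified stand-in, not RFC 6979). Signatures use the standard Bitcoin signed-message digest and compact recoverable format, so a real wallet's `signmessage` output would verify the same way.

```python
import base64, hashlib, hmac, os, time

# secp256k1 domain parameters (Bitcoin's curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):                      # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                     # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def compress(pt):                      # 33-byte compressed public key as hex
    return ("02" if pt[1] % 2 == 0 else "03") + pt[0].to_bytes(32, "big").hex()

def message_digest(msg):
    # Bitcoin signed-message format: magic prefix, varint length, message, double SHA-256.
    # The prefix guarantees a signed challenge can never double as a valid transaction hash.
    vlen = bytes([len(msg)]) if len(msg) < 0xfd else b"\xfd" + len(msg).to_bytes(2, "little")
    data = b"\x18Bitcoin Signed Message:\n" + vlen + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def sign_message(priv, msg):
    """Client side: base64 compact signature (recoverable, flags a compressed key)."""
    z = message_digest(msg)
    # Deterministic nonce from key and digest (assumption: simplified stand-in for RFC 6979).
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256").digest(), "big") % N
    rx, ry = ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    recid = (ry & 1) | (2 if rx >= N else 0)
    if s > N // 2:                     # low-S normalisation negates R, flipping the recovery parity
        s, recid = N - s, recid ^ 1
    sig = bytes([27 + 4 + recid]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return base64.b64encode(sig).decode()

def recover_pubkey(msg, sig_b64):
    """Server side: compressed public key that signed msg, or None if the signature is invalid."""
    try: raw = base64.b64decode(sig_b64, validate=True)
    except ValueError: return None
    if len(raw) != 65 or not 27 <= raw[0] <= 34: return None
    recid = (raw[0] - 27) & 3
    r, s = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:65], "big")
    x = r + (recid >> 1) * N
    if not (0 < r < N and 0 < s < N and x < P): return None
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)       # square root, valid because P % 4 == 3
    if (y * y - x ** 3 - 7) % P: return None          # x is not on the curve
    if (y & 1) != (recid & 1): y = P - y
    z = message_digest(msg)
    q = ec_mul(pow(r, -1, N), ec_add(ec_mul(s, (x, y)), ec_mul(N - z % N, G)))  # Q = r^-1 (sR - zG)
    return compress(q) if q else None

# Actions an unverified (read-only) session may perform (assumption: names are illustrative).
READ_ONLY_ACTIONS = {"view_stats", "add_ignore_address", "sweep_to_min", "pay_fees",
                     "create_bot", "shutdown_to_bailout"}

class AdminVerifier:
    """Issues single-use challenges and records which bots a session has verified for."""
    TTL = 300   # seconds a challenge stays valid (assumption)

    def __init__(self, account_pub, bot_pubs, service_pub=None, allow_service_override=True):
        self.account_pub = account_pub                # key that controls every bot in the account
        self.bot_pubs = bot_pubs                      # bot_id -> delegated per-bot admin key
        self.service_pub = service_pub if allow_service_override else None   # account may opt out
        self.challenges, self.verified = {}, {}

    def issue_challenge(self, session_id, bot_id, now=None):
        now = now or time.time()
        msg = (f"swapbot admin verification|session={session_id}|bot={bot_id}"
               f"|nonce={os.urandom(16).hex()}|expires={int(now + self.TTL)}").encode()
        self.challenges[session_id] = (bot_id, msg, now + self.TTL)
        return msg                                    # shown to the user to sign in their wallet

    def verify(self, session_id, sig_b64, now=None):
        now = now or time.time()
        entry = self.challenges.pop(session_id, None)   # single use: a replayed signature fails
        if entry is None: return False
        bot_id, msg, expiry = entry
        if now > expiry: return False
        signer = recover_pubkey(msg, sig_b64)
        allowed = {self.account_pub, self.bot_pubs.get(bot_id), self.service_pub} - {None}
        if signer is None or signer not in allowed: return False
        self.verified.setdefault(session_id, set()).add(bot_id)
        return True

    def can(self, session_id, action, bot_id):
        return action in READ_ONLY_ACTIONS or bot_id in self.verified.get(session_id, set())
```

The server never sees a private key: it hands out a challenge containing the session id, the target bot, a random nonce and an expiry, the user signs that text with the wallet holding the admin key, and `verify` recovers the signing public key from the compact signature and checks it against the account-wide key, the per-bot delegated key, or the service key when the account has not opted out of the override. Binding the bot id into the challenge means a per-bot key cannot be used to unlock a different bot, and popping the challenge on first use means a captured signature cannot be replayed.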