Udi Wertheimer, head researcher at Colu.com, a local currency solution based on the Bitcoin-based Colored Coins protocol, recently published a “security review” of Bancor’s smart contracts. We would like to address some of the comments and concerns, in line, that were raised.
We would like to thank Udi for his respectful introduction and generous compliments. We’ve also had the pleasure of discussing some of these issues directly with Udi on the Israeli Bitcoin Facebook discussion group, as well as in person when he attended a community event as our guest. We recently published a response to Emin Gün Sirer’s article, which we encourage all to read and Udi to update in his post, for balance on both sides of the issues raised there.
About the decision to extend the minimum hour:
Many were surprised by this. Some investors were grateful, as they weren’t able to get in during the first hour due to a high load on the network. Yet others were furious — probably the ones that already managed to get in — they were promised that the cap will be enforced after 1 hour, but now that the “minimum time” was expanded to 3 hours, they were effectively being diluted.
We’ve made it as clear as possible in all of our communication channels, including the official TGE terms, that the single purpose behind the minimum 1 hour was to allow all community members, many who have been carefully researching and following Bancor for months, to participate, with any amount, if they chose to do so. We (incorrectly) estimated that 1 hour would be sufficient for the Ethereum network to process the initial demand, while not long enough to allow new demand, generated by buzz in the case of strong initial interest, to cross the hidden cap, which was never our intention. We were evidently wrong in that assessment as a single hour proved to be far too short to accommodate even a small percentage of the initial wave of contributions. The intention of the language in the terms was that anyone who transmitted in the first hour would be accepted.
We faced a tough choice between two sub-optimal options: To rigidly interpret the 1 hour minimum time, leaving many of our most loyal supporters behind, or to stay true to the stated intention behind it, and give more time to try to allow more transactions from the first hour to clear. We chose the latter and we maintain it was the right choice for this project. Those who got in and were “furious” are effectively advocating that we should have disregarded the intention behind the minimum time and accommodated less than the initial demand, in order to maximize their value at the expense of others not less deserving. As can be learned from recent high-demand capped fundraisers, the unrealized demand likely generates significant profits to those who were lucky enough to slip a transaction in, at the expense of those who didn’t. This is exactly the situation we wanted to avoid with the minimum time policy and the primary reason why the extension was made. Furthermore, because of the unique smart token functionality of BNT (which increases in value as more tokens are issued), our use of 20% of proceeds in the shared ETH reserve of the token, and our commitment to use funds raised above the cap to create a two year protection mechanism for BNT holders, those upset by a larger raise in the first place are misunderstanding the dynamics of BNT. In both cases, we chose to side with letting as many of our supporters participate as possible, and with growing BNT together over the long run. Superficially restricting demand in order to create a price spike for quick and easy profits is not the aim of the Bancor network or team. We sincerely apologize to our community for the confusion created around the minimum time and to all those contributors who tried to participate and could not. This was challenging to communicate properly in real time and we are making strong efforts in this regard moving forward.
When people think of “cryptocurrencies” or “digital assets”, or whatever the cool kids call them today, they think of decentralized, censorship resistant tokens, that no central party could control for any reason. And while some projects have various degrees of (de)centralization, I have never seen a token as centralized as BNT, that puts so much power in the hands of so few.
This was pretty much the philosophy behind TheDAO. It dictated a design that made it impossible to fix while being publicly drained of the deposited ETH due to a security breach, leaving the Ethereum community with a hard-fork as the single option of remedy. This was an existential moment for the Ethereum project, and we salute the leadership and community for ultimately navigating this successfully. Even this major setback could have ended much worse.
We also believe there is nothing inherently bad in “so much power in the hands of so few” as a blanket statement. We’re happy that Elon Musk has all the power he does. He seems to use it well across multiple exciting technology ventures which likely wouldn’t happen (or happen as soon) without his leadership. We’re happy that Steve Jobs had the power he had, as he used it to figure out how to make advanced technology more accessible to the average user. Standing against centralized and monopolistic power is noble and important, however, one should not be dismissive of the critical role of leadership, especially in a competitive space and at the forefront of innovation.
Ethereum is often criticized as being “too centralized”, especially following TheDAO hard-fork. The technical leadership of Vitalik does not compute well with many Bitcoiners, who seem to prefer a more decentralized, IETF style of management. While this philosophy might be the better way to standardize protocols, we maintain that Ethereum and Bitcoin (and Bancor) are more than just protocols. They are distributed, protocol-based open-source services, with custom tokens used to compensate self-appointed service providers and various contributors. There is still much work to be done to improve the security, capacity and robustness of these services, and we believe that a leaderless approach will not prove to be the optimal one.
For these reasons, we believe it is the right choice for Bancor to have options for dealing with unexpected problems, rather than preventing ourselves from doing so in the name of “decentralization”. Ultimately, we are the ones you will look to in the event of a breach. We are also the ones you are putting your trust in when you contribute to this project. We have taken great measures to share with the community our vision, our backgrounds, our answers to questions, our plans for the future. We take the trust that the community is placing in us very seriously, and our responsibility to maintain safety as we forge into new technical and economic territory, just as seriously. There is no way around the fact that a bet on Bancor is also, at least partly, a bet on the team. We are outspoken about our belief in decentralization, and our plans to guide BNT towards its immutable state during its 3 year pilot period.
All transactions using the BNT token can be disabled by the team at any time for any reason. Presumably the capability is there to allow the tokens to be frozen immediately after the crowdsale for about a week, until Bancor’s main product is ready. However, for some reason, after they’ll unfreeze the tokens, the team will retain the option to freeze transactions again at any time.
This is one of the security switches we created. If an exploit is detected, this switch will allow us to pause transfers, publish the findings, upgrade the contract and potentially recover stolen funds. We sincerely believe this is in the best interest of the community, given that all the tests in the world can’t prepare you for the ultimate test, live in the wild with tens of millions of real users of all intentions.
The team can issue new tokens at any time.
Shockingly, the team can DESTROY any tokens FROM ANY ACCOUNT, at any time.
The ability to issue and destroy tokens is required in order to be able to recover from a potential security breach. If tokens were issued through a security exploit in the contract, this ability would enable stopping the hacker from running away with the tokens.
This third point [destroy capability] is unheard of. I’ve looked at other high-profile contracts managing other tokens, and couldn’t find anything similar. This puts unprecedented, and worse, unexpected power in the hands of the contract owners.
Bancor is a first-of-its-kind solution. It is the first smart token, handling its own liquidity by holding a shared “treasury” (reserve), as well as issuing and destroying its own tokens in an programmatic fashion. Due to the novel and sensitive nature of its functionality, we believe it is better to have additional options for mitigating attacks. Since TheDAO, there has not been any substantial attempt to launch such a token, and we wish to avoid a similar fate. We maintain that at this point in time — the more options we have to mitigate attackers and thieves — the better, even if this means holding BNT requires more trust in our integrity and security protocols. Full decentralization is the aim, not the beginning.
People in this space expect the control over tokens to be fully decentralized, and if for some reason they’re not, this should be made very clear.
This “space” (new token generation events) is actually quite young, and we do not share the same impression that such definitive expectations exists among our contributors. In our post Learning from TheDAO we made it very clear that Bancor contracts are upgradeable by design and would be centrally controlled during the pilot period. “Upgradeable” means that we can change the code running BNT at any time. What is not clear is how anyone who understands “decentralization” could have interpreted this otherwise. We do our best to maintain an active blog with all of our thoughts, plans, and responses such as these when we detect concern from the community. We do expect contributors, and especially online critiques, to read this information fully before jumping to conclusions of bad faith. We also agree that this young industry will benefit from evolving standardization in how to best make communities aware of what they need to know in order to responsibly understand and vet projects. We will do our best to contribute to this effort, and welcome all suggestions.
The keys held by the team could be stolen for example.
This is quite far fetched, as we’re using industry best practice multi-sig contracts, on offline wallets, where the different keys are password encrypted and are never stored in proximity to each other. We take security extremely seriously and have spent much of our energy leading up to the TGE on carefully planning a redundant strategy with no single points of failure.
Or, law enforcement could force the project to freeze or destroy tokens if they realize this is possible (and if for some reason they would suspect any wrongdoing).
One of the coolest things about blockchain technology is that the transaction history is always preserved. This creates the option for a community using a token to “go back in time”, as was done with TheDAO on the Ethereum blockchain, and see exactly what has transpired and take collective action. Such a revert can be done with any ERC20 token as well, even through a self organized community effort. In the case of BNT being compromised by violent force, the community will have a course of action they could follow.
However, because the existence of these backdoors isn’t properly communicated, this puts many users at risk, and especially exchanges.
The centralized control and upgradeability was communicated again and again, in our post and whenever asked. We strongly disagree that this puts users at greater risk, especially when compared to the decentralized alternative which was used in TheDAO. We maintain that the security protocols we’ve implemented significantly reduce the risks for end-users as they provide us with more options to handle code security eventualities if they unfold. With regards to exchanges, we leave it to these for-profit entities to provide safeguards for their users and properly vet all tokens they wish to list. Their success is our success in regards to smart tokens, and we have no interest in creating a situation where exchanges are unnecessarily hindered from doing their business.
We would like to use the opportunity given to us by this widely circulated review to make it clear that the security switches built by design in the Bancor contracts will be used only in case of emergency, and with clear notice given through our official channels. While this expected conduct was obvious to us, as the stewards of the protocol and by nature of the trust placed in the project by contributors, we thank Udi for the opportunity to communicate it more clearly to all.
We believe that TheDAO has taught us best how not to launch an open, asset-holding smart contract. Not having the option to upgrade code (that is yet to be tested live in the field, despite the most meticulous internal and partner testing) has been proven to be a sub-optimal strategy, to say the least. The privilege to upgrade the code naturally provides Bancor with full access to all aspects of the token. All of the other listed “backdoors” do not provide us with any additional privileges. However, if a security breach in the code is detected, these security switches will enable us to respond quickly, mitigate damages, and responsibly handle potential thievery. We believe this is what the community is expecting of us, during this new and exciting pilot period, as we lead BNT towards its stated goal of creating liquidity justice for all.
We’ll end with a quote from our post Learning from TheDAO:
We are all about responsible decentralization and we want to get there together. We recognize that the community is trusting us to lead the project there, and we take this very seriously.
To the trust it takes to go trustless,
The Bancor Team