
Arbitrum Security Council Member: Why We Used "God's Authority" to Freeze $72 Million

2026/05/02 12:00

Compiled by: Deep Tide TechFlow

Guest: Griff Green, Arbitrum Security Council member

Host: Zack Guzman

Original link: https://www.techflowpost.com/zh-CN/article/31292

Editor's Note

Over the past few days, Ethereum and the wider crypto community have been watching the hack of Kelp DAO (a liquid restaking protocol) and its knock-on effect on Aave.

The Arbitrum Security Council used its emergency powers to freeze and recover approximately $72 million in assets from addresses believed to be controlled by North Korean hackers. This is the first time in the crypto industry that an L2 has invoked "God's authority" to freeze the funds at a specific address. Before this podcast was recorded, the community was already debating whether Arbitrum's ability to "move the assets of an address", even when used to do the right thing, raises questions about the limits of that power and about centralization.

The podcast guest is Griff Green, one of the Security Council members entitled to make this decision on Arbitrum's behalf. Griff, who lived through the 2016 hack of The DAO and was one of the promoters of the resulting Ethereum hard fork, also directly criticized Circle (the issuer of USDC) in the interview for its "continued inaction" in North Korean hacking incidents, arguing that Circle's decision logic is driven entirely by its financial statements.

Highlights

The belief that a blockchain cannot be tampered with is a misconception

"It's often thought that a blockchain cannot be altered, but in practice it rests on social consensus. If everyone agrees to upgrade the protocol, the rules can be changed. That goes for Ethereum and for Bitcoin alike."

"That's why people in the Bitcoin community are talking about freezing Satoshi's coins. It is technically feasible, because a blockchain is not absolutely immutable; it is only a set of rules."

The real foundation of decentralization is market behavior

"If people don't like our decisions, they'll sell. If the Bitcoin network coordinated to steal people's money, holders would obviously sell. The real foundation of decentralization is market behavior, and the role of market dynamics here is severely underestimated."

"To be honest, no one would blame us for doing nothing. There is no risk in doing nothing, so it takes a little risk-taking."

North Korean attack pattern

"North Korea rarely carries out smart-contract-level attacks. Most of the time it's not the code, it's the people. Through social engineering, they find key holders with special privileges and gain access to their computers and keys."

"I don't know why they left the money at one address for two days. Maybe they worked three days in a row, took Sunday off and were late on Monday. That was our window."

Circle versus Tether

"I'll say one thing very clearly: there are obviously no good people at Circle, because they keep choosing to do nothing. Tether, by contrast, has been constantly freezing DPRK funds and has recovered far more than $7 million."

"Circle's origins are not crypto-native; they're Goldman Sachs. So their decision logic is how things show up on the financial statements. If freezing DPRK funds made them money, they would do it."

Security is the biggest obstacle for the crypto industry

"With today's technology, we can build something safer than PayPal and more secure than banks. Take the infrastructure of banks and PayPal, remove the custodian, make it a non-custodial version, and the technology is in place."

"I don't know anyone whose bank account was emptied after being phished. But I know a lot of people who lost crypto after being phished."

"I've been building for the public good, trying to build something better than government, but I keep getting blocked by the same problem: this technology cannot yet be used safely by ordinary people."

Invoking God's authority

Zack Guzman: A lot of people are following developments, and the controversy hasn't stopped. Let's start with the structure of the Arbitrum Security Council. You are a member of the Security Council, and this was a very serious decision for someone in your position. Can you tell me how this whole thing happened?

Griff Green: Kelp DAO was attacked, and the primary responsibility was disputed between Kelp DAO and LayerZero, but the impact did reach Aave. It was a cross-chain attack: the hackers stole about $300 million through the bridge on Layer 2 and deposited the ETH as collateral on the Ethereum and Arbitrum networks.

After the North Korean hackers got the ETH, they kept it in their wallets for days, which gave us a window of time to coordinate a rescue. Arbitrum is still a Stage 1 rollup (meaning it has certain security guarantees but is not yet fully decentralized), and it has a Security Council. This is a 9-of-12 multisig (nine of the twelve members must sign to perform an operation). Working with the Seal 911 team (a crypto security emergency response organization), we used the emergency powers to transfer the funds out of the DPRK-controlled addresses and freeze them at a new address they could not access.

Foundations of the blockchain

Zack Guzman: I didn't know a 9-of-12 threshold was needed, and many people didn't seem to know that Arbitrum had this ability. You probably don't want North Korean hackers to know about this function.

Griff Green: Actually, it's completely public information. I think there's been some misunderstanding about blockchain technology. The roots of a blockchain are open source code, nodes running on servers, and social consensus.

My first project was The DAO. We raised $150 million and then we were hacked. If you want to know more, Laura Shin's "The Cryptopians" devotes 100 pages to it. In the end we did something very similar to what we did on Arbitrum: we broke the rules and moved the money out of the hacker's wallet without the hacker's permission.

It can be done on Ethereum, on Bitcoin, on any chain. Because a blockchain is fundamentally based on social consensus, there are now people in the Bitcoin community talking about freezing Satoshi's coins, which can be done if everyone agrees.

A slight difference on Arbitrum is that there is no need to convince the network node operators; instead there are two paths: ARB token holders can vote to perform the same operation, or the Security Council can execute it in an emergency with a 9-of-12 multisig. Before this, the Security Council's powers had only been used to fix bugs and upgrade the protocol; funds had never been frozen. As far as I know, this is also the first time a large L2 has frozen funds on chain.

Comparison of incidents

Zack Guzman: How did it feel, having been through The DAO hack and now this?

Griff Green: This was a lot easier. The DAO was my own project, hacked for $150 million, which was far more stressful. This time I didn't personally lose money; I intervened as a member of the Security Council.

And the infrastructure is now so much better that we could figure out much more quickly what happened. When The DAO was hacked, we had no idea who the hacker was. This time, Seal 911 was able to contact the FBI and basically confirm that the attackers were North Korean hackers. We obtained information from outside the ecosystem through the behind-the-scenes network we have built over the years.

Discussion of key issues

Zack Guzman: In the decision-making discussions, one side of inaction is that it would let the DPRK keep these funds. On the other hand, there are fears that intervening will have a chilling effect on DeFi. What was the discussion process?

Griff Green: First, the technical challenge. It took us a lot of time to find a complete technical solution, and finding one at all was remarkable, thanks to the technical people behind it.

Once the technology was confirmed to be feasible, there was the real discussion: yes, we can, but should we?

From my own point of view, the attackers were almost certainly North Korea, $72 million was involved, and DeFi risked being left behind. It's my job to defend the Arbitrum Constitution and do what I think is right for Arbitrum. No one would blame us for choosing to do nothing; it carries almost no risk. So it really takes a bit of risk-taking.

Some people get upset and think, "9 people can do this on the chain." But I'm telling you, getting nine extremely risk-averse security experts to agree to do something is harder than you think. It may be harder than coordinating mining pools to freeze Satoshi's coins.

The key message is that the system remains decentralized. This is reflected not only at the structural level but also in market sentiment and price behavior. If people don't like our decisions, they'll sell. The role of market dynamics in this matter has been seriously underestimated.

Zack Guzman: The Security Council was elected by ARB token holders. Will this event set a precedent that changes attitudes toward hackers in the Ethereum ecosystem?

Griff Green: One thing is underestimated: hackers rarely leave their money at one address for two days. It's because they didn't move it that we had an action window. I don't think there had been a hack like this on Arbitrum before. I don't know why they didn't transfer the money. Maybe they were tired after three days, took Sunday off, and were late on Monday.

So I thought people would be more open to this. Not because it's technically possible (it always has been), but because people saw an actual operation. L2Beat (an L2 security assessment project sponsored by the Ethereum Foundation) clearly states that the Security Council has emergency upgrade powers. The hackers were about to move the money, and we were lucky.

Security lessons

Zack Guzman: What are the lessons on security?

Griff Green: First, technical risk analysis needs to be better. Aave did well in controlling exposure to low-market-cap, high-volatility tokens, but was too loose in accepting liquid staking tokens (LSTs) as collateral. The underlying asset of these tokens is ETH, so the economic risk is indeed low, but the technical risk dimension requires far greater scrutiny. This is not just a question for Aave; Morpho, Compound, Sky and every other lending protocol need to double their investment in technical risk analysis.

Kelp DAO had a single point of failure (a one-of-one, i.e. only one key needed to be compromised), which is what it's been criticized for. The bigger problem, however, is that the key was compromised. North Korea rarely carries out smart-contract-level attacks; most are not attacks on code but on people. That means gaining access to computers and keys with special privileges through social engineering.

There are two ways to respond: first, by raising security standards. If you're managing large amounts of money, your computer security should be at the level of the CEO of a traditional big tech company. But the crypto industry is not at that level.

How the $72 million will be handled

Zack Guzman: What happens to the $72 million that was recovered? Do you get a vote?

Griff Green: Yes, it'll be interesting. Users in the Aave and Kelp DAO ecosystems will be in a better position, but the specific solution is hard to determine. Coordination inside a DAO is hard, as it is in governments and large organizations, especially in the absence of a clear final decision-maker.

Before this, Aave and Kelp DAO were passing the buck to each other; now, with Arbitrum, it has become a collaboration among three DAOs. On the bright side, there is real money to allocate, and Aave and Kelp DAO can't just blame each other; they need to make their plans publicly. Returning the $72 million to users will ultimately require a vote by Arbitrum DAO token holders.

My personal position is that Arbitrum DAO should not release the money unless 100 percent of it goes directly back to users.

It should be noted that the Security Council only acts in emergencies. We sent the money to the 0x000 DAO address; the "DAO" suffix means the money now belongs to the DAO community. I'm also a delegate in Arbitrum DAO. But the total vote could be 200 million votes, and I only have about 10 million, roughly 5%. Many people have more than me.

Current projects

Zack Guzman: Let's talk about what you're working on. It's about security.

Griff Green: I've been building in this industry since The DAO. One of the platforms I'm involved in is Giveth, which helps many non-profits raise money on Ethereum. I've watched these non-profits lose money in every way you can think of: sending funds to the right address but on the wrong chain, phishing, smart contract vulnerabilities, exchange hacks, and so on.

At today's level of technology, we can build something safer than PayPal and more secure than banks. The technology is in place. But the truth is, I don't know anyone whose bank account was emptied after being phished, yet I know a lot of people who were phished and lost crypto.

So we created the DAO Security Fund. The goal is to make Ethereum safer than banks. We have approximately $170 million in staked assets, and we use the staking proceeds as a long-term funding source for security.

The first round of large-scale funding starts tomorrow. On qf.giveth.io, you can contribute to security projects. Based on where your contributions go, the $1 million pool will be distributed proportionally among the security projects.

But more important than the funding is project discovery. There are hundreds of free, open-source security tools out there, but many people have no idea they exist. The core purpose of this round is to bring these projects together in one place and make them visible. Funding can help these projects survive, but what is really influential is the market signal: which projects are needed most and which directions deserve more investment.

Comparing Circle with Tether

Zack Guzman: When there is no mechanism like the Security Council, it's actually the centralized stablecoin issuer (for example, Circle) who is forced to confront the question of freezing assets. What do you think of these two models?

Griff Green: If you can solve the problem, you have a responsibility to. There's an old saying that all it takes for evil to prevail is for good people to do nothing.

I'm very clear about this: there are obviously no good people at Circle. They keep choosing to do nothing. In contrast, Tether has been constantly freezing DPRK funds and has recovered well over $72 million.

You might think it would be the other way around, but I think it's because Tether's founding team are DeFi and crypto people, and they've kept some old-school crypto values. Circle's origins are Goldman Sachs, and its decision logic is how good the statements look. If freezing DPRK funds made them money, they would certainly do it.

I'm not a Tether maximalist. I prefer more decentralization. But Circle's behavior in this matter is hard to understand. I don't know whether we have to collectively sell USDC to give them enough market feedback. North Korea's attacks don't just destroy our portfolios; they threaten security in the real world. Everyone is harmed when North Korea isn't stopped.

Zack Guzman: The politics of the blockchain world are much more complicated than many people realize.

Griff Green: Right. You think it's finance and hardcore tech, but there's a lot of political discussion. The discussion of self-governance and how to build a society on a new foundational framework is very intense. But every time I try to bring these things into the real world, I run into security problems.

North Korea's attacks are one dimension. But there are a lot of lower-level problems, such as scam phone calls impersonating Coinbase, and user experience improvements. Many of the problems are not state-level attacks; it's that our own technology doesn't yet work well enough.

I got into crypto in 2013 and got my first master's degree in digital currency in 2016. I've been building for the public good, trying to build something better than government, but I keep getting blocked by the same problem: this technology is not yet safe for ordinary people, but there is a great opportunity to change that.
