ECAF is a security hole

and how you can patch it by voting for the v2 Constitution.

Luka Percic
ChainRift Research
Nov 6, 2018


I think the EOSIO Core Arbitration Forum (ECAF) is a security hole, and the proposed EOS Constitution v2.0 could patch it.

A short overview of how ECAF arbitration works

• Alice files a claim against Bob, in which she:
  • provides a signature with her (old) key;
  • posts a bond and swears on camera that she isn’t lying. She posts KYC docs as well.
• The ECAF looks for an additional factor to justify the freeze.
• The ECAF issues the freezing order.
  • Block Producers load the blacklist.
• The ECAF contacts Bob.
• Bob has one month to respond; otherwise the ECAF issues an order to confiscate the money (or change the key to an account).

If Alice tried to scam Bob and the confiscated funds were sent to her, scammers would be able to fund themselves and scale the process to as many victims as they can find.

The following examples are just a few cases that I was able to come up with. Scammers are financially motivated and will come up with new and sneakier ways.

It’s also important to note that I have explained these scams in the EOSIO Gov Telegram channel countless times, and the response is usually hand-waving about how “no abuse has happened yet”.

Let’s start with adversarial thinking. Assume that Alice is an honest user, and see how scams might go through.

We didn’t start the fire

SCAM #1

Cost of attack: $50 + bond

• Scammer changes his account owner key and starts with unstaking.
• Scammer sells Alice some IQ coins (for Bitcoin).
• Scammer checks her account activity, to make sure she isn’t using her account anymore.
• Scammer files a claim against Alice.
• Scammer posts a bond and pays a poor shmuck in Egypt to provide KYC and a video confession (estimated cost $50).
• The ECAF checks for additional factors, notices the unstaking and changed permissions (check passed).
• The ECAF issues the freezing order.
• Block Producers load the blacklists.
• The ECAF contacts Alice, but since Alice doesn’t babysit her account, the one month time-limit is exceeded and the ECAF issues the confiscation order.

SCAM #2

Cost of attack: $50 + bond

Similar to SCAM #1, but the scammer sells Alice an account name instead of IQ coins (by changing the owner permissions to her key). This again passes ECAF checks. I have a reason to believe this scam was already deployed in one of the freezes (but luckily the victim responded in that particular case since many people were checking their coins at the launch).

SCAM #3

Cost of attack: $50 + bond

• Scammer phishes for Alice’s private key.
• Instead of risking the freeze order, the scammer sets up alerts on permission changes to this account.
• Scammer waits for Alice to accumulate more coins… and, sooner or later, she changes her permissions to a hardware wallet.
• Alice now thinks her account is safe, so, she decides to just ‘hodl’, and forget about it.
• Scammer files a claim against Alice.
• Scammer posts a bond and pays a poor shmuck in Egypt to provide KYC and a video confession (estimated cost: $50).
• The ECAF checks for additional factors, sees the changed permissions (check passed).
• The ECAF issues the freezing order.
• Block Producers load the blacklists.
• The ECAF contacts Alice, but Alice doesn’t babysit her account, so after one month the ECAF issues the confiscation order.

Alice protected her account with a hardware wallet, but she just lost her money anyway! She never consented to the ECAF “protection” in the first place.

When Alice comes to the Gov Channel, to protest against the injustice, the group admins demand proof of her claims. Alice isn’t technical and can’t explain how it happened, so she leaves dumbfounded and completely powerless.

Arbitration is being sold to EOS holders as a way to protect them against Block Producer confiscation (wut?), and yet its tools would be used to confiscate the victims’ coins instead.

Even centralized services like ProtonMail offer the ability to “disable” human intervention, but you can’t opt out of ECAF orders.

Adding a second factor to your account can often lead to a less secure environment, as people who lost millions to hackers phishing their mobile phone service provider can attest. The ECAF would be targeted if given the opportunity to issue orders that make user funds change hands. EOS users shouldn’t be subjected to its services by default. Opt-in (or wallets that opt you in by default) is a compromise that some less technical users might find helpful.

Due to the exploits listed in this article, ChainRift EOS (a BP candidate) would never load the blacklist or cosign account confiscations that are not a direct result of buggy contract code — “Intent of Code is Law”.

ECAF is a security hole, let’s patch it together by voting for the v2 Constitution.

Don’t let the base layer arbitration make a mockery out of the EOS chain.
