Telos Governance Offers Protection Against Exchange Takeover
by Douglas Horn
Today, the STEEM blockchain was apparently taken over by an unprecedented coordinated attack led by Tron’s Justin Sun and the centralized exchanges Binance, Poloniex, and Huobi. What makes this more egregious is the fact that the tokens that the exchanges used to enact this hostile takeover of the chain were owned by their customers and further, these exchanges locked up these customer tokens for 13 weeks in order to gain this power. Customers who entrusted their tokens to these exchanges will not be able to withdraw them for some time.
As a result of what appears to be a startling breach of trust, there is concern in the communities of other blockchains using Delegated Proof of Stake (DPoS) that such hostile takeovers could also occur there as well. To allay fears that such a situation could occur on Telos, I’d like to discuss how the existing Telos governance actively protects the chain from a centralized exchange takeover.
Telos governance is defined by the Telos Blockchain Network Operating Agreement (TBNOA) and other governance documents. (View at tbnoa.org) The Telos developers and block producers built tools and practices founded on these documents.
Exchanges cannot vote customer tokens
The first protection that Telos has only beneficial owners of tokens can vote them. This is spelled out in Clause 21 of the TBNOA:
Only a token’s true beneficial owner or a voting Proxy recorded on the blockchain may vote tokens. Any Member holding tokens in trust for another beneficial owner, such as a centralized exchange, may not cast votes for or assign to a Proxy such tokens.
Exchanges do not have the right to vote TLOS tokens owned by their customers. The Telos block producers have made each exchange listing TLOS aware of this rule and to date, each exchange has understood this and has not voted any tokens. Of course, that was the same situation with these exchanges on STEEM, so a document alone cannot be relied upon. The Telos block producers have additional tools available.
Preventing sock puppet delegate nodes
DPoS chains are operated by validator nodes that are empowered through the delegated votes of staked tokens on their chains. On STEEM these delegates are called Witnesses and on Telos, Block Producers, but they play essentially the same role. Once voted into power, these delegates can perform a wide variety of actions by a supermajority vote of about 67%. However, it requires a number of delegates and to pull off a coordinated attack requires these delegates to be controlled by the same organization or colluding organizations.
The attack on STEEM required not just the large majority of staked token votes, but also collusion from 20 witness nodes. Each of the witness nodes that took part in the STEEM takeover was newly registered in in February 2020 and were quite obviously colluding.
Aware of this potential exploit, Telos governance addresses it in a number of ways. First, Telos block producer organizations must identify their owners. Further, no one may own any part (5% or more) of more than one block producer. This is documented in the Telos Regproducer Agreement (Clause 17) that each block producer signs as part of registration on the network. Telos block producers are also not permitted to collude (Clause 11).
Further, the Regproducer agreement (Clause 13) requires compliance with the Block Producer Minimum Requirements, one of which is to produce blocks for at least 7 days on the Telos testnet before registering on the Telos mainnet as a block producer.
Together, these rules and requirements mean that it is very difficult for new block producer to come onto the network without being scrutinized for compliance. All current block producers have followed these rules and the small number of block producers that failed to comply were removed by the prescribed enforcement actions. Block producers who have not met the 7-day minimum requirement on testnet are typically removed or self-remove when they discover this until the requirement is met. This becomes a crucial first opportunity to notice and engage with potential bad actor block producers. During this time, block producer candidates are required to disclose their ownership and show compliance with all other requirements. This creates an opportunity to search for signs of co-ownership across entities. If signs of this arise, further scrutiny is brought. In the past, the Telos block producers have removed candidates due to strong evidence of single entities owning more than one block producer. Once removed, these nodes are kicked from the network for an amount of time prescribed in the Regproducer agreement.
In order to execute a network takeover of Telos, at least 15 coordinated new block producer candidates would need to be brought onto the network, which is highly unlikely given that the Telos governance rules give block producers time, authority and mechanisms to assess new block producers for signs of co-ownership or collusion and react before an attack could be carried out. If an attacker instead chose to acquire or coerce existing block producers to be complicit in the scheme, there is a high likelihood that at least one would reject such overtures and alert the other block producers.
Telos tokenomics
Telos launched with a flat economic token distribution compared to most cryptocurrencies. Despite some subsequent large acquisitions by a few accounts, the distribution remains enviably egalitarian. This contributes to a voter base of small accounts that determine the Telos top 21 block producers. The top eight Telos block producers each have more than 64 million votes. To break 15 new nodes into the top 21 block producers, therefore, in addition to onboarding these block producers without revealing their collusion and/or co-ownership, an entity seeking to take over Telos would need to control the voting of at least 64 million TLOS. However, Telos has one of the lowest token supplies among DPoS chains, with just 355,208,371 tokens of which 114,002,154 are currently liquid (of which 66% are stored in REX for 15.7% staking rewards). High REX staking rewards have proven to be an effective method of limiting the amount of TLOS available for exchange.
An attempt to purchase the 64 million TLOS would require an attacker to quickly deplete all TLOS sell orders on every exchange without coming anywhere near the goal. These and further purchases would certainly drive the price of TLOS token up significantly and the rapidly increasing price and ensuing FOMO would further increase this price runup. It is difficult to calculate the cost of acquiring essentially 60% of the available TLOS tokens, but it would be an expensive venture and one likely to rouse interest within the community.
Large voter coordination
While Telos is a highly decentralized blockchain without collusion, in the face of an overt attack, key stakeholders in the network could be expected to work together for a limited time needed to fend off the overthrow. Like many chains, some of the larger token holders on Telos are the original launch group and current block producers who already have strong working relationships that would prove to be an asset in a time of attack. In addition to the other channels of communication that they use, Telos block producers must all provide working emergency telephone numbers and email addresses as a minimum requirement and these are checked periodically to ensure general compliance — so coordination could be swift. While the stake of large TLOS holders is proportionately small compared to many more centralized chains, they are adequate to temporarily present an even more formidable front against takeover once alerted to this rise in centralized token ownership and the appearance of 15 new block producers. This would most likely be expressed in shoring up the stake of block producers lower on the top 21 list. Factoring in this temporary coordination of large holders and proxies the amount of TLOS needed to control the network is likely to be even higher than 64 million.
Network destruction attempts
Finally, we must consider that the aims of such a hostile takeover might be to destroy the chain rather than to seize control. This can be accomplished on a DPoS blockchain by gaining control of about 38% of the active block producers. On a chain like Telos or EOS with 21 block producers in the schedule at any time, this requires eight colluding block producers to get into a position of be in the top 21 and then destroy their signing keys in a coordinated move over a short period of time. Telos is designed to remove block producers that do not produce blocks over about a two hour period so all eight would need to destroy their keys prior to any of them being kicked for missed blocks. Without recovering at least one of those eight signing keys, the chain would not be able to move forward and its current form would become nonviable.
Telos would, of course, use all of the aforementioned protections to prevent this. There is a significant disincentive for anyone to perform such an attack as they would need to purchase nearly the same amount of TLOS tokens needed to take over the network with 15 block producers, but they would destroy all value they had invested in the process.
Following such an destruction of the network, the remaining Telos block producers would have the ability to revert to their most recent common backup state that did not include all eight malicious block producers. These backups occur regularly on Telos and would likely occur on a rolling basis every 5–10 minutes once the chain was alerted to a scuttling attempt. The outcome would likely be that the non-colluding block producers would roll back the chain to a state not long before the previous chain was destroyed. All transactions would be retained except for the brief period between the last backup and the attack. The block producers would then likely fork off a new chain at this point, zeroing out the balances of the colluding block producers and all those that voted for them at the time of the attack as a penalty. (This would probably first occur as a freeze of these accounts pending an arbitrator action under the Telos Resolve dispute resolution process.) As such, the effects of an attempt to destroy the Telos network would be short lived and come at a high cost to the attackers.
Conclusion
I hope that this explanation of some of the protections built into Telos governance can ease concerns among the Telos community about an attack such as the one that occurred today against the STEEM blockchain. Of course, the greatest protection offered by the Telos governance system is the ability for the highly engaged Telos community to propose and vote to adopt changes to the operations or governance of the chain and adapt to such threats. This gives Telos unparalleled power to protect itself while maintaining decentralization and participatory governance.
