Sort:  

Steem is designed for an easy 1/3 + 1 attack. What is more, it's designed through the multivote rule to be 100% controlled by a very small number of top SP holders.

I've asked in comments several witnesses about opinion. If I'm not mistaken, none did.

@lukestokes Are you OK with the 30 for 1 centralization rule? https://steempeak.com/palnet/@hotbit/steem-blockchain-multivote-security-vulnerability

Why no community witness had the courage to express his support or the lack of thereof for the centralization multivote rule?

The nature of the issue of with imbalance caused by the witness voting setup has been discussed publicly ad nauseum in the past by me (a witness) and numerous other people. It is true that I personally have never heard some of the top witnesses comment on it, but then I haven't heard some of them comment on much at all.

Solutions to prevent this will be explored. I'm not yet convinced 1t1v (one token, one vote) is the best approach, but it may be an improvement.

As shown in my article, current voting rules cause centralization and recently allowed exchanges to set up all 20 top witnesses.

Interesting, that community witnesses talk a lot about decentralization but avoid any discussion about the power centralizing voting rule.
Another similar post didn't get much traction among the big guys either or didn't get upvotes from the big guys either.

When I brought it up years ago, crickets.

I have been involved in conversations on the EOS side of things about this also and though 1t1v may be better, what high value DPoS chains are using that approach now? Making changes can introduce risks.

I agree, this needs to be talked about more, especially now.

You are the (almost) only one from the people somewhere on the witnesses list who addressed this issue at all.
Thumbs up for this. Thanks.

From my perspective of small fry, it's a delicate political issue the majority of people (witnesses) do not want to talk about in public.

A hard cap limit on mvests witness influence per account in combination with limited number of votes or 1t1v is an improvement.

Steem is designed for an easy 1/3 + 1 attack.

That is very innacurate...1/3 +1 only gives the "attacker" the ability to block a hardfork but you cannot takeover consensus...for that you need 2/3 +1.

What is more, it's designed through the multivote rule to be 100% controlled by a very small number of top SP holders.

It designed for the majority stake to dictate consensus. The number of accounts holding the SP is irrelevant to the consensus logic. This favors centralization.

The real threat is voter apathy. Before this whole incident started only about 28% of the stake was voting (it might have been less so I might be wrong on the exact number). With that level of participation and combined with the 30 vote rule you only need 29% of the stake to take over the witness positions.

Mix in some colusion with exchanges and you have exposed the DPOS vulnerabilities.

The solution seems obvious...limit the number of seats that an account can vote on and incentivize voting (maybe direct a portion of the inflation for that). Although limiting the amount of positions introduces other risks (such as the blockchain forking if no one can control consensus).

"...for that you need 2/3 +1..."

No. All you need is 51% of stake voting. That is what determines how many witnesses control consensus.

Worse, the weight of stake is currently subject to vast multiplication via the 30 votes availed stakeholders. To wit:

User A has 1M Steem. Casting 30 witness votes worth 1M Steem each gives them 30M Steem influence on governance. User B has 100 Steem. Casting 30 witness votes gives them 3000 Steem influence on governance.

The difference between the stake held by these users is 999,900 Steem. The difference between their influence on governance is 29,997,000 Steem. This multiplication of stake weight dramatically centralizes influence on governance, which consensus witnesses have failed to previously resolve.

Clearly, this is a problem, and strongly lends support to accusations of corruption of Steem governance. It's long past time for this deception and centralization of Steem governance to end - possibly too late to save the Steem community from the Sybil attack it has promoted. Other limitations on stake influence on governance is necessary, but accurate weighting of stake influencing governance is absolutely a necessary component of securing Steem from Sybil attacks.

I am provided estimates of Tron's present stake of ~100M Steem. This theoretically enables Tron to deploy 3B Steem influence on governance. That is utterly untenable now, or ever.

That is correct with the current voting rules.

That is very innacurate...1/3 +1 only gives the "attacker" ...

https://steempeak.com/steemtron/@lauch3d/there-is-no-51-attack-in-steem

Good thing we can agree on reducing the number of witness candidates a vote can be cast on. Most importantly, should be 1SP = 1 vote. One can vote on 5 candidates, but each would get only 0.2SP worth of votes.
30 is too many, no average person can make an educated decision about so many candidates. See my post for the details.

The workaround against both options is to simply split the stake to different accounts. Both make it more difficult to overtake the chain with a minority stake but it's better than the alternative.

The current setup allows for a 51% attack instead of the theoretical 2/3 +1 that is needed today...that is very clear.

Limiting the number of blockproducers that a stakeholder can determine has other tradeoffs so it's a complex problem.

The workaround against both options is to simply split the stake to different accounts.

No, it's not. See A splitting stake to A1 and A2 in my article. He can maximize usage of his stake, but still unable to take all the seats.

Limiting the number of blockproducers that a stakeholder can determine has other tradeoffs so it's a complex problem.

If you can point out these tradeoffs. I can't see any. 1 SP = 1 vote simply allows for better decentralisation. JS made an educated decision about 20 candidates, but the average person would not :)

I can imagine a situation where 2 or 3 different versions of the code are running side by side that create different forks that do not agree on the last irreversible block. Each version being supported by different cartels with no clear way of breaking the tie.

this.

Maybe witness will finally understand this after the shitshow is over and finally securing the chain as intended.

Maybe not...

Are there other high value DPoS chains doing 1t1v?

I'm open to pushing for changes, for sure, but please also recognize exchanges voting with customer stake to Sybil attack a chain is unprecedented. It was always a theoretical risk, but was previously considered low probability.

I can't offer a solution at the moment because i haven't spent enought time to research. But there a good start to solve is the fact that 1 stake can vote 30 times. The bigger stakes are the ones defining who are the witnessess. It would be like whoever got the most money decided who the country congressman are.

There is consensus, but no discussion if all congressman have the same agenda.

But using exchanges stakes to help the attack is no different than buying a shitton of tokens and doing the same thing.

Even if it was a theoretical risk with low probability it was a risk with high damage effect.

In risk management you don't only consider the probability, but how big is the damage if that event happen.

Is that design more aligned to a republic or democracy type system?

Each user must decide for himself in what proportion he makes to divide the votes for witnesses. He can vote for only one or break own vote into 30 parts - that's his personal right. I think the current DPOS system is far from ideal and pretty unfair.

How do you suggest we improve it?

As they wrote, change to one account only gets one vote; or votes correspond to their original SP, and one can vote to one single witness or divide it into any proportion as one like, then votes to any number of witness.

I think the one vote Idea will be a problem, because you could create several accounts and make a vote. I guess the second Idea is the better and fairest one.

No. That don't actually matter, cause the votes are original SP weighted. More accounts with the same SP don't have more effect.

I know, but I mean it wouldn't make much sense to have the first option because you could only make one vote based on your SP, but you could still split your SP into several accounts ( with less voting power on each account) with the possibility (all accounts together) to vote for more than one witness. That's why I think the second option would be better because it would prevent people from creating more accounts than actually needed and it is easier for the user to handle one account than two or more.

I think he listed some suggestions in the beginning of his comment.

Sorry @lukestokes but what is happening is a consequence of the witnessess actions.

Yes, Justin Sun did a shitty move, and it was an attack.

But this kind of attack was possible because you witnessess ignored the problem for a long time.

And you can't say that this was never brought up. But witnessess attitude were "Nah... It's fine"

Isn't it time for the witnessess to also be honest and own their own mistakes?

You got the community (including me) backing you guys up in this situation, but after this crisis end, well....

I don't think witnesses thought everything was fine because last year some considered hard forking out the steemit stake which may have been a far worse fiasco than this. I did not support it.

But you are correct. This happened on our watch. We took what action we could to protect the chain and something unprecedented happened where exchanges powered up and voted in sock puppets in a Sybil attack. That can happen right now to just about any DPoS chain. Hopefully we can improve DPoS governance to prevent this in the future.

What do you think we should have done instead? Forked out the stake? Done nothing to counter the statements made by Tron about moving everything over to their blockchain without even consulting the witnesses or the community?

I see a lot of complaining lately, but what would you have done if you were a witness? What would have been a better course of action to protect the chain?

If you say reach out and talk first, that's exactly what I tried to do. A mutual friend got me in touch with Justin (thought it took a few days). An email dialog started on Sun, Feb 23. He replied on Tue, Feb 25 saying Roy would reach out to me. I heard nothing for 7 days until I sent a follow up email, but by then the v0.22.2 softfork and v0.22.5 softfork and chain takeover were already done (along with the damage).

I would sincerely like to know what you think witnesses could have done better?

Loading...

Me, OK with Justin executing a coup d'état? No. But he doesn't listen to me.

Is CZ ok with this attack by Justin?

I have engaged with you in the past about this specific threat. ~Two years ago you and other consensus witnesses did not act to prevent this threat when I came to understand and discuss it. The responses I received generally took the form 'We do not agree' I got from @timcliff (or @smooth. Maybe you. Memory fails me atm).

Here we are. While that is in the past, I reckon it is important to acknowledge our failures and limitations in order to move forward based on real and factual data.

I don't care about acknowledgment, and am not here to say 'I told you so', but I do want to pierce the veil of nescience regarding foreknowledge. The fact is that during the entire existence of Steem, the founder's stake has been a threat of Sybil attack, and if the threat of majority stake effecting a 51% attack is not utterly eliminated going forward, there is no possibility of Steem being secure from Sybil attacks.

We (the Steem community) may or may not survive this attack. If we do, failing to prevent this vector for Sybil attacks will simply leave Steem as vulnerable to destruction as it has always been. The next thing I want from witnesses, while ongoing attempts to secure the chain continue, is specific proposals to eliminate this threat. You may find it useful to consider my recommendations from our prior discussions in order to reconsider their potential for success, or eliminate them from consideration as lacking potential to resolve the problem.

The witnesses that have been continually in the consensus for these last several years have profited (insofar as witnessing is profitable) from the centralizing multiplication of stake weight the current witness voting mechanism employs. It is difficult to dismiss this fact considering the potential of witnesses to actually secure the blockchain going forward, but since it's an existential matter presently (as far as Steem is concerned) I expect it is necessary and possible.

Starting with 1 Steem = 1 witness vote (or 100% VP depletion without recharge for witness votes), and executing code preventing exchanges from voting on witnesses, how do we secure Steem from this threat?

Thanks!

Are there other high value DPoS chains using 1t1v?

Major stake holders who think 1t1v is the correct way to secure the chain should announce they will only vote for witnesses who will push for this change to be made.

"Are there other high value DPoS chains using 1t1v?"

I dunno. I only care about Steem.

While you're right in your next statement, that's about the kind of commitment we have been hearing from Roy Liu regarding powering down the exchanges and withdrawing Tron's puppet witnesses.

Do please differentiate yourself from Roy. I'd like your forthright consideration, not lawyerspeak.

Saying, "I don't know" but advocating for an untested change to be implemented doesn't work. 1t1v may actually be ideal, but until things are really thought through and tested, it could end up being a bad change and the witnesses would again be blamed for moving too quickly or going with changes that haven't been shown to be successful elsewhere.

Maybe EOS will go to 1t1v before Steem, and we'll learn a lot from them. I don't know.

You are the parties, you witnesses, we Steemers have elected to understand and effect necessary governance of the chain.

Please assess the facts and take a position based on your understanding - and not whatever some other chain I have no interest in or governance of does or doesn't do - so that Steem can proceed to deal with novel circumstances that aren't replicated elsewhere.

The math is simple. Make a decision and take a stand, which is what Steem needs from it's governance now. Failing to do this will result in delivery of the chain to it's extant majority stakeholder, as has been made clear. Even implementing 1t1v is not proposed to prevent that stake advantage. All it does make possible is accurately weighting the stake of voters per their holdings. Sun's stake is magnified 30x by 1t30v, and that's the present circumstance.

I think that before pushing for an solution we must examine the problem using a solid game theory model. Else we riak introducing other attack vectors. EDIT: having stake does not equal knowing what is the best solution.

"having stake does not equal knowing what is the best solution."

No, but it sure equals the power to ram your favored solution/problem through. Pretty sure that's what @lukestoke's reply meant.

Find a better approach to governance that DPoS stake-weighted voting and it can be seriously explored. I have yet to see one that doesn't have much more serious problems (like China's centrally controlled reputation system). Read Skin in the Game for a deeper understanding for what stake-weight does have some value (but I agree, is far from perfect, especially for those who have skin in the game in other formats outside of token holdings).

Availed of the same grasp of alternate political mechanisms as you discuess, I do not propose any of them. All I am proposing is the equalization of stake undertaking governance of Steem, by eliminating the 30x multiplication of the weight of substantial stake - such as held by Tron now - over governance.

Accurately weighting our skin in the game is all I presently advocate, not replacing it with some other mechanism. It's a simple thing, and confounds potential abusers of the extant system, such as we are demonstrably and existentially threatened by today as a currency and society.

Who is more stupid:

A girl with Dawn Syndrome or Extreme Communists who don't understand basic economy?

image.png

P.S. PARTY COMMISARS, DO FLAG YOURSELVES

I don´t understand why people are upset, when exchanges use customers stake for voting. Everyone in the crypto-community knows the drill: NOT YOUR KEY = NOT YOUR COINS. So why would anyone who cares about votings in the commuity leave their stack on an exchange.
And the people who did leave it on an exchange DID their vote. They voted for not really taking care what happens with their stake. Anyone should simply stop whining.

No!!

Steem was Sybil attacked.
Steemit and Justin Sun did it.

Are you okay with that?

No, Sybil Attack ain't cool, but a clear situation/case is something else...

Thank you for taking the time to explain these things. Have a wonderful time with your friends that are visiting. I personally would love to be in Puerto Rico right now. It is cold up here in Pennsylvania!

We had a beautiful time at Charco El Hippie today. :)

Stay warm, Sgt. :)

I'll guess, what should be on the table is...
Q: should exchanges have the ability to power up Steem or not?

That's certainly part of what is being discussed to prevent this from happening again in the future.

If you stop them, couldn't they just transfer it to another account that can power up?

I wouldn't call it a true DDOS-style sybil attack. It's more a stake weighted-sybil attack.

It involved pseudonymous identities representing 20 individual witnesses when in actuality they were all controlled by one person. That, to me, is clearly and irrefutably a Sybil attack. And yes, it was definitely stake-based as that's how DPoS works.

Yeah. I thought sybil just meant lots of fake accounts or an attack vector along those lines.

The good news is that something like this brings us together to vote and to fight for a thing that we share a bond over, Steem.

Above my "pay-grade", not a coder.

Possible interesting reading on matter at hand: https://hackernoon.com/notes-on-blockchain-governance-ob65o3pod

I resteemd/reblogged this post so more people can join the conversation and move forward with solutions. I can't comment more because the previous replies were so good. ☮️✌️

The attack came from the inside out. Using the community fund to attacked the community core. However, the community managed to hold the ground.

Whatever happens we really need to find a way to stop this kind of thing happening again. Nobody should be able to come in and buy the network.
My stake is quite small but my social stake is quite large having been here for nearly three years.
I would love to see a way that this is taken into account in the Witness votes. Something like a REP system that works and a way to use that to multiply my vote strength.
A new account, a week or two old should not be able to have such power when they don't have social skin in the game.
I wrote more about this in my latest post but it fell down the back of the Steem sofa.
(I already made this comment on another post but I think is also belongs here)

  • No one should be able to buy this network
  • Having a network that is built around a token that can be purchased

Choose one.

I think we can choose both if it is only one way to play the game.

I think we can choose
Both if it is only one
Way to play the game.

                 - ammonite


I'm a bot. I detect haiku.

That doesn't rhyme!

Yes, some ideas are being thought through by very experienced DPoS developers like @blocktrades.

Congratulations @lukestokes!
Your post was mentioned in the Steem Hit Parade in the following categories:

  • Comments - Ranked 10 with 50 comments
  • Pending payout - Ranked 5 with $ 66,03

In a Sybil attack, the attacker subverts the reputation system of a network service by creating a large number of pseudonymous identities and uses them to gain a disproportionately large influence. It is named after the subject of the book Sybil, a case study of a woman diagnosed with dissociative identity disorder.

Are you claiming the 20 witnesses pushed into consensus by a single individual were not "pseudonymous identities" but known, trusted members of the community voluntarily put into a position of leadership by the community according to the intended design of DPoS?

STEEM, clearly, is not Sybil resistant enough. This was a Sybil attack. Pretending otherwise is not defensible. If noganoo had enough stake (or enough influence to get exchanges to do what they did), he could attack the chain through this Sybil strategy just the same.

It was a bribe attack as well, and I do see your point where a fully-sybil attackable system does of course have no restrictions at all in terms of the cost of account creation and those accounts giving a single actor more vote weight. I feel you are not validating my position that the stake wasn't used just to create one witness account but directly created 20 which, according to the "sybil resistant" rules or Steem, gave them full control (or "more influence in the network" if you like) of the chain. Steem is remarkably Sybil resistant in most regards. It still got Sybil attacked because one majorly staked individual was able to act as 20 accounts. That to me is a clear Sybil attack on what should be Sybil-resistant system. We have work to fix DPoS.

Justin could vote for 1 real account + 29 community witnesses and still use his power fully.

And that would not have been a Sybil attack. He also could not take over the chain with this approach unless those 29 witnesses agreed with him. In that case, it would have been done according to the proper design of DPoS (again, not a Sybil).

Yes, he only needed 20 (technically only needed 15) to do what he wanted to do. The moment "pseudonymous identities" were used to accomplish this, it became a Sybil attack. You are a technical person who has been in this space a while and you of all people should understand this. I don't think it's at all helpful to deny what took place. What is helpful is calling it exactly what it is and figuring out how to prevent it in the future.

To your point, there are other attack vectors also demonstrated here (bribe attack, centralized custodial stake without skin in the game, etc), but the real one which broke Steem, IMO, was this Sybil attack where fake accounts were able to act as a single individual. As you say, it's supposed to be Sybil resistant. It was not in this case.