Centralized Single Point Of Failure - swap_identity #39

Open
FreeTrade opened this issue Jun 18, 2021 · 6 comments

@FreeTrade

There exist 7 superuser accounts defined in 'ParamUpdaterPublicKeys'.

These accounts can be used to create 'SWAP_IDENTITY' actions that can re-assign any account's username (and coin balances?) to another account. This allows any account on the platform to be cancellable by any of the superuser accounts. Having such a powerful action available undermines BitClout's claim to be a decentralized platform with self-sovereign identity.

Recommendation: Remove swap_identity and superuser accounts as soon as possible.

@kakegu

kakegu commented Jun 18, 2021

> There exist 7 superuser accounts defined in 'ParamUpdaterPublicKeys'.
>
> These accounts can be used to create 'SWAP_IDENTITY' actions that can re-assign any account's username (and coin balances?) to another account. This allows any account on the platform to be cancellable by any of the superuser accounts. Having such a powerful action available undermines BitClout's claim to be a decentralized platform with self-sovereign identity.
>
> Recommendation: Remove swap_identity and superuser accounts as soon as possible.

Absolutely agree with this.

@dgsus

dgsus commented Jun 19, 2021

This is most likely here while the network is maturing.

Having said this, I would love to read an estimated time for its removal by the dev team.

@vbmach

vbmach commented Jun 28, 2021

@maebeam any thoughts on this? I understand why we need to have them for now, but it would be a great way to build some more trust if the core team can share a roadmap for this issue.

Some of the startup teams I've worked at use the following framework: they write up a press release about what needs to be delivered 6 months from now, and it serves as a great primer for a user to see what's upcoming and why it matters. It also forces the team to put their short-term vision down in writing.

My 2 cents :)

@Barnacules

They claim this is all open source now yet their infrastructure is still required on the backend calls for tons of stuff like identity and blockchain manipulation outside what should be allowed. I'm really growing tired of this scam 🤦‍♂️

@Barnacules

> There exist 7 superuser accounts defined in 'ParamUpdaterPublicKeys'.
>
> These accounts can be used to create 'SWAP_IDENTITY' actions that can re-assign any account's username (and coin balances?) to another account. This allows any account on the platform to be cancellable by any of the superuser accounts. Having such a powerful action available undermines BitClout's claim to be a decentralized platform with self-sovereign identity.
>
> Recommendation: Remove swap_identity and superuser accounts as soon as possible.

I wish more people would hold them accountable like you. This entire platform has so many shady things they lie about constantly on Twitter and in their documentation that is only found by technical people paying attention. If they don't resolve these issues and stop keeping full control of everything nobody can ever trust this system. I feel bad for people who got hoodwinked into this and have a bunch of money tied up who now just have to hope for the best and blindly promote the platform hoping for a return one day. Thanks for bringing attention to these very severe issues 🙏 Hit me up on Twitter anytime @Barnacules, I was sick of them censoring me so I do all communication there 👍🏻

@FreeTrade
Author

So an FAQ was published a few days ago that includes an update on this issue -
https://docs.bitclout.com/faq/bitclout-faq#can-bitclout-com-access-my-private-keys-if-im-a-normal-user

> it is important to mention that profiles and creator coins (not $CLOUT) can be recovered by certain ParamUpdater public keys using a SWAP_IDENTITY transaction type that the core dev team intends to remove after an initial bootstrapping phase.

So the claim is that only creator coins are affected by this and not the underlying coins. Also that they intend to remove it, but without a firm timeline.
