Barely two days after the eos network launched, and just one day after it stopped functioning due to a bug, the EOS Block Producing (BP) supernodes froze seven eos accounts.
One of the affected individuals says they were in eos-related Telegram groups when they were phished out of their eos through a fake registration website.
He then spoke to a member of a block producer’s staff, and other affected individuals came forward to share their stories. On June 17th the block-producing supernodes decided there was enough evidence to freeze seven accounts that together held around 2,000 EOS, worth circa $20,000.
There was unanimous agreement among all 21 BPs to undertake this action, according to EOSAmsterdam. They say:
“A new smart contract on Ethereum could prove the truthfulness of the owners of the scammed accounts. The community decided unanimously to indeed freeze the accounts.
Each of the BPs and standby BPs wished to check the evidence first. At the end they all agreed: not freezing the account would mean genuine owners would lose their EOS.”
As far as we are aware, the “community” wasn’t involved here before the decision was taken: there were no public discussions among non-block producers regarding this action, or at least none sufficient to reach our attention.
Nor was there a decision by an arbitrator, at least initially. Eos is governed through a constitution interpreted by an arbitration process.
The arbitrator found that the affected accounts had not yet made an EOS transaction, through which you bind yourself to the constitution. As they had not voluntarily agreed to the constitution, the constitution could not apply to them, and so the arbitrator said he could not make a decision.
The BPs argued that this then vested in them the right to make a decision, which they did, with a temporary arbitrator then somehow appointed. That temporary arbitrator, Sam Sapoznick, then made this order:
Google does not seem to know much about Sapoznick as far as eos is concerned, but his name is mentioned on a few occasions alongside Dan Larimer.
Before the matter reached the interim arbitrator, supernodes had written a smart contract to allow the affected individuals to sign a transaction with eth to prove they own the address that contains the affected eos tokens:
All of this was ongoing while the community was far too busy, effectively all-consumed by the network launch and the vote. The next day they had a real emergency whereby the network stopped functioning, so none of the ordinary community had any time for 2,000 eos.
They only found out the next day that this action had been taken, leading to a split in eos, with some approving and some expressing worry.
“Question to BPs: What will you do when Governments demand you to freeze accounts or seize funds?” one eoser publicly asks.
The answer was that they’d have to go through the arbitration process, and if the arbitrator disagrees with a court order then the government would have to coordinate with all other jurisdictions, and if BPs don’t comply they’d be in contempt of court if nothing else.
More pressing concerns, however, regard potentially fake claims. For a real arbitration process, there needs to be a Defence, but how does a claimant know the name or address of the person they are claiming against so that person can be notified? All they might have is just a blockchain address or in the case of eos a randomly named account.
What you’d have, therefore, is a one-way process with only the claimant. In traditional courts, where the defendant doesn’t show up or doesn’t respond, you get a default judgment. And you do so because there’s no point in spending any more time on the case: how does the judge know you’re lying unless it is obvious?
Let’s take the specific situation here and let’s devilsadvocatenode. A smart man with say 100,000 eos sets up a phishing site and in effect “hacks” himself. He then goes on telegram, says how awful it is, completely proves he was hacked, the account is frozen.
The BPs feel all good, but a person somewhere who doesn’t know much about telegram or eos arbitration suddenly can’t move their coins. We did say he is a smart man. He obviously has sold the tokens before crying to BPs.
So far, there is no gain unless he doesn’t like the person he sold the tokens to. There is no gain because the smart man still doesn’t have the 100,000 eos he sold and now claims were hacked. They have been frozen.
What happens now we do not know. The seven accounts of unregistered tokens have been frozen, but the affected parties still don’t have their eos, making the exercise somewhat pointless if it is left here.
You could say it reduces incentives for theft, but by the time the arbitration process is over those tokens have long changed owners.
In this case, as they were unregistered tokens, maybe that was not possible, because the network just launched, but the freeze did occur two days after the network was up and running.
If the matter is left here at just freezing the tokens, then the BPs would have a considerable conflict of interest because they would be reducing others’ supply, thus if demand remains constant price should rise accordingly.
To return the tokens, however, they’ll probably have to print new ones. The 2,000 is frozen, so supply doesn’t practically change, but technically the supply has changed.
With such small sums and with a precedent of sorts having been set prior to any public discussion (we only found out because BPs announced it, they could have kept silent), persuading BPs of a hack which is not really a hack would not be very difficult you’d think.
That’s especially the case if you know one of the many BP personnel. They are all humans, of course. By now they probably know each other decently, having established a nearly month-long working relationship. In their closed chatrooms it wouldn’t be very difficult, you would think, for one BP to pressure all others to agree.
So, then, if our smart hacker got so far, he has managed to sell his tokens to some poor soul, he has managed to persuade BPs to freeze that address, and he has managed to persuade them to give him the 100,000 eos that were not stolen, but now are.
This sort of system already exists, most infamously with PayPal. There, anyone can go and say they did not receive a good or service, with the seller facing a chargeback. Even there, however, the seller actually has the opportunity to respond and may be able to prove they did deliver.
Here, how is the alleged hacker notified, save perhaps by reading this article, which obviously won’t be repeated for all other cases if this becomes a common thing?
That’s not to say there aren’t extraordinary cases where an extraordinary decision has to be taken, but where it is taken even for 2,000 eos with BPs becoming a sort of customer support avenue, the potential for false positives increases to pretty much a certainty as the number of such cases increases.
If eos wants to really try immutability with considerable exceptions, then those exceptions need to be of a justifiable scale and only in cases where it is certain the funds have not changed hands.
Cases that meet that second requirement are extremely rare themselves. They would happen only if the funds are somehow frozen due to a bug or due to how the smart contract is set up.
Such as in the case of the Slockit DAO, for example, where the funds were frozen and could not be moved by the thief for some period of months, or in the case of the Parity multi-sig bug, which froze the coins in a way that they cannot possibly be moved.
Where there is a hack, however, like in Mt. Gox or other cases, like in Bithumb just recently or like here with these seven accounts, as the funds are easily transferable they would change hands, leaving potentially innocent third parties without their assets.
Even in the traditional system, if an innocent party receives money from a thief without knowing that it is stolen money, they get to keep it because it is their money, obviously. They might have sold a car to the thief, for example, or maybe the thief did their weekly shopping at the supermarket with the stolen money.
Such things, therefore, cannot be rushed, as they have been in this case, and the initial arbitrator’s judgment, which effectively amounted to a no, should have been upheld.
Moreover, if such a decision is taken, all of it should be public, including the evidence etc., as it is in a proper court for most cases, because the eos public needs to trust the BPs’ decision with some evidence and full transparency.