EIP 867: Standardized Ethereum Recovery Proposals
jaytoday opened this issue · 142 comments
Reopening for discussion (/issues/867 redirects to the pull request)
Here's the unintended consequence of having a readily available, well documented, and standardized tool like this available:
Donald Trump's Ethereum address is 0x34987109857123409734097497. You just have to click on this script to take his money away.
@fulldecent this would require massive coordination among people running clients to succeed, essentially like any other kind of 51% attack. And to further eliminate the possibility of such a thing occurring it would be possible to put in place certain hardcoded safeguards, mainly in the interest of stopping people from even attempting this sort of thing thinking it has any chance of working. One idea that has been floated is a checksum in the state change objects that would only be generated when a legitimate ERP process has been successfully approved.
As one of the coauthors of the proposal, I can safely speak for all of us in saying we definitely don't want any possibility for this tool to be usable for taking people's money away from them.
Since any given recovery proposal may result in an economic fork if implemented by clients, and the first one to be implemented undoubtedly will, an ERP should also specify an alternative network ID to minimize disruption.
I'm not sure what the process would be for deciding which fork gets the existing network ID and which one uses the new ID, but I guess that's outside the scope of this EIP.
IMHO, all changes should update the network ID. The baseline is no network ID change. Technically we would stop using the term "hard fork" and then call it "new version".
Yes, this is version number bloat.
Semver already provide ample support for bloating version numbers before making rather than making changes with the same version number.
I think forking is easier, better and preferable to a bureaucratic process.
As you point out, this proposal is just the Tyranny of the Majority
this would require massive coordination among people running clients to succeed, essentially like any other kind of 51% attack.
I can misunderstand too. But I see forking as the solution to immutable history if you disagree with the history.
Furthermore, I think this fundamentally misunderstands the point of cryptocurrency. A major appeal, for me, is the push vs pull type of transaction. This breaks that. Because now the network has a pull transaction that can take money from anyone - just like banking. Then I don't technically own my coins. The people who can vote to take them do.
I don't think I support this on any grounds but I can be educated if I am completely missing the point.
Let me just make sure I understand what this is EIP is about; 'Let's standardize the way that we can react to any DAO-type events?'
That's like asking 'let's create a process for using our get out of jail free card' ignoring the fact that you only get one get out of jail free card.
If this EIP is implemented it's as good as saying 'yes we'll hard fork again to recover lost funds'. This kills the trustless nature of the chain. That kills the chain itself. There's no reason to have this EIP unless you want to initiate such recoveries.
Given the community split around this EIP, and its potential for major damage, is it possible to have a wider RFC for the broader community?
Personally, I cannot find words to express how strongly I am against this proposal, and many people from the Reddit community seem to share this opinion. I would strongly urge to somehow gather the opinion from the broader community on this topic before this is even considered.
First, I'm sorry for your lost and all others who lost ETH in parity bug or others who had lost eth in the wild.
Second, I am really scared by what I'm reading on this EIP(I'm a sysadmin so no blockchain/coder skilled guy). If I get this right, you are proposing a way to submit, let's use the right word, a request to revert transaction or refund ETH and that not only for a one time deal but as a standard process ? We should probably forget about Ethereum and use a spreadsheet so it could be easier to correct error ?
Ethereum survived the DAO Fork and I think it was necessary at the time, but this, this is not what "we" are building. I don't think you'll get a lot of people on board with that kind of idea other than those who will benefit, indeed.
I hope the community will speak it's word, even if you are not a technical person and you can at least understand the repercussion of this for the entire Ethereum project.
Write a comment here with your thought, as Ethereum will grow more money will come in and "attack" like this to the immutability of the TX will happend, we need to standup and speak, either for or against but this is a crucial question. If 10 eth is stuck somewhere now, it's a 10kUSD lost you might live with it, but think about how many of those proposal we'll see if eth is worth 5k or 10k one day ?
I am also against this proposal. An irregular state change should be by definition, irregular. This EIP is an attempt to standardize irregular state changes, making them regular state changes. There is no possible way everyone in the community will be able to read/digest/vote on all manual state-changes going forward if this EIP is accepted - reducing the decentralization of the platform. There should be no standard for making an irregular state-change. They should be so infrequent that none is needed. When a significant event does occur prompting calls for a reversion by the community there will be sufficient discussion already around the pros and cons of the choice.
I have to agree with all the other users against this proposal. Issues like the ones this claims to "help" are the very thing we should not be standardising. These are exceptional issues and should only be considered when the community has a calling for it. Not when some "standard form" you fill out gets sent to some group and agreed on.
I should also say, what happens with finality? If you plan to make a system where reversions are impossible after x blocks, how can this system work? You would have a set time to rush the request through a body in order to keep finality.
I am 100% against this as a long-time eth miner and supporter
This is nothing that should be on the Ethereum network.
This proposal defeats the whole point of PoW/PoS. A network with users that accept that an "EIP Editor" can change balances at will could as well use that "EIP Editor" to order transactions.
No matter how much we hate this proposal, please keep the discussion civil. While I agree with your sentiment, there are other words that can be used to express that opinion.
@nootropicat @justbotrelatedthings
This is not a place for profanity. If you can't keep it civil, don't say it
100% opposed to this EIP it's very damaging to the future of Ethereum.
The ERP author may indicate in the ERP comments when he/she believes there is sufficient support and request a review by an EIP editor (see EIP-1 for details)
I am curious as to how having EIP Editors could effect the centralization of the platform. Can anyone direct me to this EIP-1?
I don't support this. This sort of things shouldn't be built into the blockchain. If people really want to see this sort of capability I recommend letting dApps or DAOs handle this. That way, people can opt in our out such provisions.
Do not support this
@brenthompson2: EIP-1 is available here. It deals with the format of EIPs.
I'll chime in with the others here, and say I oppose this proposal. Standardizing the reversal of transactions on the blockchain cannot possibly end well, even moreso when a small group of people are relied on entirely to do so.
I am 100% against this proposal as an ETH holder and supporter. Since coming into the crypto world, I've believed in ETH and ETH only because I believed that it wouldn't pass proposals like this.
To be clear, I support open discussions about proposals like this, and I commend the Parity team for opening the dialogue.
That being said, beyond the concerns about standardizing an explicitly non-standard change to the network, the proposal has two fatal flaws in the approval process:
- The ERP author is given the sole responsibility to collect evidence of support.
While I understand that the ERP author has the most motivation to collect support, the proposal doesn't account for how the author will likely give a biased account. This doesn't sit well with me at all. Generally, we can expect the author stands to gain from recovery. Shouldn't there be opposing sides presenting evidence, especially when such a decision can effect the overall value of the network?
The Parity funds is a great example. Unlike the DAO, it's not a system-breaking amount of ETH. We could do nothing, and the network would not be affected. There are also credible risks for allowing such a proposal to go through. As such, it behooves the network to have some sort of devil's advocate which fights against these types of requests. This system is not described in the EIP as presented.
- The EIP editor is made to be the sole arbiter of acceptance.
First, the EIP editor position is not answerable to the Ethereum community. They should not be given the responsibility to decide arbitrarily on what cases deserve fund recovery and what cases do not. The guidelines given in the EIP are extremely vague as to what constitutes a valid request, and it's effectively up to the EIP editor's judgment to make a decision. I didn't have a say on electing the EIP editor nor did I have a say in allowing them to to make this decision. No one else did either (outside the foundation).
Second, there's no determined threshold of what's reviewable by the EIP editor. Is it the EIP editor's responsibility to weed through all the proposals that are essentially "I lost my private keys?" If so, this seems like a massive waste of an EIP editor's time, especially when the job of the EIP editor is so critical to the continued technical development of the system. Not only does the EIP editor become a bottleneck for ERP requests, he/she also slows down continued technical development.
In conclusion, I vehemently against this proposal because I believe it allows for biased submissions of ERPs and puts undue burdens on the shoulders of EIP editors.
Better than good example:
A crowdsale run by XYZ incorrectly published the testnet address of their crowdsale contract to their public website a week before the start of their crowdsale. Everybody had plenty of time to check for verified code at etherscan, and for a public audit referencing the production address. It quickly became apparent that XYZ had published the wrong address, so they corrected that and everything was fine.
We should not compromise immutability just for the sake of providing safety nets for irresponsible behavior, because there will be no end to it and Ethereum will turn into mush.
We have best practices which are able to prevent many of the issues we've seen. One of those best practices is third-party audits on the final production code. Audits will be more difficult if auditors have to consider whether any nefarious but innocent-looking state changes could be snuck by the overworked judges.
If something happens which is so exceptionally bad that a large majority of the community comes together to fix that special case with a fork, then it's probably worth fixing. That's a high bar, and it should be a high bar.
I'm opposed to this EIP.
sorry guys but im absolute against this proposal ! - if this goes trough, then ethereum has lost all its credibillity for me :(
I am frankly surprised there would be even so much as a proposal of this sort. I think a EIP to recover any funds is a slippery slope, one in fully enacted will thwart the viability and core advantages of Ethereum. I am strongly opposed to this proposal as it hinders the immuabilty of EIP and will leave to external forces co-oping the network, governments, corporations, rouge entities, if it were approved and accepted into the network.
Opposed.
So a movement so dedicated to decentralization is trying to allow the opposite to slowly creep in because of expensive growing pains. Not the right means of going about it.
Let's see if the community's opinion actually matters.
Supporting and implementing this ERP proposal is setting a bad precedent that in future will most likely open up a range of problems. The only reason Ethereum would require this ERP is because there is overwhelming expectation of future occurrences of lost funds. It creates a "Lost Funds" help desk for Ethereum. Is that really what people want?
I believe that establishing this ERP will create two adverse side-effects; 1. development standards will lower because a safety net is being put under bad development practice that could require an ERP and 2. lowering confidence in Ethereum by users because this is telling users that it is almost guaranteed that lost funds will happen again. Lost fund recovery will become a design feature of Ethereum. If this happens, there needs to be a fundamental rethink of Ethereum's value proposition.
I'm very much against this. I can't put it any better than @jstoxrocky above or Alex van de Sande in the following link:
#867 (comment)
Also this reply on reddit:
https://www.reddit.com/r/ethereum/comments/7xsjps/who_can_recover_stuck_funds_on_ethereum_yoichi/duaywit/
It starts with:
'The whole discussion makes no sense. If ERP, any ERP, gets merged into Ethereum we've just created the equivalent of civil forfeiture but with even less oversight and way easier to manipulate.'
As a huge Ethereum fan, I am 100% opposed to anything of this sort. A blockchain that can be retroactively edited defeats the entire purpose of the blockchain.
Frankly, I'm disappointed to even see this as a proposal. There's no end to the damage to crypto this kind of thing would do in the long run.
This goes against everything I thought this movement was for
This is introducing censorship by the back door
You are suggesting the following people should have the power to be censors of the network:
People or organizations that have a demonstrable history within the Ethereum community that are unaffected by the issue but may serve as relatively impartial adjudicators
Christopher Hitchens on choosing someone to be a censor:
Who's going to decide....who will you appoint? Who's going to say - I know exactly where the limit should be, how far you can go and when you've gone too far, and I'll decide. Who do you know? Who have you heard of? Who have you read about in history to who you would give that job?
This is censorship no matter how nicely or sinisterly you put it.
This is wrong for so many reasons besides the moral hazard of fund recovery. The issue is much deeper and goes to the heart of what a decentralized network is. We do not pick winners and losers, we do not pick kings and rulers, and so we do not pick people or organizations as the "adjudicators" no matter how impartial you think they are. I am surprised that this even made it this far...
Sad but unsurprised about this, it was going to be proposed at some point... I really hope this doesn't get implemented. If we allow humans to submit (potentially biased) ERPs and put EIP editors in a position to get bribed then we're basically killing the fairness of the ecosystem.
Looks like we're having a Star Wars Battlefront / Darth Vader moment in the EIP process!
@faustow Couldn't agree more. Bribery is a great angle to review this proposal. In a (not-so) dystopian world, what's stopping an "EIP editor" from effectively be a paid position where everyone who had lost money would pay the editor a cut to rubberstamp their ERP? (edited typo)
We've got no way to confirm whether an EIP editor is getting bribed, and we're basically asking for this to happen by putting editors in charge of decision-making without due process.
I vehemently oppose this!
While I feel for anyone who lost funds, I can’t express enough how against this I am. In fact - if this goes through I am out.
I oppose this as well.
Honestly it seems like someone is pushing for this as it's definitely against the beliefs of the majority of the users. It's clearly a step away from decentralization, I wanna vote against this somehow.
Oppose 👎
@jamslevy I put this challenge out to the authors of this proposal and anyone reading to name me one specific person or group of people with a 'demonstrable history within the Ethereum community' to who you would give the power to reverse transactions on the network - and then prove how we can be certain it would never create a conflict of interest.
I will send whoever does so 1 ETH
As a longtime supporter of Eth I TOTALLY OPPOSE EIP/ERP, since it run the risk of undermining:
- Neutrality
- Trustlessness
- Censorship resistance
Please reject this senseless proposal and let's try to get Yoichi back onboard.
I can't believe this is even getting considered. This is a complete disgrace to the Ethereum community, and Blockchain as a whole. I'm sorry you lost money, but WE the ETHEREUM COMMUNITY shouldn't have to pay for the fuck up of someones mistake.
The real person who is at fault here is Gav Woods (be real with yourself, who else has lost the community millions of dollars), and every other solidity developer who royally fucked up due to either ignorance, not having proper code review or whatever. make the people who lost your money pay for their mistakes not the community
The fact that this is even an EIP is scary, and an absolute joke.
edit: Seeing as how the majority of the money that has been lost in ethereum hacks can literally be attributed to one person and their company (@gavofyork) I think the proper answer is to make the people who lose your money, pay for the mistake.
I just don't see anything good in this and I was happy that this ended months ago when Parity made a post and also skipped this topic in the dev call (back then).
However it feels like that few individuals keep re-trying to get this EIP through.
I agree with Alex van de Sande @ #867 (comment)
I oppose this proposal; very surprised it's even being considered.
Opposed, close this issue.
Opposed. The responsibility to recover funds and reverse transactions is not one of the Ethereum code. People who lost money lost money, and it is the responsibility of law enforcement to do what they can, although that is very limited. This threatens censorship resistance. The DAO might have led to a fork at a crucial time when Ethereum couldn't take the blow, but Ethereum isn't a baby anymore and it is beginning to walk on its own.
I am completely opposed to this proposal. It would compromise the trustlessness and immutability of the Ethereum blockchain.
We don't need standards for recovery of funds, because "to recover funds" should not be in any case the object of any function of the platform and, thus, of its developers.
The main objective of Ethereum is to be a decentralised platform for the provable and finalised execution of coded smart contracts. In order to create and sustain this platform, it's necessary to build an economic system based on crypto-economics principles for incentives and on a pre-determined crypto-token or currency. The main function of the core developers is to create, maintain and sustain this platform according to that objective, including the well-functioning of this crypto-economic system, but not to guarantee rights of or enforce obligations on the actors within this system and the users of the platform.
Instilling the recovery of funds as a necessary function of the system is IMO misunderstanding the function of the system. Ethereum is not a bank or a private company that has profits/losses and investments. If someone loses money in the economic system created within Ethereum is at its own peril, and it never should be the function and responsibility of the system, and thus its developers, to allow the recovery of these funds and, even less, build the rules/standards for this to happen.
Yet recovery of funds may occur, but just as a consequence of this main function: to create, maintain and sustain this platform according to the objective defined above. This is exactly what happened with the DAO. The hard fork was not done to recover funds, but to protect the system from a serious threat that would have disrupted its functioning in unforeseeable and serious way. The recovery of the DAO funds was a consequence of the actions taken to execute this protection, in order to sustain Ethereum.
Edit: Ethereum Philosophy https://github.com/ethereum/ethereum.org/wiki/Philosophy
Blockchain developer here. Completely against this proposal and what this community stands for.
I hereby declare my opposition to this proposition.
I can still hear you saying
You would never break the chain
Chaaaiiiiinnnn keep us together
This is the worst EIP I have ever seen ... 100% against changing any previous blocks so that users cab get funds back or potentially steal them.
@jamslevy thank you for closing this issue! Thank you for listening to the community feedback.
I am 100% against this EIP.
Immutability isn't just about censorship or money, it's also about security and decentralisation.
Anything that compromises immutability, also compromises security AND decentralisation.
People can talk about frozen funds adding up to millions or even billions of dollars and the emotions involved if it was YOUR money.....but on the other side of the scale is an amount of money and assets that dwarfs any amount of lost or frozen funds.
Sorry you lost your money, but it was through your own actions or inaction that you lost that money and any mechanism to recover such money puts immutability, security and decentralisation at risk......and that's everything that a lot of people (not me) have been working for.
I'm just another guy who's put a lot of my small amount of wealth into this.
I am opposed to this EIP. In no way is excusing irresponsible behavior, in the form of an "undo" button backdoor, an excuse to introduce centralization to a platform that was born to oppose it.
Ethereum as a project will lose face and credibility in the cryptocurrency community if this proposal passes and I, for one, will stop supporting the project and stop investing in it.
I am absolutely opposed to this EIP. Those that lost funds through the Parity muiltsig bug should find alternative ways to cover their losses. Perhaps Parity technologies can donate a chunk of their allocated DOT tokens to cover those whose ETH is locked up forever? That is a far better solution IMHO.
I am strongly opposed.
We cease to exist when we do not rise together for justice. This measure would be the first step towards that abyss.
I oppose this EIP simply because it is not an improvement for the ethereum network.
I completely oppose this EIP, thank you for closing it.
Opposed
Strongly opposite this EIP.
Categorically opposed.
Thank you to all the devs that have put work into this EIP. The approach is thoughtful and the end state is a valid approach to keeping the EVM from becoming an unforgiving 'code is absolute law' wasteland that companies avoid because one minor oversight or bug could wipe them out completely. And as a Dev myself, I know better than anyone that we are not perfect.
The last thing we need is for funds to be easily recovered. That will just ruin Ethereum. Certain cases make sense, but this can not be a standard procedure. Things like the DAO and Parity hack(s) would make more sense for an EIP, but not this.
I oppose.
Does anyone actually support this?
Certain cases make sense
I agree. There are (and will be) cases where it makes sense to at least consider recovery. This EIP attempts to ensure that in those cases there is a clear and transparent process for dealing with them. The alternative is an opaque process that is known only to the people on the inside.
Yes. But like I said, this should not be a standard process. The DAO hack involved the community, not just "the guys inside."
I quote Nick Szabo from twitter today:
"When software engineers are called upon to make legal and accounting decisions, their
fears of legal action are quite well placed.
Community norms should forbid expanding the scope of software upgrades to include making particular legal and accounting decisions to modify balances. It's an abuse of the software upgrade process, an invitation for lawyers to take over, and destructive of social scalability.
This is the kind of thing that happens in the permissioned bureaucracies of 21st century banking, where an influential minority is trying to deny permission, and most bureaucrats just don't care one way or the other)
Political analogies in this field seriously suck, but one comes to mind anyway: the difference between special legislation (fixing a particular case which should properly dealt with by courts) vs. general legislation.
ERP is an amateur court that lacks the most basic procedural protections one learns in the first year of law school: notice to affected parties, criteria for quality of evidence, etc.
ERP has no reliable or secure way to verify the supposedly required "real" names, nor to map them to social media nyms, nor to securely map these to the impacted Ethereum addresses. For this and many other reasons it would be a ripe target for fraudulent claims."
Do you think a company that is just running their business on the blockchain but has no connection to the client teams or other major players could coordinate such a process?
Also, the primary issue that is addressed in this EIP is to say (a) the ERP process only covers cases where there is no contention about ownership (it can't be used to resolve disputes), and (b) there needs to be some way for other people to verify the factual claims that are made. The rest of the standardization was to reduce work required by client teams, but it is not essential to the proposal.
I am opposed to this proposal on multiple levels of my being: morally, philosophically, politically and economically. Please do not let it come to pass.
@phiferd there are cases where a hard-fork (or a soft-fork) is necessary in order to safeguard the security and stability of the system. There might be cases that this action may have as a consequence, among others, the recovery of loss funds. But this recover should never be the end of the intervention. The end of an ad-hoc fork is to "safeguard of the system" not to "recovery of funds".
This proposal puts at the center this recovery and legitimises a systemic action in order to that end. This has a huge potential for censorship, arbitrary decisions and corruption of the system in order to satisfy private interests without defining the actual general principle it pretends to protect.
Shouldn't be a standard. So No.
I think having a way to recover funds is a good thing. It needs to be done in a way so that bribery is impossible.
Categorically opposed. Not that I think your intentions are bad, but because of the repercussions if accepted. Thanks for closing it.
I wish all the people “categorically opposed” to this EIP would remember we already had this debate a year ago. You are free to use ETC because according to your values you should not be using ETH, so what are you doing in here?
Categorically opposed to anything which would enable backdoor and fundamentally damaged the nature of a trustless network protocol like Ethereum
I oppose this EIP and any like it.
I am against this EIP and I am for an open and honest discussion. We are not discussing a "general governance issue" here, we are in this discussion only and exclusively because one corporation created a too large loss of funds because they did not adhere to coding standards, did not audit their code and did not employ any tests. Any discussion that does not acknowledge this as a foundation of the entire discussion is pretentious to me.
I am also against this EIP. As kamranrahman suggested, anything like this should be implemented in siloed DApps/DAOs.
помогите я не шарю вообще
как исправить
я выше почитал ,так понимаю на косячил
выиграть выиграл а не понимаю
всем кто пострадал от моих действий компенсирую с лихвой
Sir I do not agree. This discussion has been evolving since way before Parity. (see EIP-156). The large amount of Ether lost in the Parity issue did create some traction but there are plenty of small groups and individuals (like myself) with Ether stranded in un-spendable accounts such as the 0x000000000000000 address. If you are against this EIP based on technical issues I can respect that and urge your participation to find a solution. Stranded Ethereum not being returned to accounts that can absolutely mathematically prove ownership should be considered. I don't think any reasonable person believes that these issues will not continue to occur as Ethereum grows. There should be a vehicle to bring these cases to the community. I was hoping EIP 867 could provide that vehicle.
In any case if your objections to this EIP are based on a belief that its a rescue for corporations and millionaires I ask you to please reconsider. I am neither a corporation nor a millionaire.
Respectfully
Kevin
от меня сейчас что требуется
вы где все раньше были я весь инет рыскал кто бы помог мне ,а вы тут писюкались
It would take less than 5 years for major wall street companies to capture the positions/loyalty of these ERP reviewers by either bribing them in real life or pushing their own devs into the eth community, so that they would have effective power in reversing/allowing and disallowing ICOs etc.
If this EIP goes through, suddenly an ERP reviewer's job would become the most important job in crypto (because millions of dollars would depend on it). Shell companies and the mafia would start suing/illegally pressurising reviewers to adhere to their wishes, and I can imagine 'insurance' schemes would be offered by the major companies that have ERP reviewers on their payroll. Within 15 years the big banks would have mutated the blockchain back to their personal SQL database.
ой все, достали ребят я исправить хочу сейчас что делать
из всей ситуации я чувствую вину ,лишь перед простыми обывателями за что прошу Принять мой искренние Извенения,
ХОТЯ ВЫ ЗНАЛИ САМИ ЧЕМ ЗАНИМАЕТЕСЬ ,ОСОЗНАВАЯ РИСК
таких как я что не понимают сути уйма ,и будет на вашем пути много ))))
Я и не думал что выиграю ,зашел на сайт от балды ,покрутил рулетку а на другой день бац выиграл
It's hard to overstate how much of a disaster this would be.
i'm surprised so many people didn't see this as inevitable after the DAO situation.
Immutability is binary. Ethereum chose this path already.
I am vehemently opposed to this proposition and call for it's rejection. The ideology underlying this proposal undermines the very foundations of the project, probably even decentralised crypto-economic platforms in general.
I would also further caution the contributors and users of ethereum. This may be just the beginning. The interested parties behind this proposal are applying some pressure but this pales in comparison to the capabilities of the lobbying machine in the United States.
How can the integrity of the project be maintained under such pressures?
It's an interesting idea if there were a safe way to implement it, but all I'm seeing is how the communication would work. What's the proposal for how an erp would be approved? Did I miss that part?
Proof of stake voting doesn't seem sufficient, even with a 30 day window. That would require all users to monitor their addresses for potential reversion attempts at least once per month, and some mechanism to broadly communicate a dispute of an erp.
Obviously leaving approval up to some small set of individuals would be too centralized.
Is there some better idea being proposed, or is this just purely how the communication would work if we ever hypothetically thought up a viable approval process?