An argument I hear a lot in the context of Hive/DPOS security is that the top 20 witnesses can and have steal money from users on the network. I would just like to begin by saying this argument is patently absurd for multiple reasons, and I'll be doing a deep dive on why this is the case, even though it seems feasible in theory (if that theory ignores key components of how the technology actually works in practice).
Main argument: 20 consensus witnesses control the chain (only 16 required to agree), and thus it would be easy for 16 of them to collude to steal from whoever they wanted.
In theory, this is how Hive works. However, it ignores the fact that witnesses are elected by stakeholders. This false theory ignores that fact, and instead opts to assume that the 16 bad-acting witnesses are acting inside a little theory bubble where they can somehow fork the chain and "steal everyone's money". This false theory assumes that the witnesses don't need permission once they've been elected and they can do whatever they want without any consequences.
First of all, most witnesses are not anonymous. Last time I checked, stealing is a crime. To assume that 16 would blatantly and openly steal even though their identities are known is... a pretty extreme notion. That alone is enough to prevent this entire thing from happening. But there are so so so so many other reasons why it can't happen.
Walk me through it.
People who think that witnesses can steal or modify the chain in any way they see fit do not understand this technology. If you asked them to walk you through the process of how this theft would be accomplished, they'd give you a generic answer and wouldn't be able to say exactly how it was done, because again it is impossible to do.
They'd say something like...
16 witnesses would modify the chain and siphon money into their wallet from other wallets (or print money out of thin air).
Uh, yeah... then what.
UHHHHHH, they'd sent the Hive to an exchange and cash USD out to their bank account.
WRONG AGAIN
That makes ZERO sense. Every exchange (including decentralized exchanges) that wants to move Hive around is running a node. So in this magical scenario the exchange operator has upgraded their node with a malicious hardfork that stole money or printed it out of thin air, just so the witnesses could dump all the Hive onto the exchange and cash out? Yeah, that's sounding pretty dumb already.
You know what's more likely?
The witnesses fork the code and print a bunch of tokens, and nobody follows that fork and all those witnesses get immediately voted out in like a day. No one loses any money, and the hostile hardfork just vanishes because there are no nodes that are even running that code in the first place. That is the most likely scenario, which is why nobody in their right mind would ever ever ever do it. A witness would lose all their reputation forever for zero gain. No, not just one witness, 16 of the top 20 witnesses... all at the same time. That's the toughest of tough sells. Not going to happen.
Justin Sun & the Hostile Takeover.
The super ironic thing is that the Steem >> Hive transition and hostile takeover is these naysayers use it to "prove" their point, when in reality it does the exact opposite.
Well, they stole Steemit Inc's money; so they can steal anyone's.
Again, absurdist nonsense!
Do people not remember the hostile takeover? A vulture capitalist bad actor bought a ninjamine under the table that was promised to be used for development of the platform... then they used that premine to inflict the most damage that can possibly done to a decentralized system: centralize it with 20 sock-puppet witnesses all running on the same box.
And even though Justin Sun was the worst actor of all worst actors, even then it was very very hard to actually get community support to take away his power. Don't you guys remember how pissed everyone was at everyone during that time? It was like herding cats, everyone had their opinion, and many of those opinions were idealist nonsense whose conclusion was, "This shouldn't of happened." Yeah, no shit it shouldn't of happened, but it did happen.
So even in the scenario where you'd actually want the network to take someone's funds away, it was very difficult, and the naysayer pop in to and act like anyone could have their money stolen from them because Steemit-Inc had their premine taken away (that wasn't even acquired fairly to begin with).
If Hive has another hostile takeover like that, it will even be harder to justify moving to another chain, because another hostile takeover means all the coins were bought off the exchanges. There is no more premine to exploit, and that was a big big justification for doing what we did. "That money is for development." So we moved it to the dev fund, which I also didn't agree with but it seems to be working fine so far.
Trying to use the hostile takeover as evidence that witnesses can steal funds is like punching someone holding a gun and then saying you got shot because gun laws aren't strict enough. You just look like a fool. If someone builds a digital nation under the premise of peace and abundance, and then some dick starts a war with them just to prove that they aren't peaceful... that's just not valid logic on any spectrum.
Thanks for the free money, bitch!
What we need to understand is WHO loses money if block-producers pulled off a move like this. In every case, the threat-vectors are the LIQUIDITY POOLS. You don't lose any money unless you traded real coins for fake coins.
So in this magical scenario say that the top 20 witnesses stole all my money, and other prominent members of the community as well. The hardfork that was used to implement this theft is an invalid chain. Nobody in the community is actually going to follow this chain, it's a rug-pull cash out by the top 20 and they plan on being fugitives or whatever, living on the island they bought with the money.
This fake chain is also known as an airdrop.
Everyone that didn't have Hive stolen from them is going to get airdropped with the new fake tokens. Any exchange that upgrades their node to accept the fake tokens as real tokens? Well, we have to assume that everyone would just dump it and that no one is buying it. So it would crash to zero quite quickly. Let's say the pair on the exchange was HIVE/BTC and HIVE/USDT. Anyone that traded BTC or USDT for the fake HIVE is the person that lost money. Even though I had all my coins stolen... I didn't lose any money because the network is going to revert back to the real chain where my coins are safe.
So we can see that this is an obvious liquidity issue. If witnesses create a malicious hardfork and dump the tokens, the question we have to ask is: who's buying those tokens? That's the person that loses money, not the ones that actually had coins taken from their accounts (because that entire hardfork is totally invalid and no one is going to accept it as valid except for the magic exchange that somehow got tricked into updating malicious code despite everyone telling them not to).
Layer 0
It is silly to think that "code is law".
Community is law.
Decentralization can't take place without consensus, and consensus can not take place without a vast network of servers that all agree on the current state of the database they are tracking. Code is only law when a community decides that altering the code is more damaging than not. Community controls everything and makes all the law. That's how law is defined in the first place.
You can make the exact same argument to say that the Bitcoin network will steal all your money.
What's to stop a few gigantic mining pools from 51% attacking the network and double-spending money? If you receive Bitcoin on a double-spent block that gets orphaned your money is gone forever. We can use this exact same logic of 16 witnesses control the entire chain to 7 Bitcoin mining pools control the entire chain. It's the same damn thing.
The big advantage with Bitcoin is that the chance of rolling back even 3 blocks is crazy low; low enough that all exchanges only require a block height of 3 before you're allowed to access and cash out your money. Even a malignant entity with 60% of all Bitcoin hashpower in the world wouldn't be able to roll back even 10 blocks. 10 blocks is only 100 minutes (on average), so if you're Bitcoin has been sitting in your wallet for a day or more it is essentially impossible for your money to be chopped off an orphaned fork. Rolling back 144 blocks is impossible even if someone had 90% of all Bitcoin hashpower, and even if they could do it, it would be more profitable to just play nice and take the block rewards and not try to double-spend in the first place.
In order to double-spend, the receiver of the money has to give you something.
Like if someone gives me 1 BTC to buy my car... they can't just 51% attack the network, orphan the Bitcoin they gave me, and then steal my car. I know who this person is. The car has paperwork and exists in a system where I can sue that person for theft. The only way to actually double spend Bitcoin is to trade the Bitcoin for another crypto that can more easily be shuffled around anonymously. You can't buy a house or a car or anything with your identity attached to it using double spent coins.
Conclusion
Hopefully this post makes sense. The idea that witnesses can just do whatever they want is absurd, and is akin to saying that Bitcoin mining pools can do whatever they want. They can't. Mining pools, just like witnesses, will have all their delegations and support pulled if they try to attack the network. The stake holders of these chains will not allow the operators to just blatantly steal without any consequences. Those who claim theft is technically possible do not understand the technology, communities, or the politics that govern them. Thank you for listening to my TED Talk.
Posted Using LeoFinance Beta
Return from No... Hive Witnesses Can't Steal Your Money. to edicted's Web3 Blog