NEM Blacklist makes currency censorable

NEM Blacklist makes currency censorable

The CPU is a great metaphor for centralization, as it is a "central processing unit". Decentralized systems reach conclusions based on a consensus, rather than deduction.

As I covered the CoinCheck Hack last week and updated on the story this week, the choices and decisions made by some of the stakeholders have somewhat perplexed me. Particularly NEM and their “Blacklist” implementation to dealing with the stolen funds, ensuring that they are to be frozen as soon as they step onto an exchange.

Does this decision lead down a dark path?

This is not going to be the last hack. Will new hacks enlarge the blacklist? Is there a moment in time that NEM will be able to change the list without anybody noticing?

From my understanding, the NEM team created an API connection that allows exchanges to cross-reference deposits against this list. This is a beautiful way to deal with the hack, or at least it would be if the list was not centralized. There is no evidence to supplement this line of thinking because NEM did not share the tool publicly. They simply said that NEM is safe and sound, no harm has been done by the hack (to the NEM blockchain), and that funds are to be frozen as soon as they are deposited in the exchanges.

Who is in control of the “Blacklist”?

We don’t know how it works yet. NEM is certainly in control since they created it. Does it enable the addition of new addresses or is it a “fixed” list? Can they change it at will?

NEM Foundation never shared exactly how it works, and I am assuming that it’s not being handled in a decentralized way. It is very important that the issue of freezing and banning the hacked funds is done in a decentralized manner. Otherwise, it opens up yet another vulnerability for potential hackers to exploit.

If this tool is centralized, then if the NEM foundation gets hacked that means their tool is overtaken by a malicious actor, which can then easily swap out the addresses that are followed by this tool. The stable API link will communicate the wrong information to exchanges and this will create a loophole where the hackers can successfully exchange the stolen cryptocurrency.

We wouldn’t want that to happen, would we?

Possible Scenarios:

#1 Hacker returns 50% of stolen funds

Literally, an airdrop filled with paper wallets.

Hacker or hacker group steals 526 million XEM tokens, and soon after discovers that a tool has been created to track all movements made from the addresses which they used to steal the currency. They start splitting up the amounts and start to generate paper wallets filled with XEM, and litter the entire Tokyo Shibuya Crossing with these wallets for people to pick up.

They would obviously need a printer and a lot of time to do this, and I’m not even sure if it would work to confuse the exchanges and open the opportunity to escape with the loot. Paper wallets can contain 100, 1000, 10.000 XEM tokens per wallet, but in any case, they should be numerous enough to enable the hackers to get away under the radar.

But in theory, people will want to check their paper wallets, thus triggering a “red alert” from the blacklist. The exchanges will have to identify who the hacker is in a sea of thousands.

#2 Clandestine Government Financial Censorship

While it is difficult to not get into conspiracy theories, all of this talk about business improvement orders and risk management policies has stimulated me to think up these ideas. And if they can pop in my mind, they can certainly pop into the minds of FBI, CIA, NSA, or other non-US based government entities.

Unlike rouge hackers, these agencies and their counterparts around the world hold at least hundredfold of the manpower. Let’s simulate a scenario where a political activist in Japan is gathering a lot of influence that goes against the interests of one of these highly capable agencies.

This political activist is funding his campaign with NEM and is using his good decision to invest in NEM and building a political career on top of the rewards from that decision. If these agencies desire to shut him down, they would need to limit his finances, and one of the best ways to do this is to add his addresses to the Blacklist and have his funds frozen by exchanges.

How will they discover the correct addresses?

Snowden’s revelation to the world in 2014 was so important that even the BBC reported on the topic following the release of his documentary. He revealed a multitude of tools and techniques that the US government, in particular, has been using to monitor the internet. Passive records of every conversation, text message, and maybe even unqueried search results exist in a government database.

Most of that information is directly connected to individuals, so unless they’ve taken immense action to protect their identity against the spying it is likely that they are able to easily connect the political activist to his NEM address, and add him to the Blacklist after hacking NEM foundation.

The Solution

In this brave new world, we depend on each other for support. Consensus-based networks are perfect for storing value and maintaining facts.

NEM developers should distribute this tool to all willing participants and create a “consensus maintained” database that tracks the movement of the funds from address to address with the help of a network, rather than a centralized computer.

Otherwise, it makes NEM more vulnerable to an attack, exchanges vulnerable to fraud in case of the attack, and the potential to fail to accomplish exactly what they set out to prevent from happening, i.e. inadvertently help the hackers exchange the crypto that they stole from CoinCheck.

What do you think?

Is NEM taking the right approach towards dealing with this event? Or do you think they should be finding a way to do this without the use of centralized power?

Ther are many disagreements here, exchanges are centralized by nature, with the exception of EtherDelta, which is a completely decentralized cryptocurrency exchange.

Personally, I am appalled by the lack of foresight on behalf of industry leaders, but since they haven’t publicly shared their work as of yet, I hope that I am wrong in my assumptions and that the addresses are being tracked come from a solution that is decentralized.


Disclaimer: This is an opinion piece from the author, and does not represent the views of the network. This article is written based on the assumptions made by the author and is not affiliated with the views, statements, and assumptions presented in this article.