HIP-17: Blacklist

We need a team or some Audit DAO that will audit every single project on Harmony.
People should know: not audited by DAO - high risk, you are on your own. Audited - low risk.
Additionally, a fund could be established to cover losses for audited projects in case it happens.
The initiative of @ben2k_Stakeridoo to make this space safe is something that needs to be supported and helped with suggestions that would shape it in the best way possible for the community’s benefit.
Trust we are smart enough to support each other and keep our Harmony.

2 Likes

Yes, you are correct, and just to be clear, Harmony had never actually used that blacklist implementation because of those controversial conversations. I also lean towards not using this feature, and in the end it will be the community's decision.

Also, I agree with @Maffaz it doesn’t help to attack the OP. Let’s have some fruitful discussion and at the end allow the community to vote accordingly.

Harmony has always listened to the community and encouraged healthy discussion.

Thank you very much everyone for staying in Harmony

8 Likes

Today I had 1.6M ONE stolen from my harmony wallet. I was using the official chrome extension and my only activity was to visit staking.harmony every week or two, to claim my rewards and re-delegate the rewards.

While I understand many of the points being discussed here against implementing this, I have not seen any suggestions here for how to address situations like the one I am in, as well as the other wallet from @RoboValidator. "Education" is all I am seeing as a solution, but what does education do for me and that other wallet? Is the education "don't use the official chrome extension, you could get hacked and lose all your coin"? That's not the answer.

This is the transaction of my stolen ONE earlier today: Harmony Blockchain Explorer

Whether or not blacklist is the answer, for crypto and decentralized orgs to succeed, the ability to address situations like I find myself in must be solved.

I really appreciate anyone's input.

5 Likes

3 key characteristics of blockchains are trustlessness, decentralization and immutability. This isn’t a Harmony chain characteristic. This is a blockchain characteristic. Harmony is built with those 3 characteristics in mind.

Separate from the HIP proposal, addressing @cowgp's issue: it is a really terrible thing to see this happen. We'd like to dive deep and investigate this with you. Please reach out to us at security@harmony.com with the details of your browser type, extension version, where your mnemonic may have been stored, and a list of recently visited websites with the browser you have the extension on (all computers and browser profiles), starting from 7 days ago (when the un-delegation started). We need to dive deeper here to see what's going on.

16 Likes

On a level though, enough grilling. It just gets me angry when someone smart does something so stupid.
Hope this helps

2 Likes

🚨 Updated proposal after AMA & discussion 🚨

Summary : This proposal is to remove the blacklist

Background : After opening this proposal we found out that only the leader needs to update the already existing blacklist.

Motivation : Every validator who has set up a node is probably aware of ./hmy/blacklist.txt
By opening our network to 100% external validators and also external leaders, we are facing the extremely high risk of misuse of the blacklist system, and we have no more control over it.

Specification : Blacklist needs to be removed from the protocol

Suggested voting options : Remove the Blacklist?

  • Yes
  • No

0 voters

3 Likes

It’s kinda funny but I thought there were a lot of people attracted by the issue…

No idea where they have gone.

4 Likes

Vote starts in 7 days on Snapshot

2 Likes

Is this vote to completely remove the blacklist function from the blockchain, INCLUDING from the 4 leader nodes, or just from validator nodes, so that the 4 leader nodes alone have that capability?

Sorry, it’s just a little unclear, given the 180 degree change from the original proposal.

1 Like

It will be removed completely. It cannot be removed partially, and also those 4 internal leader nodes will hopefully soon open up.

Because we found no solution for how to handle it, the risk of bad use is too high when opening up. So I prefer to remove it completely, hence the 180 degree change. Also, in the meantime there are solutions for tokens, like Lossless, ongoing.

2 Likes

Issue opened in Harmony Github

2 Likes

haha, this, and then a massive attack happened on the network!

Looks like they decided to ignore this particular HIP: [Feature] limit both from and to account in txpool · Issue #4215 · harmony-one/harmony (github.com)

1 Like

Yes, Harmony has a blacklist and a whitelist now.

So permissionless, unless Harmony decides… 🤔

Wow, how democratic and decentralised. Great, we always had great and strong communication with the Harmony Team to know what the plans for the future are.

2 Likes

Great to see the dev priorities are to further centralise the chain.

Not like there are any other important things to fix…

1 Like

Can we fork and go back to before the hack and call it Harmony Two, made by the Harmony One Community? 😅

1 Like

FWIW I like the idea of this thread a lot. It’s right up my alley, as I founded the wallet blacklist from MtopSwap and never thought about this as an application of that data. But there are many good points regarding how to treat wallets that fall into a grey area in terms of how hard they rugged lol.

For our blacklist, it is usually liquidity pullers and outright scammers like Xenon Fi.

It's not only a thread, it was a discussion and a vote to actively use the blacklist in case of a rug, to keep funds on-chain, block, and discuss. But meanwhile Lossless is also active on Harmony and we saw that it worked well. The vote was to remove the blacklist as the sentiment swapped. But it looks like the vote does not count anymore.

Most protocols have their own blacklist; USDT, for example, is using it. And I know a protocol on Harmony has used it to lock funds that were stolen by a hacker.

1 Like

I don't think decentralized governance implies being ungoverned; it just implies more public participation in decision making. I agree with the precedent that the original HIP-17 had set with your proposal & not by the community vote.

  • The on-chain governance, in this case, should ONLY function as a decentralized decision-making platform to generate "on-chain activity, post-mortem reports", which can be distributed to third-party security partners or vendors Harmony has/will have under its belt (i.e. Lossless Defi, AnChain AI, Mandiant, BugCrowd, Blockchain Intelligence Group & Arkham Intelligence) & the blockchain foundation for comprehensive review of malicious activity.

  • The only advantage I see with this is familiarity with the community, which might provide a better incident response in time sensitive situations.

These reports would simply serve as addendums to the foundation's internal IT audit pipelines, bolster their third-party risk management capabilities (which is subject to, but not limited to, vendors, sub-contractors, partners, captives, or affiliates) & ensure ecosystem safety.

  • However, this must be contingent on the fact that the Harmony foundation conclusively publishes logs of the addresses added, removed or modified in the blacklist & whitelist files, and establishes appropriate access security & change management controls there.

As far as the bridge is concerned, the last Certik security audit report they published on their website was from 2020, which screams a massive compliance violation, even by traditional security standards; therefore, there is no baseline available to opine on what their current internal IT audit controls are.

Solutions:

  • The Harmony foundation would have to create an internal audit department with advanced scope (including, but not limited to IT, cybersecurity & financial risk)
  • Open better lines of communication to fix the governance process.
1 Like
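One concrete form the change-management control suggested above could take: a change record for the node's blacklist file that lists what was added or removed, who made the change, and the hash of the file actually deployed, so a published log can be checked against the file on the node. This is an added example, not Harmony's tooling; it assumes the file holds one address per line (with `#` comments) and that addresses are either bech32 `one1...` or hex `0x...` strings, which are both assumptions, and the sample addresses are constructed.

```python
"""Audit record for changes to a validator's blacklist file (added example)."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Assumed formats: 42-char bech32 'one1...' or 20-byte hex '0x...'.
ADDRESS_RE = re.compile(r"^(one1[02-9ac-hj-np-z]{38}|0x[0-9a-fA-F]{40})$")


def parse_blacklist(text: str) -> set[str]:
    """Return the set of addresses in the file, skipping comments and blanks.

    A malformed entry raises ValueError, so a bad edit is rejected before it
    reaches the node rather than silently ignored or mis-applied.
    """
    entries = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not ADDRESS_RE.match(line):
            raise ValueError(f"line {lineno}: malformed address {line!r}")
        # Normalise hex case so the same account is never counted twice.
        entries.add(line.lower() if line.startswith("0x") else line)
    return entries


def audit_record(old_text: str, new_text: str, operator: str) -> dict:
    """Diff two snapshots and describe the change plus the deployed file hash."""
    old, new = parse_blacklist(old_text), parse_blacklist(new_text)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "new_file_sha256": hashlib.sha256(new_text.encode()).hexdigest(),
    }


# Constructed snapshots; the addresses are made up, not real indicators.
OLD = "# blacklist.txt\n" + "one1" + "a" * 38 + "\n"
NEW = OLD + "0xABCDEF0123456789ABCDEF0123456789ABCDEF01  # reported rug\n"

if __name__ == "__main__":
    print(json.dumps(audit_record(OLD, NEW, "ops@example"), indent=2))
```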