I joined the Algorand community recently and I came across a disturbing detail on r/AlgorandOfficial (see below or here).
From what i understood, with the possibility to terminate access to the use of the Services of Algorand Wallet, at the sole discretion of the Algorand Foundation, at any time and for any reason, with or without notice to the users, the entire protocol should be compromised!
Is there anyone from Algorand Foundation or the community who can comment on this?
The Terms of Service state specifically:
“Right to Terminate. We may terminate your access to and use of the Services, at our sole discretion, at any time and for any reason, with or without notice to you.”
This centralization of the wallet creates a mechanism where the ENTIRE PROTOCOL is COMPROMISED. Below is the explanation and outline of the attack vector to compromise the entire proof of stake mechanism of Algorand.
Based on the referenced Terms of Service, if the Algorand Foundation or other entity has the ability to revoke access to The Official wallet, they have or will have:
- The ability to affect consensus through revocation of wallets( example: a legitimate high value wallet is revoked in order to increase the value of another high value wallet to be selected as a block proposer);
- The ability to affect the self selection of lottery winners designed to validate the protocol by revoking access of those wallets. If the wallets can have “access to services terminated”, those wallets, no matter how large or small the value of the wallet is, will not be able to be self selected using VRF, between the period of revocation and re-establishing access through alternate means (another wallet) and as such lose the ability to self select as a validator if the block;
- The ability to affect selection of Block Producers by revoking access of large wallets (example: revoke access to wallets larger than mine so that my wallet is the largest and as a result more likely to be selected as a block producer). It has been stated that the greater the value of a wallet, then the greater chances of that wallet being selected to be a block proposer. If all wallets with a value greater than mine were disabled/revoked then my chances of being selected as a block proposer increase and in some instances increase exponentially. This same tactic can be used against validators as the means to revoke an account are completely arbitrary;
- By having the ability to revoke access to any wallet, at any time, without reason, cause, or consequence, the bad actor then has the ability to affect rewards, as any number of wallets can be revoked for any reason thereby increasing the opportunity for bad actor wallets to revive awards. By way of example, all wallets in China could be revoked and because of this the likeliness of rewards per bad actor wallet increase due to the exclusion of wallets that were revoked;
- The ability to affect the entire chain subverting the Algorand algorithm as wallets with amounts greater than bad actor wallets could be revoked. Further, if all wallets except for those wallets that permit bad actors to control the largest wallets to the 30% threshold of wallets, bad actor wallets could be used then to wait until random selection (probability which increases by exclusion of wallets) of bad actor wallets occurred, at which time a “false” block is proposed, which is then validated by the population of bad actor validator who were selected as a result of the revocation of access of legitimate wallets (non-bad actor wallets). As the chances of bad actor selection increase the bad actors not only now have the largest stake(s) and ability to revoke any wallet they see fit without question or consequence. Once the action has been completed, access is restored and no record of the revocation exists and block finality has been achieved.
The argument that members of the Algorand team or foundation would not act like this is a false assumption as it assumes the Algorand team would always act with 100% honesty, 100% of the time. The protocol itself does not make this assumption therefore why should participants using the Algorand protocol?
- There is no means of recourse as transactions are almost immediately final (4 seconds) and your rights to action and suit are literally waived in the other terms in the Terms of Service.
If the Terms of Service are in fact correct and true, and if the Algorand team has the capability to revoke access to a wallet at their discretion, they can effectively “break” the protocol.
The design of the protocol becomes the weapon and the attack vector is the governance chain. X wallets are revoked, bad actor wallets gain more stake, bad actors are more frequently selected as block proposers and validator, bad actor block proposer and bad actor block validators send out false messages, false messages are relayed, finality is established, blockchain is compromised.
There is no publicly available record to audit wallets that have been revoked, the time period of revocation, or the period for which the wallets have been revoked. There is no visibility to determine if the wallets were reinstated or the time period when reinstatement began or ended. This would allow the attack to occur and be corrected without notice to network users.
Centralization is clearly apparent as a central authority can revoke any wallet and manipulate rewards, block proposer and block validator selection thereby corrupting the VRF (selection is not random if you can exclude any number of wallets, at any time, for any reason).
Finality is created by a bad actor block proposer and bad actor block validators through exclusion.
I thought the idea was to have a decentralized blockchain? How about we dump the terms of service and allow any user to use the network. After all, Silvio did state it was unlikely that 30% of the population are bad actors and the protocol is designed to avoid such having this type of control in the wallet allows manipulation of the protocol and warrants change, immediately.