5 people can affect more than 2 billion US dollars of funds? Talking about the centralization hidden danger of Polygon
Compilation of the original text: Deep Tide TechFlow
Compilation of the original text: Deep Tide TechFlow
Polygon is still highly insecure and centralized. It only takes 5 people to influence over $2 billion in funding, and to make matters worse, 4 of those 5 people are the founders of Polygon. This could be one of the biggest hacks waiting to happen.
Polygon's admin keys are controlled by 5 of 8 multi-signature contracts.The founders control the first 4 and the latter 4 are held by various groups in Polygon, which means they lack fairness. As long as one group conspires with the founder, it can gain control.
Controlling the administrative key of the contract is equivalent to having the power to change the rules, and then anything is possible. Including clearing out the entire Polygon, currently valued at over $2 billion.
To make matters worse, Polygon has become completely opaque in terms of their operational security and the cryptographic rituals used to create multi-signature contracts. Since transparency is critical to at least building trust in multisig, this is a bad thing.
In the absence of transparency, we have no way of knowing whether someone has taken control of the private key.
What's even more incredible is that Chris Blec from DeFiWatch officially asked them to disclose information on May 20, 2020, and the Polygon team refused to respond. This lack of response should itself be regarded as a huge red flag.
Chris Blec continues to speak out against this lack of transparency to this day.On May 15, 2021, Polygon did publish a Transparency Report. However, this report is really just a defense of the status quo, the report does not cover any aspect of operational security, or the cryptographic behavior when creating the administrator key, it just further justifies the use of this kind of multi-signature.
In other words, this is a completely inadequate response to my and ChrisBlec's criticisms. On January 19, 2022, Polygon published their"Governance Status: Decentralized"。
I know this practice has become very common throughout the cryptocurrency ecosystem. But I'll just say Polygon because they're one of the biggest cryptocurrencies with this problem.
Polygon has an opportunity to be a leader in this field as industry norms must change.Polygon can and should lead the way in that direction. I know that in the early stages, multisig is the way to go, but $2 billion TVL means Polygon is past the early stages.
With so much money in the absence of security, a smart person could tell it was a disaster waiting to happen.
This has nothing to do with the quality of the founders, unlike some of my other criticisms, I do respect the founders of Polygon and I do believe they are good people, but it makes this much more difficult.
Founders have faith in themselves.To quote MihailoBjelic:"Getting rid of the scam is no problem for Polygon. "I know it's from his heart because he can trust himself, but it's impossible for other people to know what's on his mind.Let's not simply believe, people need to verify.
first,
first,Polygon must decentralize its own governance based on Matic token holders.Currently, Polygon's governance is still too centralized, following a DPoS model with a small number of validators. Fortunately, Polygon's "governance state" has laid the groundwork for solving this problem. Once Polygon implements its decentralized governance model:
The founders will have to hand over the power of the smart contract to manage the keys to the Matic token holders, effectively handing over control to the "Polygon DAO."However, this requires migrating to the new Polygon smart contract, which is very difficult and costly.
But that's the price we pay for not doing things right in the first place, that's the price we pay for decentralization and the security that comes with it, that's what cryptocurrencies are all about, pretending to be secure and decentralized Not enough for this field.
To make this criticism more constructive, I think ZEC can be used as a broad example, or burning admin keys like REP, UNI, and AAVE. The DAO should control the admin key so multi-signature operations can be done more securely.
Original link
