Decentralization is a lie? How did Sui freeze the $160 million stolen by hackers?

Decentralization is not black and white, but users have the right to know the truth and not be misled by the label of fully decentralized.

Original author: Haotian (X: @tmel0211)

Many people are puzzled. Sui officially said that after @CetusProtocol was hacked, the validator network coordinated to freeze the hacker's address and recovered $160 million. How did they do it? Is decentralization a lie? Below, let's try to analyze it from a technical perspective:

  • Bridged to other chains: After the attack succeeded, some USDC and other assets were immediately transferred to other chains such as Ethereum through cross-chain bridges. These funds can no longer be recovered, because once they leave the Sui ecosystem the validators are powerless.

  • Still on the Sui chain: A considerable amount of the stolen funds is still held in Sui addresses controlled by the hacker. These funds became the target of the freeze.

According to the official announcement, a large number of validators have identified the addresses of stolen funds and are ignoring transactions on these addresses.

——How to achieve it specifically?

1. Transaction filtering at the validator level - in simple terms, the validators collectively turn a blind eye:

- Validators simply ignore transactions from the hacker’s address at the transaction pool (mempool) stage;
- These transactions are technically valid, but validators will not include them on-chain;
- The hacker’s funds are thus “under house arrest” in the address;

2. The key mechanism of the Move object model - the object model of the Move language makes this freezing feasible:

- Transfers must be on-chain: Although the hacker controls a large amount of assets in the Sui address, moving these USDC, SUI and other objects requires initiating a transaction that the validators include and confirm;

- The validators hold the power of life and death: if the validators refuse to include the transaction, the object will never be moved;
- Result: The hacker nominally owns these assets, but in reality has no control over them.

It's like having a bank card that every ATM refuses to serve. The money is on the card, but you can't withdraw it. With Sui's validator nodes (the ATMs) continuously monitoring and blocking it, the SUI and other tokens in the hacker's address cannot circulate. These stolen funds are now as good as destroyed, which objectively plays a deflationary role?

Of course, in addition to ad hoc coordination by validators, Sui may have a preset deny list function at the system level. If so, the process may be: the relevant authority (such as the Sui Foundation, or a governance process) adds the hacker's address to the system deny_list, and validators follow this system rule and refuse to process transactions from the blacklisted address.

Whether it is ad hoc coordination or execution according to system rules, most validators need to act in unison. Obviously, the power distribution of Sui's validator network is still too concentrated, and a few nodes can control the key decisions of the entire network. Sui's problem of excessive validator concentration is not an isolated case among PoS chains - from Ethereum to BSC, most PoS networks face similar validator concentration risks, but Sui exposed the problem more obviously this time.
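A minimal model of the validator-level filtering described above, added here as an illustration (it is not code from Sui or from the original article). It assumes a stake-weighted committee in which a transaction only takes effect once validators holding at least 6,667 of 10,000 voting power sign it; the committee, validator names, addresses and the per-validator `deny_list` field are constructed for the example.

```python
from dataclasses import dataclass, field

TOTAL_POWER = 10_000  # assumed: committee voting power normalised to 10,000
QUORUM = 6_667        # assumed: signed power needed before a transaction takes effect

HACKER = "0xHACKER_PLACEHOLDER"  # constructed addresses, not real ones
USER = "0xUSER_PLACEHOLDER"

@dataclass
class Validator:
    name: str
    power: int
    deny_list: set = field(default_factory=set)  # hypothetical local filter

    def will_sign(self, sender: str) -> bool:
        # The transaction itself is valid; a filtering validator just ignores it.
        return sender not in self.deny_list

def build_committee(filtering=()):
    """Constructed six-validator committee; `filtering` names those that ignore HACKER."""
    powers = {"v1": 2500, "v2": 2000, "v3": 1500, "v4": 1500, "v5": 1500, "v6": 1000}
    assert sum(powers.values()) == TOTAL_POWER
    return [Validator(n, p, {HACKER} if n in filtering else set())
            for n, p in powers.items()]

def signed_power(committee, sender):
    """Voting power of the validators still willing to sign for this sender."""
    return sum(v.power for v in committee if v.will_sign(sender))

def can_execute(committee, sender):
    return signed_power(committee, sender) >= QUORUM

def min_filtering_power():
    """Smallest filtering power that leaves the remaining validators short of quorum."""
    return TOTAL_POWER - QUORUM + 1

if __name__ == "__main__":
    for filtering in [(), ("v1",), ("v1", "v6")]:
        committee = build_committee(filtering)
        print(f"filtering={filtering or 'none'}: "
              f"hacker signed power={signed_power(committee, HACKER)}, "
              f"hacker can move funds={can_execute(committee, HACKER)}, "
              f"user can transact={can_execute(committee, USER)}")
    print("minimum filtering power to freeze:", min_filtering_power())
```

Under the assumed quorum, a single large validator filtering the address is not enough, while the freeze holds once the filtering validators together reach 3,334 voting power; other senders are unaffected throughout.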

——How can a network that claims to be decentralized have such a strong centralized freezing ability?

What’s worse is that Sui officials said they would return the frozen funds to the pool, but if the validators really “refused to package the transaction”, these funds should theoretically never be able to move. How did Sui return the funds? This further challenges the decentralized nature of the Sui chain!

Could it be that, in addition to a few centralized validators rejecting transactions, the authorities even have system-level super powers to directly modify asset ownership? (Sui needs to provide further details on the freeze) Before the specific details are disclosed, it is necessary to discuss the trade-offs around decentralization:

Is it necessarily a bad thing to sacrifice a little decentralization when emergency response intervenes? Is it necessarily what users want if the entire chain does nothing in the event of a hacker attack?

What I want to say is that naturally nobody wants their money to fall into the hands of hackers, but what worries the market more is that the freezing standard is completely subjective: what counts as stolen funds? Who defines it? Where is the boundary? Freeze hackers today, and freeze who tomorrow? Once this precedent is set, the core anti-censorship value of the public chain will be completely bankrupt, and it will inevitably damage user trust.

Decentralization is not black and white. Sui chose a specific balance between user protection and decentralization. The key problem lies in the lack of a transparent governance mechanism and clear boundary standards. At this stage, most blockchain projects are making this trade-off, but users have the right to know the truth, rather than being misled by the label of "completely decentralized".


This article references multiple sources of information: https://x.com/tmel0211/status/1925736378131751224. If reprinted, please indicate the source.
