Powered by

EOS startup utilizes backdoor to access user wallets, retrieve airdropped tokens

Every other EOS dApp can do it, too

eos, token, cryptocurrency, blockchain

An EOS-powered decentralized app (dApp) has come under fire, having severely botched an airdrop. After erroneously distributing too many tokens to its users, blockchain-powered content ecosystem Trybe had to access user wallets to reverse transactions.

Trybe developers mistakenly awarded more than 100 EOS EOS accounts with up to four times the amount originally designated. Game developer Russell “castle” Meakim shared his disbelief on social media, after discovering a large amount TRYBE tokens in his EOS account that shouldn’t have been there.

“[…] There was a short while where I was literally looking at 8,740 TRYBE sitting on my account and wondering what the hell happened. I was looking at [the price] and I guess I could have just sold it all. I just assumed that I was supposed to get that many. I guess it’s a good thing I didn’t sell […],” Meakim wrote.

Here’s a screenshot of the transactions in question, in reverse chronological order. Trybe developers made the initial four deposits in error.

Image courtesy of Russell “castle” Meakim

The small piece of smart contract code above shows the intervention of Trybe developers. Note, the devs removed the mistakenly distributed cryptocurrency – 8,740 TRYBE ($60) – without authorization. The user wasn’t even notified.

In fact, this is by design. Developers often market this as a feature of the EOS blockchain to set it apart from direct competitors.

Ethereum, for example, features immutable smart contracts. Ethereum dApp developers must hard fork their cryptocurrencies in order to correct errors in smart contracts.

Hard forking splits a cryptocurrency into two, shedding the buggy version for a patched one. Trybe developers simply fixed problems on the fly.

This is because, unlike Ethereum’s smart contracts, EOS-based ones are mutable.

Let me make this completely clear: all smart contracts deployed on the EOS blockchain can be edited, updated, and changed after they are deployed, at any time, without notice (though it appears that some Ethereum-based startups like Bancor have chosen to build similar backdoors into their own smart contracts.)

It is entirely up to the user to protect themselves against malicious updates to EOS smart contracts by auditing the code themselves.

The Trybe development team confirmed this in a Reddit post, where founder Tom Norwood admitted to freezing all token activity, accessing user wallets, and taking back excess funds.

“Although maybe we were a little bit negligent in relying on the [EOS library] to work as it was supposed to work, the fact that it didn’t is not exactly our fault,” Norwood wrote. “However, this is very new software, as you are probably aware, and the fact that it doesn’t have more bugs is a miracle in itself.”

“If you’d prefer just to attack us, or to attack EOS itself because yes, EOS (unlike most blockchains) does have options available when things don’t go exactly according to plan, then feel free,” Norwood continued. “We are comfortable in our decision to reverse transactions in this instance rather than leaving huge amounts of tokens in a few people’s wallets […]. What we did, by the way, is not just a function of the TRYBE token but of any token built on EOS, and to be honest, I was VERY GLAD that it was […].”

This is a great time to point out that this happens on the EOS blockchain, a lot. Block producers have frozen EOS accounts without approval in the past. Most notably, seven EOS wallets were accessed illegitimately in order to retrieve funds believed to be stolen.

Nathan Rempel, Trybe lead developer, floated the idea of autonomous communities (DAOs) in a blog post titled “Hard day at the office – what happened with the TRYBE airdrop?” DAOs painstakingly delegate decisions to stakeholders. Rempel thinks this would help users to trust EOS dApps, now that we are aware of their absolute power.

“Does this allow for centralized control? Yes. Is centralized control always a bad thing? No. Decentralizing control of mutable things will become the key to trusting mutability,” reads his official statement. “When the entire community can take part in the decision making process to create something wonderful (or fix something that went wrong), they are more likely to trust those decisions.”

All this is certainly well and good, but only if we ignore how terrible DAOs can be.

Inevitably, this leads to discussions of decentralization. Immutability of smart contracts essentially enforces it. Removing the ability to edit smart contract code on the fly admits that no individual should wield the power to make changes to a cryptocurrency directly.

In fact, stubborn immutability is the reason for millions of dollars in Ethereum being stuck in smart-contract powered wallet Parity, almost a year after accounts were frozen.

This means that, at least for Ethereum, the decentralization of decision-making is more valuable than millions of digital dollars stuck in cyberspace. For Trybe, I guess it’s worth around $60.

Published September 12, 2018 — 13:38 UTC