Dom told me that Node Providers won’t engage in misconduct because law enforcement agencies exist.
I think the problem, where the original math fails, is that the diversity of node providers doesn’t increase at the same rate as the number of subnets.
So, a possible way to attack the IC would be to suddenly increase the need for more subnets, and then your nodes would be welcomed with open arms.
This forum thread has turned from shit show into something highly credible and productive. I’m really impressed to see this turn of events. Thank you for starting it @borovan and thank you to all node providers and Dfinity folks who have been contributing to the discussion. I’m learning a lot.
Indeed, and additionally the size of each subnet does not change in terms of nodes. Despite what some have claimed, anyone is allowed to raise a Subnet Membership proposal. Nodes go offline or degraded all the time within subnets and need replacing. A bad actor in the future could respond proactively to these incidents and progressively move more and more of their nodes (belonging to apparently separate NPs) into a specific subnet they’d like to attack.
Yeah, I think the community should try to use the focus that this situation has garnered to come up with a better system (and/or better checks and balances).
The hardest thing to believe is that node ownership behaves like a power law. We are actually using about 50 node providers, so for the cases above to work, we need someone behind 5, 10, or 15 providers. It feels impossible until you actually look at the providers and their websites and take into account that it would be relatively cheap to acquire nodes compared to the size of our competition, which is worth billions of dollars, and the incentives at play.
The CodeGov known neuron voted to Reject proposals 135635 and 135636. The final tally of our Followees was 0 YES, 7 NO.
Below are comments from each of our Followees that led to their decisions about these proposals:
-
This forum thread surfaced a lot of information from people who know the node provider onboarding work process like @GAbassad @Lerak and @snoopy, who took the time to tag the allegedly fake node providers, all of which have posted (@Vladyslav here, @Alex43342 here, @Volodymyr here, @MaksT6 here, and @JunQ here) to identify themselves and their background. George Bassadone posted here and here providing a lot of insight regarding his relationships with many of the people and organizations named in the proposal as well. George even directly responded to Alex’s questions here. All of this information refutes the claims of this proposal and addresses the concerns raised by Adam (who is one of ICP’s biggest whales and submitted this proposal). This is in addition to the very helpful and professional context provided by @katiep and the explanation of the official DFINITY position provided by @bjoernek.
-
I don’t think any concrete evidence has yet been presented about this group of NPs. In any case, I think that rather than throwing out proposals that directly target individuals there should be a more general process put forward to detect and respond to this sort of activity, and that would make for a more appropriate Governance proposal.
-
Rejected based on the fact that some nodes are currently active in subnets, and mostly for the way the proposals have been raised. Feels more like a witch hunt rather than anything.
-
While I would certainly like to see a more thorough investigation on this topic, I feel like there is no clear evidence that all these accounts are linked to the same person/few people at this point in time and with the available information.
-
I would vote to approve the moment there is clear evidence that all these accounts are connected and there is a clear risk of a malicious attack, after a more structured approach. For now, I perceive it more as speculation and impulsive claims.
-
I intend to reject the proposals as they are right now. I do acknowledge that there are some aspects that dearly require clean-up (e.g. GeoNodes LLC being controlled by two people that are also node providers). I would also like more clarity around the connections between the group of 5 Eastern European NPs that all share the same DCs; maybe it will turn out that we should rather regard them as a single node provider.
-
I do not see evidence for collusion between those two groups, and I don’t think I have sufficient information at this point that would justify banning the second group, as per the proposal.
-
I also think we should change the node reward scheme; the function that lowers the rewards for more nodes of the same NP is detrimental to the overall platform, since it invites and encourages sybil attacks.
-
So lots of work to be done, but I do not agree with the proposals as they are.
-
There’s also a risk that some of the accused people might actually be genuine and ended up by some coincidence in the same group. Before banning anyone, I need clear evidence.
-
I want to be very cautious. An impulsive proposal, a couple of spreadsheets with no explanation of what they mean, and plenty of comments muted by the community are not a good enough reason for banning an entire group of people.
-
I voted to reject—not because I doubt the merit of their allegations, but because, if we see ourselves as a court system, then the presumption should be innocence until proven otherwise. We should not be finding anyone guilty before establishing their guilt.
-
The claims of collusion that are less credible and are the dominant theme in the current motion proposal 135636 are based on things like node providers that all have the number 23 in their username on the forum or node providers who used the same onboarding statement or node providers that onboarded in the Aug 2023 to Dec 2023 timeframe. Node providers cannot come and go freely in the ICP network. It has to happen when node slots are open and according to a certain onboarding process. In 2023, new node positions opened up for Gen 2 node providers and the openings were specifically targeted to onboard in less represented regions of the world according to the approved topology targets at the time. This means there was an influx of new node providers over a several month period who were all asked to use a boilerplate onboarding statement and who received advice to copy and paste a successful onboarding forum post and/or proposal. Some of these people were new to ICP, so they had no forum post history and they chose new unique user names that included the calendar year. None of this was against the rules and there were no requirements that these new node providers were avid ICP enthusiasts with a known identity history. Many of them made simple business decisions to get involved in ICP as a node provider because it was a profitable option for them. These are the examples where it makes no sense to cluster. They have no relationship other than they onboarded at the same time and followed the onboarding instructions.
-
I plan to vote no to both proposals 135635 and 135636. I don’t believe credible evidence has been provided to justify removing any node providers or to support the accusations of collusion. I think the valuable action that can be taken from Alex’s post and from these proposals is to improve the node provider onboarding work process, which is something that was already widely recognized as a need before all this mudslinging started. I also think there is value in identifying clusters of node providers based on known and acceptable relationships (e.g. husband and wife, business associates, node providers that have onboarded under different business names in different parts of the world, and/or new node providers that purchased or transferred nodes from existing node providers) and to use that in the decentralization metrics of the DRE tool. These things can and should happen regardless of the outcome of this motion proposal. However, regarding the specific proposals, the concrete action in this proposal is to remove 5 node providers who are alleged to be fake, which they are not. I do not support that action.
The Synapse known neuron voted to Reject proposals 135635 and 135636. The final tally of our Followees was 3 YES, 8 NO, 1 PENDING.
My (@wpb) comments are captured in the post above. I believe that @Lorimer is still planning to create his own summary post, so I won’t include his comments here. Other people provided comments and explanations of their votes as shown below.
-
These allegations are concerning, but I notice they tend to surface whenever the ICP price hovers around $5. While I can’t explain this pattern, these issues deserve serious investigation, whether by DFINITY or an independent third party. I’m beginning to think the Internet Computer might need a staking mechanism. If we can’t verify true independence between node providers within subnets, we need to implement stronger incentives to ensure honest operation.
-
I’m somewhat relieved this discussion is happening now, rather than risking stopping positive momentum at a later time.
Perhaps more people will finally realize deterministic decentralization is not reliable and the only thing that has prevented serious attacks, other than the lack of TVL, is that node onboarding has been gatekept to a minimum. Even then it seems the possibility was still there, but the NPs decided to farm the network remuneration, instead of risking the legal implications of stealing a few millions.
-
Anyone can be nice and “open” on a forum. This whole safety mechanism is based on KYC and the node providers being independent.
-
Blockchain technology does not rely on trust. There is no evidence that the NPs are malicious, but the fact that this one person George is connected to and brought in a bunch of other NPs in the worst case scenario could be extremely dangerous.
-
Someone paranoid about an attack, who has a huge stake in the network (which I’m assuming this borovan guy is) has a complete right to be concerned about an attack that would wipe that net worth out. Whales have much more to lose in that scenario.
-
Lorimer brought the issue up previously in a less combative tone and received far less attention/action, so while I don’t believe the node providers should immediately be removed, this is a governance proposal that does not force the foundation or network to do anything.
-
Therefore, I’m voting “yes” because this is a critical security design flaw that needs to be addressed, and not kicked to the side.
I voted to reject the proposal, as I don’t believe sufficient evidence has been presented to justify removing these providers from the network. However, as a precautionary measure, I recommend these providers relocate to different subnets pending a more thorough investigation. Additionally, we need to address the elephant in the room - our current assumptions about KYC node providers may be incorrect. This issue requires deeper examination and extensive discussion to determine appropriate solutions.
I think there should be an audit for decentralization. Third party that isn’t affiliated with Dfinity.
I think whoever created deterministic decentralization underestimated the capability of certain entities to hoard nodes under different legal names. If my calculations are somewhat correct, it becomes a serious possibility to get compromised subnets once their number approaches a thousand. And this basically means that the IC is not infinitely scalable at all.
The culture of using fronts to conceal ownership for tax evasion is widespread in many nations. It is trivially simple to bypass the ICP KYC process using this route. The people who conceived the ICP system all came from places where such evasions are uncommon and created a naive KYC process.
The biggest weakness of the system is that it imposes no cost on the attackers while they wait for the correct moment to strike. Because node providers are generously compensated, the system allows potential attackers to run a profitable legitimate business even while building a cartel which means they are comfortable consolidating and waiting for a long period of time.
This is not to suggest that Borovan’s suspicions are grounded in reality: some of his assumptions are clearly false, others yet to be proven true. But I am glad he’s brought attention to the issue.
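The kind of calculation discussed in this thread (a hidden cluster of node providers against a growing number of subnets), as an added example that is not part of any post here. The 50 providers, the cluster sizes of 5, 10 and 15, and the figure of a thousand subnets come from the thread; 13-node subnets, one node per provider per subnet, uniform and independent random assignment, and a threshold of more than one third of the seats are assumptions of this model, and the function names are hypothetical.

```python
from math import comb

# Assumptions of this model (not stated on the page): 13-node subnets, at most
# one node per provider per subnet, members drawn uniformly at random.
SUBNET_SIZE = 13
THRESHOLD = SUBNET_SIZE // 3 + 1   # 5 seats: more than one third of 13


def p_cluster_reaches(providers, colluding, subnet_size=SUBNET_SIZE,
                      threshold=THRESHOLD):
    """Hypergeometric tail: probability that a hidden cluster of `colluding`
    providers holds at least `threshold` seats in one randomly drawn subnet."""
    total = comb(providers, subnet_size)
    hits = sum(
        comb(colluding, k) * comb(providers - colluding, subnet_size - k)
        for k in range(threshold, min(colluding, subnet_size) + 1)
    )
    return hits / total


def p_any_subnet(p_one, subnets):
    """Probability that at least one of `subnets` independent draws is hit."""
    return 1.0 - (1.0 - p_one) ** subnets


def exposure_table(providers=50, clusters=(5, 10, 15),
                   subnet_counts=(40, 200, 1000)):
    """One row per (cluster size, subnet count), for review by governance."""
    rows = []
    for c in clusters:
        p_one = p_cluster_reaches(providers, c)
        for s in subnet_counts:
            rows.append((c, s, p_one, p_any_subnet(p_one, s)))
    return rows


if __name__ == "__main__":
    print("cluster subnets  p(one subnet)  p(any subnet)")
    for c, s, p_one, p_any in exposure_table():
        print(f"{c:7d} {s:7d}  {p_one:13.6f}  {p_any:13.4f}")
```

The per-subnet probability is fixed by provider diversity, so the exposure grows only through the subnet count unless the number of independent providers grows with it.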
We now see many people involved in dapps also acting as node providers. This has its advantages, you can protect your dapp and TVL with a small number of nodes (reducing latency) if you deploy to a subnet where you are a provider (under many names). Additionally, it may give you the opportunity to shut down a competing dapp :).
Of course, this isn’t good for users, as you likely control a significant portion of both the DAO and the underlying infrastructure, concentrating power instead of decentralizing it.
So, there are strong incentives to hoard nodes.
Perhaps part of the solution is to allow dapps in a subnet to have more control over their own providers.
I agree. We should have more dapp specific subnets, where the rules for validators are slightly different. I would love a subnet with 50+ machines where you need to stake in order to participate.
Eventually, dapps will simply submit policies, and the (AI-powered) NNS will determine the optimal dynamic node distribution, ensuring decentralization and meeting the specific constraints of each dapp.
I would like to share DFINITY’s perspective on the motion proposal 135636 and explain our reasoning for voting.
As mentioned in this related thread, we acknowledge the value of community scrutiny on this issue. Valid concerns regarding node provider governance and the subnet allocation scheme have been raised. We also appreciate the transparency demonstrated by node providers in their responses during this discussion.
In summary, we find no substantial evidence to justify the offboarding of any node provider. Therefore, we plan to vote against this motion.
However, this discussion has been very valuable, and we believe it has highlighted important lessons which should prompt follow-up actions. In particular, node providers as listed in the registry can be connected—for example, an individual might also be the owner of a company acting as a node provider. There can be legitimate reasons for such arrangements, like certain data centers only accepting companies as clients or specific tax considerations. We started reviewing how to best capture these connections and consider them in subnet allocations, taking into account the constructive feedback received in the current discussion. In collaboration with the community we will review and propose suggested enhancements in due time.
Can you please explain the very early vote of Dfinity on removing nodes from subnets and by this increasing centralization? Thank you.
I think marginally increasing centralisation is a good trade off for not being taken over by a colluding group of sybil attackers.
This was just round one!
The funny thing is that quite a few of the white rows are actually fake accounts, colluding, but in round two.
Please prove me wrong. Get “Scott Hallock” to show us an IKEA receipt for a Galant desk and some Swedish meatballs.
Thank you, we all learned a lot from this.