If EOS uses its arbitrators to reverse the hack, the contagion will spread downstream. There will be threats of lawsuits involving the devs and the BPs. Twitter lawyers will point out the absurdity of the EOS constitution, or any document not grounded in actual law.
Exchanges have not yet figured out that EOS's governance model does not mix well with other currencies. EOS folks will blame others, and they won't be entirely wrong.
I base this prediction not on any specific vulnerability I suspect is in EOS code (see here http://hackingdistributed.com/2018/05/30/choose-your-own-security-disclosure-adventure/ ), but on having read the project git and seen how they handle safety critical bugs.
Absent is any discussion of correctness invariants. Instead, we see patches that mutate the code to fix identified problems, one patch at a time. Consensus protocols are too complex to get right this way.
Others have identified the lack of a testnet. Testnets are nice in that they can help identify problems, if you're lucky and they expose themselves in test. But the real subtle vulnerabilities arise only when a hacker prompts them. That won't happen in testnet.
You can't incrementally patch your way to correctness. Testnets help find bugs but lack of bugs in testnet doesn't provide any assurance of correctness.
In the same vein, you can't start out with some bricks, beams and cables over a body of water, patch the holes where cars fall into the ocean, and end up with a load-bearing bridge.
The actual problems I was initially sure we would see in EOS involved liveness. We already had one of those issues within a day, fixed with a patch but without an analysis. We will also see more liveness issues.
Perhaps the safety criteria are sufficiently simple in EOS that my exchange hack prediction will not come to pass. Or maybe it will take the h4x0rs more than a year to master the vulnerabilities. Regardless, code dev culture trumps all else.
What should one do: 1. Don't store coins and money on exchanges long term. 2. Ask that development teams provide careful post mortems after bugs, describing not only the patch to fix them, but the changes made to address whatever gave rise to the bug in the first place.
End of conversation
New conversation
Is it true that EOS, with its gigantic war chest, only offered $10k in bounty rewards to find bugs in its platform? While some ICO offered up to $1 million?
Yes, the bounty was $10k, regardless of severity.
End of conversation
New conversation
Noob q: One coin's vulnerability leaves the whole exchange exposed (if I'm holding Eth and the exchange is hacked using EOS bug, even Eth will be in danger?)
The exchange can lose money due to one vulnerability, and then choose to socialize its losses, as was the case at Bitfinex. Bfx lost BTC, and people holding ETH on bfx ended up taking a haircut.
Thank you for the explanation. Moving offline.
Coins that you don't plan on trading with *should* remain offline.
End of conversation
New conversation
You can't test in quality. Even the mighty Toyota found that one the hard way, and they still haven't figured out how not to...
This is the definition of QA - quality assurance, the final step in any professional development or production process.
Pedant: QA is the first step, QC is the final step. The point is clear enough though.
I'm pretty sure they're not doing much of either QA or QC in #EOS.
End of conversation