Due to the surge in interest in consumer apps in crypto, I've been thinking a lot lately about the security aspect of crypto assets.
It's no news that there are a lot of vulnerabilities associated with various DeFi protocols and crypto DApps in general. It's often easy to blame a protocol for hacks that occur, but sometimes the fault lies with the individuals being hacked.
The problem?
While there are ongoing efforts to preach on-chain security and emphasize the need for individuals to take maximum steps to stay secure, there isn't a single solution that balances protocol-side and individual-side security. Soft locking might just do the trick.
First off, it's imperative to note that what I'm about to discuss does not currently exist. I'm just putting it out there, and who knows, someone might stumble on it, find it interesting and build on the concept.
I read a lot of documentation in my time in crypto and I've figured that the majority of the time, great damage occurs on systems functioning outside the control of validators.
Think about it. Validators do not control smart contracts; they only verify the transactions those contracts carry out. The coded rules are executed autonomously and validators are in no position to challenge them. Quite frankly, their only job is to verify that the asset involved at any point actually exists and was “authorized” by the appropriate private key to make a move.
At the fundamental level, this is all there is to being a validator. You rarely hear a story of a loss of funds that was the fault of chain-level security; it's either careless handling of private keys or simply interacting with malicious protocols or services.
So how can both problems be solved?
Introducing Soft Locking - Hard-coded into layer 1
The same way we can change private keys, hard lock up tokens, and change recovery accounts on layer 1, we should be able to place soft locking parameters on accounts on-chain.
Unlike regular processes of locking, what I call “soft locking” isn't exactly locking but more of a set of account limit parameters.
I called it soft locking because it's a form of limiting how the assets contained in an account are used without outright strict rules.
What does any of this mean?
Usually, once an account is hacked, the next line of action is to move the funds away to another account.
If we take Hive accounts for example, a hacker will typically change your keys and start a power down. Rarely are they wise enough to do things like changing your recovery account, and given that it takes 30 days, it takes a really smart hacker to know how to take over an account without that piece of security being an issue.
I will not say how, because some bad personalities may be reading, but when it comes to your Hive account’s security, at least once a month, always check that your recovery account is not undergoing any change that you didn't initiate.
Now back to soft locking with Hive as a focus.
What I call soft locking is to redesign layer 1 to include security features that let account owners set a custom asset limit on their account.
This asset limit determines how much of an asset, maybe based on market value or raw count, can be moved from an account within a specific period.
For example, one could set a limit of 100 Hive per day, and this would tell validators to either accept or reject a transaction coming from said account depending on whether it respects the limit or goes above it.
In addition to this, accounts can set up “safe parties,” which are basically other accounts they control. When funds are moving to these accounts, validators ignore the soft locking rules.
Why would this be valuable?
In the event of a hack, a system like this limits the amount of assets the hacker can get away with, drastically reducing risk to a level that individuals are comfortable with, because if I set 100 Hive as my limit, it means I'm OK with losing that much in such an event.
That said, the idea of having “safe accounts,” which can always be changed over time, is that, sure, I want my main account with the most assets to be secure, but things happen and I could want to move a large amount. Having safe accounts allows people to still remain in control and be able to operate smoothly without worrying about losing a lot to hacks.
It's important to know that safe accounts can also have their own soft locking mechanism. There's a low chance that a hacker will have access to all safe accounts and be able to get the same level of control as the real owner.
Given that this works on layer 1 and is enforced by validators (or, in Hive's case, witnesses), blocks created by witnesses that do not respect the soft locking rules set by accounts will be rejected by the network.
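The rule described above (a per-period limit, safe parties exempt, blocks that break it rejected), sketched as an added example that is not part of the original post and is not Hive code. Class and field names are hypothetical, amounts are raw integer counts, and “per day” is assumed to mean a rolling 24-hour window.

```python
from dataclasses import dataclass

DAY = 24 * 60 * 60  # assumption: "per day" means a rolling 24-hour window

@dataclass(frozen=True)
class SoftLock:
    limit: int                          # max units movable per window (raw count)
    safe_parties: frozenset = frozenset()
    window: int = DAY

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int
    time: int                           # block timestamp in seconds

class SoftLockValidator:
    def __init__(self, locks):
        self.locks = dict(locks)        # account -> SoftLock
        self.spent = {}                 # account -> [(time, amount)] counted so far

    def _counts(self, tx):
        lock = self.locks.get(tx.sender)
        return lock is not None and tx.recipient not in lock.safe_parties

    def validate_block(self, transfers):
        """Return True and record the transfers, or False and change nothing."""
        pending = {}
        for tx in transfers:
            if not self._counts(tx):
                continue                # no lock set, or recipient is a safe party
            lock = self.locks[tx.sender]
            seen = self.spent.get(tx.sender, []) + pending.get(tx.sender, [])
            used = sum(a for t, a in seen if tx.time - t < lock.window)
            if used + tx.amount > lock.limit:
                return False            # one violating transfer rejects the block
            pending.setdefault(tx.sender, []).append((tx.time, tx.amount))
        for account, entries in pending.items():
            self.spent.setdefault(account, []).extend(entries)
        return True

def demo():
    # Constructed accounts and amounts, for illustration only.
    v = SoftLockValidator({"alice": SoftLock(100, frozenset({"alice.safe"}))})
    return [
        v.validate_block([Transfer("alice", "bob", 60, 0)]),              # within limit
        v.validate_block([Transfer("alice", "mallory", 50, 3600)]),       # 60 + 50 > 100
        v.validate_block([Transfer("alice", "alice.safe", 5000, 3600)]),  # safe party
        v.validate_block([Transfer("alice", "bob", 60, DAY)]),            # window rolled
    ]

if __name__ == "__main__":
    print(demo())
```

The sketch does not model changes to the limit or to the safe-party list. Whoever holds the keys could otherwise raise the limit or add a safe party first, so those changes would need their own delay, in the same spirit as the 30-day recovery-account change mentioned earlier.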
Any crypto consumer app can have this feature built into their system and offered to users in a simple way that does not even require them to understand what goes on in the backend.
Is this technically executable, and what are the potential flaws?
Share in the comments if any.