NNS Proposal: My NNS has been stolen, Please help me
Summary: User xiaobing lost access to the Internet Identity anchor attached to an 8-year neuron containing 32,000 ICP. The situation was investigated by the DFINITY Foundation and the determination was made that the most likely cause was someone had accessed the II anchor, created a new means of access (device/recovery phrase) and removed the original owner’s devices and recovery phrase. The proposal was to return control of the anchor to the original owner’s recovery phrase and remove the thief’s devices and phrases.
Proposal: User xiaobing was thorough in their explanation and self-investigation. The DFINITY investigation was also thorough and documented in detail. An executive summary was also provided. This was clearly written and made the course of events comprehensible.
Returning stolen funds to their rightful owner.
DFINITY Foundation must protect investors
A thief now has a very large amount of voting power which represents a governance threat. Future events like this could be worse.
The spawned neuron rewards are untraceable so the thief will be able to cash out stolen funds easily. Law enforcement will not have an easy time pursuing them.
Tampering with the identity system for any reason harms its strength
Some felt the investigation was insufficient.
There is a possibility that the anchor was sold and the purchaser is unaware of the forum conversation and NNS proposal.
The 3% minimum voting threshold is insufficient to make an NNS determination about tampering with the identity layer. Possibly an absolute majority or ⅔ vote should be required without Foundation participation.
Using the NNS as a court adds a new role that was not its intended use.
“Not your keys, not your crypto”.
Discussion: User xiaobing was sincere and diligent. They appeared to be part of a professional organisation and the Identity anchor was reasonably secured. The conclusion of the investigation was that an insider at the company used physical access to steal the identity anchor. It does not appear that significant negligence was involved in the theft. Rather, the possibility they put forward was a disgruntled ex-employee. The vast majority of hacks are with social engineering so this is a strange and rare event that should not reflect on the security of the II anchor system. However, the addition of two-factor authentication could have prevented this.
This was an NNS policy defining event and an opportunity to create a process for dealing with stolen identities. The DFINITY Foundation applied significant resources to investigating the theft but did not submit the proposal. In this case, the community voted not to recover the identity by a significant margin, but the total votes cast were only just over the 3% minimum. This indicates that there was barely enough voter engagement to achieve adoption even if everyone was in favour of the proposal. cycle_dao cast at least 3.3 million votes, or about 1.4%. Even though this is a very small percentage of the total voter base, with such low engagement it represents a very significant influence over NNS outcomes. cycle_dao will continue to build its voter base, however, this is a concerning state of affairs.
Conclusion: A theft of such magnitude is an awful thing to experience. This was a huge expenditure of valuable DFINITY resources and in the eyes of some cycle_dao members, inappropriate. Most DAO members were happy to see the Foundation refrain from submitting the proposal. Ultimately, cycle_dao viewed the evidence as insufficient for the significance of the action detailed in the proposal. Some in the DAO were also concerned about setting the precedent for Foundation resource expenditure and the additional proposal load this may place on the NNS. It made more sense to the DAO for such an investigation, to take place entirely outside the Foundation. Most importantly, however, identity systems must be robust against interference. Adopting a proposal that interfered with control of an identity anchor felt for some like an unjustified weakening of the Internet Identity system.
These views were not universally held. Some in the DAO believe that the foundation and NNS can, and should play a role in protecting the user and investor base against adverse events such as identity theft. It can be argued that the flexibility of NNS intervention in cases of identity theft increases the strength of IC-based identity systems. While these perspectives didn’t win on the day, the discussion is ongoing. cycle_dao voted No on this proposal.