Buidler DAO: Must-Read Articles on Regulation and Security Track

Buidler DAO
2022-10-11 23:45:05
This issue examines the game between projects and regulators and tries to delineate the gray areas; security remains a constant focus, with attention to the technical implementation path, to help build a foundational understanding of on-chain operations.

Author: Buidler DAO


Deep Selection is our pick of must-read articles on this week's hot topics in the market, sourced from the daily pushes of the Buidler DAO Cognition Locust Program; here, senior Web3 Native readers distill the core content of quality articles, plus their own in-depth thinking, from the clutter of information sources.

In this issue we look at the game between projects and regulators and search for where the gray areas lie; security remains the constant focus, with attention to the technical implementation path, to help readers establish a foundational understanding of on-chain operations.

Article Overview:

01/ Detailed explanation of the first DAO sanctions by the regulatory authorities: Defending Token holders @菠菜菠菜!

02/ LayerZero's multi-chain ambition: Technical analysis and overview of ecological projects @Yue Han

03/ In-depth analysis of Unicode visual deception attacks @Chasey

04/ Forbes exposes the inside story of Helium: False advertising, difficulty in self-sustaining, executives profiting @菠菜菠菜!

05/ Comprehensive interpretation of Cosmos 2.0: Capturing ATOM value from inter-chain security @Yue Han

06/ Web3 Dark Forest Self-Rescue Guide, 5000 words explaining wallets and security @Aviv

07/ zkpass: Decentralized KYC, a potential disruptor in the industry @memeswap

08/ How to ensure privacy in blockchain transactions? Practical analysis of zero-knowledge proof (zk-proof) technology @Tommy

Detailed explanation of the first DAO sanctions by the regulatory authorities:

Defending Token holders @菠菜菠菜!

On September 22, 2022 (a Thursday), the U.S. Commodity Futures Trading Commission (CFTC) announced in a press release that it had issued an order against bZeroX, LLC (which later transferred control of the bZx protocol, now the Ooki protocol, to bZx DAO, now Ooki DAO) and its founders Tom Bean and Kyle Kistner, and had filed a federal civil enforcement action in the Northern District of California, charging them with illegally offering leveraged and margined retail commodity transactions in digital assets; engaging in activities that only registered futures commission merchants (FCMs) may conduct; and failing to adopt a customer identification program, as the Bank Secrecy Act requires of FCMs.

The CFTC stated that the activities Ooki DAO took part in relate to a blockchain-based decentralized software protocol that functions much like a trading platform. The CFTC also holds that Ooki DAO used its structure to evade regulation and never registered with the Commission in any capacity, and it characterizes Ooki DAO as "an unincorporated association composed of Ooki Token holders." The action carries a $250,000 civil monetary penalty and requires the respondents to cease further violations of the Commodity Exchange Act (CEA) and CFTC regulations as charged.

Thoughts This is the first time a regulator has charged and sanctioned a DAO, a new type of organization. The Commission defines Ooki DAO as an unincorporated association of Ooki Token holders who voted on governance proposals related to the operating business, and this definition stems from Bean and Kistner themselves being among the Ooki Token holders. This practice is clearly unfair, and the Commission's action will have a chilling effect on voting, hindering good governance and making it hard to form a culture of compliance in this context. The Commission's definitional approach in this enforcement action implies that members of a DAO community should not vote, even when a governance vote encourages legal compliance. I believe this case will have a significant impact on the legal definition of DAOs in the future.

Original link

LayerZero's multi-chain ambition:

Technical analysis and overview of ecological projects @Yue Han

The article first discusses how LayerZero works: LayerZero provides decentralized cross-chain messaging by deploying a series of smart contracts (Endpoints) on each chain. An Endpoint runs an "ultra-light node"; "ultra-light" means that, instead of keeping every block header the way a light client does, it only obtains the block header of the specific block it needs, on demand. During transmission, the validity and security of the message are ensured through Oracles and Relayers. The Endpoint is the on-chain contract responsible for sending and receiving messages.

Relayers and Oracles play structurally similar roles (both carry data from the source chain to the destination chain), but they transmit different content and operate independently: the Oracle delivers the source block header, and the Relayer delivers the message together with its inclusion proof. The Endpoint on the receiving chain verifies that the Relayer's proof matches the header delivered by the Oracle, so a message can only be forged if both parties collude; this independence is what gives LayerZero its security redundancy. For specific details, refer to the article "In-Depth: How to Understand Layer Zero Technical Principles."
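The two-path check described above, as an added example that is not LayerZero's own code: a toy destination Endpoint stores the header root reported by the Oracle and delivers a Relayer packet only when the packet's Merkle proof verifies against that root. The hash function, tree layout, chain names and message bytes are all assumptions chosen for the illustration; a real Endpoint verifies a receipt proof against a real block header.

```python
"""Toy model of LayerZero-style two-path delivery (added example, not
LayerZero code): Oracle brings the header root, Relayer brings the message
and its Merkle proof, Endpoint delivers only when both agree."""
import hashlib
from dataclasses import dataclass, field


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # assumed hash; real chains differ


def _leaf(tx: bytes) -> bytes:
    return h(b"\x00" + tx)                 # domain-separated leaf hash


def _pair_up(level: list) -> list:
    if len(level) % 2:                     # duplicate the last node on odd levels
        level = level + [level[-1]]
    return [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txs: list) -> bytes:
    level = [_leaf(tx) for tx in txs]
    while len(level) > 1:
        level = _pair_up(level)
    return level[0]


def merkle_proof(txs: list, index: int) -> list:
    """Sibling hashes from leaf to root, each tagged with 'sibling is on the left'."""
    level = [_leaf(tx) for tx in txs]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = _pair_up(level)
        index //= 2
    return proof


def verify_proof(tx: bytes, proof: list, root: bytes) -> bool:
    node = _leaf(tx)
    for sibling, sibling_is_left in proof:
        node = h(b"\x01" + sibling + node) if sibling_is_left else h(b"\x01" + node + sibling)
    return node == root


@dataclass
class OracleReport:          # what the Oracle delivers: the header (here only its tx root)
    src_chain: str
    block_number: int
    tx_root: bytes


@dataclass
class RelayerPacket:         # what the Relayer delivers: the message and its proof
    src_chain: str
    block_number: int
    payload: bytes
    proof: list


@dataclass
class Endpoint:
    headers: dict = field(default_factory=dict)
    delivered: list = field(default_factory=list)

    def on_oracle(self, report: OracleReport) -> None:
        self.headers[(report.src_chain, report.block_number)] = report.tx_root

    def on_relayer(self, packet: RelayerPacket) -> str:
        root = self.headers.get((packet.src_chain, packet.block_number))
        if root is None:
            return "WAIT_FOR_ORACLE"       # the Relayer alone cannot force delivery
        if not verify_proof(packet.payload, packet.proof, root):
            return "REJECTED"              # proof does not match the Oracle's header
        self.delivered.append(packet.payload)
        return "DELIVERED"


def run_scenarios() -> dict:
    # Constructed source-chain block with three "transactions"; index 2 is our message.
    txs = [b"tx:A", b"tx:B", b"msg:transfer 10 to 0xabc"]
    endpoint = Endpoint()
    honest = RelayerPacket("chainA", 100, txs[2], merkle_proof(txs, 2))
    early = endpoint.on_relayer(honest)                       # Relayer before Oracle
    endpoint.on_oracle(OracleReport("chainA", 100, merkle_root(txs)))
    ok = endpoint.on_relayer(honest)                          # both paths agree
    forged = RelayerPacket("chainA", 100, b"msg:transfer 10000 to 0xbad", merkle_proof(txs, 2))
    bad = endpoint.on_relayer(forged)                         # valid proof, forged payload
    fake_txs = [b"msg:transfer 10000 to 0xbad"]
    fake = RelayerPacket("chainA", 101, fake_txs[0], merkle_proof(fake_txs, 0))
    unreported = endpoint.on_relayer(fake)                    # block the Oracle never saw
    return {"early": early, "honest": ok, "forged": bad, "unreported": unreported,
            "delivered": list(endpoint.delivered)}
```

The last two scenarios are the point: a dishonest Relayer can neither alter a payload under a genuine header nor invent a block, because the header it would need comes from the independent Oracle. Corrupting delivery requires both parties, which is the collusion assumption the article's "security redundancy" refers to.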

The second part of the article describes LayerZero's representative ecosystem projects, including Stargate, a fully composable native-asset cross-chain bridge built on LayerZero; cross-chain DEXs that use LayerZero for cross-chain message passing and feature zero slippage and MEV protection, such as Hashflow; and the multi-chain lending project Radiant, deployed on Arbitrum on top of LayerZero/Stargate.

Regarding future prospects, the author writes: What will the future blockchain world look like? What changes will LayerZero bring to blockchain, and what impact will it have? I don't know, but one thing is certain: blockchain will develop toward interconnectivity, benefiting both users and developers.

Thoughts With the development of multi-chain ecosystems, cross-chain asset transfer has become a necessity, but there is currently no perfect solution. To some extent CEXs remain the best choice for moving assets across chains, while cross-chain bridges suffer from non-native wrapped assets and security flaws. With the help of oracles, LayerZero shifts deployment cost to a pay-per-use variable-cost model, which promises new breakthroughs.

Original link

In-depth analysis of Unicode visual deception attacks

@Chasey

The Unicode 15.0 release comes with an updated revision of Unicode Technical Standard #39, Unicode Security Mechanisms (UTS #39), aimed at reducing homograph attacks caused by visually confusable characters. What is a homograph attack? Just as the digit "1" and the letters "I" and "l", or "rn" and "m", become hard to tell apart when rendered small enough, a homograph attack injects indistinguishable, invisible, reordered or deleted characters into a string to mislead a user's perception or degrade a model's behaviour. In this article, the author primarily studies visual deception caused by glyph rendering, mixed scripts, Punycode, bidirectional text, and combining characters.

  1. Glyph Rendering: A glyph is the rendered shape of a character, and the same character can be drawn differently ("a / ɑ", "強/强", "戶/户/戸"), so appearance is not fixed. In scripts like Arabic the glyph changes depending on the surrounding text; in addition, there are code points such as U+1F512 (LOCK), which resembles the padlock icon in the Chrome/Firefox address bar and can easily mislead. Improper rendering can therefore become a security issue.

  2. Mixed Scripts: For example, the Greek lowercase letter omicron (U+03BF) and the Latin letter o are hard to distinguish, and on Apple products the glyph for LATIN SMALL LETTER DUM (U+A771) is hard to tell from LATIN SMALL LETTER D (U+0064). Mixing characters from different scripts in one label can be exploited to forge domain names.

  3. Bidirectional Text: When a right-to-left script such as Arabic or Hebrew is mixed with a left-to-right script, the displayed order of the text no longer matches its logical (stored) order. Combining right-to-left display with whitespace can be exploited to forge domain names and file names, since what the user sees is not what is actually stored.

  4. Combining Characters: For example, googlè.com versus google.com, or io.com versus סוֹ.com (Hebrew letters plus a combining vowel point). If a browser displays the Unicode form instead of the Punycode (xn--) form of such a name, users are easily misled.
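The checks the four cases above call for, as an added example that is not part of the article: a small hostname analyzer using only the Python standard library (unicodedata and the "idna" codec, which implements IDNA 2003 and rejects some malformed labels) that flags mixed scripts, right-to-left characters, combining marks, look-alike symbols and format characters, and reports the Punycode form a browser should display. The script-word list and the finding names are assumptions for the example.

```python
"""Homograph checks for hostname labels (added example, not from the article)."""
import unicodedata

# First word of a character's Unicode name, when that word names a script.
SCRIPT_WORDS = {"LATIN", "GREEK", "CYRILLIC", "ARABIC", "HEBREW", "ARMENIAN",
                "HANGUL", "HIRAGANA", "KATAKANA", "CJK", "THAI", "DEVANAGARI"}

RTL_CLASSES = {"R", "AL", "RLO", "RLE", "RLI"}   # bidi classes that flip display order


def script_of(ch: str) -> str:
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in SCRIPT_WORDS else "COMMON"   # digits, '-', unnamed chars


def to_ascii(hostname: str):
    """IDNA ToASCII form (xn-- labels); None when the codec rejects the name."""
    try:
        return hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def analyze_label(label: str) -> list:
    findings = []
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        findings.append("mixed-script:" + "+".join(sorted(scripts)))
    if any(ord(c) > 0x7F for c in label):
        findings.append("non-ascii")
    if any(unicodedata.bidirectional(c) in RTL_CLASSES for c in label):
        findings.append("right-to-left")
    # NFD exposes diacritics hidden inside precomposed letters such as U+00E8.
    if any(unicodedata.combining(c) for c in unicodedata.normalize("NFD", label)):
        findings.append("combining-mark")
    if any(unicodedata.category(c) in ("So", "Cf") for c in label):
        findings.append("symbol-or-format-char")   # e.g. U+1F512 LOCK, U+202E RLO
    return findings


def analyze_hostname(hostname: str) -> dict:
    labels = {label: analyze_label(label) for label in hostname.split(".")}
    ascii_form = to_ascii(hostname)
    # Anything that changes under ToASCII, or fails it, deserves a second look.
    suspicious = ascii_form != hostname or any(labels.values())
    return {"ascii": ascii_form, "labels": labels, "suspicious": suspicious}


# Constructed samples: the article's googlè.com and סוֹ.com, a Greek-omicron
# look-alike of google.com, and a label carrying a RIGHT-TO-LEFT OVERRIDE.
SAMPLES = ["google.com", "googlè.com", "g\u03bfogle.com",
           "\u05e1\u05d5\u05b9.com", "paypal\u202e.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, analyze_hostname(name))
```

The "ascii" field is what a browser shows when it refuses to render a label in Unicode; comparing it with the original is the quickest single test, and the per-label findings explain why a name tripped it.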

Thoughts The role of Unicode is to map computer encodings to human-readable characters, and visual deception, as well as garbled text or special characters that crash systems, has always existed. Attacks on systems are often pranks, and simply deleting the unrecognizable content can suffice; targeting users' domain-name security, however, is malicious phishing and hard to guard against.

Original link

Forbes exposes the inside story of Helium:

False advertising, difficulty in self-sustaining, executives profiting @菠菜菠菜!

Helium has been touted as the best real-world use case for Web3 technology. However, as the project struggles to generate revenue, an investigation by Forbes found that Helium executives and their friends quietly hoarded most of the wealth at the project's inception.

The $1.2 billion Web3 company Helium, funded by a16z and Tiger Global, claims to be building a "People's Network," a global wireless network connecting things like parking meters and dog collars. Users need only spend $500 on a device that looks like a Wi-Fi router, plug it into the wall, and collect Helium's cryptocurrency as a reward (passive income). One Helium investor claimed owners could recoup the purchase price within weeks.

If demand for the Helium network rose and lifted the value of its Helium Network Token (HNT), the company implied, the network's profits would be shared by everyone. Forbes' exposé, however, delivered a harsh reality check.

Thoughts Personally, I am quite optimistic about Helium. As the largest IoT network in the world, adding tens of thousands of new nodes each month continuously expands its scale, showing the disruptive nature of its IoT + blockchain model for the industry. As for Forbes' exposé, there are countless cases in Web3 of project teams keeping early project dividends for themselves; this is nothing new. The issue of device fraud was also mentioned in the latest proposal to migrate to Solana, which will introduce location oracles. Helium is currently pushing hard on new 5G services, and in the future it will add more networks such as Wi-Fi and VPN. Personally, I do not think it is a big deal for project teams to paint a grand vision and profit from it; what is truly commendable is that "the project team is doing something." And what if the vision becomes reality?

Original link

Comprehensive interpretation of Cosmos 2.0:

Capturing ATOM value from inter-chain security @Yue Han

Cosmos has released the white paper for version 2.0, with some core points excerpted as follows:

  1. The white paper for Cosmos V1 focused on building the Cosmos Hub and communication model through IBC, which has now been realized.

  2. Today's ATOM is a meme within the Cosmos ecosystem, but it is capable of more. The Cosmos Hub has become a victim of the Cosmos ecosystem's success. The Interchain Scheduler and Interchain Allocator will become important components of the Cosmos ecosystem.

  3. The Interchain Scheduler is a cross-chain block space market in Cosmos that generates revenue from cross-chain MEV. The Interchain Allocator aims to simplify economic coordination across the Cosmos network, accelerate user and liquidity acquisition for Cosmos projects, while ensuring ATOM's status as the network's reserve currency. In summary: the Scheduler will monetize the economic activities of IBC, with revenue ultimately flowing to the Allocator, which supports new projects in the Cosmos ecosystem, expanding the potential market capacity of the Scheduler.

  4. Interchain Security is one of the most anticipated upgrades. If a newly launched application chain is secured by stakers of its own token, and that token's market value is lower than the TVL on the chain, the cost of corrupting its validator set is lower than the value it protects, and the chain is at risk of attack. Interchain Security lets such application chains rent security from the Cosmos Hub: in exchange for a share of their transaction fees, they are secured by the Cosmos Hub's validator set.

  5. Currently, ATOM's token economics are criticized for a high and unstable inflation rate and a lack of value capture. The 2.0 white paper replaces the token inflation used to incentivize validators and stakers with the security fees generated by this process. Users can obtain liquidity through liquid staking tokens, which let them use staked ATOM in more on-chain activities, such as DeFi.

  6. The Cosmos ecosystem may no longer be in a "loose alliance" state but is moving towards an economic community.

Thoughts As a cross-chain ecosystem connecting everything, of the two giants ATOM and DOT, I believe ATOM is currently ahead of DOT in both technology and ecosystem. The new white paper introduces new expansion and functional layers: the Allocator capitalizes new Cosmos chains and incentivizes them to trade, while the Scheduler creates markets for high-value IBC transactions and uses the revenue to support network growth. The 2.0 white paper also mentions a new token model, and there may be new airdrop opportunities in the ecosystem, which is worth paying attention to.

Original link

Web3 Dark Forest Self-Rescue Guide

5000 words explaining wallets and security @Aviv

  1. We must grasp one principle: in the computer world there is almost no safe place, and every action you take carries some risk of privacy leakage.

  2. Anxiety and arrogance are the two greatest enemies we face in the blockchain world.

  3. Safe use of web3 wallets

  4. Cold wallets, hot wallets and exchanges: cold wallets are the safest.

    For most people, as long as password protection and two-factor authentication are done well, exchanges are actually safer than hot wallets.

  5. Potential risks of USDT

  6. Various interactive operations of wallets

    Signing is generally believed not to involve authorization and therefore to carry no operational risk, but a signature over a non-plain-text (opaque) payload still carries risk: the wallet cannot show what is being signed, and the signed data may itself represent an order or an approval. Besides signing, one of the most commonly used functions is authorization (token approval). One of the hackers' favorite tricks is to lure you to a fake website when you are anxious, excited or frustrated, so that you inadvertently grant them an approval over your tokens.

  7. NFT

  8. Front-end website security

  9. Clipboard security

  10. Some security suggestions for using wallets

    a) Do not copy private keys or mnemonic phrases, and do not send them over the network. If absolutely necessary, Apple users can use AirDrop, and other users can use Telegram (relatively safe).

    b) Use a separate wallet for large assets.

    c) Before starting new projects, if you feel danger, you can create a new wallet to participate.

    d) Be cautious of airdrops from unknown sources; scammers often embed phishing website URLs in NFTs, luring you to dangerous places.

    e) Remain vigilant with every wallet operation.

  11. Device security
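The authorization risk described in point 6, as an added example that is not part of the guide: before confirming a transaction a phishing site asks for, decode its calldata and flag an unlimited ERC-20 allowance, an operator approval over every NFT in a collection, or a spender not on your own allowlist. The function selectors are the standard ERC-20/ERC-721 ones; the addresses are constructed placeholders, and the trusted-spender allowlist is a hypothetical local policy.

```python
"""Decode wallet calldata and flag risky token approvals (added example)."""

# First 4 bytes of keccak256 of the function signature.
APPROVE = "095ea7b3"               # approve(address,uint256)       ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool) ERC-721/1155
MAX_UINT256 = 2**256 - 1


def encode_call(selector: str, *args: int) -> str:
    """Constructed helper: ABI-encode integer/address arguments as 32-byte words."""
    return "0x" + selector + "".join(format(a, "064x") for a in args)


def decode_calldata(calldata: str) -> dict:
    data = calldata[2:] if calldata.startswith("0x") else calldata
    selector, body = data[:8].lower(), data[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if selector == APPROVE and len(words) >= 2:
        return {"function": "approve",
                "spender": "0x" + words[0][-40:],      # address = low 20 bytes of word 0
                "amount": int(words[1], 16)}
    if selector == SET_APPROVAL_FOR_ALL and len(words) >= 2:
        return {"function": "setApprovalForAll",
                "operator": "0x" + words[0][-40:],
                "approved": int(words[1], 16) != 0}
    return {"function": "unknown", "selector": "0x" + selector}


def assess(call: dict, trusted: frozenset = frozenset()) -> list:
    """Risk labels for a decoded call; 'trusted' holds lowercase spender addresses."""
    risks = []
    who = call.get("spender") or call.get("operator")
    if who and who.lower() not in trusted:
        risks.append("untrusted-spender")
    if call["function"] == "approve":
        if call["amount"] == MAX_UINT256:
            risks.append("unlimited-allowance")
        elif call["amount"] >= 2**96:               # far above any real balance
            risks.append("effectively-unlimited-allowance")
    elif call["function"] == "setApprovalForAll" and call["approved"]:
        risks.append("operator-for-all-nfts")       # one call hands over a whole collection
    elif call["function"] == "unknown":
        risks.append("unknown-function")            # cannot tell what you are signing
    return risks


def run_scenarios() -> dict:
    dex = int("11" * 20, 16)          # constructed placeholder for a known DEX router
    attacker = int("bad0" * 10, 16)   # constructed placeholder for a phishing contract
    trusted = frozenset({"0x" + "11" * 20})
    calls = {
        "normal_swap": encode_call(APPROVE, dex, 100 * 10**18),
        "drainer_approve": encode_call(APPROVE, attacker, MAX_UINT256),
        "drainer_nft": encode_call(SET_APPROVAL_FOR_ALL, attacker, 1),
        "opaque": "0xdeadbeef" + "00" * 64,
    }
    return {name: assess(decode_calldata(data), trusted) for name, data in calls.items()}


if __name__ == "__main__":
    for name, risks in run_scenarios().items():
        print(f"{name}: {risks or 'ok'}")
```

A wallet UI usually shows only "Approve TOKEN" for the second and third calls; the decoded spender and amount are what the guide means by staying vigilant with every wallet operation.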

Navigating web3, maintaining device and wallet security is equally important.

  1. Social engineering attacks

  2. Passwords

  3. Email phishing

  4. Do not trust any customer service blindly.

  5. Personal information

Thoughts In web3, asset security is particularly important. Recent hacker attacks have sounded the alarm for us. When dealing with blockchain, security issues are very close to each of us. Although hacker attacks are hard to guard against, we can protect our wallets and assets by staying vigilant and not leaking personal information or asset details.

Original link

zkpass: Decentralized KYC

A potential disruptor in the industry @memeswap

zkPass, a decentralized KYC solution based on MPC (multi-party computation) and ZKP (zero-knowledge proofs), lets users anonymously prove claims about their identity to third parties (other projects or verifiers), using credentials issued by their existing Web2 identity issuers. Converting a Web2 identity credential into an anonymous credential requires neither a centralized server (a traditional KYC platform) nor trusted hardware (a TEE, etc.). The article presents the zkPass protocol as an alternative to traditional KYC providers, offering businesses and users a higher level of KYC in a fully decentralized way.

Thoughts The design of zkPass is very clever: on one hand it uses MPC to prevent fraud (forged user data), and on the other it uses ZKP to protect user privacy.

In traditional KYC, the user first sends identity data to a KYC agent platform, which then verifies it with the issuer (an authoritative institution such as a bank). The user's data is stored on the agent platform during this process, so whether the user's privacy leaks depends entirely on the platform's integrity and its data-security measures. In practice, taking Galxe Passport as an example, there have been suspected cases of agent platforms performing sham KYC through an algorithm alone (users could simply Photoshop their own face onto someone else's ID to get certified).

This leads to two potential issues with the current KYC:

  1. User privacy

  2. False KYC

zkPass uses MPC so that the user's KYC data bypasses the KYC agent platform and is verified directly against the issuing institution's responses, which prevents the user from fabricating the returned data, and uses ZK technology so the user can prove the relevant qualification while remaining anonymous.

Because it needs no programmatic support (no integration work) from traditional identity issuers, zkPass minimizes its dependence on issuer cooperation and availability, and keeps anonymous credentials compatible with existing identity-authorization flows.

zkPass is an excellent choice in both the decentralized context of Web3 and the user privacy context of Web2. I believe it should not be viewed merely as a Web3 project; it has great potential to be adopted by Web2 organizations. zkPass will be a strong challenger to the existing KYC industry.

Original link

How to ensure privacy in blockchain transactions?

Practical analysis of zero-knowledge proof (zk-proof) technology @Tommy

The article discusses how zero-knowledge proofs fit into a framework alongside homomorphic encryption and, through code examples and application scenarios, describes how zk-SNARKs can be integrated into an existing consortium-chain system to protect transaction privacy in the financial sector.

A zero-knowledge proof lets one party (the prover) convince another (the verifier) that a statement is true without revealing anything beyond the fact that it is true; such proofs exist for any statement in NP. A blockchain can be abstracted as a platform on which many parties verify that transactions are valid, and transaction validity is itself an NP statement (a valid transaction comes with a witness that can be checked efficiently), so the two fit together naturally.

The technical challenges of applying zero-knowledge proof to blockchain can be divided into two main categories:

  • One category concerns blockchain architecture designs suited to privacy protection, including proving that assets exist in confidential transactions, preventing double spending of anonymous assets, spending and transferring anonymous assets, and making confidential transactions indistinguishable from one another;

  • The other category involves challenges brought by zero-knowledge proof technology itself, including parameter initialization stages, algorithm performance, and security issues.

Thoughts There are many technologies for protecting transaction privacy, and zero-knowledge proofs are not necessarily the best choice. The security field offers many other privacy-preserving capabilities, such as homomorphic encryption, secret sharing, oblivious transfer, or capabilities based on TEE hardware, that can be used.

Data on a blockchain is visible to every user; how to keep users from disclosing too much information during transactions, and how to hide transaction patterns and user intent, is still at an early exploratory stage for zk-proofs. We look forward to a better balance between data transparency and user privacy as the technology continues to develop.

Original link

ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of virtual token issuances and speculation. All content on this site is solely market information or the opinions of the parties involved and does not constitute investment advice of any kind.