Open Source Blockchain Development: Fighting Spam, Fraud and Fake News
Illustration by Ji Eun Yang
Open source refers to something people can modify and share because its design is publicly accessible. Although the term is commonly associated with software and modern technology, the concept has existed since The Enlightenment. In 1790 Benjamin Franklin suggested:
As we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours. And this we should do freely and generously.
In open source software (OSS) development, the product’s source code is made publicly available, allowing anyone to examine it, modify it and contribute towards building the software. To prevent misuse open source software is typically released under a license, limiting how it can be modified and distributed. For example a license may prohibit the monetization of modified versions, or require that they are also open source. Popular software examples are Linux and Mozilla Firefox, but the concept applies to a variety of domains including commerce, education, gaming, & healthcare .
OSS are generally more reliable and contain fewer bugs per lines of code compared to proprietary software. While both are subject to exploits by malevolent actors, what makes open source blockchain (OSB) projects different from other kinds of open-source projects like games or educational platforms is there’s usually a lot of money directly at stake. Blockchain projects often involve a token sale (ICO), which can be both a primary source of operational funding and a prime attack surface for organized crime.
Blockchain technology empowers anyone in the world to be an investor, but also opens up new avenues for criminal activity. Highly liquid financial instruments represented by pieces of code (smart contracts) and held in virtual wallets make a very enticing target. Additionally, the immutability of transactions make getting your money back nearly impossible if you get hacked.
Cybersecurity may be one of the defining challenges for society in the 21st century. As the lines between our physical and digital worlds become blurred, cyberspace is becoming the frontier of battles between state and non-state actors.
According to the U.S. Department of Homeland Security:
Cyberspace is particularly difficult to secure due to a number of factors: the ability of malicious actors to operate from anywhere in the world, the linkages between cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences in complex cyber networks.
We often think of threats as external, and it’s easy to overlook the fact that they are both internal and external. In the absence of external threats software can crash as a result of internal bugs, much like how an organization can fail as a result of internal conflict. A combination of both kinds of threats are often the most dangerous for any system.
Here’s a simple heuristic I use for assessing cybersecurity threats:
- Technical: w_eakness in software design or execution._
- Social: weakness in human psychology.
Technical threats are more easily quantifiable or verifiable. For example you can detect flaws in a smart contract or calculate the hash power necessary to launch a 51% attack on a network. On the other hand social threats are instances where lapses in people’s judgment lead to unfavorable outcomes. They are quite inconspicuous, and can’t (yet) be reliably measured. Though there are more types, as the title of this post suggests we will focus on spam, fraud, and fake news.
Spam
Any OSB, especially one planning an ICO needs robust community management. The crypto market is a global, 24-7 phenomena that changes at a blistering pace. If you’re running an OSB, it means you have dozens (or hundreds) of people from all over the world contributing code, making suggestions, asking questions or attempting to scam others all day, everyday. If that sounds like chaos, it is. But in some cases the chaos is well managed, and even harnessed to successfully launch working products. In others, people lose money or end up with vaporware.
For direct communication with people interested in the project, most OSBs rely on Telegram group chats, which can host up to 75,000 members. This allows project admins to interact in real time with the community. But it’s a double-edged sword that can be exploited by group members for personal gain, or overrun by bots and spammers.
Public collaboration for software development usually occurs on platforms like Slack and Discord. In many cases these are invite-only, but at Origin, all team communications are publicly available and anyone in the world can easily observe and contribute to protocol development through Discord. Origin is a protocol for creating sharing economy marketplaces. It boasts a radical level of transparency unthinkable for many tech startups in competitive markets. Imagine a startup like Uber had all their team communication publicly accessible..
To gain further insights into challenges and best practices of OSB community management I had a brief chat with Andrew Hyde, Head of Community at Origin. According to Andrew, using a Telegram bot that filters spam, along with dedicated 24/7 monitoring of communication channels eliminates the majority of common threats from bad actors.
strong community = strong scam control
It’s important to ensure that group chats and other real time platforms aren’t flooded by bots or spam and creating negative experiences for new contributors.
Fraud
If you’re a regular Twitter user this is probably the most obvious. Fake accounts routinely impersonate prominent figures with identical profile pics and similar handle names. They also routinely reply to popular tweets with a wallet address, claiming to give away free coins if people send them some money first. Though it may seem juvenile, these exploits can be quite sophisticated. Sometimes after the initial tweet, other sock puppet accounts will reply claiming it worked, or provide fake evidence that they did receive the free coins.
No one is safe
Surprisingly these antics sometimes do work, and scammers can receive thousands of dollars worth of coins before they get shut down. Some accounts are even faking Twitter’s “verified” symbol. The problem is so pervasive that in March Vitalik Buterin, founder of Ethereum temporarily changed his Twitter name to “Vitalik ‘Not giving away ETH’ Buterin”. Twitter’s CEO Jack Dorsey admitted Twitter’s verification system is broken, but little has changed since.
Beyond Twitter, leaders in the space and team members of several projects can find themselves being impersonated on various social media accounts. This can create serious misinformation, and at worst users get scammed by unknowingly sending money to a fraudster. High profile social media account hacks also occur, and hackers often rely on outwitting the victim’s followers.
An interesting and ironic case was when cybersecurity expert John McAfee had his Twitter account temporarily hijacked, and the hacker used McAfee’s account to pump their favorite coins. But in some cases rather than publicly shilling coins, the hacker privately messages the victims’ contacts requesting funds (usually with some unremarkable story). This can happen to anyone you know, so always remember:
Trust, but verify.
or:
Don’t trust, verify.
Depending on your philosophical stance on trust, one or the other may be more appropriate. But the key word here is verify.
Fake News
Besides stealing funds, fake accounts are also used for market manipulation. One type is fake project announcements, such as a new partnership, or some other big news that will likely lure day traders toward purchasing the asset. Another type is participation in pump and dump schemes. Many OSBs rely on a fraction of the supply of tokens they issue, for operational expenses, research and development, etc. These funds are often subject to time-based restrictions like a supply schedule. These details can be difficult to find for some projects, but a good resource for finding such info is the Messari cryptoasset library.
New token projects are typically introduced to markets on few exchanges, so they tend to have low market cap, trading volume and liquidity. This makes them especially prone to manipulation by bots and pump groups, as it doesn’t take a large amount of money or unsubstantiated hype to significantly influence the asset price or cause a frenzy in trading activity. Successful market manipulation can cause insane spikes and crashes in prices, and this severe volatility unfairly disrupts the flow of capital for project development. It also negatively impacts long term investors perception of the project. So market manipulation ruins it for everyone, especially investors and development teams. But project teams have a responsibility to maintain robust capital management, so dependence on a newly created asset in a volatile market for operational expenditure can create unacceptable risks.
A wild market manipulating bot in its natural habitat.
Responsibility lies with both projects and participants to thwart the actions of nefarious actors. While projects need excellent communication hygiene, this is only one side of the equation. Community members should be proactive and always verify that any actionable information is being announced from official sources. Especially info involving financial transactions (token sales, whitelists, etc.). If you’re unsure whether something is legit it’s always a good idea to confirm from multiple official sources, since important announcements are usually posted or pinned across many media platforms.
Scammers often get away with people’s loot simply because they didn’t pay attention to the dozens of warnings and clarifications blasted by the project on all media accounts. But sometimes what may seem like negligence on the part of community members can be attributed to communication barriers. Since most open source projects are global, there’s a need to accommodate for cultural and linguistic barriers between community members. English is a second language for most people around the world, so critical information should be always be stated with clarity, precision and minimal jargon or lingo. Translating information into common languages like Chinese and Spanish can also be very helpful for many community members.
Tips
According to a report from Ernst and Young, about 10% of money raised through ICOs between 2015 and 2017 was lost or stolen via hacks. This translates to about $400 million in stolen funds. Here are a few tips for not adding to that statistic:
- Use 2 factor authentication (2FA) whenever possible, but preferably with a hardware token. 2FA via SMS and phone calls can be compromised.
- Remember that any organization and any person can get hacked. If something doesn’t look or feel right, it probably isn’t.
- Don’t open links unless you trust the source and there are no signs of unusual activity.
- If you’re ever instructed to send money, let skepticism and doubt be your friends. Ensure the reason is valid and confirm to the best of your knowledge that it is correctly being sent to the right recipient.
This list is by no means exhaustive, so if you have better ideas or suggestions please share in the comments.
On a final note, there is a Cambrian explosion of innovation happening around OSBs. The beauty of open source is when one team makes a technical breakthrough, others can copy, adopt or improve upon it. In the blockchain space the fusion of liquid capital, economic incentives and technological development drives the virtuous cycle of innovation at warp speed. Regulation, both government and self-regulation hasn’t caught up yet.
Many of the challenges mentioned above are symptoms of structural differences between the new technology/business models and existing systems. These differences create opportunities for bad actors to exploit existing systems in order to profit in this new space. But despite the bad apples the blistering pace of innovation continues. In the long term, some of these projects may usher in an era where much of human activity is recorded on shared ledgers and facilitated by smart contracts.